Westfield Links

About

Bookmark and Share

FeedBurner

  • Enter your email address:

    Delivered by FeedBurner

Subscribe to this blog's feed

Archives

More...

Categories

Blogroll & other links

Hubspot Code

  • Hubspot Code

17 posts categorized "Cybercrime Trends"

10 August 2009

Four Steps to Avoid Scams: A Courage-Building Cheat Sheet

New scams are created every day which target each and every one of us.  The AMS Users group identified a prime example recently that targets independent insurance agents. This new scheme attempts to steal an agent's credit card information posing as a representative of the department of insurance.

 

Our blog posts have identified several of the scams in the past such as toner scams, and the Michael Jackson spam emails recently spread across the web.

 

Most people find it difficult to challenge these scammers, but a great courage builder is to make a simple cheat sheet and post it near your phone. Here is an example that hopefully will save you quite a bit of grief and money in the future:

 

Step 1: If it sounds too good to be true...it most likely is.

 

Don’t be afraid to ask hard questions after all they wouldn’t be calling you if they didn’t want to.

 

Step 2:    Ask for a reference for validation or a call back number.

 

A scammer probably won’t have a reference available and surely won’t want to give you a number to contact them back. If they aren’t reputable enough to have a reference, use caution.

 

Step 3:    Ask for the request or offer in writing.

 

Any offer can be provided in writing, and it provides you an easy out if someone is attempting to pose as an official or service provider.  Most companies have policies which state they must send you a notice in writing if requested.

 

Step 4:     If and when they hang up on you, take it as a compliment.

 

You most likely just avoided a scam.  Feel good about yourself, and share your experience with others.  One of the best ways to protect yourself and others is to share positive experiences.

 

Feel free to share your cheat sheets as well!

 

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | |

13 July 2009

The dangers of vacationing via your web browser

Now that mid summer has arrived, most people are looking forward to a vacation.  Of course it's important to let everyone know you will be away from work for a few days, but when is broadcasting your upcoming vacation on Facebook, Myspace or Twitter a danger?

Let's say you plan to travel out of state for the week, and you post to your Facebook profile about it.  It just so happens a thief may be watching by searching public profiles for the word "vacation" or "leaving", and they run across your post.  Now they know when you will be gone, and it's not very hard to lookup your full name and city from your profile.  From there a simple google search provides directions to your home.  Guess what happens next?

What can you do to protect yourself?

Take steps not to post information which could harm you or your property.

Examples: 

  • Don't post about vacations, business trips, the big graduation party at the park, or going to the mall until you've come back.
  • It's not a good idea to post about your brand new car or HD TV.

Ensure your privacy / security settings are appropriate for your accounts.

Example:

  • Set your Facebook "Privacy Settings" so you aren't broadcasting information to everyone in your "Network." Remember, "network" could mean everyone in a specific geographic region for example.  Maybe only your friends, and maybe their friends, should be able to view your profile.

There are multiple options to securing a Facebook profile:

  • Secure your basic profile to make sure only people you want to see your information can see your information.
  • Secure your search settings to determine who can search for you, and what they can see about you.
  • Secure your posts to make sure you aren't sending everything you post to everyone, unless of course you want to.
  • Secure any add-ins and remove applications which are no longer being used on your account.

Sure are a lot of options available to secure an account, but it's important to pay attention to each of them. 

I hope this encourages a few people to take another look at their profile settings, and start thinking about what kind of personal information should or shouldn't be posted.

If anyone has any great ideas or recommendations, please drop them off so everyone can benefit.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | |

23 June 2009

Social Networks: The Good, The Bad and The Ugly

Where were you on June 9, 2009 at 10:22am?  At that moment in history, the 1,000,000th word was adopted into the English language.  What was that word?  Web 2.0.  Now you are probably asking yourself, I’ve heard of Web 2.0 well before June…why are we only adopting it now?  Well, the Global Language Monitor has certain criteria by which they judge; but that is well beyond the scope of our discussion here.

So what is Web 2.0?  It has nothing to do with the technology or domain naming.  Mostly it is about the dynamic content and the way users interact with the Internet.  Remember how your parents read the newspaper every evening or watched a newscast on television?  The information flow was one way.  Web 2.0 is about sharing information, opinions and experiences.  You live with Web 2.0 everyday and you probably don’t even know it.  Have you read a review on Amazon?  Have you commented on a news article?  Those are just a couple examples of user provided content.  Websites such as Facebook, Twitter and MySpace, YouTube and other social networks are the big names in social networks or Web 2.0 but there are countless others.  You may think that because you don’t have a Facebook account or don’t visit social networking sites that you, your family or business are immune from anything harmful; you better think again.

The Good

Rather than jump right into the bad or ugly, let’s first discuss how social networks can be good.  Social networking or social media IS the future of communication.  Rather than wait for the newspaper to be delivered, you get news as it happens by the people who are experiencing or involved in the situation.  Remember the US Airway’s flight that landed in the Hudson River?  Well before the media had a chance to deploy reporters to the scene, passengers on the flight were posting pictures and updates through their Twitter account.  Companies are using social networks as a tool to market their brand.  Have you heard of Blendtec?  How about “Will it Blend?”  Blendtec CEO, Tom Dickson, became an instant celebrity when he began posting videos of his blender destroying things like iPhones, Guitar Hero guitars, etc on YouTube.  It also helped them sell a lot of blenders.  Even Westfield Insurance uses LinkedIn and Facebook to find talent, as well as, communicate promotions and events.  Blogs such as this one and the Westfield Loss Control Blog are another way that companies can reach out to current and potential customers.  Internally, employees can network between departments giving them a feeling of being more than just another “employee.”

The Bad

Those were just a few examples of how social networks can be beneficial to a company. What are some of the drawbacks?  First, it is difficult to balance a work culture that embraces social networking while ensuring that it does not impact productivity.  It is increasingly more difficult to monitor or limit these activities as social networks extend beyond the desktop and onto cell phones.  Additionally, companies may have a difficult time restricting or limiting the content that employees post.  A disgruntled employee may post negative information about their employer for all to see.  Companies may have human resource policies when it comes to employees posting information about their employer; but how does a company draw a hard line in the sand between moral, religious and political biases and freedom of speech?  Social networks are making it difficult for companies to separate an employee’s business relationship and their personal lives.  On the other hand, employees are learning that inappropriate use of social networking may allow a company to terminate their employment.

The Ugly

So your company is on the cutting edge of technology and you have an HR policy that addresses social networks; is that enough?  Not quite.  Aside from the fact viruses, Trojans and other malware have found a new distribution vector; there are many other security concerns.  Data Loss Prevention is among the top as employees may maliciously or accidentally distribute sensitive company information.  Depending on the leaked information, your company may be faced with regulatory fines and requirements such as privacy breach.  Even if the information isn’t overtly sensitive, information may trickle that may give a hacker or your competitors an inside advantage.  Take for example your network administrator who blogs and/or posts questions about Cisco routers and firewalls.  A hacker may use that inside knowledge to target the vulnerabilities specific to Cisco products.  I am sure there are additional threats that remain to be discovered.

Conclusion

Whether your company has adopted or is blocking social networks; it is probably time for a revisit.  While the inherent risks and productivity impact of social sites such as Twitter, Facebook, etc. are good reason to not allow them in the work environment; you may find that people are spending more time on their cell phones texting or other social activities.  It is difficult to balance a no tolerance policy for social sites while allowing shopping or other entertainment sites while on company time.  Blocking all non-work essential sites has proven time and time again to reduce employee morale; which in turn has greater impact in reducing productivity.  If you feel your company is behind in addressing this issue, don’t feel alone.  Many companies are working struggling to weigh the risk versus the reward.  We would love to hear how your company handles social networks. Please make a comment or contact us at infosec@westfieldgrp.com.

Posted by John Doan | | Comments (1) | TrackBack (0)

| | | |

15 June 2009

Securing the future

Today was a day for milestones... I've reached 10 years with Westfield and my 8 month old starting saying da da. 

10 years ago information security meant keeping up with anti-virus, and making sure you sent your e-mail to the right person.  People were concerned about locking their doors, and making sure their checkbooks were still in their possession.  Schemes weren’t as complex as they are today.

 

Today information security is almost as complex as the brain teasers you can pick up at the local toy store.  You still need to keep your doors locked, but now you need to make sure you clean the circle the GPS device leaves on your windshield so your car doesn't get broken into.  You also need to shred every document which could remotely leak your identity.  If that's not enough, you need to keep your computer as secure as Fort Knox, with anti-virus software, personal firewalls, anti-spyware, anti-spam, and quite a few more anti-products that are widely available.  If people are willing to dig through trash cans, and spend countless numbers of hours creating viruses what could tomorrow hold in store?

What is information security going to be like in 10 years?  Will your home computer be joined by many other devices requiring all of the anti products above?  Will your car need them, so a hacker doesn't program it to follow their car back to a chop shop?  Will you have to use your fingerprint to access any computer information, including your email?  Will your cell phone be capable of communicating with a maintenance robot doing your laundry, as it senses an intruder breaking into your home? 

 

The message here is that we don’t know what is coming next, but it doesn’t mean that we can let our guard down.  The best we can do is to educate ourselves and others to help protect the future and prepare for the unexpected.

 

I'm interested in hearing others thoughts on this topic?  Please drop a comment, and help us keep the future secure.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | |

31 March 2009

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines.  The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken.  The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money.  This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats. 

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

  • Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008.  New patches are being released all the time.  I guarantee viruses and worms will be written to exploit them.

  • Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer.  We hear this all the time.  Are you doing it?

  • Don't download and run pirated software or software that does illegal things.  This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

  • Be suspicious of everything.  And even more so if someone or something is trying to help you or give you something for free.  Nothing is free.  Come on, you know that don’t you?

 The bottom line is simple. Protect the information on your computer the same as you would protect your physical property.  Lock your doors and windows.  Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars.  Change your locks if you think that someone has been inside your house.  Don't accept (or seek out) stolen property.  If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible. 

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions.  Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Posted by Bill Murray | | Comments (1) | TrackBack (0)

| | | |

05 January 2009

Post-holiday phishes

I trust everyone had a good holiday break and hope you have a good new year. With the way 2008 ended, many people are making plans for the future. Unfortunately, some of those planners include phishers and social engineers. And as I'm sure you've seen, they are getting more and more creative and professional in their scams. The days when you could delete a message just because it was poorly written are long gone. Today's scams are targeted, well-written and spell-checked.

In particular, we are already an increase in phishing messages that reference the recipient's holiday credit care spending pattern. The messages will claim to be requests for confirmation, reports of transactions and even a few of the traditional "your account has been frozen" scams. During the holiday season, many people have more transactions and shop with more different merchants; the scammers are attempting to exploit any confusion over those transactions in order to trick you into disclosing your account information, passwords, etc. If last year is any indication, expect that phishing campaign to accelerate during this week and last until the middle of next month or so.

We are also seeing a number of scams related to the economy. The number of work-at-home scam messages is up dramatically. As you may remember from prior tips, these scams promise easy money either for helping transfer funds or to conduct "quality control checks" on merchandise. In the first case, you become part of a money laundering operation, in the second, a fence. Either way, you're like to get a visit from some federal law enforcement agency. If it were that easy to make money, they wouldn't need to be sending out random emails about it.

Interestingly, the old "Nigerian fraud" is back in large numbers. These are fairly transparent messages alleging that someone needs your help to get money out of a foreign country (usually in Sub-Saharan Africa) and offering you a percentage if you will allow the person to transfer the money through your bank account. Foreign lottery scams are also back in significant numbers. I believe that by now most people know that these messages are scams but in times of financial difficulty, sometimes hope trumps common sense.

If an email asks for your personal information or if it contains an offer that looks too good to be true, trust your intuition and delete the message. To learn more about how to identify common scams, check out some of the links in our archived Tips on phishing. Have a safe New Year.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

08 December 2008

Get ready for a Storm of holiday-related scams

For the past year or so, we've seen a significant uptick in attempted scams and frauds around every holiday. Many of them trace back to the Storm Warn gang, a crime ring based out of Germany that sells hacker software. Their last big attack was at the Fourth of July and tricked many thousands of users into downloading the 'storm-bot' trojan by offering a fake video clip of "the largest fireworks" celebration in the nation. Victims found their computer hijacked as part of a bot-net or had keystroke loggers and other malicious software loaded onto their computer.

If past patterns hold true, we can expect to see a dramatic rise in the volume of spam and phishing attempts during this holiday season. Some of their cons last holiday season included dedicated sites like the Merrychristmasdude.com website (a site offering suggestive holiday-themed photos along with a very malicious download) and spam emails such as the Happy New Year phishes. This group develops very sophisticated software with hundreds of variants that attempt to evade and outrun standard anti-virus software.

To combat these scams, first be suspicious. Never open unexpected messages or attachments.

Second, keep your anti-virus up to date at all times. Set your anti-virus to automatically update itself as often as the software allows. And if you're particularly suspicious about an email or website, force a manual update before clicking the link. Remember that if your kids have a computer at home that runs under parental controls, their computer may not be able to complete the update under the restricted ID. Their computer may be at risk until you log on under your parental ID so the updates can take hold.

Finally, keep your firewall turned on and be very suspicious of any 'free' video or other offer sent through the internet. In particular, be cautious about electronic greeting cards. While some are legit, many are frauds. See this tip for some thoughts on how to sort out e-card invitations.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

10 November 2008

Just when you thought it was safe to let your kids back online

As if regular ID theft weren't enough, now there is an organized crime ring of password stealers who are targeting your online gaming accounts.

For those of you who aren't familiar with these online games, you create a character or 'avatar' who adventures through a fantasy world, interacting with other players to overcome various hazards and quests. Many people invest huge amounts of time and energy developing the character's skills and building up possessions in these online worlds. The Wall Street Journal has run several stories about the 'virtual economies' that sprang up around these games. Some players build up strong characters or search for rare possessions for the sole purpose of selling them to new players who don't want to go to the effort of building up an inexperienced character themselves. It may sound a little weird but it's all legal – the free market in action.

The hack in this case is an infection on your machine just so the hacker can steal the password to your online game account. They log on as you and sell all your carefully hoarded possessions for virtual gold coins which are then handed over to some other online confederate who sells the virtual gold for real-world cash at an online exchange like IGE. (Yes, you can make real money playing games.)

Unlike a theft of your real-world bank password, the theft is virtual so it's not clear that you can actually report it to the police (or that they could do anything if you did). Furthermore, it's very easy to launder the transaction – there's almost no chance that the hacker will get caught.

On the plus side, some of the recent security updates have closed the worst holes that these password stealers exploited. This example highlights the need to keep your computer fully-patched and your antivirus and anti-spyware up-to-date. And, of course, don't play those online games on your work computer.

Read more at CSOonline or get a copy of Exploiting Online Games by Hoglund & McGraw.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | |

03 November 2008

Stolen laptops

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It's not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don't think you've ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee's practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don't give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet - out of sight, out of mind. Don't assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don't just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You'd never be that careless at home. Don't let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it's time to ask for your free copy of your credit report from the next agency.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

27 October 2008

Suing the scareware vendors

According to a Washington Post article, Microsoft and the state of Washington recently filed lawsuits against a number of scareware vendors. They're finally taking on the scammers who are trying to trick us into buying worthless (or worse, malicious) "security" software.

One of the lawsuits specifically charges Texas-based Branch Software with involvement in the "Registry Cleaner XP" scam. A number of other "john doe" lawsuits were filed in an attempt to learn the identities of the individuals responsible for marketing other scareware products such as WinDefender, XPDefender, Antivirus2009 and Scan & Repair Utilities.

Kudos to Microsoft for finally attempting to do something about these scammers. Now if they'd just reset the defaults in their own software so it wasn't so vulnerable in the first place…

Until they do, make sure you keep your computer fully patched, never bypass the firewall and be cautious of any suspicious links or pop-ups – especially ones telling you that your computer needs fixing.

If your office has an IT specialist, make sure he/she is signed up for regular alerts about the latest technical security vulnerabilities. These alerts will help you prioritize which patches need immediate remediation and which can wait while you test them for unintended consequences. Here are a few that I've found to be reasonably thorough:

If you don't have someone who can watch and evaluate these notifications, you probably need to set your patches to automatically update themselves and hope that the patch doesn't break anything else accidentally.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

31 March 2008

Fake check scams

Earn millions! Help a damsel in distress! Win the lottery! Work at home! Whoops, I overpaid – please send back the overpayment!

These are just a few of the scams out there. The average adult American receives 4½ emails, phone calls or pieces of mail per week attempting one of these scams. Thirty percent say they receive 10 or more a week and 18% admit that they or a family member have fallen for one of them.

The National Consumers League (NCL) recently launched a website fakechecks.org to help educate consumers about check-fraud scams like these. The website includes a "fraud test" and some great videos that show exactly how these six scams work and how to recognize them when they come in . Take a few minutes at home to see how many of these you would fall for. And remember, this is what these scammers to for a living. Some of them are very good at building a rapport and sounding trustworthy. They play on our inherent trust and desire to be helpful and courteous.

Remember also that in a check fraud scheme, the victim is responsible for the lost money and any overdraft or returned check fees. The fraudster ought to be responsible but given the odds of catching him/her, that is dangerous wishful thinking. The bank has no responsibility if you fall victim to check fraud like the ones above.

If you are a victim who recently wired money to fraudsters, report the incident immediately to the security department of the business that handled the wire transfer. If the payment hasn't been processed yet, they might be able to get your money back. If it's an older scam, report it at fakechecks.org.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

04 February 2008

Hackers do it for the money

Every so often, people ask me "why do they do it?" Why do the hackers put so much time and energy into committing crimes and sending spam? Why can't they channel all that innovation for good?

The stereotypical hacker used to be a pimply-faced, pizza-eating kid working late at night in a caffeine-induced frenzy for guts, glory and bragging rights – kids breaking into systems just to prove that they could or writing computer viruses to delete hard drives for the cheap thrill of vandalism. There are still some of those folks out there but the vast majority of hackers and spammers are now in it for the money. They are organized, well-educated and they're making big bucks.

According to McAfee CEO David DeWalt, cybercrime has become a $105 billion business and is now larger than the value of the illegal drug trade worldwide. Unfortunately, computer crimes are relatively safe crimes. Hackers hide behind multiple networks and their digital footprints. Many hackers run at least part of their scam through a foreign country – often one with poor relations with the US, significantly increasing the difficulty in prosecuting any case against the criminal. Law enforcement's ability to find, prosecute and punish cybercriminals has not kept up with the growth of the criminal activity. And even if you do get caught, DeWalt noted that "If you rob a 7-11 you'll get a much harsher punishment than if you stole millions online."

And even if the hacker can't make any money off you directly (by stealing your personal information or using your computer as a point-of-entry into the corporate system), they can still hijack your computer's processing power to attack other systems. The hacker sees your computer as an asset.

Take spam as another example. If we all stopped buying, the spam problem would dry up in a matter of months. Yet 98% of all message traffic on the Internet is now spam. Who buys that junk? According to a study from several years ago, a spammer only needs to make one sale or con per 100,000 messages in order to make a profit. With those odds, they don't even have to be good scams. They just have to find the one gullible person among your 100,000 closest friends.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

14 January 2008

Most Americans overestimate their cyberprotection

Most people think that they're protecting their computers but few are as safe as they think they are. According to a poll conducted by the National Cyber Security Alliance (NCSA) and the anti-virus company McAfee, 87 percent of Americans say they have anti-virus software. When their computers were scanned (with their permission), 94% actually had anti-virus software but only 52% had updated it in the last month. New viruses are released daily. An out-of-date anti-virus package does you almost no good at all. Most anti-virus packages have an option to update themselves automatically. For almost all of us, that's the right choice.

73% of those surveyed said they had a firewall. 81% had a firewall but only 64% had it activated. That's like saying your money is protected by the steel door of the bank vault but leaving the door hanging open. Never disable your firewall.

70%t said they had anti-spyware software but only 55% actually have it.

The poll also reported that 61% believe they have anti-spam software installed but only 21% do. (In this case, the poll question may have been worded poorly. If your spam filtering is done by your ISP or your webmail provider, you may be protected from spam even though the anti-spam software is not on your specific machine.) Regardless of how you run it, the important point is to have an anti-spam solution.

Oddly, the study found that computers of older Americans tend to be more secure than those of the allegedly-more tech-savvy younger Americans.

To be properly protected, you need current anti-virus, an active firewall, up-to-date patches for your operating system and applications and at least one anti-spyware program running. If you don't, you are taking unnecessary risks with your personal information.

Click here to read the full study results.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

20 August 2007

Hackers go commercial

For only $700, you too can become a hacker. New hacker tools are as easy to use and as well supported as any commercial software package. The Mpack toolkit is a particularly easy-to-use hacker kit being sold on Russian e-crime forums. It is "guaranteed to bypass all anti-virus programs at the time of purchase". Like many commercial software packages, it includes a year's worth of free updates and support for the hacker in the price. Mpack is also disturbingly common. It has been discovered embedded in more than 10,000 web sites so far.

Between the increased availability of these tools and the sheer number of vulnerabilities that they are programmed to automatically exploit, it is vital that you keep your computer's operating system and applications up-to-date and fully patched.

Regularly check for updates and immediately load them. Consider setting them to automatically update. And remember that you have to check for updates for every program you have on the computer, not just the Microsoft updates.

Shut down your computer every night. This limits your vulnerability to automated attacks against your computer. Depending on how your network is set up, it may also trigger your update process, making sure that the latest patches are loaded to your computer when you log on in the morning.

Mpack targets security holes in many common software programs including QuickTime media player, plug-ins for the Firefox web browser and Microsoft Windows. According to researchers at one anti-virus company, this toolkit uses simple yet very sophisticated web-based interfaces and allows the hacker to take control of the victimized computer to either steal information, install keyloggers or use your computer as a "zombie" to attack someone else. You can read this technical report for more about Mpack.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | |

26 March 2007

Hackers attack computers every 39 seconds

In the time it takes you to read this entry, two hackers will try to get into your computer.

The Hollywood stereotype of a hacker is a technically-savvy individual trying to get into a specific target computer - the spy trying to breach a military computer, the disgruntled employee vandalizing his former employer or the kid cracking a university system for bragging rights. In fact, most hackers today run brute force attacks using simple software-assisted techniques to randomly attack vast numbers of computers.

According to a Maryland Univ study, computers are attacked on average 2,244 times a day. That's an attack every 39 seconds.

Researchers in this study set up weak security on four computers with internet access, then recorded what happened as the individual machines were attacked. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords trying to break into a computer.

The most commonly guessed usernames were root, admin, test, guest, info, adm, mysql, user, administrator and oracle. The most common password-guessing technique was to use variations of the username. About 43 percent of all attempts simply reentered the username. The username followed by 123 was the second most-tried choice. Other common passwords included blank (that is, no password set), 123456, password, passwd, 123, test, asdf, qwerty and variations based on the date (such as January07).

Once hackers gain access to a computer, they set up back doors so they can easily regain access later, turning the target computer into part of their botnet which they will later either use directly or lease to other hackers so they can send out spam, attack yet more computers, run distributed denial of service attacks, etc.

Never use the kinds of usernames and passwords identified in this research. If your computer came with a default administrator or guest account, change the accountname immediately.

Always choose longer, less obvious passwords with combinations of upper and lowercase letters and numbers that are not as obvious to brute-force dictionary attacks. If your system can handle it, whole sentences make very strong passwords that are still easy to remember and to type.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

04 December 2006

Spam trends - Updated

If it seems like you're seeing a lot more spam lately, it's not just you. During the past few months, the incidence of spam shot up around the world. In 2001, researchers estimated that about 5% of all Internet traffic was spam - one spam message for every twenty real messages. By 2003, researchers estimated that 50-60% of all traffic on the Internet was spam - one spam message for each good message. In September of this year, that number was up over 80% - 4 spam messages for every real message.

In the past month, two new computer viruses were released both of which are specially designed to generate spam messages. These viruses are very sophisticated and have been very hard for the anti-virus companies to block. (See this TechWeb article for details.) The latest estimates are that there are 9-10 spam messages for each good message on the Internet. All that means that the total volume of spam on the Internet is way, way up.

Good spam filters are generally 95-98% effective at identifying spam messages as spam. That's actually a pretty good ratio and is about as good as any software package can get. Unfortunately, when you pump so much increased volume through a filter with a 2% leakage rate, more spam will inevitably leak through.

Some people have asked if they can tweak that filter to block more of the spam. The cost we generally pay for that effectiveness is that about 0.5% of good messages are incorrectly identified as spam. If you tighten the spam filter, you will get an increase in the false positives. Every company is constantly trying to make sure that they are at the right balancing point.

We are in an arms race with the spammers. Every time the anti-spam vendors come up with a technique to identify spam, the spammers adapt and find another way around the filters. It has been a story of incredible creativity and innovation.

While we are waiting for the spam-filter companies to release their next round in the arms race, there are some things that you can do to keep yourself off the spammers' target lists. Remember that once you're on one list, spammers will sell your address to other spammers. And once that happens, there's little you can do except to wait until your address ages off their lists.

  1. Never buy anything advertised in a spam message. If you do, you'll jump straight to the top of their list.
  2. Never respond to a spam email, even to complain or to attempt to get off their list. Any reply at all confirms to the spammer that you read the message. Even if you didn't fall for their Viagra scam, they know you might fall for a mortgage scam. Never reply to a spammer. Do not attempt to "unsubscribe" from the list. More often than not, the unsubscribe link is a scam.
  3. If you can, delete the spam message without ever opening it. Spammers use techniques such as web-bugs to track whether or not you opened the message. Again, they hope that even if you didn't fall for one scam, if you're the kind of person who opens spam, maybe you'll fall for a different one.
  4. Do not use your work email address for internet shopping, chat boards, etc. Sign up for a free email account like Yahoo or Hotmail.

The final recommendation is to remember that spam is just like the physical junk mail in your mailbox at home. We do what we can but at some point you just throw it in the trash and let yourself get on with your life.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |

23 October 2006

Trends in Phishing

A survey by First Data Corp. in 2005 found 43% of US adults had received at least one fraudulent email, in most cases purporting to be a financial institution. Of those, about 1 in 20 – or 4.5 million people – provided the requested information and about half of those ended up being victims of theft or identity fraud. According to antiphishing.org, 89.3% of all phishing attacks target financial institutions.

Those are some large numbers but I have to admit that my first reaction was to ask "who are those lucky 57% who have not yet received a phishing email?" Many of them simply do not have email. For the remainder, unfortunately the question answers itself. They are the people who have not yet received their first phish.

Phishing emails attempt to trick the reader into believing that the message is from a trusted source and following their "convenient" link to a fraudulent site which looks and feels just like the official site but which is designed to steal the user's private information. Even though this doesn't fool most consumers, phishers rely on "spam economics" – they can make money even if only a fraction of a percent of their scams succeed.

Phishers are beginning to add to their tactics. Many are providing a fraudulent telephone number in the email rather than just a fraudulent hyperlink. The criminal then sets up his/her own IVR system to steal your information when you call in. Others are making increased use of trojan horses – programs which are covertly installed onto your computer and which either log all your keystrokes or install a backdoor through with the criminal can take control of your computer.

Never trust anything sent in an unsolicited email. Never directly answer any request for your private information. If you think the request might be legitimate, type the company's address into your web-browser yourself. If this is a real request, expect it to be prominently displayed on your account page on the company's real website. If you are going to call them by phone, get the phone number off of your last paper statement. Never trust the "convenient" number on the email. Finally, remember that no reputable financial institution will ever ask for your personal information via email.

Incidentally, in 2005 the Federal Trade Commission estimated that 9.93 million persons were affected by identity theft, causing a loss to financial institutions of $46.9 billion. Combining that with the statistics above, phishing accounts for only about one quarter of all identity theft cases. This is consistent with other studies which show that most ID theft is based on paper documents. We should still be vigilant against these kinds of scam messages but we should be even more vigilant about making sure that our paper waste is properly destroyed.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | |