Monday, August 29, 2011

Facebook notification emails invite spammers to imitate

Webroot has tweeted a link to a ZDNet story giving examples of phishing attempts that imitate legitimate Facebook notifications. The link is here.

The complicated URLs Facebook uses, and the buttons, can also appear on legitimate notifications, a point that has drawn some criticism of the story's writer, Ed Bott. But users can also hover the mouse over a link, without clicking, to check whether it is legitimate.

Newer browsers, including Safari, and filters like Google's Safe Browsing and Microsoft's SmartScreen are supposed to be able to detect the phishing attempts. Many email programs, like AOL's, will not correctly identify all of them.
What Bott offers here is a good true-false quiz. It's rather like a TSA quiz of employees expected to identify dangerous carry-ons.
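Bott's mouse-hover check can be automated for the case this post describes. As an added example (not from ZDNet, Webroot or this blog), the Python below pulls every link out of an HTML notification and flags those whose actual host is not facebook.com or fb.com (an assumed trusted list), separately noting links whose visible text is dressed up to look like Facebook; the email body is constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Domains a genuine Facebook notification would link to (assumption for this example).
TRUSTED_HOSTS = {"facebook.com", "fb.com"}

def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only if host IS a trusted domain or a real subdomain of one.
    The dot check matters: 'www.facebook.com.login-verify.example' must not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, trusted=TRUSTED_HOSTS):
    """The mouse-hover check, automated: flag links whose real host is not trusted,
    noting whether the visible text was dressed up to look like the trusted site."""
    p = LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        if host_is_trusted(urlparse(href).hostname, trusted):
            continue
        lookalike = any(t in text.lower() for t in trusted)
        flagged.append({"href": href, "text": text,
                        "reason": "lookalike text" if lookalike else "untrusted host"})
    return flagged

# Constructed sample notification body: one genuine link, two imitations.
SAMPLE_EMAIL = """<p>Alice commented on your status.</p>
<a href="https://www.facebook.com/n/?comment_id=123">View Comment</a>
<a href="http://www.facebook.com.login-verify.example/index.php">http://www.facebook.com/</a>
<a href="http://198.51.100.7/fb/login.php">Confirm your account</a>"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(hit["reason"], "->", hit["href"], "(shown as:", hit["text"] + ")")
```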

A few months ago, spammers propagated a scam involving site “guessology” and fake surveys when misspellings of “Facebook” were keyed in. I reported this (Feb. 27, 2011) and some people confirmed running into this.

Friday, August 19, 2011

Security risks increase on social networking sites because of natural human gullibility

A story by Steve Ragan in Tech Herald maintains that “many social networking platforms are still a gold mine for criminals online”, link (website url) here

The report cites a study by Webroot (tweeted yesterday), which examines the natural tendency for people to trust their “friends”.  But you can’t know a thousand people well enough, and that’s where the crooks can get in.

People who use the web more as a publishing platform and who network passively seem to be at less risk.

Younger adults -- professionals and college students, especially talented, attractive or popular “kids”, often attract hundreds of friends or followers.  So do people whose business is to build client leads and sell to them, like insurance agents.   The problem is that among so many people, a few will be untrustworthy.  It can be dangerous, for example, to announce vacation plans or when you will not be home.

Webroot reports that over 18% of social networking users have been infected by Koobface viruses.

Pew did a study on the perception of Internet users on their friends’ “trustworthiness”.

Tuesday, August 16, 2011

In a public Wi-Fi environment, be wary of how you count on https

Here, from “The Insider Online”, is another summary on the question, “Are free public wi-fi networks safe?”  That includes “free wireless Internet” in many hotels (only a few offer Ethernet cable, which is safer; that’s what I had at a Holiday Inn in New York City in June, and it was great).

The link for the article is here.

The upshot is: no, it isn't, not for entering anything with personal information or passwords. In a public wireless environment, even "https for logon only" is not safe enough; do personal stuff only if the entire site is https (with SSL).

Here’s a little article on how Firesheep works, and a Wiki article on it, too.
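The "https for logon only" warning comes down to one cookie attribute: if the session cookie set by the HTTPS login lacks the Secure flag, the browser sends it in the clear on the next http page of the site, which is exactly what Firesheep listens for. Here is an added example (not from the article or its sources) with constructed Set-Cookie headers; it assumes the later request goes to the same host and ignores the Domain attribute:

```python
from urllib.parse import urlparse

# Constructed Set-Cookie headers (sample values, not from any real site): the first is what a
# "https for logon only" site hands back, the second what a fully-https site should send.
LOGIN_ONLY_HTTPS = "sessionid=9a1f3c; Path=/; HttpOnly"
FULL_HTTPS = "sessionid=9a1f3c; Path=/; Secure; HttpOnly"

def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes;
    flag attributes (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name.strip(), "value": value, "attrs": attrs}

def sent_in_clear(cookie, request_url):
    """True if a browser would attach this cookie to request_url over plain http.
    That is the Firesheep condition: the session token crosses the Wi-Fi unencrypted
    and anyone sniffing can replay it. HttpOnly does not help here; only Secure does."""
    u = urlparse(request_url)
    if u.scheme != "http":
        return False                       # https request: encrypted either way
    if cookie["attrs"].get("secure"):
        return False                       # Secure cookies never travel over http
    path = cookie["attrs"].get("path", "/")
    if path is True:                       # bare "Path" with no value
        path = "/"
    return (u.path or "/").startswith(path)

def audit_login_response(set_cookie_headers, next_http_url):
    """Names of cookies from an https login response that would leak when the
    browser follows the login with an ordinary http page on the same site."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers)
            if sent_in_clear(c, next_http_url)]

if __name__ == "__main__":
    for label, hdr in (("login-only https", LOGIN_ONLY_HTTPS), ("entire site https", FULL_HTTPS)):
        leaks = audit_login_response([hdr], "http://example.com/home")
        print(f"{label}: cookies leaked on an http page -> {leaks}")
```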

A safer option for travel is a personal MiFi "secure" hotspot, for example, the Verizon device shown here. 

I have used hotel WiFi (before I got the MiFi) without any incidents. However, I find a MiFi card works very well on the road, and will operate on battery for some time in an airport lounge.

Monday, August 15, 2011

Security of client data when people telecommute is becoming a bigger issue; a Seattle hospital gets hit

People who work from home may be inadvertently exposing clients of their employers to theft of information. A news story in SC Magazine reports how an employee accidentally exposed data on patients of a Seattle hospital through changes in his home network, link here.

Although it has become popular for some employers to expect associates to supply their own systems for work-from-home jobs, security standards for these arrangements don’t seem to have gotten the systematic attention they need.  

It may be less of an issue as long as the employer supplies the laptop (which may have been the case with the hospital in this story), but employee home networks could be subject to wardriving attacks if not properly password protected and encrypted.

A safer solution is for the employer to use a reliable and totally separate and encrypted online access, such as Verizon cellular wireless, with RSA Tokens for sign-on.  Using an employee's hardware (even cell phones, with the saving of phone numbers and messages in memory) always adds to potential security threats.  

Wednesday, August 10, 2011

Media reports are mixed on "Anonymous" threat to Facebook, scheduled for Nov. 5

There are wide reports that elements of the hacktivist group “Anonymous” have threatened to invade and shut down Facebook on Saturday, Nov. 5, 2011.

For example, here is the CNET story by Chris Matyszczyk, with some mention of the WB film “V for Vendetta” here

Chloe Albanesius has a more analytic article at PC Magazine here

Business Insider has a briefer story with a portrait of Mark Zuckerberg, and a disclaimer from Anonymous leadership, here

The original YouTube video complains that Facebook continues to sell personal information and that information cannot be deleted even by closing an account.

Ironically, Facebook has recently been arguing in public that anonymous use of the Internet should be banned, despite the importance of anonymous speech in the recent "Arab spring" and for civil disobedience against authoritarian regimes. 

Friday, August 05, 2011

Las Vegas Black Hat convention: possible remote threats to PC batteries, cell phone and cellular wireless transmission

Some scary stuff is coming from the Black Hat security convention in Las Vegas. According to a CNN story, a hacker has developed a way to interfere with the battery charging technology in a MacBook remotely (presumably this could be done with a PC, also), to cause the computer to stop running or conceivably even explode. This sounds like the stuff of a sci-fi channel movie, but it could happen.

Another exhibit showed how homemade drone “airplanes” could disrupt cell phone towers, and probably the cellular wireless transmission that is particularly popular for telecommuting arrangements with employers.

About two years ago (and discussed earlier in these blogs), the Washington Times had discussed military microwave weapons that, if acquired illegally, could destroy all the electronics in a neighborhood of a city.

The CNN story link is here

Somini Sengupta has a Business Day New York Times story today, “Guardians of Security are Targets”, link here, about hacker attacks aimed at antivirus and Internet security companies themselves as well as government agencies.

Tuesday, August 02, 2011

Amy Winehouse tragedy inspires rather obvious phishing scams

Webroot is warning users of widespread Trojans spread by phishing emails exploiting the death of Amy Winehouse.  Phishing based on celebrities, especially when they run into tragedy, is nothing new. Back in 2000, a major corporate partner of mine was fooled by a virus involving a tennis player, in a time before phishing was widely understood.

This time the hackers are concentrated in Brazil as well as China and are mainly motivated to invade bank accounts, as usual.

But it’s an easy ruse to miss. Just don’t click on links in unsolicited emails, and as usual, mark suspicious emails as spam. Let’s see if the ISPs catch this one automatically.

The link for the tweeted Webroot story is here