Archive for the ‘Web Security’ Category

How Twitter Is Helping Fight Spam

Thursday, October 22nd, 2009

Twitter has become a great way for friends and family to keep in touch throughout the day.  It’s become so popular that even celebrities provide daily updates so that they can keep track of each other and connect with their fans.

As is the case with many social networking sites, predators have been trying to capitalize on the weaknesses associated with using Twitter.  Whether someone has created an account for the sole purpose of befriending potential identity theft victims or the profile just pumps out spam, not everything on the popular site is as it seems (read about how scammers are abusing Twitter).

Twitter has decided to take action by adding a “report as spam” feature which can be found under the “Actions” section of a profile’s sidebar.

Once a user has been reported, Twitter’s Trust and Safety team investigates the situation and makes decisions regarding what action, if any, should be taken.  Users who click the “report as spam” button will automatically have the profile blocked from following or replying to them.

I think this is a step in the right direction and, hopefully, will help deter spammers and scammers from using Twitter as a way of hurting others.  It’s important since cybercrime on social networking sites is on the rise.

How Scammers Are Abusing Twitter

Thursday, October 1st, 2009

Earlier this month we talked about “scareware”. One such attack was recently perpetrated through the popular social networking site Twitter. In fact, this week I have witnessed several different scams on Twitter.

1. Scareware Scam: Scammers were found to be using machine-generated Twitter accounts to post messages about popular topics. Each of these messages would include a link, often disguised using a link-shortening service (making it difficult to know where the link would lead). The link would lead to servers hosting fake Windows antivirus software.

2. DMs that Steal Logins: This second scam uses hacked accounts to send direct messages (DMs) to users. Clicking the link in the DM takes you to a fake login page in a ploy to steal your login information. Once an account is compromised, the scam propagates to all of that account’s friends. Receiving direct messages with links from “friends” increases the likelihood these links will be clicked.

3. Baiting Users: I have witnessed attempts by several auto-generated accounts to bait particular users. To do so, they accuse the user of something, such as holding a political stance, in repeated @ messages, which are then retweeted or continued by a whole series of other accounts. In all cases, the accounts also have other “real”-looking tweets with links in them, trying to bait you into checking the account and clicking the links.

In reference to the second scam, I know of individuals who had their accounts breached without handing over their passwords, so it’s imperative that anyone who receives direct messages with links not click those links. If you do, change your password right away and contact Twitter support to report the issue.

I myself have been baited by many of these schemes, but I never click the links. Here, for example, is one a “friend” sent me yesterday:

[screenshot of the direct message]

If you are unsure about a particular link, don’t click it. If it is a shortened URL, you can see where it leads with a service such as LongURL, which expands the link for you so that your own browser never has to visit the destination. If you use Firefox and want added protection from cross-site scripting and other script-based attacks, you can install the NoScript add-on.
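As an added example (this is not code from the post, nor the LongURL service’s own code), here is how such an expander works in Python: it issues HEAD requests and follows each Location header by hand, so the real destination is revealed without a browser ever loading it, and a chain of shorteners or a redirect loop is reported rather than silently followed. The shortener hostnames and the redirect table at the bottom are constructed for the demo and are assumptions, not real services.

```python
"""Expand a shortened URL hop by hop, without a browser ever visiting it.

Added example for this post; it is not the LongURL service's code. It
assumes the shortener answers with an HTTP 3xx status and a Location header,
which is how bit.ly-style shorteners work. Each hop is a HEAD request and
redirects are never followed automatically, so the whole chain is recorded
and no page body is fetched or rendered along the way.
"""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def head_location(url, timeout=5):
    """One HEAD request; returns (status, Location header or None).

    http.client never follows redirects on its own, which is exactly what
    we want: we look at the Location header and decide ourselves.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("refusing non-HTTP scheme: %s" % parts.scheme)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow Location headers manually and return the full redirect chain.

    chain[0] is the link you were sent; chain[-1] is where it finally lands.
    A loop or an over-long chain raises ValueError: either one is a sign the
    link is designed to defeat exactly this kind of inspection.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(current, location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    raise ValueError("gave up after %d redirects" % max_hops)


def summarize(chain):
    """Pull out what a user wants to know before deciding whether to click."""
    final = urlparse(chain[-1])
    host = final.hostname or ""
    return {
        "final_url": chain[-1],
        "hops": len(chain) - 1,
        # A shortener pointing at another shortener is a classic way to hide
        # the destination from link-checking tools and from the user.
        "chained_redirects": len(chain) > 2,
        # Legitimate sites are reached by name, rarely by bare IP address.
        "bare_ip_host": host.replace(".", "").isdigit(),
        "https_at_end": final.scheme == "https",
    }


# Constructed redirect table standing in for live shorteners, so the demo
# runs offline. Hosts under .example are reserved and never resolve.
DEMO_REDIRECTS = {
    "http://short.example/x9Qz": (301, "http://other-short.example/k2"),
    "http://other-short.example/k2": (302, "/landing?campaign=av"),
    "http://other-short.example/landing?campaign=av": (200, None),
}


def demo_fetch(url):
    """Offline stand-in for head_location, backed by DEMO_REDIRECTS."""
    return DEMO_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("http://short.example/x9Qz", fetch=demo_fetch)
    for i, hop in enumerate(chain):
        print("%d: %s" % (i, hop))
    print(summarize(chain))
```

Passing `fetch=head_location` (the default) runs the same logic against a live shortener. The point of doing it with HEAD and manual redirect handling is that nothing from the destination is executed; a shortener that bounces through a second shortener, or that loops, shows up in the summary instead of being quietly resolved.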

Via Mashable and Computerworld.

Organizations Fail to Mitigate Security Risks

Tuesday, September 29th, 2009

The SANS Institute has just released the results of a comprehensive study of cyber security risks. The study is based on attack data from intrusion prevention systems in 6,000 organizations and vulnerability data from 9 million systems. It indicates that there are two major risks to organizations, both of which could be mitigated.

Cyber attacks are a growing problem for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that they are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software is left unpatched, and websites are not being scanned for the common flaws that criminals use to compromise those sites and exploit their visitors.

Waves of targeted email attacks, often called spear phishing, exploit client-side vulnerabilities in commonly used programs such as Adobe Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The attackers’ ultimate goal is to steal information and to install “back doors” so that they can return and further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce the risk of being exploited. It also means that the question of Mac vs. PC is not going to solve your risk problem, since these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations that want to ensure their defenses are up to date. It shows some interesting patterns in the data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print the report to study the graphs in detail.

5 Facebook Scams to Avoid

Friday, September 25th, 2009

We’ve been talking a lot lately about Facebook, particularly as Facebook aims to improve its security and privacy measures. A new article from Switched has laid out 5 common Facebook social engineering scams and how to avoid them. It’s a great primer on how to avoid being duped by any scam.

Aside from never clicking on suspicious or shortened links from friends (unless you expand them first), the article outlines these 5 common scams and how to avoid them:

  1. 419 Scams – your friend’s account may have been hijacked if you receive a message from them claiming to be desperate for cash. Always talk to your friend by some non-web-based means to confirm they really are in need first!
  2. Hidden Fee Apps – you should never have to submit your cell phone number or other personal information in order to unlock features or receive quiz results from any application.
  3. Fake Login Pages – they may look real, but if you get an email asking you to log into Facebook, make sure you’re actually at Facebook, not following some link (particularly if the link leads anywhere other than Facebook.com).
  4. Malware Links – if you receive messages from friends with links, beware. There is a chance the account has been hijacked and you’re being sent to malicious sites that could then steal personal info from your computer.
  5. Facebook Apps that are Malware – yes, even the applications themselves can be dangerous! Some may even mimic valid applications, sending you realistic messages such as a notification that someone has left a message on your wall. As with #3, their goal is to get you to a fake login page. So, look for anything odd in these emails (strange icons, poor grammar, invalid links).

There are many websites featuring this list. For more comprehensive details about these scams and how to avoid them, you can check out PC World. Another variant of the same theme can be found at CSO Online, which also includes tips to avoid Twitter scams.

If you do find yourself a victim of a scam on Facebook, it’s best to alert Facebook administrators with all of the details of the scam.

Malicious Ad Strikes NYTimes.com

Thursday, September 17th, 2009

If you regularly browse the internet, chances are you’ve encountered a website that has been affected by a malicious advertisement.  It used to be that you could somewhat predict what sorts of sites would have these problems (spammy-looking and adult-oriented sites), but now the problem is more widespread.

Readers of NYTimes.com learned this past weekend that even the most respectable sites can be affected by rogue ads.  Some visitors reported pop-up messages instructing them to install fake anti-virus software which, of course, is never a good thing.  To warn readers, NYTimes.com posted the following tweet:  “Attn: NYTimes.com Readers: Do not click pop-up box warning about a virus – it’s an unauthorized ad we are working to eliminate.”

What can be done about this problem proactively?  As eWeek pointed out, it’s a tough situation, especially when it involves a big outlet like NYTimes.com.  From their perspective, they embed JavaScript that pulls ads in from suppliers, so they may well believe they shouldn’t have to inspect every ad for malicious content.  That arrangement, however, means a supplier’s code runs in readers’ browsers under the NYTimes.com name, and the site does have a responsibility to protect its readers.  It’s a tricky problem to solve, which is evident from how prevalent these ads continue to be.

Read more about the profitability of these ads as well as a detailed analysis of the code used to create them.

image: sxc.hu/svilen001

Watch The Full H*Commerce Series

Tuesday, September 15th, 2009

A few months ago we mentioned that McAfee had launched a new web series called H*Commerce: The Business of Hacking You. That web series has now put out all of its 6 episodes, each one involving real people doing normal online activities that result in them being targeted by cyber criminals. The series calls on a number of experts in the field to describe cyber crime, how it happens, and what the outcomes are.

The topics covered across the six episodes include: the history of H*Commerce; email scams and 419 scams that involve money transfers; how the ease of the Internet helps H*Commerce; the people trying to stop this scamming and social engineering; the reality of H*Commerce and how much is lost to it; botnets; protecting your computer and your computing habits; and moving forward after being a victim. Watch all six episodes here!


Facebook Beefs Up Security

Wednesday, September 9th, 2009

In August, we wrote that the Canadian Government had given Facebook 30 days to comply with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act or enforcement by the Federal Court may be requested.

On August 27, the Office of the Privacy Commissioner held a news conference to announce progress in the Facebook investigation. Facebook has also released a news brief.

Facebook has announced that it will be making changes to its API, the interface third-party services use to request information from Facebook and its users. The changes would require application developers to specify which pieces of information they would like to access in a user profile and why. Users will also be able to deny access to specific pieces of information. Up until now, the nearly 1 million application developers had almost unrestricted access to profile information.

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

In the words of the Commissioner’s office: “To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third-party application, and for what reason.” Third-party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

I’m incredibly happy that the Canadian government undertook this privacy investigation. After all, the changes that Canada is requiring of Facebook will not only make the site safer for Canadians but for all Facebook users. These changes, and others requested by the Commissioner, may take months to implement. That said, the Privacy Commissioner is “satisfied Facebook is on the right path to addressing the privacy gaps on its site.”

For a full outline of the issues that the Canadian government brought up, and Facebook’s response, read here.

Celebrities to watch out for

Thursday, September 3rd, 2009

McAfee has released its annual report on the “Most Dangerous Celebrities in Cyberspace”, outlining how risky the names of Hollywood stars and starlets are on the web. You may be surprised to know, for example, that searching for Barack Obama is less dangerous than searching for celebrities such as Jessica Biel and Beyonce! I say surprised because all the hype and news reporting that surrounded the election and the economic crisis focused on the riskiness of the President’s name in malware attacks.

This report looks at searches for a celebrity’s name and how many of those searches land on a website that has tested positive for online threats such as viruses, spyware, adware, spam, phishing or other malware.

Jessica Biel was named as the Most Dangerous Celebrity in Cyberspace, with searches for “Jessica Biel”, “Jessica Biel downloads”, “Jessica Biel wallpaper”, or “Jessica Biel photos” having a one in five chance of landing on an unsafe website.

The top 10 most dangerous celebrities online are:

  1. Jessica Biel
  2. Beyonce (for second year)
  3. Jennifer Aniston
  4. Tom Brady
  5. Jessica Simpson
  6. Gisele Bundchen
  7. Miley Cyrus
  8. Megan Fox and Angelina Jolie (tie)
  9. Ashley Tisdale
  10. Brad Pitt

You can read details of the celebrities and why they’re risky here.

Image: Clipart

Do you use a master password in Firefox?

Tuesday, September 1st, 2009

Chad Perrin of TechRepublic has put together a fantastic how-to for using Firefox’s built-in password manager. The article shows you, step by step, how to set up a Master Password in Firefox.

Why use a Master Password? Using a unique, complex password for every website you use is the most secure way of accessing them, but then you’re likely to forget all of those passwords. By using the password manager in Firefox, you can store them all and remember only a single strong master password. Without a master password, the saved logins can be read by anyone who gets hold of your Firefox profile; with one, they are encrypted under a key derived from it.


This is something you can set up on either Mac or PC following the same instructions, although on the Mac you access the interface via Firefox > Preferences.

After you set up the master password, Firefox will prompt you for it the first time in a session that it needs a saved password, and the password store then stays unlocked until Firefox quits. For this protection to be useful, remember to quit Firefox whenever you leave your computer or whenever you’re traveling.

Caveat: Firefox’s password manager is not a fool-proof way of storing your passwords. If you want an even stronger solution, consider using a dedicated password manager such as Password Safe.

While you’re at TechRepublic, also check out the recent article about setting IT Security Policies.

Alternatives to Wi-Fi for Business Travelers

Friday, August 28th, 2009

Business travelers often put their data at risk by using public Wi-Fi access points, wireless networks that anyone can connect to. When you don’t have a wired network connection, connecting to a wireless network at random may not be your best alternative. It can expose you to malicious attacks and to anyone on the same network who wants to track your activity, including capturing private information such as passwords sent to sites that don’t encrypt their traffic.

In order to avoid the risks associated with unknown Wi-Fi networks, there are two solutions you can use.

USB Internet Stick

By connecting a special USB stick to your computer, you can have access to the web in the same way you would with an internet-enabled phone – via a cellular network. Most major cellular providers have one of these options, though they go by many names – in Canada, examples are the “Rogers Rocket Stick” or the “Bell Wireless USB Modem”.

Right now, Verizon is the only company offering a USB modem that will work in 175 countries (Windows only).

The upside: your traffic travels over the carrier’s network rather than a shared public access point, so it is more secure than open Wi-Fi.
The downside: it adds no security beyond that (your traffic is still only as protected as the sites you use make it), and most USB sticks are country-specific, making them impractical for international business travelers.

Virtual Private Network (VPN)

A VPN provides remote access to the business network. You connect to the Internet by whatever means you have available, wired or wireless, and then connect to the VPN. VPN technologies use tunneling to create the connection to the business network and encryption to keep what travels through the tunnel private, both on the way to the company network and beyond it. This means you can access company data as well as reach the Internet through this more secure connection.

A VPN uses various security mechanisms to protect these private / virtual connections. There are lots of vendors out there for VPNs, including the Cisco Easy VPN.

The upside: your traffic is encrypted between your laptop and the company’s VPN gateway, so outsiders on the local network can’t monitor your web use (the VPN protects you from the hotspot, not from the sites you visit beyond the gateway).

The downside: there are many technologies involved in choosing the right VPN solution for you. For some tips on choosing, visit here and here.
