Posts Tagged ‘Web Security’

How Scammers Are Abusing Twitter

Thursday, October 1st, 2009

Earlier this month we talked about “scareware”. One such attack was recently perpetrated through the popular social networking site Twitter. In fact, this week I have witnessed several different phishing schemes on Twitter.

1. Scareware Scam: Scammers were found to be using machine-generated Twitter accounts to post messages about popular topics. Each of these messages would include a link, often disguised using a link-shortening service (making it difficult to know where the link would lead). The link would lead to servers hosting fake Windows antivirus software.

2. DMs that Steal Logins: This second scam uses hacked accounts to send direct messages (DMs) to users. Clicking the link in the message takes you to a fake login page in a ploy to steal your login information. The scam then propagates to all the friends of the compromised account. Receiving direct messages with links from “friends” increases the likelihood that these links will be clicked.

3. Baiting Users: I have witnessed attempts by several auto-generated accounts to bait particular users. To do so, they will accuse the user of something, such as a political stance, in repeated @ messages. This will be retweeted or continued by a whole series of other accounts. In all cases, the accounts will have other “real” looking tweets with links in them, trying to bait you to check the account and click the links.

In reference to the second scam, I know of individuals who had their accounts breached without handing over their passwords, so it’s imperative that anyone who has received direct messages with links not click those links. If you do, change your password right away and contact Twitter support to report the issue.

I myself have been baited by many of these schemes, but I never click the links. Here, for example, is one a “friend” sent me yesterday:


If you are unsure about a particular link, don’t click it. If it is a shortened URL, you can see what it leads to with a service such as LongURL. If you use Firefox and want added protection from cross-site scripting attacks, you can install the NoScript plugin.

Via Mashable, Computerworld

Organizations Fail to Mitigate Security Risks

Tuesday, September 29th, 2009

The SANS Institute has just released the results of a comprehensive study on the topic of cyber security risks. The study is based upon prevention systems in 6,000 organizations and vulnerability data from 9 million systems. The study indicates that there are two major risks out there to organizations, both of which could be mitigated.

Cyber attacks are a growing issue for organizations of all sorts, with new and sophisticated attacks being created every day. Though organizations may have difficulty keeping up with the threat landscape, this study found that organizations are not doing what they could to mitigate the two largest risk areas. Specifically, client-side software remains unpatched, and websites are not being scanned for the common flaws that criminals use to exploit visitors to those sites.

Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access.

The ultimate goal of attackers is to steal information and to install “back doors” so that the attacker can return to further exploit organizational systems. The study found that major organizations take at least twice as long to patch client-side vulnerabilities as they do to patch operating system vulnerabilities. Addressing this single issue could drastically reduce your risk of being exploited. What this also means is that the question of Mac vs PC is not going to be your solution to mitigating risk, as these risks come from cross-platform applications and from the Internet.

The report, which is available here, targets major organizations who want to ensure their defenses are up to date. The report shows some interesting patterns to data and includes a tutorial on how some of the most damaging attacks actually work. You may find it handy to print this report off to study the graphs in detail.

5 Facebook Scams to Avoid

Friday, September 25th, 2009

We’ve been talking a lot lately about Facebook, particularly as Facebook aims to improve its security and privacy measures. A new article from Switched has laid out 5 common Facebook social engineering scams and how to avoid them. It’s a great primer on how to avoid being duped by any scam.

Aside from never clicking on suspicious or shortened links from friends (unless you expand them first), the article outlines these 5 common scams and how to avoid them:

  1. 419 Scams – your friends’ accounts may be hijacked if you receive any message from them claiming to be desperate for cash. Always talk to your friend by some non-web-based means to confirm whether they really are in need first!
  2. Hidden Fee Apps – you should never have to submit your cell phone number or other personal information in order to unlock features or receive quiz results from any application.
  3. Fake Login Pages – they may look real, but if you get an email asking you to log into Facebook, make sure you’re actually at Facebook, not following some link (particularly if the link leads anywhere other than Facebook.com).
  4. Malware Links – if you receive messages from friends with links, beware. There is a chance that the account has been hijacked and you’re being sent to malicious sites that could then steal any personal info on your computer.
  5. Facebook Apps that are Malware – yes, even the applications themselves can be dangerous! Some may even mimic valid applications, sending you realistic messages such as a notification that someone has left a message on your wall. As with #3, their goal is to get you to a fake login page. So, look for anything weird in these emails (odd icons, poor grammar, invalid links).

There are many websites featuring this list. For more comprehensive details about these scams and how to avoid them, you can check out PC World. Another variant of the same theme can be found at CSO Online, which also includes tips to avoid Twitter scams.

If you do find yourself a victim of a scam on Facebook, it’s best to alert Facebook administrators with all of the details of the scam.

Watch The Full H*Commerce Series

Tuesday, September 15th, 2009

A few months ago we mentioned that McAfee had launched a new web series called H*Commerce: The Business of Hacking You. That web series has now put out all of its 6 episodes, each one involving real people doing normal online activities that result in them being targeted by cyber criminals. The series calls on a number of experts in the field to describe cyber crime, how it happens, and what the outcomes are.

The topics covered in the six episodes include:

  • the history of H*Commerce
  • email scams and 419 scams that involve money transfers
  • how the ease of the Internet helps H*Commerce
  • people trying to help stop this scamming and social engineering
  • the reality of H*Commerce and how much is lost to it
  • information on botnets
  • protecting your computer and your computer habits
  • moving forward after being a victim

Watch all six episodes here!


Facebook Beefs Up Security

Wednesday, September 9th, 2009

In August, we wrote that the Canadian Government had given Facebook 30 days to comply with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act or enforcement by the Federal Court may be requested.

On August 27, the Office of the Privacy Commissioner held a news conference to announce progress in the Facebook investigation. Facebook has also released a news brief.

Facebook has announced that it will be making changes to its API, the interface third-party services use to request information from Facebook and its users. The changes would require application developers to specify which pieces of information they would like to access in a user profile and why. Users will also be able to deny access to specific pieces of information. Up until now, the nearly 1 million application developers had almost unrestricted access to profile information.

As many have rightly pointed out, it seems contradictory to participate in a social network and to then attempt to restrict access to some or all of your personal information.

To us at the Office, users should have the chance to find out what information is being collected by the social networking site or a third-party application, and for what reason. Third-party applications have long been a concern to members of the privacy advocacy community, since they have had relatively free access to the information stored in your Facebook profile.

I’m incredibly happy that the Canadian government undertook this privacy investigation. After all, the changes that Canada is requiring of Facebook will not only make the site safer for Canadians but for all Facebook users. These changes, and others requested by the Commissioner, may take months to implement. That said, the Privacy Commissioner is “satisfied Facebook is on the right path to addressing the privacy gaps on its site.”

For a full outline of the issues that the Canadian government brought up, and Facebook’s response, read here.

Celebrities to watch out for

Thursday, September 3rd, 2009

McAfee has released its annual report on the “Most Dangerous Celebrities in Cyberspace”, outlining how risky the names of Hollywood stars and starlets are on the web. You may be surprised to know, for example, that searching for Barack Obama is less dangerous than searching for celebrities such as Jessica Biel and Beyonce! I say surprised because all the hype and news reporting that surrounded the election and the economic crisis focused on the riskiness of the President’s name in malware attacks.

This report looks at the searches of a celebrity figure and how many of those searches land on a website that’s tested positive for online threats such as viruses, spyware, adware, spam, phishing or other malware.

Jessica Biel was named as the Most Dangerous Celebrity in Cyberspace, with searches for “Jessica Biel”, “Jessica Biel downloads”, “Jessica Biel wallpaper”, or “Jessica Biel photos” having a one in five chance of landing on an unsafe website.

The top 10 most dangerous celebrities online are:

  1. Jessica Biel
  2. Beyonce (for second year)
  3. Jennifer Aniston
  4. Tom Brady
  5. Jessica Simpson
  6. Gisele Bundchen
  7. Miley Cyrus
  8. Megan Fox, Angelina Jolie
  9. Ashley Tisdale
  10. Brad Pitt

You can read details of the celebrities and why they’re risky here.

Image: Clipart

Do you use a master password in Firefox?

Tuesday, September 1st, 2009

Chad Perrin of TechRepublic has put together a fantastic how-to for using Firefox’s built-in password manager. The article shows you, step-by-step, how to set up a Master Password in Firefox.

Why use a Master Password? Having unique and complicated passwords for all the various websites you use is the most secure method of accessing them. But then you’re likely to forget all those passwords. By using the password manager in Firefox, you can store all those passwords, and just remember a single unique password.


This is something you can set up either on Mac or PC following the same instructions, although on the Mac you would access the interface via Firefox > Preferences.

After you set up the password manager, you’ll be required to enter the master password whenever you start up Firefox. In order for this security to be useful for you, remember to quit Firefox whenever you leave your computer or whenever you’re traveling.

Caveat: using Firefox is not a foolproof method for storing your passwords securely. If you want an even stronger solution, consider using an external password manager such as Password Safe.

While you’re at TechRepublic, also check out the recent article about setting IT Security Policies.

McAfee 2009Q2 Threat Report

Wednesday, August 19th, 2009

McAfee has released the Q2 Threat Report for 2009, which indicates that spam volumes have gone up by 141% since March, making this the “longest ever streak of increasing spam volumes” on record. The Q1 threat report, discussed here, indicated that cybercriminals had taken over almost 12 million new IP addresses (zombies) since January, a 50% increase over 2008. This record has now been broken: Q2 set a new record for zombie computers levels, at nearly 14 million.

In addition to spam volumes, the Q2 report looks at some new trends and threats, as well as the continuing trends of cybercrime as a service and cybercriminals targeting social networks. Indeed, a major attack was launched against Twitter and Facebook just this week.

Key Findings from this Threat Report:

  • > 14 million computers have been enslaved by cybercriminal botnets (16% increase over Q1)
  • Spam has risen 80% in this quarter, over Q1, with June beating the highest ever recorded spam level
  • Spam comprised 92% of all mail, also setting a new record high
  • Over a 30-day period, AutoRun malware affected more than 27 million files, making it one of the most prevalent pieces of malware in the world (with a detection rate higher than Conficker’s)
  • There were nearly 14 million new zombies in Q2, also a new record. Computers in the U.S., China and Brazil lead for zombie figures.

Download the Q2 Report here [PDF].

Have You Checked Your Password Strength?

Friday, August 14th, 2009

After reading a very good article recently about the importance of strong passwords, I thought I’d put together a simple post to ask – have you checked the security of your passwords lately? Are they strong enough?

The easiest way to check your password strength is to use Microsoft’s Password Checker, which will tell you if your password is strong enough. It doesn’t guarantee that your password won’t be hacked, but knowing your password is as strong as it can be is one simple step you can take to protect your personal information.

Here’s me checking one of my passwords:


If you don’t hit the ‘best’ level in the password strength meter, consider changing your password. You can follow the tips Microsoft lays out here, or read more in the article referenced above on Windows Secrets.

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement about Facebook and its compliance with Canadian privacy laws. The statement is the result of a study into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act. These aspects included default privacy settings, collection and use of personal information, and disclosure of personal information to third parties. Some of the findings concluded that the allegations were not well-founded, while others were supported.

As a result of the report, Canada has released its Report of Findings and its request that Facebook strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information after it is no longer necessary to meet appropriate needs (to comply with Canadian law)

Facebook made some improvements to their privacy measures when provided with an interim report; they now have 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek that the recommendations be enforced. So, it may be that Canada’s report helps to strengthen Facebook privacy standards for all Facebook users!

Via Internet Evolution
