Sunday, November 11, 2007

How not to be left holding the bag after Internet crime 

What do crooks do when they steal someone's online banking password?

They don't want to transfer money to their own accounts directly and leave an arrow pointing straight at them. Instead, they launder the money through intermediaries. Sometimes they're not honest about recruiting their mules; imagine that.

The scam, a truly poisonous one, is to advertise a job handling financial transfers. The pitch is that you get money into your bank account, forward it to a Western Union destination or something of the sort, and keep a commission. The reality is that you're receiving money stolen from someone else's account, forwarding it to criminals, and profiting from the crime. This could be hard to explain to the authorities.

A fellow in the UK is making a hobby of exposing money transfer fraud. He gives many examples of the dishonest advertising and tips on avoiding it (no legitimate business wants to transfer money to your personal bank account, and be real: you're not getting job offers in spam).

I found this link via the folks at anti-virus firm F-Secure, who have a video about recruitment of money mules.


Saturday, November 10, 2007

Computers and voting -- what can happen by accident

Test data got mixed up with real data in Rockville, Maryland, where voters whose house numbers began with 5 got marked as absentee voters. They couldn't vote at the polls until an emergency fix.

The lesson here is that procedures and processes are real and they matter.


Electronic voting in New York 

The state of New York did its own review of voting machines and didn't want to accept any of them.

Which should be the end of it, right?

Not so fast, says the federal Department of Justice, which is taking New York to court trying to force them to use the machines they had rejected: Information Week article about e-voting in New York.


Saturday, November 03, 2007

Mac users: upgrading to Leopard? 

There are reports that the upgrade process turns off the firewall. Take a second to check it after you install Leopard.


Cluefulness on e-voting in Ohio 

Ohio's Secretary of State Jennifer Brunner is spending $1.7 million for independent security reviews of voting machines.

That's the sort of scrutiny everyone should give them, but there's a fundamental problem not being addressed. Finding bugs and fixing them when they're found barely works for normal software, and if you try it with security-critical software you'll wind up with problems even after a review. Security has to be designed in from the start.


When to fire your security people 

I usually like Jon Espenschied's writing.

How to spot and deal with rogue employees.


Can you spot a bogus web address? 

Carnegie Mellon University has developed a video game to teach people to avoid phishing.

In the game, you're a fish (phish?) swimming around in a pond full of worms. Hold the mouse over a worm, and a URL comes up (just like you can hover the mouse over a link and see the web address it goes to). Then you decide whether to eat the worm or swim past it. If the web address is bogus, you get hooked. You can ask for advice at any point in the game.

This is fun, and useful, but I'm not sure it's teaching the right thing. No matter how good a URL looks, if you saw it in random email telling you to log in and "verify your account", it's still going to be a trick of some kind.

They also have sharks swimming around trying to eat you, which is just a distraction and doesn't have much to do with the real Internet, where you should take all the time you need to make a security decision.


Are you still hesitating about the iPhone security upgrade? 

One of the problems it fixes could become a biggy. There's a Bluetooth security bug in the iPhone which could let anyone within Bluetooth range take over your phone. The reason to worry is that the details of how to do it are known, so it's just a matter of bad guys deciding to do it. They'd rather attack millions of computers at a time than take over phones one at a time, but I'm sure they've thought of writing a worm that would spread from iPhone to iPhone.


How much is your email password worth on the black market?

Anywhere from a dollar to $350, according to a report on password theft from security firm Symantec. That's almost as much as bank account details (up to $400).

The article doesn't say why it's so much, but my guess is that it's because of all the password reset mechanisms that email you a new password or a link where you can change it. Someone who can log in to your email can use that to get access to almost anywhere that you have a password.

So if you do write your password down, something I've been known to recommend, then be sure to keep it someplace where you'd be comfortable keeping $350.


I need to change some earlier advice 

Remember I said to stay out of bad neighborhoods on the web?

According to antivirus firm Sophos, 80% of the web sites that try to take over your computer weren't malicious to begin with. Instead, they were legitimate sites that have been taken over by criminals.

Which invites the question of just how to protect yourself. Keeping up with security patches to your browser is effective. Running NoScript in Firefox takes away many chances for you to get hit.


Friday, November 02, 2007

Can you expect your email to be private? 

"...the government is seeking to eliminate any Constitutional privacy interest in e-mail."

So says Mark Rasch, whom I've quoted before. According to his bio, "SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit".

The quote is from a long but informative analysis of a court case about email privacy.

He says the government's legal arguments go way beyond being able to secure evidence in an investigation:
What is silly about this is the fact that, at least for the government, the argument is unnecessary. The Fourth Amendment protects against "unreasonable" invasions of privacy interests. The government could effectively argue that, by obtaining a subpoena or other court order for the records which are relevant to a legitimate investigation, the search or seizure is reasonable, and therefore comports with the Fourth Amendment. All subpoenas and demands for documents infringe some privacy interest, and unless overbroad, they are generally reasonable. The statute which permits government access to stored communication pursuant to a mere subpoena may likewise be perfectly reasonable and may withstand constitutional scrutiny. But that doesn't mean that the Constitution doesn't apply.


Mac users, you are being targeted now 

No matter whether a platform is "secure", if you download malicious software it can make your machine do things you don't want.

There is a Trojan Horse program in the wild for Mac OS X. It pretends to be a Quicktime codec that you're supposed to install to be able to watch porn videos. Lures like that have been common in the Windows world for years.

Several security experts expect that this is just the first and that Macs will become regular targets.

Mac users, be as street smart as Windows users. If a porn site asks you to download software, don't trust them.


Thursday, November 01, 2007

Physical security: pickpockets 

One guest at the security conference I just attended was Bob Arno, whom you may have seen on TV. If you haven't, you could call him a white hat pickpocket. He lifts things from people as a comedy act, studies real pickpocket techniques, and consults to travelers and law enforcement.

He invited some people up to the front of the theater and made their belongings disappear. One victim left without his necktie. Another had his watch removed and he didn't notice. Bob Arno gave it back, and as the victim was leaving, Bob Arno gave it back again, having lifted it a second time.

He also worked the seated audience, acting friendly and seeing what he could get away with. He's a good observer, and homed in on the audience members who were paying more attention to their own thoughts than to their surroundings. Like me.

He closed in acting all hail-fellow-well-met, but also crashed through my personal boundaries and grabbed the hand that he wasn't shaking. I let myself react as I'd been taught in a self-defense class. I shouted for him to leave me alone. Several audience members commented on it afterward. I said to one "I must have sounded like a bag lady", and he said "well, a little".

Bob Arno told me that I'd done everything right and said "Have you ever been to Moscow or Rome?".

He showed hidden-camera videos of pickpockets in action and talked about how he's made friends with pickpockets around the world. (He likes to let his pocket get picked, quietly follow the pickpocket, lift the pickpocket's cell phone and then approach smiling with an offer to trade the phone for his wallet). A few important things you should know:


Physical security: locks 

I just went to a security conference, where among other things a Boeing security expert named Keith Turpin demonstrated attacks on physical locks.

In case you haven't been following the news, it takes only a little skill to open a normal lock without a key in seconds. He ran through a set of padlocks, door locks and luggage locks. The combination padlock he opened faster than I could have opened it with the combination. Basically, if you paid less than three figures for the lock on your front door, it's just a speed bump to someone willing to invest time in a little practice.

Which was already fun to watch, when someone dropped by and said "That's a really good bump key". Turns out he was one of the experts on the subject.

Which gave me a chance to ask a question that's been on my mind.

Earlier this year an attorney and lock expert named Marc Weber Tobias disclosed a way to attack high-security locks from Medeco. This caught my attention because that's what I have on my front door. In August, Medeco was reported to be making some design changes to address the problem. I've been wondering whether those changes have made it out to retail locksmiths yet. I made the mistake of asking my locksmith about that.

My locksmith, despite three attempts on my part to explain that Medeco was aware of a problem and had made a design change to fix it, gave me an endless (and in my opinion patronizing) lecture about the security features of a Medeco, things that I had known before I bought one.

The expert at the security conference was able to give me an instant answer to the question my former locksmith had failed to address. It turns out that if you buy one of the Medecos that's available at retail today, you are in his words "golden".


How good is Consumer Reports's security advice? 

Their September 2007 issue has 19 tips for avoiding infections, scams, and identity theft. Their advice is only about protecting yourself online. Remember that your single best defense against identity theft is a shredder.

How good is their advice? Pretty good, though I take issue with a few things. Let's go over it point by point.
1. Turn on built-in protection

They mean things like the firewall in your operating system and the spam blocker in your email program. Good advice, but I have no clue what they mean in the details when they say the Mac firewall is "lacking". They recommend a third-party firewall for Windows called ZoneAlarm, which is good if a little geeky, but recommend that you get it from Go to instead. It's usually better to get your software as close as possible to the original source.
2. Use automatic updates

This one's really important and it works. I just heard a guest lecture in a class I'm attending by someone who's studied malicious web pages. He found that browsers that were completely up to date with security patches were immune to all the attacks he found in his research.
3. Upgrade

They're right here too. Vista has some real security improvements over XP, and Firefox 2 is better than Firefox 1.5. But be careful: upgrades can make other things worse.
4. Install a browser toolbar

Ennh. There are a few browser toolbars that are from good guys, but even those have issues. One of them warns you about phishing sites but also transmits your search history to the company that provides the toolbar. That may be OK with you but don't install blindly.
5. Turn off your computer when not in use

No. It makes sense in theory, except that my firewall blocks multiple attacks every minute, so there's no real protection from turning off your computer. Using it at all means you either have an effective firewall or you get attacked.
6. Use public computers with care

They may be infected with programs to steal passwords. That's happened in real life. Beware of checking email from a Wi-Fi hotspot: by default, most email programs log in over the air with an unencrypted password. Anyone else at the hotspot can see that password.
7. Consider a Mac

I'm happy with mine, but Apple hasn't been improving security as fast as Microsoft. Macs are less of a target today, and as my friend Steve Stroh says, "I'll take that!", but all it takes is for criminals to start aiming at Macs and that advantage could disappear overnight.
8. Be careful about downloading free stuff

Yes, but one of the places they listed as a reputable source of free downloads has distributed spyware in the past.
9. Consider a protection suite

Except some of the ones they recommend have poor reputations among people who repair infected PCs, and standalone products can be superior.
10. Run antivirus software

11. Run two antispyware programs

That's because none of them come close to 100% detection, which means that two of them together won't catch everything, which means you should avoid downloading electronic junk food anyway.
12. Use disposable email addresses to make spam easier to block

I use Sneakemail addresses for things like product registration and message board signups. Each one gets a different address, and if one sells my address to a spammer I can turn off that address without affecting other email. I've only had to do that once, however.
13. Use a credit card

Debit cards are pretty hazardous for online use.
14. "Secure" sites may not be safe

That padlock in your browser means (if everything works) that the site has proven they're who they say they are and that your traffic is protected from eavesdropping. It's not a Good Housekeeping seal of approval and the site could still be crooked.
15. Protect your personal information

Consumer Reports says "never" respond to email that asks for account numbers, passwords and the like. At the very least I'd say treat them with suspicion and double-check.
16. Don't follow hyperlinks from email

There are many things that can go wrong, and you can't be sure that email is from who it says it's from, but it's really hard to explain what's safe and what isn't.
17. Beware of typo-trapping sites

Yes to this one. Once upon a time, was a porn site. Disney's lawyers took care of that in short order, but crooks still register misspellings of common site names. Type carefully, like CR says, or better yet use a bookmark.
18. Report phishing

That's good citizenship, not safety.
19. Review your accounts regularly

CR says to check bank and other statements as soon as they come in. I say check them online more than once a month.
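
Tip 17 and the phishing game described earlier both come down to the same question: is the address really the site you think it is? As an added example (not from Consumer Reports or the original post), this Python check compares a URL's actual host with a bookmark list and flags near misses; the bookmark names, sample URLs and the two-slip threshold are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed bookmark list; the .example names are placeholders, not real sites.
BOOKMARKED = ("mybank.example", "shop.example", "webmail.example")
MAX_SLIPS = 2  # assumed threshold: how many typing slips still count as a near miss


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap neighbours) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url):
    """Return 'bookmarked', 'lookalike of <site>' or 'unknown' for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    for site in BOOKMARKED:
        if host == site or host.endswith("." + site):
            return "bookmarked"
    for site in BOOKMARKED:
        if edit_distance(host, site) <= MAX_SLIPS:
            return "lookalike of " + site
        # Trusted name shows up in the address, but the browser would connect
        # somewhere else (name placed before '@' or in front of another domain).
        if site in parts.netloc.lower():
            return "lookalike of " + site
    return "unknown"


if __name__ == "__main__":
    for url in ("https://www.mybank.example/login",   # constructed samples
                "http://mybnak.example/login",
                "http://mybank.example@203.0.113.7/verify",
                "http://mybank.example.account-check.test/",
                "https://news.test/story"):
        print(f"{classify(url):30} {url}")
```

An "unknown" result only means the address isn't a near miss of anything on the list; it says nothing about whether the site is safe.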


Please don't buy from spam 

I just dug down through my piles of paper to the September 2007 Consumer Reports. They surveyed people about computer security issues and spam. Extrapolating from their survey results, they figure that in the month before their survey about 650,000 people ordered something from a spam email.

Not only were those people helping support the criminals who are destroying email (about 95% of all email is spam now, so all email infrastructure has to handle 20 times the volume it would if all email were legitimate), but why do business with a criminal at all?

If it's spam, it's a scam.

