Archive for the ‘Security’ Category

The little slip reveals the fraud

12 Oct 2009 16:55 by Rick

Today I had an inbox full of messages apparently from HM Revenue and Customs. Following one link (not something I recommend unless you know what you are doing) took me to a very realistic-looking government site:

[Image: fake IR web page]

Just one little slip – “federal taxes”! The link is a Windows executable, which probably installs some rubbish on your system.

Facebook Spam

10 Oct 2009 08:01 by Rick

This is a new phenomenon (at least for me). What the rogues are doing is getting into Facebook accounts, I don’t know whether by signing up or by hacking someone else’s. Then they go to Friends ==> Invite Friends and paste in their spam email list. I know that this must be the case because I have had invitations at addresses that I haven’t used for years but which are popular with spammers.

What you receive is a message with the title “Reminder: <some name> invited you to join Facebook” from someone you have never heard of, with a selection of “other people you may know” whom you have also never heard of. The problem is that, by the time it arrives, this is a legitimate Facebook email, and so it pollutes your spam trap system.

The motive? The only one I can think of is a rather elaborate scam involving Facebook reputation. By getting you as a friend they can see your friends. Now that they “know” you they can invite your friends to become their friend and so integrate themselves into your community. There is a chance that they may come across one who is less than careful with their private information and may manage to get into other accounts. Another tack is to use that reputation to send a “Help! I am stranded in Nigeria and my passport and wallet have been stolen, can you wire me some cash to get home?” type of message.

WPA/TKIP broken

2 Sep 2009 09:19 by Rick

For those of you with wireless Internet at home who have only just got around to not using WEP encryption because it was seriously broken, I’m afraid you can’t rest there. It has been announced in Japan that it is possible to break WPA/TKIP encryption in under a minute. Not in a way that recovers the key, but enough to insert bogus messages into the stream and compromise your traffic.

So, if your hardware has the capability (and that is always the problem), switch over to WPA/AES or WPA2 as soon as possible.
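If your access point is configured from a text file rather than a consumer router’s web page, the weak and the corrected settings look like this. This is an added example and not part of the original post; the key names are hostapd’s (wpa, wpa_pairwise, rsn_pairwise), the two configurations are constructed for illustration, and the audit function is my own.

```python
# Added example: audit a hostapd-style access-point configuration for the
# TKIP cipher the post warns about.  The two configs below are constructed
# samples; the key names are hostapd.conf's.

WEAK_AP = """\
ssid=home
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

# wpa=2 selects WPA2 (RSN) only; CCMP is the AES-based cipher.
FIXED_AP = """\
ssid=home
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

def parse_conf(text):
    """Turn key=value lines into a dict, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means WPA2 with AES only."""
    conf = parse_conf(text)
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("no WPA at all (open or WEP)")
    if wpa in ("1", "3"):          # 1 = WPA only, 3 = WPA and WPA2 both accepted
        findings.append("WPA (version 1) still accepted")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = conf.get(key, "").split()   # a list such as "TKIP CCMP" allows both
        if "TKIP" in ciphers:
            findings.append(f"{key} allows TKIP")
    return findings

if __name__ == "__main__":
    print("weak :", audit(WEAK_AP))
    print("fixed:", audit(FIXED_AP))
```

Note that a “mixed mode” setting (wpa=3 with TKIP listed alongside CCMP) is flagged too, because a client can still be talked down to TKIP.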

ID Card Victory?

1 Jul 2009 14:05 by Rick

The Home Secretary, Alan Johnson, announced yesterday that there was to be a change in policy and that Identity Cards were no longer to be made compulsory for any UK citizens. This would abandon the trial for air-side staff at airports. They would, however, become compulsory for foreign nationals, and the voluntary scheme was to be sped up.

Does this make sense? Not really, as foreign nationals should have their own passports anyway so an additional card won’t make a lot of difference. There may be more of a case for people who have “mislaid” their papers.

Is this a victory? Well, partially. It is a clear indication of steady back-pedalling by the government on the policy. You can no longer be required to produce a card if there is no requirement to have one. There will no longer be an issue with lost or damaged cards or fines for failure to register.

However, there was no mention of the back-room ID Register. This will remain and be populated with information from passport applications. There is no indication that the amount of information required here will be relaxed at all. A passport, in theory, is voluntary but, if they can argue that digital television and broadband access are essential for daily living, then I can hardly see that passports can be regarded as optional.

My old (pre-blog) article on the issues is still largely relevant, as, of course, is No2ID.

Facebook Regional Networks

22 Jun 2009 10:56 by Rick

Facebook have announced that, over the next few weeks, they will be discontinuing the system of regional networks. These are the ones based on countries, states and cities; so, for instance, I am in a network for “Bristol.”

Ever since I joined (only a few months ago) they have been next to useless. What is the point in suggesting that such-and-such a person also lives in Bristol and perhaps I know them?

The bad news is that, when they remove them, your privacy profiles will change. All the permissions that used to say “My Networks and Friends” will be automatically changed to “Everyone,” which may not be (and probably won’t be) what you would like. So go into Settings ==> Privacy Settings now and change them. Educational and work networks will remain, so you can connect to and use those instead, though saying I should know everyone who ever went to Bristol University is just as daft.

Facebook Privacy

11 Jun 2009 08:59 by Rick

I trust that those of you who have signed up for Facebook (and other similar) accounts have looked carefully at all the options and have decided who should be able to see what aspects of your profile. I also hope that you only accept as friends people that you really know in the “real world,” because “friend” status gives them greater access to your profile and access to your other friends. This can be misused to create a false web of trust.

Yet I see a surprising number of dubious applications, polls and quizzes come up on my wall. When you first connect to one of these, whether as an active initiator or in response to a friend’s invitation, you are presented with an acceptance screen headed “Allow Access?” which clearly says:

Allowing <whatever application> access will let it access your Profile information, photos, your friends’ info and other content that it requires to work.

Read it again until it sinks in—not only are you giving the application access to your profile which you have carefully edited but also access to those of your friends who may not have been so careful. Think of it as handing over your address book, birthday book and diary. You can see this happening when you are in some applications; the profile photos of your friends pop up suggesting that you invite them to join in.

The Facebook terms of service, to which the application writers are supposed to adhere, are quite clear that this information can only be used for the purposes for which it was given (like the example above), but do you suppose that they all stick to this? A recent study at the University of Cambridge (sorry, the article is rather technical) reveals that quite often the information is passed on to advertisers and from there, who knows where it goes. It becomes quite easy for a third party to collect a dossier of inter-relationships and enough personal information to, for instance, crack commonly used passwords.

So now you know why I haven’t responded to many of these invitations—so far only two that I trust and one daft one before I realised what the implications were.

And how much do you trust Facebook itself? If you use it at all then you have to, and in most cases this should be OK. There would be a terrific scandal if it was found to be deliberately misusing its customers’ information. Yet there are some strange things going on. Early on I took advantage of the offer to scan my email address book for possible friends. I did this very carefully and selected only those that I wanted to invite for follow-up. Yet I am still, some months later, being invited to add some of the others as friends; it still knows that I am acquainted with them even though I didn’t initially add them to my friends list. It is in my dossier somewhere!

Phishing Phone Call

9 May 2009 11:00 by Rick

This morning we had an automated phone call, one of those that is generated by computer, apparently from our credit card company. It knew the name on the account and asked us to ring back on a given number regarding the security of our card.

The first problem, as this was a call out of the blue, was that we had no pen to hand to write down the number even though it was repeated. We checked the source and it was an unknown (to us) 0845 number.

But secondly, how were we to know that the call came from the bank in the first place? The name of the account is on the card and the name of the bank can be deduced from the first few digits of the card number. Anyone we had made a transaction with could have discovered those details.

As it happens it was from our bank—I discovered this by ringing our normal telephone banking number and getting put through to the fraud department. It was an out-of-the-ordinary transaction they were worried about which, in fact, was legitimate. I am pleased with their diligence in bringing it to our notice.

The right way to have worded the phone call was to ask us to ring the number printed on the back of the card or statement and either use a code for the automated routing system or tell us to ask for a particular department. That way we don’t have to find a pen to write anything down and we can be certain that we are really ringing the bank.

A test for the Conficker Worm

3 Apr 2009 09:31 by Rick

All the hype about Conficker/Downadup on April 1st was no more than that. It wasn’t a day when you were going to get infected; rather, if you were already infected, that was the day it would become active in whatever it was going to do, e.g. spam.

In practice, because of the way it was propagated, home users were less likely to be affected anyway, as it used corporate networks, though there was some risk from USB memory sticks. Also, well over half of the world’s affected machines were in areas where they take little notice of licensing and were using cracked copies of Windows.

Anyway, there is quite a simple way to discover if you are affected. Visit this Conficker Eye Chart and follow the instructions; it is very easy. It is not 100% guaranteed, because proxy servers can make things seem OK when they are not, but it is a good start. As a second test, go to your anti-virus supplier’s web site. If you can get there and read a sample of the pages then you are almost certainly NOT infected.

AVG 8.5 Free is here

30 Mar 2009 19:07 by Rick

This caught me a bit by surprise, as we use the paid system on most of the machines I manage and, on there, the update is automatic. However, if you use the free version then you will soon be getting update suggestions. There doesn’t seem to be a time limit yet, unlike last year’s debacle, so there is no panic, but it will need to be done sometime. It looks quite stable and, as I said, has been on the paid version for a little while.

To get and install it, you need to navigate through their site. You don’t want the free trial versions, you need the real free version, the one they call Free Basic Protection. From then on the install is just like version 8 which I documented last year, except there may be a few fewer questions to trip you up. If you have disabled the link scanner in the browser, it doesn’t seem to get reset or maybe it is not used any more, I am not sure.

Bulk eMail

9 Mar 2009 17:33 by Rick

Do you send bulk eMail? Are you sure? What about the coffee rota or the minutes of the Squash Club committee meeting? I am not talking Mega Company marketing circulars here (that’s David’s job) but the little things that go to a modest number of people—this is addressed to you.

When you make up the circulation list, whether in an organised address book list or an ad-hoc list just typed into the field, DON’T put them in the “To:” or “Cc:” line—use “Bcc:” (blind copy)! As there ought to be a “To:” address, make that yourself—it will confirm that it went out OK when you get yours back.

This is first of all plain courtesy, as not everyone wants their eMail address widely published, and they gave it to you on the assumption that you would look after it. But secondly, if any one of the machines belonging to the people on your circulation list is compromised, then all the rest of you will be bombarded with spam.
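For anyone who sends the coffee rota from a script rather than a mail client, this is what the advice above looks like in code. It is an added example, not part of the original post: the sender and recipient addresses are constructed, and the helper names are my own; only Python’s standard email library is used.

```python
# Added example: build a circular the way the post recommends, with yourself
# in To: and the whole list in Bcc:, then check that the headers that would
# actually be transmitted do not reveal the other recipients.
import copy
from email.message import EmailMessage
from email.utils import getaddresses

def build_circular(sender, recipients, subject, body):
    """Only the sender appears in To:; the circulation list goes in Bcc:."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                 # your own copy confirms it went out OK
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def envelope_recipients(msg):
    """Everyone the SMTP server is asked to deliver to (To, Cc and Bcc)."""
    fields = [msg.get(h) for h in ("To", "Cc", "Bcc") if msg.get(h)]
    return [addr for _, addr in getaddresses(fields) if addr]

def on_the_wire(msg):
    """The message as it should leave the client: Bcc: header stripped.
    smtplib.send_message() does this itself; reproduced here for inspection."""
    wire = copy.deepcopy(msg)
    del wire["Bcc"]
    return wire.as_string()

def leaked_addresses(wire_text, recipients):
    """Recipients visible in the transmitted message; should be empty."""
    return [r for r in recipients if r in wire_text]

if __name__ == "__main__":
    # Constructed sample circulation list.
    me = "rick@example.org"
    committee = ["alice@example.org", "bob@example.net"]
    msg = build_circular(me, committee, "Coffee rota", "Who is on next week?")
    print("deliver to:", envelope_recipients(msg))
    print("leaked    :", leaked_addresses(on_the_wire(msg), committee))
```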
