702 ABC Mornings – Hacking 102

This month’s 702 Sydney tech spot looks at how security is evolving

A number of callers asked about protecting their Facebook pages and information from hackers and spammers. Details are on the Netsmarts webpage.

On 702 Sydney Mornings with Linda Mottram, we’re revisiting security and how it affects businesses and consumers after some stories of serious security breaches in everything from shops to pacemakers.

We’re looking at some pretty important issues, including how four million hotel locks are open to hackers and thieves.

Even more scary is the risk that pacemakers can be hacked. This story is a cautionary tale of good intentions being brought undone by bad security practices.

For businesses, the risk of having customers’ credit card details hacked is a serious issue. Two years ago the US fast food chain Subway had a major breach when criminals managed to break into franchisees’ Point Of Sales systems.

Recently the Australian Federal Police broke up a similar crime gang operating out of Romania.

A misconception about computer security is that all hackers are evil. The reality is most aren’t and a good example of this is Random Hacks of Kindness where geeks get together to find ways of using tech to improve society. We’ll look at last weekend’s Melbourne event.

Join us on 702 Sydney from shortly after 9.30am. We’d like to hear your views, comments or questions so call in on 1300 222 702 or SMS on 0467 922 702 or tweet with @702Sydney in the message.

Social malware and cunning tricks

Malware writers are moving onto using social media apps to harvest addresses and personal information.

Last week an interesting media release from anti-virus company Bitdefender appeared in the inbox describing a tricky little scam that promises to change Facebook page colours but actually grabs a user’s information to set up fake blogs associated with the victim’s email address.

Those fake blogs in turn link to a working from home scam, the type which are becoming depressingly common online. No doubt the malware authors have some sort of interest in that scheme.

What makes this malware interesting is how it brings together a range of opportunities for the malware writer – social media, apps, data aggregation, identity spoofing and the Ponzi affiliate schemes that are prevalent as people try to find new ways to supplement their income.

Many people say “I’d never get caught by these scams” but the reality is the scammers are rat-cunning, if not clever. Assuming you’re immune to these because you’re too smart, or you use a Mac or there’s nothing of value on your computer is a risk in itself.

Here’s the media release from Bitdefender.

Google Chrome App grabs identities, forges blogs in victims’ name to promote scam

Bitdefender catches Facebook colour scam with both hands in cookie jar

SYDNEY/AUCKLAND November 19, 2012 – A Google Chrome app that promises to change the colour of Facebook accounts instead nabs authentication cookies and generates dozens of blogs registered to the victims’ Gmail address, in a new scam analysed by Bitdefender, the leading global antivirus company.

Once the malicious app is installed from Google’s Chrome Web Store, it starts displaying a large Google Ads banner redirecting users to a “work from home scam.” When clicking the sign-up link, users are redirected to a fraudulent website.

“Scammers gave a new twist to the old change-your-Facebook-colour scheme that’s been luring users to fraudulent websites to grab credentials and other sensitive data,” says Chief Security Strategist, Catalin Cosoi. “By creating dozens of blogs for a single account, the scam spreads like wildfire among Facebook friends.”

The blogs generated under the email address of the victims, which are used in further disseminating the scam, have registered a large number of hits among users in the US, the UK, Germany, Spain, Romania, and other countries.

The app can also post wall messages on the victims’ account. The messages use friend tagging to convince the victim’s friends to visit the blog domains. Each time the app posts on a user’s timeline, it links to one of the auto-generated blogs so as to avoid blacklisting.

Bitdefender encourages users to use an antivirus solution and the free application Safego, which protects Facebook and Twitter accounts from scams, spam, malware and private data exposure.

Tracks in the ether

Smartphones, the web and tracking technologies are giving governments and businesses more power than ever.

Bureaucrats dream of tracking every person or asset under their purview, and the rise of technologies like smartphones, Global Positioning Systems (GPS) and Radio Frequency IDentity (RFID) chips is giving them more power than ever.

Two stories in the last week illustrated how these technologies are being used by authorities to monitor people; a school district in the United States is fighting a student who refuses to wear an RFID enabled identity card and Saudi immigration authorities are now sending text messages to guardians of travellers, mainly women, leaving the country.

In Saudi Arabia, the law prohibits minors and women from leaving the country without the permission of their adult male guardians. As the Riyadh Bureau website explains, to streamline the permission process Saudi authorities enabled online pre-registration for travellers, so now male guardians can grant assent through a website rather than dealing with the immigration department’s paperwork every time their spouse or children want to travel.

When the spouse or child passes through immigration, the guardian receives an SMS message saying their ward is about to leave the country. One assumes the male can withdraw that approval on receipt of the text.

The Saudi application is an interesting use of the web and smartphones to deliver government services and probably not what Western e-gov advocates are thinking of when they agitate for agencies to move more functions online.

More ominous is the story from the US where Wired Magazine reports Andrea Hernandez, a Texan student, is fighting her local school over the use of RFID enabled identity cards that track pupils’ attendance.

John Jay High School’s use of RFID tags is a classic case of bureaucrat convenience as electronic cards are far easier to manage and monitor than roll calls or sign-ins.

Incidentally John Jay High School has over 200 CCTV cameras monitoring students’ movements, as district spokesman Pascual Gonzalez says, “the kids are used to being monitored.”

The problem is that RFID raises a range of privacy and security issues which the bureaucrats either haven’t thought through or have decided don’t apply to their department.

Notable among those issues is that the card “has a bar code associated with a student’s Social Security number”. It never ceases to amaze just how, despite decades of evidence, US agencies and businesses keep using an identifier that has proved totally unsuited for the purposes it was developed for.

Probably the most worrying point from the Texan story is how school officials tried to suppress the story, offering Ms Hernandez’s father a compromise on the condition he “agree to stop criticizing the program and publicly support it.”

That urge to control criticism and dissent is probably the thing all of us should worry about when governments and businesses have the ability to track our movements.

In this respect, the Texas education officials are even more oppressive than Saudi anti-women laws. Something we should consider as more of our behaviour is tracked.

Ending the era of the computer password

Has the humble computer password reached the end of the line?

Earlier this year, Wired Magazine writer Mat Honan had his entire digital identity stolen from him when hackers cracked his email password and then systematically took over all of his cloud and social media accounts.

Mat writes of his experience on Wired and proposes it’s time to kill the password.

The problem with Mat’s proposal is that he doesn’t suggest an alternative.

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.

Every alternative authentication method to passwords has flaws just as serious, if not worse. Many are plainly impractical.

All of them, including passwords, have the common weakness that those holding the information can’t be trusted either – one of the greatest ways for passwords to get into the wild is when incompetents like Sony give them away.

Security is evolving; in the meantime we need to keep in mind some basic rules.

  • Use different passwords for different accounts
  • Only access accounts from trusted and up-to-date computers
  • Create strong passwords for accounts that matter, like online banking and email
  • Strong passwords are multiword phrases
  • Use two-factor authentication if it’s available
  • Don’t link unnecessary social media and cloud accounts together
  • Be very careful

We should also remember that a skilled, motivated hacker will probably break into your account regardless of your computer security. In this respect it’s no different to the physical world where a determined criminal will get you regardless of the locks and alarms on your house.

It’s also important to remember that security is more than just evil hackers; data can be damaged or given away by a whole range of means and people breaking into systems is only one risk of many.

Computer security is an evolving field and while it might be premature to declare the password dead, we’re going to see big changes as we try to lock down our valuable digital assets.

Listeners’ questions – ABC Nightlife computers

As a follow up to last night’s ABC Nightlife computers here are some of the promised answers to listeners’ questions.

As a follow up to last night’s ABC Nightlife computer spot where we looked at who owns our online data, there were a few questions we promised to get back to listeners on.

The entire show can be listened to online through the ABC Nightlife with Tony Delroy website and includes some of the issues we’d get back to listeners on, but first an apology.

Bruce Willis never sued Apple

One of the callers, Mark, mentioned the story of Bruce Willis suing Apple over ownership of iTunes tracks.

It turns out this never happened as Charles Arthur of the Guardian explains.

While Charles can be a cranky bugger, he’s right in this case that the media did a very poor job in regurgitating an untrue story without ever checking its veracity. Luckily it’s not one that I cited in the program.

Protecting your Twitter Account

One of the topics we discussed was the threat of accounts being hijacked and Twitter is one service that is constantly being compromised because of poor policies. An important part of protecting a Twitter account from being taken over is to make sure an extra level of authentication is used by clicking the “Password Reset” option in the Twitter Account settings.

Recording online

Des asked about recording his own message for an audio Christmas card to his friends and relatives.

On Windows computers, Sound Recorder is the long-standing built-in app, while on the Mac, GarageBand is the built-in application.

There is a free third party application available for both PCs and Macs called Audacity which also allows you to record and edit on your system.

US customer service

One interesting thing about the conversation was how many callers criticised the “US mentality” of providing lousy service. This probably isn’t true as most American businesses provide some of the best customer service in the world.

The lousy service from online companies is more a function of the computer engineering and venture capital background of the entrepreneurs setting up cloud computing and social media services. While the majority of these companies are from the US, it wouldn’t be fair to brand this as being an American cultural issue.

Our next Nightlife spot is on December 13 at 10pm and we’ll be looking at Windows 8 and what type of computers people should be considering. Hope you can join us.

Unprotected computing practices

The news that many medical computing systems are infected with malware doesn’t surprise those working in the field.

A US study finding malware is rampant on medical equipment shouldn’t come as a surprise to those running industrial computer systems in their businesses.

It’s notoriously difficult to update medical equipment or other sensitive systems as a security patch could have unintended consequences. Unlike a home or business computer, these patches have to be thoroughly tested beyond the precautions vendors take.

So it isn’t surprising that these systems aren’t kept up to date, although some equipment suppliers are more tardy than they should be in updating the servers they supply.

A few years ago I came across CCTV systems running on the original version of Windows 2000 which were hopelessly compromised. This is an unacceptable situation for the customer and was more the result of vendor carelessness than any concern that customers could be affected by these unsecured machines.

Not having the latest software patches creates a weakness in any computer device, as the most common way viruses find their way onto networks is through systems not being updated – Australia’s Defence Signals Directorate rates unpatched systems as being the number one cause of corporate security breaches.

This is what caught out the Iranian nuclear program with the Stuxnet worm as the Siemens SCADA devices used by the Iranians were running older, unpatched versions of Windows. The designers of Stuxnet took advantage of a number of known weaknesses in the software and were able to damage the equipment being controlled by the systems.

Obviously systems should be patched wherever they can be and there’s no excuse for not patching most office and home computers. It’s also worthwhile carrying out a number of other security steps to ensure an infected computer can’t damage your network or catch a virus through your Internet connection.

The survey looking at these medical systems is a good wake up call to all of us that we need to take computer security seriously in our businesses.

Posting without permissions

Facebook’s groups feature can be dangerous if you don’t check before adding people.

A client of mine once had an angry worker scream at him when she found out he’d posted photographs of all his staff on the company’s website.

“My ex is a psycho, he doesn’t know where I live or work. If he finds this, he might come around here and kill us all,” she cried.

The photos went down immediately and Kevin made sure he got explicit consent before he posted any details of his staff onto the website.

It was a valuable lesson on why you shouldn’t just post people’s details online without first asking them. We all have reasons why we’d like to keep certain facts out of the public light.

A Texan gay choir’s organiser posting the details of members onto Facebook is another reminder of why it’s a bad idea to put someone else’s details online without asking them first.

For two members of the Queer Chorus at the University of Texas, having their sexual orientation pasted on their Facebook feeds caused terrible damage with their families and it should serve as a lesson to every manager, business owner or community group leader that this stuff matters.

One of the worrying features with Facebook is how other people can add you to groups without your permission – almost certainly a recipe for misunderstanding and mischief.

What’s even more unforgivable with Facebook’s conduct is that the privacy settings for those groups override an individual’s own privacy settings.

One of the victims told the Wall Street Journal of when her father saw the status update: “I have him hidden from my updates, but he saw this,” she said. “He saw it.”

So even though both the individuals had chosen to lock their profiles away from public view, Facebook and the organiser of the group decided they knew better.

We shouldn’t let the administrator of the Facebook group off the hook for this lapse; Christopher Acosta decided to make the group open and public. “I was so gung-ho about the chorus being unashamedly loud and proud,” he’s quoted as saying.

That’s nice when you have a tolerant family and you’re from a liberal community but for others that ‘transparency’ can lead to damaging family relations for years, if not lifetimes. In some communities the consequences could be far worse.

“I do take some responsibility,” says Mr Acosta. Which is a nice way of accepting you might have screwed somebody’s life up by doing something you didn’t understand.

Ultimately responsibility lies with the person who presses the button which causes the email or status post to be published. In this case Christopher Acosta was responsible.

To be fair to Mr Acosta, the ability to add people to Facebook groups without their permission is deeply flawed, as is the way those groups’ settings override an individual’s privacy preferences.

Facebook have to understand there are real life consequences to ‘transparency’ which can ruin careers and even cost the lives of people. The damage to families and communities can be immense.

Coming from a secure upper middle class white background, Mark Zuckerberg probably doesn’t quite understand the risks his company’s policies pose to people in vulnerable situations. Hopefully some of his older and wiser advisers will explain why ‘transparency’ and ‘openness’ are not always a good idea.

Securing your online passwords

On ABC Sydney we look at how you can make your passwords more secure

Every Internet user has to struggle with the burden of passwords as we’re expected to remember dozens of log in details for various websites and computer networks.

As we’re seeing though, passwords aren’t that effective with universities and private companies being hacked on a regular basis. The problem is so bad banks are considering moving to fingerprints to replace PIN and password logins.

Even if passwords are going to become irrelevant as we move to biometric logins like fingerprints and iris scans they aren’t going away quickly, so how do we protect our important online accounts?

Use different passwords

One of the key ways to protect yourself is not to use the same passwords for every site. Some critical sites, like your online banking and email, need protecting with strong passwords while others like social media sites don’t require such tough security.

As we’ve seen with various security breaches, most notably the continual Sony hacks of 2011 and the deeply embarrassing Stratfor leaks, even the strongest passwords are useless if some dill leaves them on an unprotected server.

Use strong passwords

For the sites that matter, make sure the passwords are strong. You’ll find how to make memorable, easy to use and strong passwords on the Netsmarts site.

You don’t need to use strong passwords on every site. For some websites that require registration to access, you might want to fall back on the much maligned password or 12345 for those publications.

Change default passwords

Most of the hacks on university and corporate networks happen because the default passwords on servers aren’t changed. This was also how News International workers broke into British mobile phone message banks. When you get a new phone or tablet computer, make sure you change the basic passwords that have come with the device and any associated service.

Update your systems

One of the biggest vulnerabilities for home and business computer systems is unpatched systems. Malicious websites, viruses and various tricks use known weaknesses in computer systems to bypass security measures. This applies to Apple Mac users as well.

Consider two factor authentication

Two factor authentication involves having double security; this could be a password linked to an SMS or a special one-off code. Services like Gmail offer this as do many corporate networks and banks.

Be careful linking social media services

A bigger risk than hackers is phishing where someone tricks you into giving away your password. This has become very common in hijacking social media accounts.

If you’ve linked various social media services together then one being compromised can mean bad guys have access to all of your accounts, so be cautious about what applications you allow to connect with your Facebook page or Twitter account.

For businesses

Cyber security is critical for business. It’s been estimated that one in six companies who’ve been compromised will fail as a result of the breach, and a credit card lapse can be expensive as well as embarrassing.

The Australian government’s Defence Signals Directorate has an excellent guide to securing computer networks. The DSD’s research shows that just following four basic rules will prevent 85% of attacks.

We should also keep in mind no security system is perfect. Just as your car doors or home can be broken into by a determined thief, the same is also true with computer networks, a skilled operator with enough time and resources can beat even the toughest cyber security regime.

ABC Nightlife Computers: The state of tech

July’s ABC Nightlife tech looks at viruses, online frauds, security and social media

Join Paul and Tony Delroy to look at some of the trends and events that are affecting how you use phones, computers and internet in your home or business.

A lot’s happened in the tech world over the last few weeks – Facebook has gone from the web’s golden business to being shunned, new tablet computers have been launched and we’ve had a virus threaten to knock people off the Internet.

If you missed the show, you can listen to it online through the Nightlife website. Some of the topics we looked at included:

  • So what was the DNS Changer Trojan? Did the FBI really take over a criminal computer network?
  • Could a virus really damage computers and bring the Internet to a halt?
  • Is it true the US, Israel and North Korea are using viruses to attack other countries’ computers?
  • Should we worry about viruses on smartphones and tablet computers?
  • What about virus hoaxes? There’s a good one going around about Facebook at the moment?
  • Both Microsoft and Google have launched new tablet computers, will they knock off the iPad?
  • Microsoft’s tablet is going to run the new Windows 8 operating system, how does that look?
  • Facebook seems to have gone from hero to zero since they launched on the stock market. What happened?
  • There’s been some pretty serious Facebook privacy changes recently, what should people watch out for?
  • Microsoft have had some big security updates this week, what are they?

For the Microsoft updates we mentioned, the major security updates can be downloaded from the Windows Update page or the Automatic Updates in Windows Vista and 7.

Windows 7 and Vista users should also disable the desktop widget feature. Microsoft have two fix it tools available for download and users should run both.

Listeners’ questions included the following problems:

Alternatives to Outlook Express

George was looking at upgrading to a new version of Windows that doesn’t have Outlook Express included but still wants a computer based email client rather than trusting a cloud service.

Some of the alternatives include;

Antivirus programs

Margaret asked about antivirus options for Macs, there’s a couple of free antivirus programs designed for the Apple Mac

For Windows users, the easiest free anti-virus to use is Microsoft Security Essentials.

Microsoft Silverlight on Android

Accessing Microsoft Silverlight based services like NineMSN on Google Android devices can be a problem as Jason found.

Unfortunately at this stage there’s no clear solution for playing Silverlight sites on Android devices as Moonlight, the open source Silverlight player has been abandoned.

Next Nightlife spot

Our next Nightlife tech spot will be on August 6 and we’ll decide the topics closer to the dates. Watch the website for details over the next few weeks.

Dealing with the DNS Changer Trojan

On Monday computers infected with the DNS Changer Trojan will stop surfing the net. Make sure you aren’t infected.

On Monday, thousands of computers around the world will be cut off the web as the servers behind the DNS Changer Trojan Horse are shut down.

The DNS Changer did exactly what the name says – it changed a computer’s Domain Name Service (DNS) settings so that all web traffic went through servers belonging to the virus writers.

Eventually the writers were caught and the computers were seized. In order to avoid disruption the servers were left running, but they will be shut down on Monday.

On Monday, those computers still infected won’t be able to surf the net until the problem is fixed.

How Do I Know I’m infected?

As part of the shutdown, the DNS Changer working group was set up. On their site they have a detection tool website that will tell you if your computer is infected.
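As an added example (not code from this post or from the DNS Changer working group), the same check can be made locally by comparing a machine's configured DNS resolvers against a list of rogue address ranges. The ranges and the sample configuration below are constructed placeholders from the RFC 5737 documentation networks; the function names are hypothetical.

```python
import ipaddress

# PLACEHOLDER ranges (RFC 5737 documentation networks), not real indicators.
# Substitute the rogue ranges published for the malware being checked.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample of a Unix-style resolv.conf, for illustration only.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.0.2.53
nameserver 10.0.0.1
; a comment line
nameserver not-an-ip
search example.test
"""


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop comments, which start with '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        addr = parts[1].split("%", 1)[0]  # strip an IPv6 zone id such as %eth0
        try:
            servers.append(ipaddress.ip_address(addr))
        except ValueError:
            # Malformed entry: skip it rather than abort the whole check.
            continue
    return servers


def rogue_resolvers(servers, ranges=ROGUE_RANGES):
    """Return the resolvers that fall inside any listed rogue range."""
    return [
        s for s in servers
        if any(s.version == net.version and s in net for net in ranges)
    ]


def check_resolv_conf(resolv_conf_text, ranges=ROGUE_RANGES):
    """Summarise which configured resolvers look hijacked."""
    servers = parse_nameservers(resolv_conf_text)
    rogue = rogue_resolvers(servers, ranges)
    return {
        "resolvers": [str(s) for s in servers],
        "rogue": [str(s) for s in rogue],
        "suspect": bool(rogue),
    }


if __name__ == "__main__":
    print(check_resolv_conf(SAMPLE_RESOLV_CONF))
```

A clean result only means the resolvers on this machine are outside the listed ranges; a full malware scan is still needed to confirm nothing else was changed.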

How can I fix the problem?

The easiest fix is with the Microsoft Malware Scanner which will check your computer for the DNS Changer virus along with other malware. If the scanner detects a problem it will remove the virus. IT Queries also have instructions on Removing A Trojan.

To prevent further infections, it’s necessary to install an up to date anti virus. A good free one is the Microsoft Security Essentials tool.

The DNS Changer Trojan was very effective malware and it illustrates why computer users need to be careful of where they go on the mean streets of the Internet.

702 Sydney Mornings Technology

On this show we look at how to avoid malware and protecting your digital legacy

On 702 Sydney Mornings this month with Linda Mottram, we’re looking at the continued story of the Flame and Stuxnet worms along with some trickery from the North Koreans who tried to shut down South Korea’s Incheon International Airport with a computer virus.

To help you avoid being infected there’s a detailed description on the Netsmarts website on setting up your computer to avoid being infected.

We’re also looking at protecting your digital legacy in an era when social media services like LinkedIn and Facebook can keep your memory alive long after your passing.

Join us on 702 Sydney from shortly after 9.30am. We’ll probably take some calls on 1300 222 702 and we’d like to hear your views, comments or questions.

Security and convenience

Good security is always inconvenient. We have to learn to live with it.

“Your security advice is too difficult, I don’t want to log in when I start my computer or have to mess around when I have to install new software,” a lady told me on the weekend.

Security is always inconvenient. It would be far more convenient if car doors weren’t locked and starting them was a matter of flicking a switch.

Of course we know if that was the case, most cars would be stolen within hours of buying them.

We accept the inconvenience of car keys because we know the cost of having a vehicle stolen is way higher than the occasional frantic search for lost car keys.

Right now we don’t value our data, computers or smartphones the same way.

This is changing and as we start using our phones as electronic wallets we’ll start valuing our passwords and online security more than our car keys.