Malware’s third party path

How to take care in a changing world of cybercrime.

One of the few constants with computer security is that threats are constantly evolving.

Malware – malicious software like computer viruses, worms or Trojan horses – is the most common security threat that ordinary home or business technology users will encounter on their PC, laptop or smartphone.

During the big computer virus epidemic of the early 2000s the main targets were Windows 98 or XP machines running Internet Explorer, as these were so easy to infect.

Today, it’s harder to infect Windows systems and the malware writers have become more sophisticated in the tools and methods they use to catch victims.

Right now, we’re seeing the malware writers focusing on weaknesses in third party software such as Java, Flash and Microsoft Office.

Mac users have been affected by the Flashback worm which used flaws in the Java computer program and now Adobe have released an emergency update to their Flash application to fill a security hole that could affect all operating systems.

Along with being more sophisticated in their methods, today’s malware writers are also more organised with real criminal objectives as opposed to the earlier generations that were derided as “script kiddies”.

So there are real risks in not taking basic steps to protect your computer system.

Have the latest updates

When your system asks you if you want to install updates, do so. Both Macs and PCs have an automatic update function which you should enable and pay attention to.

Individual software packages like Java, Flash and Microsoft Office have their own update reminders which you should also pay attention to.

Sometimes, though, the malware writers distribute fake updates to fool people into installing their software, so if you are suspicious about an update, check online to see if you have the latest version.

Run computers in Restricted User mode

One of the big weaknesses for all systems is there is a tendency to run as an Administrator. In older Windows systems this gives almost complete control over the system and can still create problems in newer systems as well as with Mac or Linux systems.

Every user should run as a Restricted User, and this can be set up in the Windows Control Panel or Mac Preferences.

Have an antivirus

While the antivirus industry loves flogging overpriced and overfeatured software that generally slows your computer down as much as it protects the system, it’s still worthwhile having.

For Windows users, the free Microsoft Security Essentials is fine for most users. For Mac users, the free ClamAV or Sophos Anti-Virus for Mac are good choices.

Use a third party browser

Generally using the built in web browsers – Internet Explorer in Windows and Safari on the Mac – tends to amplify security risks. So use a third party browser like Firefox, Google Chrome or Opera.

Be careful

Malware writers, like all crooks and conmen, try to exploit human weaknesses so their tricks often appeal to our greed, fear or lust.

Try to avoid websites offering pirated software, movies, music or pornography and never click on emails or pop up adverts that claim you’ve won the lottery or been infected with a virus.

Cybercrime is real and growing, although we should keep the threat in perspective and not fall for the hysterical headlines we often see in the media.

The risks are going to continue to evolve as the crooks move onto trying to exploit weaknesses in smartphones, social media platforms and cloud computing services.

Despite this, by being careful most people won’t be affected by malware or other computer crime. Just don’t count on being lucky.

Undermining the cloud

Google’s broad claim on users’ data risks the viability of their services

Whenever I do a presentation on cloud computing and social media for business, I focus on one important area – The Terms Of Service.

Google’s relaunch of their Cloud Drive product has reminded us of the risks that hide in these terms, particularly with this one clause:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

This is an almost identical clause to that introduced – and quickly dropped – by file sharing service Dropbox last year. It’s also pretty well standard in the social media services including Facebook.

Basically it means that while you retain ownership of anything you post to Google Drive, or most of Google’s other services including Google Docs, you’re giving the corporation the rights to use the data in any way they choose.

While the offending clause does go on to say this term is “for the limited purpose of operating, promoting, and improving our Services, and to develop new ones”, there is no definition of what operating, promoting or improving their services actually means.

Not that it matters anyway, as one of the later terms says they reserve the right to change any clause at any time they choose. So if Google decided that selling your client spreadsheets to the highest bidder will improve the service for their shareholders, then so be it.

If you’re a photographer then the pictures you upload to Facebook or Google+ now are licensed to these organisations as are all the documents stored on Cloud Drive.

To be fair, this is not just a Google issue; Facebook has similar terms, as do many others. Surprisingly, just as many premium, paid-for services have these conditions as free ones.

Because these Terms Of Service are about establishing a power relationship, there’s usually an over-reach by large companies with these terms.

While an over-reach is understandable, it’s not healthy where the customer has to trust that the big corporation will do the right thing.

Right now, if you’re using a cloud or social media service for important business information you may want to check that service doesn’t have terms that grant them a license to your intellectual property.

Are we prepared to embrace risk?

The world is a dangerous place; can governments protect us?

It’s safe to say the Transportation Security Administration – the TSA – is one of America’s most reviled organisations.

So it’s notable when a former TSA director publicly describes the system the agency administers as “broken” as Kip Hawley did in the Wall Street Journal on the weekend.

More than a decade after 9/11, it is a national embarrassment that our airport security system remains so hopelessly bureaucratic and disconnected from the people whom it is meant to protect. Preventing terrorist attacks on air travel demands flexibility and the constant reassessment of threats. It also demands strong public support, which the current system has plainly failed to achieve.

The underlying question in Kip’s article is “are Americans prepared to accept risk?” The indications are that they aren’t.

One of the conceits of the late twentieth century was that we could engineer risk out of our society; insurance, collateralised debt obligations, regulations and technology would ensure we and our assets were safe and comfortable from the world’s ravages.

If everything else failed, help was just an emergency phone call away. Usually that help was government funded.

An overriding lesson from the events of September 11, 2001 and subsequent terrorist attacks in London and Bali is that these risks are real and evolving.

The creation of the TSA, along with the millions of new laws and billions in security related spending in the US and the rest of the world – much of it, one suspects, misguided – was to create the myth that the government is eliminating the risk of terrorist attacks.

It’s understandable that governments would do this – the modern media loves blame, so it’s a no win situation that politicians and public servants find themselves in.

Should a terrorist smuggle plastic explosive onto a plane disguised as baby food then the government will be vilified and careers destroyed.

Yet we’re indignant that mothers with babies are harassed about the harmless supplies they are carrying with them.

It’s a no-win.

This is not an American problem; in Australia we see the same thing with the public vilification of a group of dam engineers blamed for not holding back the massive floods that inundated Brisbane at the end of 2010.

While we should be critical of governments in the post 9/11 era as almost every administration – regardless of their claimed ideology – saw it as an opportunity to extend their powers and spending, we are really the problem.

Today’s society refuses to accept risk; the risk that bad people will do bad things to us, the risk that storms will batter our homes or the risk that we will do our dough on what we were told was a safe investment.

So we demand “the gummint orta do summint”. And the government does.

The sad thing is the risk doesn’t go away. Risk is like toothpaste, squeeze the tube in one place and it oozes out somewhere else.

While Kip Hawley is right in that we need to change how we evaluate and respond to risk, his argument assumes that we are prepared to accept that Bad Things Happen regardless of what governments do. It’s dubious that we’re prepared to do that.

Ending the era of Mac complacency

Does the Flashback bug end the Mac’s virus free status?

The news that the Flashback Trojan has infected an estimated 600,000 Apple Mac computers has been greeted with joy by the dozens of industry experts that have predicted a virus holocaust for smug Mac users for nearly a decade.

The Flashback malware – the earlier versions could be described as a computer Trojan Horse while the later editions are more like a computer worm – is a real risk to Mac users and it’s important to take this risk seriously.

The Netsmarts business site looks at how Mac and Windows users can protect themselves from Flashback and its variants.

One of the key things in the advice is to make sure anybody using the computer has limited rights; as a Managed User on the Mac and as a Limited User in Windows. This dramatically reduces the opportunity for bad things to happen while online.

I’ve discussed previously why user privileges are one of the reasons the Mac has historically been less prone to virus infections than its Windows cousins.

Microsoft made the decision in the 1990s not to tighten Windows’ security settings and their customers paid the price for the next decade. This was compounded by some poor implementations of various technologies in Microsoft Windows.

This isn’t to say the Mac, or any other computer system, doesn’t have security bugs. Every operating system does, and it’s a conceit of everybody immersed in new technologies, from cloud computing back to horse-drawn chariots, to believe their products are magically infallible.

Part of the crowing from the security experts and charlatans who’ve been desperately predicting a “Macapocalypse” for nearly a decade overlooks this.

Even with the proven problem of the Flashback virus, it’s unlikely we’ll see a deluge of malware like that of the early 2000s, simply because Mac OSX, Windows 7 and all the other mobile and computer operating systems don’t have the structural flaws that Windows 98, ME and early versions of XP had.

Much of the Mac versus PC argument in security is irrelevant anyway; the main game for scammers and malware writers has moved to social media services like Facebook and this is where computer users need to be very careful.

However, the stereotype of the “Smug Mac” user was true; one caller to my radio show claimed he didn’t have a problem with spam because he had a Mac. Nothing could convince him that email spam wasn’t related to the type of computer you used.

To be fair to Apple they never made the claim their computers were invulnerable to malware, apart from the odd dig at Microsoft. Their users did it for them.

That type of smug Mac user is the one who does need a wake up call. For the industry though, it’s business as usual, although some will be feeling a little smug that their hysterical predictions of the last decade came true in a small way last week.

702 Sydney Weekend computers: April 2012

Join Paul and Simon Marnie to discuss the tech that affects your home and office

On ABC 702 Sydney Weekend computers this Sunday, April 8 from 10.15am Paul Wallbank and Simon Marnie will be looking at the end of innocence for Apple Mac users, the DNS Changer Virus and how political campaigning is coming to a Facebook site near you.

Some of the topics we’ll discuss include;

If you’d like to learn how to protect your Mac or Windows computers from malware, visit our Netsmarts article on the Flashback virus that explains the security settings and suggests some free anti-viruses.

Listeners’ Questions

While we had a great range of calls from listeners, there was only one we promised to get back to. Kay clearly has a virus infection on her Windows computers and we recommend the free MalwareBytes program to clean it up.

Our IT Queries site has more instructions on cleaning up a virus infection if you’re worried about a sick computer.

We love to hear from listeners so feel free to call in with your questions or comments on 1300 222 702 or text on 19922702.

If you’re on Twitter you can tweet 702 Sydney on @702sydney and Paul at @paulwallbank.

Should you not be in the Sydney area, you can stream the broadcast through the 702 Sydney website and call in anyway.

Navigating the Internet jungle

When we’re in the wild, we need to keep our wits about us.

I usually don’t pay much attention to stories about Apple malware given that most hysterical stories about Mac viruses are written by charlatans spruiking third rate security products.

The story of the Flashback Trojan is an interesting one though, not because the malware is particularly original or that it comes with the usual hysterical claim of being part of the coming wave of viruses that will wipe the smug smiles off Mac users’ faces.

Flashback’s interesting because it combines all the tactics of a modern computer virus or malware, bringing together unpatched vulnerabilities and some social engineering with the intention of stealing user passwords.

These are risks regardless of what type of computer, smartphone or tablet you use. It illustrates how the security risks have moved on since the first epidemic of Windows computer viruses just before the beginning of the century.

Similarly, the motivation for writing viruses and malware has evolved. Where it was once an intellectual exercise for bored, highly skilled young code cutters, today it’s a lucrative criminal enterprise aimed at getting access to victims’ bank accounts and other assets.

Which is the reason why it’s a good idea to have different passwords for various online services – no more using the same password for your online banking, Minecraft and Facebook accounts.

Having the latest security patches installed is also important, particularly with third party products like Adobe Flash, Java or Microsoft Office, so don’t ignore those warnings, as a caller to one of my radio slots boasted of doing.

We also need to keep our wits about us online and watch out for the sneaky tricks used to fool us into opening malware; it’s a jungle out here on the web.

ABC702 Weekends: Facebook and your Family

How do we use social media safely and effectively?

For the first ABC 702 Sydney Weekend program for the year, Paul Wallbank and Ian Rogerson looked at how to use Facebook safely.

Facebook and other social media services are becoming an increasingly important part of our lives, so it’s important we understand the benefits and the risks involved in using the web.

All the details of what we discussed in the program are available at the Facebook and Your Family post.

One listener’s question we said we’d get back to was Emma who asked about Microsoft Word stopping her Mac from closing down.

This is usually due to problems with an office plug in or the normal template. To attempt to fix the template, follow the instructions at the Word Mac site.

As Ian suggested, it may be time to consider a more up to date program as Office 2001 is seriously outdated.

The importance of logging off

It’s the simple things that bring us unstuck in the online world.

English Labour MP Tom Watson today learned why logging off your computer is important when his office intern cracked what she thought was a joke on his behalf.

What appeared to be a mis-step by the Member of Parliament brought predictable criticism from his enemies in politics and media, particularly given his role as a critic of News International.

The biggest risk in computer security is your staff and co-workers; they have access to your systems and the data saved on them.

In Tom’s case – like most business security breaches – the intern wasn’t being malicious; she was making a very valid point about a serious topic, and it was her unfortunate choice of words that caused a problem.

Luckily for her, the boss has taken a mature attitude towards the problem – there are many bosses who wouldn’t. So the intern seems safe unless the media can beat the story up further.

The moral for all of us is to log off or shut down our computers whenever we step away from them.

If we’re using public terminals in flight lounges, Internet cafes or hotels, then we should make sure we’ve logged out of our email, social media or banking services before the session ends.

Should someone leap on your system when you turn your back, you could find anything from your social media or email account used to send out fake messages about you being robbed through to your online bank balance being pillaged.

We often worry about evil, sophisticated hackers breaking into our accounts but often it’s these simple mistakes that let opportunistic thieves get our details.

Often it’s the simple things that bring us unstuck, so logging off is a good habit to get into. Tom’s intern is right.

Password blues

Sharing passwords is like giving away the keys to your car; be careful.

“Johnny down the street hacked my Minecraft account!” is something almost every parent today has heard in one way or another.

If you believed the kids, the schools are full of 12 year old hacking geniuses that can unravel passwords faster than a CIA super computer.

Usually it turns out the “evil hacker” in Grade 5 had the password all along as the kids share their login details with all their friends.

The New York Times recently pulled together a story showing how teenagers are sharing passwords to show their affection. One wonders how many abusive relationships see the dominant partner control the other’s social media and online accounts.

It isn’t just kids and teenagers who find themselves in trouble though; businesses make the same mistakes, commonly sharing a password to important files and tech functions across the organisation.

Thinking this is just a small business problem would be a mistake; Australia’s Vodafone made their entire customer base available on the Internet thanks to single logins and shared passwords for each of their dealers.

Over the years this caused major problems for customers and the honest Vodafone dealers as their unscrupulous competitors hijacked accounts and churned clients to new plans. The cost to Vodafone Australia must have been huge but impossible to quantify given they apparently had no tracking mechanism to figure out who had accessed accounts.

In households and business, the main reason we share passwords is convenience – security by nature is always inconvenient. It’s convenient not to bother locking your front door or to leave your keys in the car.

When you really value something, you lock it up and you don’t give a key to everyone in your neighbourhood. It should be the same with passwords, keep them strong and keep them secret.

Our kids learn this the hard way, we shouldn’t have to.

Strategic lessons from a security breach

What businesses can learn from Stratfor’s data lapse

2011 has been the year of the IT security breach. Big and small organisations around the world ranging from major corporations like Sony through to smaller businesses such as security analysts Stratfor found their customer data released onto the web.

The frustrating thing is most of these breaches are avoidable, and calling them “hacking” often gives too much credit to the security used by the targeted companies.

While the ‘hackers’ themselves may be skilled, the compromised organisations are often easy targets as they don’t follow the basic rules of protecting their data.

Standards matter

Customer payment account details are covered by the Payment Card Industry Data Security Standard (PCI-DSS) operated by the PCI Security Standards Council.

The PCI Security Standards Council helpfully has a range of information sheets for merchants of all sizes and if you are taking payments off the web you should make yourself aware of the basic requirements.

For most businesses, the cardinal rule is not to save customers’ card details. Once the payment is approved, you have no business retaining the client’s credit card or bank account numbers.

In Stratfor’s case, they were almost certainly processing payments manually and credit card details were being saved on customers’ records in case of errors or to make renewals easier.

Call in the professionals

There’s no shortage of payment companies, ranging from PayPal through specialist services like eWay to your own bank’s services. Choose the one that works best for you. If you have no idea, call in someone who does.

One of the arguments for using outsourced services, particularly cloud computing, is that data security is a complex field that requires professional and qualified expertise. The internal systems of Sony, Telstra and Stratfor were not up to the demands placed upon them. A professional service is better equipped to deal with these issues.

Size doesn’t matter

A major lesson from the last year’s security breaches is that it’s not just the local shop or garage e-commerce business that is careless with data. Some of the world’s biggest companies and government agencies have been compromised.

If anything, Sony’s experience has shown the double standards at work in the application of security rules; there’s no doubt that had a local computer shop been as thoroughly compromised as Sony were, they would have been shut down on the second breach and the management would have been carted off to jail well before the twelfth.

For the management of Sony, there seems to have been little in the way of sanctions for the people nominally responsible for this incompetence. This has to change both within organisations and by those charged with enforcing the rules.

The lesson for customers is you can’t trust anyone with your data; don’t assume the big corporation is any more secure than the serving staff at your local sandwich shop.

Passwords matter

Every time one of these breaches happens we hear about password security, with “experts” pointing out that some of the subscribers were using passwords like ‘statfor’ or ‘password’.

For customers, this actually makes sense: if you can’t trust third parties with your details, then specific, disposable passwords for each site should be used. There’s little point in having a complex password if some script kiddie is going to post your login details onto 4Chan.

Naturally your passwords for banking and other critical websites should be very different and far more secure than those you use for sites like Stratfor and the Sony Playstation Network.

Will 2012 be any different?

Given the data embarrassments of 2012 for businesses and government agencies, can we expect lessons to be learned in 2012?

While many businesses are going to learn specific lessons from these breaches, there’s a management cultural problem where any spending on information systems is seen as a cost that has to be minimised.

This cost cutting mentality lies at the core of many organisations’ failure to secure their systems properly and until a more responsible culture develops we’ll continue to see these lapses.

Good managers and business owners who understand the importance of guarding their organisation’s and customers’ data are those who are ahead of their competition. Over time, these are the folk who will have the competitive advantage.

For customers, the sad lesson is we can’t trust anyone and a layered approach to security along with keeping a close eye on our bank accounts and credit card statements is necessary.

Protecting your technology over the holidays

There are some easy things we can do to protect our systems over the Christmas break.

This post first appeared in the Xero Accounting Software Blog; the advice for protecting your computers and networking equipment applies for home and business users.

The holiday season is here and for many it’s time for a much needed break. Before doing so it’s worthwhile taking a few precautions with your computers and other electronic equipment.

While most of us are moving our data to the cloud, there may still be some data that remains on your office systems. Bear in mind that if your router is damaged or desktop computer has gone missing, you won’t be able to access the web.

And even though your systems will spend much of the next fortnight turned off, there are still risks such as power surges, fire and theft. There’s even the risk of a virus creeping in when you turn things on when you return. So here are some things to consider before you leave.

Reset passwords

The New Year is a good time to refresh passwords, so review what your key login details are and update them to stronger, more secure phrases. I personally like using phrases like a song or poem and dropping characters into the spaces so a password might look like: Mary$had$a$little$lamb

You can make the passwords stronger by adding numbers and capitals as well.

Staff turnover happens in all businesses and you may have forgotten to remove some former employees from your accounts when they left. The end of the year is a good time to review who has access to your cloud and remote access accounts.

If you’re a social media user it’s also worthwhile checking what applications you’ve allowed to access your Facebook, Twitter or other online services. That mafia or farm game looks harmless, but often you’ve given it the right to post things and collect data from your account, so take off the ones you no longer find useful.

Unplug everything

Even when turned off, most modern computer equipment still has power running through its systems. This puts technology at risk during storms or brownouts. Printers, modems and routers should all be turned off and disconnected from power and communications lines.

Network, telephone line or cable connections should be unplugged – power surges can often affect phone and cable network connections. In fact you should unplug anything that connects your equipment to the outside world.

Hide your equipment

Give thieves as little temptation as possible. Electronic equipment has a high resale value and is easily moved. Lock away anything portable and draw the curtains or blinds in rooms where less portable equipment is kept.

If you have an old laptop or mobile phone sitting around it’s not a bad idea to hide away the modern equipment and leave the old stuff in an obvious location. This is a variation on the old “leave ten dollars in the cash drawer” ploy that gives thieves something without them ransacking the place. Don’t leave the sacrificial laptop in plain sight or you’ll be inviting break-ins.

Backup

One of the advantages with cloud computing is that many of your backup needs are taken care of. Unfortunately you still need your own local backups.

In most offices not everything gets saved to the cloud and that information matters. For many small businesses, years of work are sitting on the hard drive.

External hard drives and DVDs are the most popular ways of saving backups. Your backup should include documents, email, address books, favorites and bookmarks.

Store the backups away from the computer, preferably offsite. I recommend making two copies, leave one onsite for easy access and store one elsewhere. If something terrible happens to your home or office while you are away, your data is at least safe.

For home offices, it’s a good idea to leave a copy of the backup with your neighbours or a relative in a nearby suburb. An old client of mine swaps external hard drives with his mother-in-law at church each week so he has a reasonably up to date copy of his data somewhere he knows he can get to.

When you return

Your computer is the very last thing you should turn on. Turn on modems, printers, external drives and network equipment before your computer. If you have a cable or ADSL Internet connection, give it a few minutes to connect before trying to log on.

Update your system

While you were away new Internet nasties in the form of viruses, Trojan horses and spyware will have come out and there’s a good chance some of them may be waiting in your inbox.

Before checking emails or surfing the net, update your security software and check for any system updates. Don’t do anything on the net until everything is updated.

Christmas and New Year are times when you should relax. There’s nothing worse than returning to find office equipment and valuable data lost. By backing up your systems and taking some precautions you don’t need to feel anxious about your business being up and running quickly when you get back to work.

Enjoy your holidays and let’s all look forward to a great New Year.

The online business playground

This article originally appeared as The Business Playground on Smart Company.

Last week, I was lucky to be invited to talk about digital citizenship with school kids and their parents in the Griffith area.

The concept of “digital citizenship” is pretty simple – your behaviour online should be no different from how you’re expected to conduct yourself in the playground or business world.

When talking to some of the parents about the issues their kids face, it struck me that most of the concepts, like being accountable for your behaviour, safe computing and avoiding bullying, are as applicable to business as to the schoolyard.

Bullying in the workplace is pretty common and – as the tragic case of a young waitress who killed herself after being bullied at a Melbourne café shows – employers are directly responsible if they don’t control it.

While the Melbourne case didn’t have a digital aspect, what employees put up about their co-workers on social media sites or on blogs or in emails can be bullying as well.

Making things worse when social media or the web is involved is that most of the evidence is in writing and difficult to erase.

Safe computing, such as creating strong passwords and not sharing them, is one important part of being safe online.

Just as kids get into trouble by sharing their passwords with their friends, so too do businesses that share common login details for their key systems and services.

Some weeks ago there was the story of a Texas waterworks that was hacked because their systems had a simple password.

No doubt the login was kept simple to make things easy for staff and management, just like a 12-year-old sharing their Minecraft or Moshi Monster accounts with their big brother or best friend.

Being accountable for your behaviour is probably something both kids and business people struggle with; just as kids don’t understand that taunting their friends through a Facebook page has real life consequences, many managers and entrepreneurs forget that laws and professional standards apply online as much as they do in any other area.

Of course in business, it’s not just ourselves that can cause problems – our staff can get us in trouble too. Employees need to know that upsetting co-workers, customers, suppliers and competitors is unprofessional and can cost them their jobs.

Having a staff acceptable computer use policy that makes it clear employees are responsible for work related comments they make, even on their personal accounts outside of working hours, is now essential for all enterprises.

In many ways, business is just like being in the playground. It’s usually fun, but when things go wrong it can be painful in many ways.

Just as schools are on the look out for digital trouble among students, watch out for similar pain points among your staff.