ABC Nightlife December 2012

Paul joins Rod Quinn on ABC Radio Nightlife across Australia to discuss the tech issues of the day.

Paul Wallbank joins Rod Quinn to discuss how technology affects your business and life. For December 2012 we’ll be looking at business security, Windows 8 and the saga of Apple Maps.

If you missed the program, you can listen to the recording through the ABC website.

Answers to listeners’ questions and links to some of the programs we discussed, including removing Norton Anti-Virus and getting your Windows start button back, are on a later blog post.

Some of the topics we discussed included these below.

We’d love to hear your views so join the conversation with your on-air questions, ideas or comments; phone in on the night on 1300 800 222 within Australia or +61 2 8333 1000 from outside Australia.

Tune in on your local ABC radio station or listen online at www.abc.net.au/nightlife.

You can SMS Nightlife’s talkback on 19922702, tweet @paulwallbank using the #abcnightlife hashtag, or visit the Nightlife Facebook page.


Repelling the online break and enter merchants

Romanian crime gangs have broken into business systems in Australia and the US. How can you stop them from stealing your customers’ credit card data?

Last week’s bust of a gang of credit card thieves by the Australian Federal Police is a warning to businesses on the need to take computer security seriously.

In Australia a Romanian crime gang targeted small retail businesses’ computer systems and stole customers’ credit card details. They would then use the data to create fake credit cards.

A year ago US authorities broke up a similar gang that had targeted the computer systems of Subway franchises, netting the gang over $10 million before they were caught.

In both cases the gangs used remote access software that was included with their victims’ Point Of Sale (POS) equipment. Once logged into the target’s computers, the bad guys were able to install key logging and monitoring software so they could steal credit card details as they were entered into the system.

There are a number of lessons in both the Australian and US experiences for big and small businesses on securing their systems.

Use secure passwords

It’s almost boring to say this, but you need strong passwords for your systems and networks. Make sure you change all default passwords on the systems so they aren’t easily guessed or broken into.

Secure your systems

The Subway hack happened because of sloppy security; you can harden your systems by following good practices such as updating your systems, having malware protection and proper access policies.

Both the Australian and US incidents happened on Windows computers. The crooks were able to get into the computers and then install software because the victims were running in Administrator mode which allows anybody on the computer to control the system.

Daily use should be in limited user mode, which stops people from installing software or changing system settings. Administrator accounts should only be used for system maintenance and should have very strong passwords that are different from those on the normal limited user profile.

Turn off remote access

Another common factor in the US and Australian incidents is the use of remote access software so technicians can check things and managers can log in from home and other sites.

Unless these tools are properly set up they are a serious security risk. If you or your supplier don’t know exactly what you are doing, they can open a door from the public Internet straight into your system.

Do not use them unless you are 100% confident in your own, or your supplier’s, ability to run them properly.
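As an added illustration of the two points above (everyday use in a limited account, and knowing exactly what remote access is switched on), here is a read-only audit script for a Windows till or back-office PC. It is not from the original post; it assumes Windows 10 or later with PowerShell 5.1 for the Get-LocalGroupMember and Get-NetTCPConnection cmdlets, and gives the fullest results when run from an elevated prompt.

```powershell
# Added audit script (not from the original post): reports the least-privilege and
# remote-access settings the post warns about. Assumes Windows 10+ / PowerShell 5.1+.
# It only reads settings; it changes nothing.

# 1. Is this everyday session running with administrator rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Current user $($identity.Name) running as administrator: $isAdmin"
if ($isAdmin) { Write-Warning "Daily use should be a limited (standard) user account." }

# 2. Who holds local administrator rights? Every entry here can install software.
Write-Host "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Enabled local accounts whose passwords never expire (default or vendor accounts
#    that were never changed tend to show up here).
Write-Host "Enabled local accounts with non-expiring passwords:"
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } |
    Select-Object Name, LastLogon | Format-Table -AutoSize

# 4. Is built-in Remote Desktop switched on? fDenyTSConnections = 0 means enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
Write-Host "Remote Desktop enabled: $rdpEnabled"
if ($rdpEnabled) {
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication
    Write-Host "  Network Level Authentication required: $($nla.UserAuthentication -eq 1)"
    $fw = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True'
    Write-Host "  Enabled firewall rules for Remote Desktop: $($fw.Count)"
}

# 5. Anything else listening on the network, with its owning process. Third-party remote
#    access tools bundled with POS software appear here; anything unrecognised needs explaining.
Write-Host "`nListening TCP ports and owning processes:"
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Process = $proc.ProcessName; Path = $proc.Path }
    } | Sort-Object Port -Unique | Format-Table -AutoSize
```

Keep the output with your PCI-DSS paperwork so you can show your supplier exactly which accounts and remote access paths exist on the machine.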

Comply with standards

Another factor in these incidents is that the systems involved hadn’t complied with the PCI-DSS security standards for card payments. Again, if you don’t understand these – and they are complex – find a POS vendor or payments processor who does.

Basically, the standard requires that customers’ card details are not stored on your systems and that devices for processing payments are kept separate from other equipment in your shop or office. Following these basic rules would avoid many of the problems.

Consider cloud services

Many of the security problems businesses confront arise because they don’t have the skills or resources to deal with ever-evolving security threats.

Moving POS systems and other business-critical functions onto cloud services addresses many of these issues, so it is worth considering ditching expensive, unreliable and sometimes insecure server or desktop based systems and moving to cloud services that use tablet computers or smartphones.

Whichever choice you make, it’s important to engage suppliers and consultants you can trust, because if your customers can’t trust you with their details, then you are out of business.


Protecting yourself on Facebook

A follow up to listeners’ questions from December’s 702 Sydney morning program

One of the topics we looked at in yesterday’s ABC 702 Morning show was how to protect yourself on Facebook.

We had a number of callers struggling with controlling spam and scams that seem to be coming from their Facebook details. To fix this, you need to lock your personal details so they can’t be seen by the public.

The detailed instructions on how to lock down your Facebook page are available on the Netsmarts website.

Our next ABC Mornings spot will probably be in late January. We’ll let you know when it’s approaching.


702 ABC Mornings – Hacking 102

This month’s 702 Sydney tech spot looks at how security is evolving

A number of callers asked about protecting their Facebook pages and information from hackers and spammers. Details are on the Netsmarts webpage.

On 702 Sydney Mornings with Linda Mottram, we’re revisiting security and how it affects businesses and consumers after some stories of serious security breaches in everything from shops to pacemakers.

We’re looking at some pretty important issues, including how four million hotel locks are open to hackers and thieves.

Even more scary is the risk that pacemakers can be hacked. This story is a cautionary tale of good intentions being brought undone by bad security practices.

For businesses, the risk of having customers’ credit card details hacked is a serious issue. Two years ago the US fast food chain Subway had a major breach when criminals managed to break into franchisees’ Point Of Sale systems.

Recently the Australian Federal Police broke up a similar crime gang operating out of Romania.

A misconception about computer security is that all hackers are evil. The reality is most aren’t and a good example of this is Random Hacks of Kindness where geeks get together to find ways of using tech to improve society. We’ll look at last weekend’s Melbourne event.

Join us on 702 Sydney from shortly after 9.30am. We’d like to hear your views, comments or questions so call in on 1300 222 702 or SMS on 0467 922 702 or tweet with @702Sydney in the message.


Social malware and cunning tricks

Malware writers are moving on to social media apps to harvest addresses and personal information.

Last week an interesting media release from anti-virus company Bitdefender appeared in the inbox describing a tricky little scam that promises to change Facebook page colours but actually grabs a user’s information to set up fake blogs associated with the victim’s email address.

Those fake blogs in turn link to a working-from-home scam, of the type that is becoming depressingly common online. No doubt the malware authors have some sort of interest in that scheme.

What makes this malware interesting is how it brings together a range of opportunities for the malware writer – social media, apps, data aggregation, identity spoofing and the Ponzi affiliate schemes that are prevalent as people try to find new ways to supplement their income.

Many people say “I’d never get caught by these scams” but the reality is the scammers are rat-cunning, if not clever. Assuming you’re immune to these because you’re too smart, or you use a Mac or there’s nothing of value on your computer is a risk in itself.

Here’s the media release from Bitdefender.

Google Chrome App grabs identities, forges blogs in victims’ name to promote scam

Bitdefender catches Facebook colour scam with both hands in cookie jar

SYDNEY/AUCKLAND November 19, 2012 – A Google Chrome app that promises to change the colour of Facebook accounts instead nabs authentication cookies and generates dozens of blogs registered to the victims’ Gmail address, in a new scam analysed by Bitdefender, the leading global antivirus company.

Once the malicious app is installed from Google’s Chrome Web Store, it starts displaying a large Google Ads banner redirecting users to a “work from home scam.” When clicking the sign-up link, users are redirected to a fraudulent website.

“Scammers gave a new twist to the old change-your-Facebook-colour scheme that’s been luring users to fraudulent websites to grab credentials and other sensitive data,” says Chief Security Strategist, Catalin Cosoi. “By creating dozens of blogs for a single account, the scam spreads like wildfire among Facebook friends.”

The blogs generated under the email address of the victims, which are used in further disseminating the scam, have registered a large number of hits among users in the US, the UK, Germany, Spain, Romania, and other countries.

The app can also post wall messages on the victims’ account. The messages use friend tagging to convince the victim’s friends to visit the blog domains. Each time the app posts on a user’s timeline, it links to one of the auto-generated blogs so as to avoid blacklisting.

Bitdefender encourages users to use an antivirus solution and the free application Safego, which protects Facebook and Twitter accounts from scams, spam, malware and private data exposure.


Tracks in the ether

Smartphones, the web and tracking technologies are giving governments and businesses more power than ever.

Bureaucrats dream of tracking every person or asset under their purview, and the rise of technologies like smartphones, Global Positioning Systems (GPS) and Radio Frequency IDentity (RFID) chips is giving them more power than ever.

Two stories in the last week illustrated how these technologies are being used by authorities to monitor people; a school district in the United States is fighting a student who refuses to wear an RFID enabled identity card and Saudi immigration authorities are now sending text messages to guardians of travellers, mainly women, leaving the country.

In Saudi Arabia, the law prohibits minors and women from leaving the country without the permission of their adult male guardians. As the Riyadh Bureau website explains, to streamline the permission process Saudi authorities enabled online pre-registration for travellers, so now male guardians can grant assent through a website rather than dealing with the immigration department’s paperwork every time their spouse or children want to travel.

When the spouse or child passes through immigration, the guardian receives an SMS message saying their ward is about to leave the country. One assumes the male can withdraw that approval on receipt of the text.

The Saudi application is an interesting use of the web and smartphones to deliver government services and probably not what Western e-gov advocates are thinking of when they agitate for agencies to move more functions online.

More ominous is the story from the US where Wired Magazine reports Andrea Hernandez, a Texan student, is fighting her local school over the use of RFID enabled identity cards that track pupils’ attendance.

John Jay High School’s use of RFID tags is a classic case of bureaucratic convenience, as electronic cards are far easier to manage and monitor than roll calls or sign-ins.

Incidentally, John Jay High School has over 200 CCTV cameras monitoring students’ movements; as district spokesman Pascual Gonzalez says, “the kids are used to being monitored.”

The problem is that RFID raises a range of privacy and security issues which the bureaucrats either haven’t thought through or have decided don’t apply to their department.

Notable among those issues is that the card “has a bar code associated with a student’s Social Security number”. It never ceases to amaze how, despite decades of evidence, US agencies and businesses keep using an identifier that has proved totally unsuited for purposes it was never developed for.

Probably the most worrying point from the Texan story is how school officials tried to suppress the story, offering Ms Hernandez’s father a compromise on the condition he “agree to stop criticizing the program and publicly support it.”

That urge to control criticism and dissent is probably the thing all of us should worry about when governments and businesses have the ability to track our movements.

In this respect, the Texas education officials are even more oppressive than Saudi anti-women laws. That is something we should consider as more of our behaviour is tracked.


Ending the era of the computer password

Has the humble computer password reached the end of the line?

Earlier this year, Wired Magazine writer Mat Honan had his entire digital identity stolen from him when hackers cracked his email password and then systematically took over all of his cloud and social media accounts.

Mat writes of his experience on Wired and proposes it’s time to kill the password:

The problem with Mat’s proposal is that he doesn’t suggest an alternative.

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.

Every alternative authentication method to passwords has flaws just as serious, if not worse. Many are plainly impractical.

All of them, including passwords, have the common weakness that those holding the information can’t be trusted either – one of the greatest ways for passwords to get into the wild is when incompetents like Sony give them away.

Security is evolving; in the meantime, we need to keep in mind some basic rules.

  • Use different passwords for different accounts
  • Only access accounts from trusted and up-to-date computers
  • Create strong passwords for accounts that matter, like online banking and email
  • Strong passwords are multiword phrases
  • Use two-factor authentication if it’s available
  • Don’t link unnecessary social media and cloud accounts together
  • Be very careful

We should also remember that a skilled, motivated hacker will probably break into your account regardless of your computer security. In this respect it’s no different to the physical world where a determined criminal will get you regardless of the locks and alarms on your house.

It’s also important to remember that security is more than just evil hackers; data can be damaged or given away by a whole range of means and people breaking into systems is only one risk of many.

Computer security is an evolving field and while it might be premature to declare the password dead, we’re going to see big changes as we try to lock down our valuable digital assets.
