|
 |
Thursday, June 12, 2008 |
... get in the habit of quickly installing all software program updates ... beyond that also consider:
Certified e-mail [?? Seems off the point since these services are directed at businesses not individuals]
Web page scanners ... tools using varying technologies to gauge the reputation of most Web pages. EG AVG's LinkScanner, ScanSafe's Scandoo, Trend Micro's TrendProtect, McAfee's SiteAdvisor [which I use] and Finjan's SecureBrowsing grade Web pages as safe, unsafe or questionable.
Browser security tools ... anti phishing filters
[In other words a toolbox instead of a tool.]
9:37:58 PM 
|
|
OUCH!
SANS Institute Security Newsletter for Computer Users
Volume 5, Number 5 May 2008
************************************************************************
In This Issue
1. Eight Surefire Ways to Become an Identity Theft Victim - 2. Malware
- - 3. Scams and Hoaxes - 4. Microsoft and Apple Security Updates - 5.
Security Newsbytes
************************************************************************
A formatted version of the OUCH newsletter can be found at https://www.sans.org/newsletters/ouch.
You can subscribe to OUCH on the same site. Send your comments to OUCH@sans.org.
************************************************************************
1. Eight Surefire Ways to Become an Identity Theft Victim
- --Practice unsafe surfing. When you purchase a new computer, go online without activating the firewall, or purchasing protective software.
Further expose yourself digitally by sharing a wireless connection with the entire neighborhood. Without digital encryption, you can share the contents of your hard drive with anyone on the street. For maximum risk, do some online banking on a public computer -- like the one at the library or a public cafe. Bonus points are added if your Social Security number is your user ID for any transactions.
- --Skimp on anti-virus and anti-spyware protection. Courting disaster online is easy. Invite malicious code to attack your computer simply by doing nothing. Antivirus programs can be pricey, and the maintenance of constantly downloading updates is time-consuming. Combine that with the security updates from Microsoft or Apple and it's enough to seriously annoy anyone.
- --Passwords are a pain! Make life easy for yourself by using the same password for EVERYTHING, and make it something easy to remember, like your first name or 'password'. Just in case, make sure you write it down on a yellow sticky and put it somewhere easy to see.
And don't forget to have your browser set to 'remember password' to make life easy for you - and the cyberthief.
- --Peek at junk email and open attachments from unknown sources. Open attachments from strangers, secret crushes, long-lost friends saying "what's up," or strangers hawking cheap drugs -- you'll never know unless you peek at that email. One of the many fun things that can happen when you open an attachment containing malicious code is infecting your computer with a Trojan horse or virus, which can easily lead to identity theft.
- --Stuff your wallet with juicy identifying tidbits. Wallets and purses are more than just handy cash-carrying devices. They often have credit cards, identification, insurance information and even Social Security cards. Obviously, more is better if you'd like to become the prey of fraudsters. Losing or misplacing a wallet or purse can cause more problems than just the hassle of replacing all those cards and buying a new bag. Armed with your date of birth, Social Security number and mailing address, there's no limit to the damage thieves could cause.
- --Make your checks payable to criminals. If you're like most people, you wouldn't post your checking account information on your front door, though you should if you'd like to be a victim of fraud. Similarly, checks reflecting the same information can be dropped casually into unsecured mailboxes. Statistically the chances of your mailbox being targeted by criminal elements are low, but not that low. According to the 2008 Identity Fraud Survey Report from Javelin Strategy and Research, almost 1 in 10 victims of identity theft who can pinpoint the scene of the crime say that it happened at the mailbox.
- --Opt out? Opt in! While you're mailing checks from the unlocked mailbox, go ahead and get credit card companies to send you all the pre-approved offers that the postman can cram into the box. Similarly, don't get credit card statements online; leave them on the side of the road so that they're more convenient for fraudsters who lack the technical knowledge or follow-through to launch complicated hacking schemes.
- --Nothing is too good to be true. Everyone wants to feel special and maybe more importantly, filthy rich. When reading an emailed proposition from an African business tycoon, an imperiled prince or downtrodden heiress offering millions of dollars in exchange for some small measure of assistance, it's difficult not to wish it were true. Falling for the story will undoubtedly lead to unpleasantness.
More information:
http://finance.yahoo.com/banking-budgeting/article/104894/7-Surefire-Ways-to
-Become-an-ID-Theft-Victim
************************************************************************
2. Malware
- --Zeus. A Trojan being spread by the so-called "Rock Phish" group of Russian criminals through phishing scams. Zeus is designed not only to trick victims into clicking on a link in a phishing email to give up personal information, but also to drop a Trojan on the victim's computer at the same time. The new attacks combine phishing and the Zeus Trojan to steal personal information and spread financial crimeware. Zeus can steal personal data such as usernames, passwords and Social Security numbers entered by the user while interacting with other websites.
More information:
http://www.scmagazineus.com/Rock-Phish-gang-adds-malware-download-to-attacks
/article/109240/
- -- RaceForTibet. Rootkit* malware that surreptitiously installs a keystroke logger on end users' PCs once they open a Flash movie file which uses a cartoon to mask its malware payload. The captured data is reportedly sent to a computer in China. The cartoon ridicules the effort of a Chinese gymnast and then displays images supporting a free Tibet.
The malware is being distributed as an attachment called RaceForTibet.exe.
More information:
http://www.itpro.co.uk/wireless/news/187935/tibet-supporters-targeted-by-tro
jans.html
* Rootkit: http://en.wikipedia.org/wiki/Rootkit
- -- OSX.RSPlug.A. A Mac Trojan that spreads by spam emails designed to lure users to pornography sites. Visitors are presented with a still image from a salacious video. Clicking on the image to play the video returns the following message: "Quicktime Player is unable to play movie file. Please click here to download new version of codec." After the linked page loads, malware is downloaded and launches an installer. The installer requires the user to enter the admin password. Once the password has been entered, the malware infection is complete. The Trojan alters network settings, redirecting webpages and funneling advertisements for porn sites to your Mac.
More information:
http://www.geekstogo.com/2007/10/31/osxrspluga-trojan-info-and-removal/
************************************************************************
3. Scams and Hoaxes
- --Economic Stimulus Refund Phishing Scam A number of phishing scam emails are currently targeting US taxpayers by offering bogus refund payments as bait. This email, purporting to be from the Internal Revenue Service (IRS), claims that the recipient is qualified to receive the 2008 Economic Stimulus Refund. The recipient is instructed to follow a link in the message in order to fill in an online form, ostensibly to allow the refund to be processed. The email includes the IRS logo and copyright notice and is from a seemingly genuine IRS email address. However, the email is not from the IRS.
More information:
http://www.hoax-slayer.com/economic-stimulus-refund-scam.shtml
- --United States District Court Subpoena Malware Email This seemingly official email purports to be a subpoena sent by the United States District Court. The message claims that the recipient must testify before a Grand Jury at a specified place and time. The recipient is instructed to follow a link in the message to download and print a complete copy of the subpoena document. However, the message is not from the United States District Court. In fact, the message is an attempt to trick recipients into installing information-stealing malware on their computers.
More information: http://www.uscourts.gov/newsroom/2008/alert.cfm
http://www.hoax-slayer.com/subpoena-phishing-scam.shtml
- --Visa Personal Password Phishing Scam An email claiming that recipients can protect their Visa credit card for online purchases by clicking a link in the message and creating a personal password. However, the message is just another phishing scam and was not sent by Visa. Those who fall for the ruse and click the link will be taken to a very sophisticated, but fraudulent, website that has been designed to closely resemble the genuine Visa website.
More information: http://www.hoax-slayer.com/visa-password-scam.shtml
- --Mail Server Report
According to this warning message, a dangerous virus is being distributed via emails with the subject line "Mail Server Report". The warning claims that opening attachments that come with the email will first display a message saying "It is too late now, your life is no longer beautiful" before destroying all files on the infected computer and stealing personal information. However these claims are untrue.
There is not, nor has there ever been, a virus like the one described in this bogus warning message.
More information: http://www.hoax-slayer.com/mail-server-report-hoax.shtml
************************************************************************
4. Microsoft and Apple Security Updates
Microsoft and Apple provide free security updates for their software products.
Windows: Microsoft issues patches for all Microsoft products on the second Tuesday of each month as well as out-of-cycle patches on any day of the month. The next scheduled release date is May 13th. Check manually too, once every two weeks, to make sure all of the updates have been installed.
More information: http://www.microsoft.com/athome/security/default.mspx
OS X: Updates are issued frequently, and their contents may differ depending on which processor is in your Mac (PPC or Intel).
More information: http://www.apple.com/support/downloads/
iPhones: Must be updated manually:
http://docs.info.apple.com/article.html?artnum=305744
************************************************************************
5. Security Newsbytes
- --Hannaford to Spend Millions on IT Security Upgrades After Breach Executives at Hannaford Bros. Co. have said that the grocer expects to spend millions of dollars on IT security upgrades in the wake of the recent network intrusion that resulted in the theft of up to 4.2 million credit and debit card numbers from its systems. The planned upgrades include the installation of new intrusion-prevention systems that will monitor activities on Hannaford's network and the individual systems at its stores, plus the deployment of PIN pad devices with encryption support in store checkout aisles. Hannaford also has signed on IBM to do around-the-clock network security monitoring.
More information:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&;arti
cleId=9079652
- --Microsoft Reports 300% Increase in Trojan Downloaders Computer users are increasingly at risk of being lured to websites that surreptitiously download malicious software onto their machines, but stolen or lost laptops still represent most of the security breaches reported, according to the latest six-month Microsoft Security Intelligence Report. Exploits, malicious software, and hacking accounted for 13% of all security breach notifications recorded in the second half of 2007, while 57% of the breaches publicly disclosed involved lost or stolen equipment. Malicious software attacks via Trojan downloaders and droppers increased by 300% during the same time period.
More information:
http://www.news.com/8301-10784_3-9925077-7.html?tag=nefd.only
- -- Firefox and Safari Updates Tackle "Alternative" Browser Bugs Mozilla has updated its Firefox web browser in response to the discovery of a vulnerability which allows miscreants to take control of vulnerable systems. Apple has pushed out an update for both the Windows and Mac versions of its Safari web browser. The more serious Mac flaws, if left unchecked, create a means for hackers to crash browsers or inject malicious code into vulnerable systems.
More information:
http://www.mozilla.org/security/announce/2008/mfsa2008-20.html
http://support.apple.com/kb/HT1467
************************************************************************
Copyright 2008, SANS Institute ( http://www.sans.org) Editorial Board: Bill Wyman, Alan Reichert, Barbara Rietveld, Alan Paller.
Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product. Readers are invited to subscribe for free at https://www.sans.org/newsletters/ouch
5:30:35 PM
|
|
|
Saturday, May 14, 2005 |
Next week Denver-based First Data Corp., one of the country's largest electronic financial transaction companies, plans to release survey results showing 43 percent of adults have received a phishing contact. Five percent of those adults gave up personal information. The telephone survey of 2,000 people was conducted by Synovate and had a sampling error margin of 2.2 percentage points.
The Federal Trade Commission advises that e-mailing financial and personal details is never a good idea, and legitimate companies don't ask for those details in an e-mail.
9:39:28 PM
|
|
|
Friday, May 13, 2005 |
MasterCard International Inc. said Tuesday that it has shut down nearly 1,400 phishing sites and more than 750 sites suspected of selling illegal credit-card information since launching an ID-theft-prevention program in June (2004). The program also has led to the discovery and protection of more than 35,000 MasterCard account numbers that were in jeopardy of being compromised.
10:59:18 PM
|
|
According to Netcraft, some fraudsters are replacing text content on their phony sites with similar-looking images, "making it much more difficult for automated systems to detect the presence of keywords such as 'PayPal' and 'credit card.'"
In an online alert, Netcraft illustrated how a phisher could simply embed text within an image to hide it from filters. The text would still be readable by a possible victim, but not by a computer.
10:05:17 PM
|
|
|
Wednesday, March 09, 2005 |
A cyber thief in Wellington, New Zealand apparently installed keystroke-logging software at an Internet cafe that allowed him to harvest user names and passwords belonging to people who conducted online banking there. Consumers are being warned to use caution while banking on line. [Experts warn against using internet cafes when sending/receiving sensitive information. Who needs to be warned about this?!]
1:14:57 PM
|
|
|
Sunday, March 06, 2005 |
True.com has taken on the rest of the online dating industry in pushing state legislators to require matchmaking sites to conduct criminal background checks on members or post a warning that no such screening has been done.
8:51:31 PM
|
|
|
Friday, March 04, 2005 |
Law enforcement agencies increasingly turn to the net for tips from the public.
11:12:56 AM
|
|
|
Tuesday, March 01, 2005 |
A new international Web site (www.virtualglobaltaskforce.com) developed by a global alliance of law enforcement agencies was launched this week to try and prevent individuals from committing child abuse online.
12:57:27 PM
|
|
|
Wednesday, February 16, 2005 |
The Internet has helped bring back "swampland" sales in Florida as companies portray fairly worthless property as good investments, taking advantage of unwary out-of-state buyers. Some of the lots are actually underwater.
6:19:14 PM
|
|
|
Monday, February 07, 2005 |
Coffee shop Web surfers beware: An evil twin may be lurking near your
favorite wireless hotspot. Thieves are using wireless devices to
impersonate legitimate Internet access points to steal credit card
numbers and other personal information, security experts warn.
5:14:04 PM
|
|
|
Friday, November 19, 2004 |
A federal jury Thursday awarded a woman $434,000 in damages after she
sued an Internet matchmaking service that introduced her to her abusive
husband.
3:29:47 PM
|
|
|
Friday, October 29, 2004 |
One of the "Internet's foremost experts in Web usability" (according to Business Week) and the man who ranks number six on ZDNet's "The Web's Ten Most Influential People" calls for a change in policy to thwart Internet scams, saying, "User education is not the answer to security problems." Jakob Nielsen says a strategy relying on user education puts the burden on the wrong shoulders. The only real solution, according to Nielsen, is to make security a built-in feature of all computing elements.
2:56:23 PM
|
|
|
Wednesday, October 27, 2004 |
In findings, from a detailed survey of 329 consumers that included inspections of each of their home computers, released Monday by America Online and the National Cyber Security Alliance (NCSA), a picture emerges of consumers increasingly using their home PCs for sensitive, online transactions without adequately protecting themselves from cybercrime.
While 77% of the survey respondents believed they were safe from online threats, two-thirds lacked current anti-virus software and did not use any firewall protection. More than half said they did not understand the difference between the two. Yet 84% stored personal data on their home PCs, and 72% routinely used the Internet for sensitive transactions, such as banking and medical data exchanges.
7:45:34 PM
|
|
|
Saturday, October 23, 2004 |
Fraud-based Web sites that purport to sell products and services but really only harvest credit card accounts and other personal information are on the upswing, Websense Security Labs*, an Internet content management vendor said Monday (10/11/2004). According to Websense Security Labs, fraud sites outnumber those associated with phishing, a much better-known scam.
Although such fake sites resemble phishing sites -- both try to dupe users into divulging confidential information -- this new category uses a different ploy. Rather than get people to a site by telling them that their credit or bank account needs adjustment, these scams promise merchandise or a service at phenomenal prices. "Fraud sites don't target a specific brand, like phishing attacks and sites do," said Dan Hubbard, the director of security and technology research for Websense.
* an arm of Websense, a provider of content blocking software for enterprises
4:33:18 PM
|
|
|
Thursday, October 21, 2004 |
Security firm CipherTrust has reported that fewer than five zombie networks may be involved in all Internet phishing attacks worldwide, suggesting that only a small number of people are responsible for the threats. CipherTrust researchers found that less than 1 percent of e-mail messages are phishing attacks, but says these threats should be taken very seriously.
In its research, the firm analyzed customer e-mails during the first two weeks of October, and found that about a third of all zombie machines launching phishing attacks are based in the U.S., with South Korea coming in second at about 15 percent. However, the findings do not imply that the attacks originate within the U.S. Because zombie networks can be controlled from any geographic region, U.S. machines used in an attack can be manipulated by phishers in other countries. Most notably, the research indicated that attacks are sending out messages using networks of only about 1,000 PCs. This suggests that the number of perpetrators is small, but very adept at using compromised machines.
4:33:50 PM
|
|
An August intrusion into a social researcher's computer may mean that more than a million Californians need to call the credit bureaus.
On Tuesday, the California Department of Social Services warned the providers and recipients of the state's In Home Support Services (IHSS) that their names, addresses, telephone numbers, Social Security numbers and dates of birth may be circulating the Internet. IHSS allows individuals to get paid for providing in-home care to senior citizens. The warning comes after an unknown attacker slipped in through a security hole in a social researcher's unsecured computer at the University of California, Berkeley, on Aug. 1, perhaps making off with 1.4 million database records containing personal information. The researcher noticed the trespass on Aug. 30 and the university notified the state in mid-September.
3:58:21 PM
|
|
Organized crime rings and petty thieves, federal authorities say — are establishing a multibillion-dollar underground economy in just a few years. The Internet's growth as an economic engine, particularly for financial transactions, is feeding the felonious frenzy. Lured by shoddy computer security and the ability to commit crimes from far-flung countries, the Russian mafia and other Eastern European gangs are plunging into spam, phishing schemes, cyberextortion and the trafficking of stolen goods online, authorities say. Many hire hackers in economically depressed countries, but a growing number are becoming computer savvy to do the dirty work themselves.
11:02:24 AM
|
|
|
Tuesday, October 19, 2004 |
A new free SANS newsletter has gotten rave reviews from unsophisticated end users - they really appreciate the plain non-technical writing and the cool examples. It's called OUCH! More than 500 security awareness professionals from around the US and the world helped them get it right. If you want to redistribute it to your users, that' allowed. The newsletter includes a pointer to a great phishing quiz for anyone who thinks he or she can spot a phishing email. To subscribe go to the newsletter page at the SANS portal and choose it.
12:22:32 PM
|
|
|
Monday, October 11, 2004 |
The Federal Trade Committee has filed a complaint in federal court asking that two Internet advertising and software firms be shut down. The activities of New Hampshire resident Sanford Wallace and his two firms -- Seismic Entertainment Productions and SmartBot.Net -- are some of the most egregious in the spyware field, Ari Schwartz, associate director of the Center for Democracy and Technology, told NewsFactor.
The operation of the spyware distributed by Wallace is very complicated, Schwartz explained. In addition, it has operated in different ways over the months. Perhaps the worst allegation is that of direct fraud. Some consumers assert that they were asked to pay US$30 to stop the pop-up ads repeatedly appearing on their computers. Those pop-ups originated from the same web of companies and advertisements originating them. Spy Wiper and Spy Deleter are two of the software programs marketed by Wallace's firms. In some cases, said Schwartz, pieces of software were downloaded to consumer computers without their knowledge or purchase. The company used security holes in Internet Explorer to take control of some operations on computers of users who clicked on particular ads.
The case is the first in the spyware arena to target a company for downloading code to a user's machine without permission. There are no laws against spyware at the national level.
4:31:08 PM
|
|
|
Thursday, October 07, 2004 |
[ALWAYS be suspicious of emails asking you to provide sensitive information by using a link provided in the email instead of the established method of providing such information.]
8:16:26 AM
|
|
|
Friday, October 01, 2004 |
A federal judge on Wednesday struck down a key provision of a law that is the centerpiece of the Bush administration's legal war on terrorism, ruling that the FBI cannot require Internet service providers to turn over subscriber information and keep quiet about it forever without giving the providers a chance to fight the government in court.
8:27:38 AM
|
|
|
Thursday, September 23, 2004 |
A mobile wireless system being tested in Oregon allows police officers in the field to check fingerprints against state and national databases.
3:26:52 PM
|
|
|
Sunday, September 19, 2004 |
Just over six weeks before the nation holds the first general election in which touch-screen voting will play a major role, specialists agree that whatever the remaining questions about the technology's readiness, it is now too late to make any significant changes.
8:29:04 PM
|
|
We found no indication that the larger, more credible, retail sites were the source of credit-card information leaks. Web sites like eBay, Amazon, Office Depot, Best Buy, Sears, and many others appear secure. At least, none of the online purchases recorded in any of the credit-card lists we found contained purchases from major retailers.
It was the mom-and-pop shops, home-based businesses, and smaller companies that showed vulnerability, apparently from ignorance or a lack of professional I.T. resources.
"To get around consumer-security and fulfillment concerns, Internet startups and small businesses will have to align themselves with more credible marketplaces like eBay, Amazon, and Yahoo.
In the meantime, Web-site owners may want to employ a few simple fixes to make sure their critical files and their customers' personal information are not so easily found by search engines.
8:03:48 PM
|
|
|
Sunday, September 12, 2004 |
Mailfrontier has put together 10 suspected fraud emails from their collection of millions-all of them real and all of them actually received by real people. [I got 9 of 10 correct - my paranoia had me calling a legitimate email a fraud. Advice on: use your common sense! advice off:]
10:18:00 PM
|
|
Enacted in 2002, the law gave Pennsylvania's attorney general the power to require that companies like America Online Inc. block customers from viewing Web sites that had been identified by the state as containing illegal content.
No one challenged the state's right to stop the distribution of child porn, which is already illegal under federal law, but lawyers for the Center for Democracy and Technology and the American Civil Liberties Union had argued that the technology used to block those Web sites was clumsy.
Over two years, the groups said, ISPs trying to obey blocking orders were forced to cut access to at least 1.5 million legal Web sites that had nothing to do with child pornography, but were part of the same Internet cluster as the offending sites.
4:51:43 PM
|
|
© Copyright 2008 iWay-Safety.com.
|
|
|
