A few tips to avoid phishing

Written by Saran on September 29, 2006

Chances are that when you open your inbox today you’ll find an e-mail claiming to be from your bank, an e-commerce site, or another online site you’ve visited. They might offer you an upgrade to your account, inform you that there have been changes on their end, and ask you to verify your account information. This could be a phishing attempt to get sensitive information like your personal details or passwords. Fortunately, you can avoid getting scammed by taking these precautions:

  • Be suspicious of any e-mail with urgent requests for personal financial information. Phishers are getting more sophisticated in their attempts, so even if an e-mail appears to be legitimate, look for proof that it came from your e-commerce company. Genuine messages should be personalized and carry information that only you and your company would know. They might show partial account numbers or other verification tools.
  • Use anti-virus software and a firewall, and keep them up to date. Phishers sometimes include scripts that can track your activities on the Internet without your knowledge.
  • Never use the links in an e-mail to go to any webpage. Phishers will redirect you to a bogus site to trick you into entering your account number and password. Log onto the website by typing the web address into your browser. Likewise, never call any numbers in the e-mail. They could lead you to a VoIP provider that isn’t connected to your company at all.
  • Never fill out forms in e-mail messages asking for your personal financial information. Your e-commerce company would never ask you to send sensitive information in that manner.
  • Check your bank, credit, and debit card statements regularly to see if all your transactions are legitimate. Report any suspicious withdrawals immediately.
  • Finally, report the phishing attempt you received to your company and other anti-phishing groups.

Tags: phishing, spam, spoof emails, identity theft, pharming, spam filtering

Categories: General, Privacy & Anonymity, Real-World Issues, Tips

Fuzzing: what is it?

Written by Saran on September 27, 2006


Fuzz testing may sound like a term far removed from the IT world, but fuzzing is a good way of discovering weaknesses in a network, application or server before others do. Fuzzing involves bombarding a program with randomly generated data to see whether it withstands the overload. If it fails, either by crashing or by failing to execute specific code, then there’s a defect you need to find and correct. Hackers can use fuzzing to find what bugs exist in an application, for example a web browser, and then create specific code to exploit the application’s weaknesses. But if these bugs are discovered before they can be exploited, they can be fixed first.

Testers can use fuzz testing to find out whether the software currently in use has easily exploitable vulnerabilities. It is probably the closest approximation to a real-world situation, where data coming into a system or application doesn’t always follow validation rules. While fuzzing, testers keep a record of all the data they create, so it’s easy to keep track of what specifically caused any errors. It’s also relatively cheap to perform fuzz testing, and it can be used to compare the security of different programs and operating systems. Open source fuzzing tools and tests for different applications and systems are now available online. Though fuzzing isn’t guaranteed to find every error-producing event and bug that can occur on your system, it does give an idea of where intruders might try to attack. Errors like buffer overruns and cross-site scripting attacks can be prevented by fuzz testing.
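The loop described above, as an added example that is not from the original post: a small fuzzer feeds random byte strings to a constructed toy parser, logs every input with its outcome, and separates clean rejections from unhandled errors. The record format, the parser and its defect are all invented here for illustration.

```python
import random

def parse_record(data: bytes) -> bytes:
    """Constructed toy target: [length][payload...][checksum]."""
    if len(data) < 2:
        raise ValueError("record too short")      # expected, clean rejection
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]                   # defect: length is never bounds-checked
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload

def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the length byte validated against the input size."""
    if len(data) < 2 or 1 + data[0] >= len(data):
        raise ValueError("truncated record")
    return parse_record(data)

def fuzz(target, runs=500, seed=2006, max_len=16):
    """Feed `runs` random byte strings to `target` and log every input and outcome."""
    rng = random.Random(seed)                     # fixed seed: the run can be replayed
    log = []
    for case in range(runs):
        size = rng.randrange(max_len + 1)
        data = bytes(rng.randrange(256) for _ in range(size))
        try:
            target(data)
            outcome = "ok"
        except ValueError:
            outcome = "rejected"                  # invalid input handled as designed
        except Exception as exc:
            outcome = "crash:" + type(exc).__name__   # unhandled error = defect
        log.append((case, data, outcome))
    return log

def crashes(log):
    """Return only the logged cases that exposed a defect."""
    return [(case, data) for case, data, outcome in log if outcome.startswith("crash:")]

if __name__ == "__main__":
    found = crashes(fuzz(parse_record))
    print(len(found), "crashing inputs; first:", found[0][1].hex())
    print("after fix:", len(crashes(fuzz(parse_record_fixed))), "crashing inputs")
```

Because every input is logged and the generator is seeded, any crashing case can be replayed exactly against the fixed parser.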

Tags: fuzzing, bugs, buffers, phishing, pharming, software, errors, intruders

Categories: IT Security Basics, Tips

Tighter ISP laws for the US?

Written by Saran on September 23, 2006

A proposal for the suggested data retention law is already in the works and may now be extended to affect Web hosting sites and domain name registries. Last week US Attorney General Alberto Gonzales urged the Senate to pass the data retention law as an aid in combating online child pornography. He also stressed the need for increased administrative subpoena powers and tighter money laundering laws to keep track of who is financing child pornography sites.

Such a law is meant to help combat crime and terrorist activity. The proposed law does not require the content of these communications to be preserved, only the logs of e-mail, Internet, phone activity and other identifying information useful for locating a customer. This data can only be accessed by court order, similar to cases involving physical searches.

Privacy and industry groups are opposed to the proposal, saying existing laws are sufficient for law enforcement. A 1996 federal law requires Internet providers to retain records for up to 90 days at the request of a government entity, while another law requires child pornography sightings to be reported. Civil liberties groups oppose this move, arguing that the information can be used for other purposes. ISPs are also pointing out the increased costs of storing this additional data. It is not clear just who will end up shouldering this cost.

The European Union had already passed a similar data retention law in 2005 requiring all telephone and Internet traffic to be stored for a period of six months up to two years.

Categories: News, Real-World Issues

Browser bugs on the rise

Written by Saran on September 21, 2006


Mozilla’s Firefox has the highest number of vulnerabilities at forty-seven, followed by Microsoft Internet Explorer’s thirty-eight. This is an increase from last year’s record of 17 and 25, respectively. Even Apple’s Safari doubled its vulnerabilities to twelve, but Opera’s bugs decreased from nine to seven. IE remains the most targeted web browser, accounting for 47% of all attacks. In second place (31%) are attacks exploiting the same vulnerabilities in multiple browsers, and Firefox placed third with 20 percent.

Despite the higher number of bugs, Mozilla ranks first in issuing patches, averaging only a day after public disclosure. Opera and Safari follow closely, while IE ranks last, averaging nine days per patch. As for operating system patches, Sun has the highest patch development time at 89 days, while Microsoft ties with Red Hat for the shortest at 13 days.

7 out of every 10 new vulnerabilities uncovered from January through June were bugs in Web applications, and four-fifths of these were easily exploitable. Most of the attacks targeted home users and small businesses.

Phishing has also increased, with the financial sector receiving the bulk of these attacks. Phishing targeting Internet service provider (ISP) accounts ranked second. The United States was both the source of most attacks and the target for most Denial of Service (DoS) attacks.

A copy of the report can be downloaded from Symantec.

Categories: News, Real-World Issues

Mobile phone data retention issues

Written by Saran on September 19, 2006


What happens to your old units when you buy the newest mobile phone units coming out every few months? Are you generous and give them away to a friend or relative? Or do you delete your data according to the manual and try to sell them online, earning some cash in the process? Maybe the last option appeals to you, but be warned that your erased data might not be as gone as you think.

Last month a company named Trust Digital bought ten phones from eBay and managed to recover data from all of them. The data ranged from personal information and bank account details to company communications. They recovered all this data because smart phones today use flash memory to store information, and it’s slow to erase information from it. Such flash memory is also used in music players and digital cameras. Only a zero-out reset of the device can ensure the total obliteration of data. The same issues can arise with people selling their laptops online. Software easily obtainable online can recover records of your online transactions, which can then lead to sensitive personal data.

It may seem difficult to make a profit from getting information from an old mobile phone or laptop, but seeing the rise in corporate data breaches from stolen mobile gadgets, it’s not improbable that someone would attempt to do so. The best tip in this situation is to contact your gadget manufacturer for detailed instructions on a complete data erasure. If your device has password protection, you can try to type your password incorrectly until you are notified that the action will erase all of your data.

Categories: News, Physical Security, Real-World Issues, Tips

Can they offer anonymous browsing?

Written by Saran on September 17, 2006

September saw the introduction of two new web browsers focusing on anonymous web browsing. Early this month, Browzar was launched by Freeserve founder Ajaz Ahmed. It automatically deletes any cookies after each session, does not save pages in cached folders, and its relatively small size makes it easy to bring along. There have been concerns about it being merely an IE shell and about search results leading to sponsored links and adverts. Also, users need to download any security patches from Microsoft once a flaw has been identified for IE. After the two recent attacks on the browser, many are skeptical of its overall usability.

Torpark, on the other hand, came from Hacktivismo, a group of computer security experts and human rights workers, and is based on Mozilla’s Firefox. No installation is required to run the browser, though the two folders generated from the free download have to be kept together for it to run. This browser encrypts the data passing between the user’s computer and the Tor network, and causes the IP address seen by the website to change every few minutes. Torpark does have limitations; browsing speeds will be slower and it’s suggested not to log in to sites which cannot offer secure log-ins.

Neither of these applications is meant to replace the current browsers you’re using on your computer. It’s interesting to note that they both have privacy and secure browsing as their main selling points. These features are useful for users who are leery of going online in public access locations like schools and Internet cafés, where a secure connection cannot be guaranteed. So far both of these are available for free download, and you might want to see which one will stand the test of continuous use.

Categories: Privacy & Anonymity, Programming, Review

How pharming works

Written by Saran on September 15, 2006

Though we’ve recently covered a few scams about phishing and e-mail, some swindlers have graduated from targeting victims one-by-one to a large-scale scam called pharming. Pharming can reel in potentially millions of unwitting victims to their schemes without anyone realizing it.

Pharmers divert as many users as they can from legitimate commercial sites to malicious ones. These sites look exactly like the genuine site, but when users sign in with their log-in names and their passwords, this information is taken by criminals. Once they have these, they can access your account information and take credit and bank account numbers for their own nefarious use. Pharming attacks often target auction and banking sites, where financial rewards are great.

The most alarming pharming threat involves something called DNS poisoning. All the hosts on the Internet are identified by numbered strings called IP addresses, and computers identify different sites using these. Because it’s difficult to remember a string of 32 numbers, the Domain Name System or DNS translates these addresses to a string of text that will serve as its directory entry. A DNS directory gets poisoned when it’s altered to hold false information leading to the bogus site. Typing in the site URL is no guarantee, because you will still be taken to the fake site. Even savvy net users can be caught by this technique.

Site users can protect themselves by logging onto their sites using a secure (https://) connection. If you’re suspicious, you can also check your commercial site’s security certificates to see if they are real. Some sites like Yahoo offer various authentication methods such as personalized seals on their mail service page, so you can identify the real site from the fake ones.

Categories: IT Security Basics, Privacy & Anonymity, Real-World Issues

You just might fall for it.

Written by Saran on September 13, 2006

My name is Danjuma Sule, one of the sons of major Gen Gumel Danjuma Sule, The late Nigeria’s former minister of mines and power in the regime of the late former Nigeria’s military Head of state, Gen Sanni Abacha. I am having a huge sum of money in the total sum of $18.6Million presently hidden in a safe place –

Sounds familiar? Maybe the words are different, but the contents are almost always the same. A complete stranger writes to you, and offers a large sum of money in the form of unclaimed foreign lottery winnings, a business investment, or a transfer of illegally-obtained funds. If at this point you express interest, they’d inform you they might need a little advance to handle transactions before you receive your money. Occasionally they will present official-looking documents and ask for your bank account information, as if guaranteeing you will receive the money – but you never do.

This type of advance fee scam is often called the Nigerian 419 scam, after the law it violates in that country. Though purporting to come from Nigeria, a number of these scammers now originate from Europe and America. They send thousands of e-mails hoping one or two might bite, and strange as it might sound, people do fall for these schemes.

At first it might not seem like this is an IT security issue, but the whole operation of these scammers relies on the Internet. They can create a new identity online with a few keystrokes, photos and addresses acquired off a search engine, and a free e-mail account. They’ve recently moved on to targeting online auctions and credit card fraud. Some have even begun searching for victims through popular dating services, but they cannot be traced unless they’re reported to the proper government offices. Statistics on this kind of crime are very unreliable due to the large number of cases that go unreported every year. A modest estimate has each scammer getting thousands of dollars per month. At this point you can use the technology on hand so you do not become a victim of these scams. Use search engines to verify if they are who they claim they are, familiarize yourself with their techniques, and stay vigilant.

Categories: News, Privacy & Anonymity, Real-World Issues

Privacy in social networks

Written by Saran on September 11, 2006

You’re probably taking part in one right now: you write about how your day was on an online journal, and check out how your friends are doing on theirs. You might have a profile on another site, sharing music or photos with friends and maybe complete strangers who’ve linked their profiles to yours, and if you’re feeling particularly romantic you might try online dating. Sites offering these services promote the creation of online social networks, where you keep in touch with old friends and make new ones with people who share your interests but whom you might never meet outside the web.

Sounds like a good thing, all in all. Except for the issues dealing with privacy.

Privacy. In its basic sense, it’s all about keeping private the things that you want to keep to yourself. It’s always important to safeguard your personal information, especially with people ready to use it for criminal acts against you. But it leads to a tricky situation when you’re dealing with social networking sites, where you might not be aware you’re giving this same information away. After all, popular sites like MySpace allow visitors not logged in to the site to visit profiles. And recently Facebook, a social networking site geared for college students, faced protests from its users when it announced the news feed feature. Users felt it was a breach of their privacy, going so far as to call it stalking, even if most of the information you can get from it was readily available to their friends. Though the clamor has died down, and Facebook has added privacy settings, the users are now aware how much information Facebook can actually share.

It’s a fact that since Facebook is the one providing the services to connect users to each other, it can make changes in its privacy policy and in how it gives those services to the users. Users might not like these changes, but they must accept them, or shift to another service. Facebook, and other companies like it, should also take into account their users’ possible reactions to any perceived attack on their privacy if a situation like this arises again.

Categories: News, Privacy & Anonymity, Real-World Issues

Wireless Security Tips

Written by Saran on September 9, 2006

Wireless networks are becoming increasingly common these days, ranging from home use to businesses. Increased mobility within the network’s range and the reduced cost of installing a LAN without cabling are but some of the advantages you can get when using Wi-Fi. Its major disadvantage lies in the higher security risks of unscrupulous users hacking into your personal data and gaining access to the Internet through your network. Here are a few precautions you could take to ensure your network security:

Change the default administrator passwords. Default administrator passwords for network devices are easily available online and well-known to hackers. Most routers allow you to change this easily.

Turn on data encryption. This allows you to scramble the messages and data sent through the network. Most devices come from the manufacturers with this option turned off, so users have to activate this. Also note that all Wi-fi devices in your network must share the same data encryption settings to work together.

Disable SSID broadcast or change the default SSIDs. SSID is short for service set identifier, and is attached to the header of all packets in a wireless network. It also uniquely identifies your network. This is broadcast at regular intervals, and hackers can use this to identify vulnerable networks. Also, change your SSID from the default, and refrain from using IDs that can reveal who owns your router and where it’s located.

Restrict the computers that can access your network. You can do this by filtering the MAC (Media Access Control) addresses to those of the devices in your network.

Install antivirus software and firewalls. This might seem obvious, but after the initial install most users forget to update their virus definitions. Computers on a wireless network need the same protection as other computers.

Categories: IT Security Basics, Real-World Issues, Tips, Wireless Security