Saturday, July 23, 2011

YAFC-Y (Yet Another Facebook Clipjack - Yawn)

Hi folks,

Today, with Amy Winehouse's passing, another young star burned out entirely too soon. Whether we were fans or not is irrelevant. The salient point is that there is a group of greedy, covetous, rapacious, insatiable, avaricious, penurious, gluttonous vultures who eagerly await some misfortune, such as Amy, or yesterday, the cruel events in Norway.

Within hours of these events, they flood Facebook with promises of prurient or sensational videos, but the real goal is to trick kids or teens into agreeing to a $10 a month charge to the cell phone bill. The scammers assume their victims won't read the fine print.

So, as the title says, on one hand it's YAFC-Y ... Yet Another Facebook Clipjack - Yawn..., but by golly, they're not much more than sociopathic animals. I wonder how they can sleep at night.

Truly, these people (and I use the word loosely) are the lowest of the low, and I can only hope that someone like the FTC has them squarely in their crosshairs.


Wednesday, July 6, 2011

Hardening iOS

Hi folks,

iOS is the operating system that powers iPhones, iPods and iPads. These things, along with Android-powered devices, are clearly a critical part of the future of computing, and how we go about securing them is an emerging issue. We may be confident that the Bad Guys (tm), whether they be criminals or State-level cyber-warriors, are looking hard at how to attack them. With that in mind, I was pleased to see this document, prepared by DSD, the Australian Defense Department Intelligence group, about how to harden these devices against attacks and probes.

It's 36 pages of very interesting reading (if you're a security geek), and definitely worth studying (if you're said security geek). If, however, you're either a simple consumer, or ADD, or both, the critical points seem to me to be these...

(1) When you travel overseas, you need to keep in mind that foreign ISPs and carriers may not provide the same levels of user rights that we often take for granted. Being blunt, foreign governments may well sniff your traffic, so be .... thoughtful... about what you say / type / tweet. (On the other hand, if you are of a mischievous bent, and your friend happens to be traveling in one of these countries, it could well provide much entertainment if you sprinkle seditious words like "revolution" and "protest" in your emails / IM chats with him... but I digress)

(2) Keep in mind that "Smart Phones" tend to sync (in other words, mirror) lots of data that you might otherwise think was just on your desktop, and if you lose your phone, or it's stolen, it might well be off-network, and you would thus be unable to send a remote-wipe command to it. What this means is that it's a pretty good idea to set a PIN on the phone, and set it to automatically wipe itself after 10 failed attempts to guess the PIN. A few hundred dollars gets you a new phone, but a lost bank account UID/PW might cost you much more.

(3) Be cautious about what apps you allow on your devices. How do we know what data these apps are transmitting, and how do we know who they are transmitting to? The answer is that we don't. A good rule of thumb is to consider how the app developers are getting a return on their development investment. It costs money, time and resources to build an app, and oddly, not many folks do it for free. If you can't see how they're getting a return, it might be a good idea to pass it by. If I can mix metaphors for a moment, there aren't a whole lot of free lunches on the Internet.

When I first started in anti-virus in 1987, there were only a few viruses... Brain, Lehigh, Jerusalem. By the end of the first year, there were only about twelve in total, and we would wonder each month if there would be any more. Today, every anti-virus lab in the world gets about 300k samples every day, 25-30k of which are new and unique. Every day!

For a long while, we only had to worry about DOS, and then Windows viruses, but now we have ubiquitous Windows, plus Apple OS X malware, and a fast-growing Android malware problem. iOS is still fairly safe, but history shows that any platform that is both widely adopted and cheap and easy to develop on becomes a target.

Apple does their best to keep it all safe, but it's in our interests to employ whatever hardening steps we can now. Special thanks and shout-outs to Australia DSD for a fine document.

Keep safe folks.

Tuesday, July 5, 2011

A trap for young players

Hi folks,

Today, on my iPhone (note: not my laptop), I got this message from the friendly folk at Facebook Support...

I've been doing a bunch of things on FB recently, so I thought "I wonder what they want? Did I do something wrong?", and clicked it.

To my shock and chagrin, I was taken, not to FB, but to a Pharma page!

Wait ... I'm much too cunning to be caught by that! What happened?

The issue, friends, is that I was reading FB on my smart phone, and not my laptop. If it had been the laptop, I would, as a matter of course, have simply hovered the mouse over the link, and after a small pause, my mail client would have shown me the true URL behind the link. (In non-geeky talk, what that means is that whenever you get a suspicious email, you point the mouse at the link in the email, but _don't_ click it. Just wait a couple of seconds, and it will pop up a message showing the _real_ URL behind the link. If it's not Facebook, or eBay, or whatever you thought it should be, just delete the email)

Because, however, I was on my smart phone (dumb phone might be more correct, perhaps?), there is _no_ way to do a mouse hover, and therefore no way to see what's really behind the link.

Because so many people are moving to either Android or iPhone, this is an emerging problem. In this case, all I had to do to fix it was to close the browser, but if there had been an exploit, or even convincing social engineering behind it, they might have caught me. And I'm a little bit more cunning than lots of users.

What is needed is some way to view the source of the message. If no one builds such an app, maybe I will.

Keep safe folks, and be cautious. When Obi-Wan Kenobi said "There has never been a more wretched hive of scum and villainy", I'm pretty sure he was talking about the Internet.


You just can't believe everything you read

Hi folks,

Over the weekend, our friends over at Sophos noticed that Fox News got one of their Twitter accounts "hacked". The "hacker" posted four or five bogus tweets about the President being assassinated, over a ten hour period, before the Fox guys noticed. I guess we could say that it took them ten hours to tweak that their tweets were being twampled. (Sorry)

Once they realized what had happened, they (presumably) changed their password, and deleted the dud tweets.

Their public response was that they had been "hacked", and they were demanding a full explanation from Twitter about what happened.

Well, I can tell you what happened. You weren't "hacked". Your person, or people, running that Twitter account got his or her password phished.

It hurts a bit, but it wasn't Twitter's fault, so there's no point in blaming them.

What it really underscores is the danger of password re-use. It's dangerous, and you simply must adopt the idea that you'll have one password per website that you want to use. If that's 50 websites, then you need fifty passwords. It sucks a bit, but the alternative is that if you only have a few passwords, and one website fails, then all the other websites that password accesses are compromised.

Use a password manager, or even write them down and keep them in your wallet, but the rule has to be ...

No password re-use! Ever.

Keep safe folks,