Cybersecurity New Years’ Resolutions

New Years is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following News Years’ resolutions:

• Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
• Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
• Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
• Use multi-factor authentication – when available, select multi-factor authentication, whether by a text message (SMS), or an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
• Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
• Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
• Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
• Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
• Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
• Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
• Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
• Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
• Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.

More phishing leaks into Gmail

I’ve been a Gmail user since its beginning in 2004. Unlike Yahoo! email, Gmail has historically done an exemplary job of blocking spam and phishing.

Until this year.

New forms of phishing are evading Google’s filters: the first is what I call the “invoice scam,” where the sender emails an attachment claiming to be an invoice. I surmise that either the attachment has malware embedded in it, or they are hoping that I will pay the invoice by sending money to who-knows-where.

Another form of phishing I’m seeing a lot (several each day) are emails in which the entire contents of the message is a single image. The image claims to originate from a major retailer such as Home Depot, Ace Hardware, and others. I’m told that I have been selected to win a product of some sort. Like the invoice scam, I’m certain that clicking the image will take me to a watering hole attack, a page where I’ll be asked for login credentials or payment information.

I don’t doubt that Google will figure out how to block these types of phishing messages. But the senders are not going to give up so easily. We must continue to be on our guard and practice the principles of incoming emails:

• Be wary of emails from people you don’t know.
• Be wary of emails from people you DO know that are out of character.
• Confirm the message through independent means (NOT a reply).
• Do not be curious and click, just to see what happens next.

Crypto Purchase Scam

Over the past three weeks, I’ve received several invoices through PayPal for alleged purchases of cryptocurrency. One such invoice is shown here.

Recent PayPal invoice

I don’t have a PayPal account, and I have not been in contact with this seller, so my natural inclination is to consider this a scam.

The email actually originated at PayPal, per the SMTP and DKIM headers, and the View and Pay Invoice link actually goes to paypal.com.

Protect your Black Friday and Cyber Monday shopping with a quick PC tune-up

Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

Note: If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

Include safe computing in your list of New Years Resolutions

The New Year is a time of reflection, and traditionally a time to consider changing one’s habits.

Our reliance upon computers and networks has exceeded our means to safely use and control them. Every computer user has some responsibility to make sure that their computer and use of the Internet does not introduce unknown and unwanted risks. By following these recommendations you will greatly reduce your risk to fraud, identity theft, and other risks related to Internet usage.

1. Change your passwords. Use strong passwords, which cannot be easily guessed by others, even those who know you. Do not share your password with any other person. If needed, store your passwords in a protected vault such as Password Safe or KeePass. I recommend you not use an online vault for password storage: if their security is compromised, so are your passwords.

2. Scan for Viruses and other malware. Configure your anti-virus software to scan your entire computer at least weekly. Make sure that your anti-virus software is checking for updates at least once per day. Also scan your computer with one of several online virus scanners at least once per month.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)

Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro: http://housecall.trendmicro.com/

Kaspersky: http://www.kaspersky.com/virusscanner

CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

3. Block spam, and don’t open spam messages. The majority of spam (unwanted junk email) is related to fraud. Spam messages advertise fraudulent or misleading products, or lure you to websites that contain malware that will attempt to take over your computer (without your knowing it) and steal valuable information from you.

4. Get a firewall. If you use Windows, turn on the Windows Firewall. Ask your broadband service provider to upgrade your modem/router to one that contains a firewall (most newer modems / routers do have firewalls or other similar protection).

5. Remove spyware. Obtain a good anti-spyware program and use it to find and remove spyware from your computer.

6. Update your software. Obtain up-to-date copies of browsers and tools on your computer, as many older versions are no longer secure. This includes Firefox, Internet Explorer, Opera, Microsoft Office, OpenOffice, Java, and other programs.

7. Install security patches. If you are using Windows, turn on Automatic Updates, and configure it to automatically download and install security patches and updates.

8. Use separate accounts on shared computers. If more than one person uses your computer, set up separate accounts for each user. Make each user an ordinary user or power user, but never an administrator. Making each user an administrator makes the entire computer more vulnerable to malware (viruses, etc.).

9. Browse Safely. Change to Firefox and use the NoScript add-on. This is the only combination designed to block the new “clickjacking” vulnerability present in all other browsers. Also consider using Flashblock (works only with Firefox) if you want to control the use of Flash content in your browser.

10. Protect your wireless WiFi network. The old an still-common “WEP” protocol designed to encrypt your wireless traffic has been broken, and is no longer safe. Upgrade to WPA, even if it means buying a new wireless access point.

11. Back up your data. All kinds of bad things can happen, from mistakes to hardware failures. If you cannot afford to lose your data, then you need to copy it to a separate storage device. External hard drives and high capacity USB thumb drives cost well below US$100. You’ll be glad you did, sooner or later.

12. Encrypt your hard drive. Mostly important for laptop computers, but also important for desktop computers. The TrueCrypt tool is by far the most popular one available, and it’s free. If you don’t encrypt your data, then anyone who steals your computer can (and will) read all of your private data.

13. Check your credit reports. Fraud and identity theft can result in thieves opening new credit card and loan accounts in your name. They run up a balance and then never pay the bill, making that your problem instead. Consider a credit reporting service as well, which will alert you to inquiries and changes to your credit accounts, limits, and balances.

Annualcreditreport.com

Federal Trade Commission information on free credit reports

Equifax

Experian

Transunion

Recommended Tools:

Secunia Personal Software Inspector – free tool that examines your computer and alerts you to all of the unpatched and older versions of programs that need to be upgraded.

Password Safe – safe and secure storage of all of your Internet passwords. Also remembers userids and URLs.

NoScript – the only way to control third-party javascript and clickjacking. Works only with Firefox.

TrueCrypt – safe and free encryption of your PC’s hard drive.

ETrade: phishing or not?

Financial institutions are very in tune with the phishing threat and how it can damage their brand.

Or are they?

I received this e-mail from ETrade yesterday.  I’m a security expert and I recognize spam and phishing. I had to look this one over a few times to distinguish whether it was real or not.

This isn’t helping customers. Instead, it’s training them to respond to *real* phishing mail by making phishing and real messages indistinguishable.

Here is the spam – um, I mean, e-mail:

* * *

Special Pricing Expiration Notification

Your discounted commissions on stock and options trades will expire in 7 days.

You can still get extraordinary value when you trade with E*TRADE. We customize our commissions(1), making it easy to qualify for our best pricing.

If you have any questions, please call 1-800-ETRADE-1 (1-800-387-2331) or log on to your account at http://www.etrade.com and contact us through the Help Center.

View our current commission schedule (https://us.etrade.com/e/t/estation/pricing?id=1206010000)

PLEASE READ THE IMPORTANT DISCLOSURES BELOW

1. For details and additional information about our trading commissions and options contract fees, please visit http://www.etrade.com/commissions.

(c) 2007 E*TRADE Securities LLC, Member NASD/SIPC (http://www.sipc.org). All rights reserved. The information contained in this Smart Alert does not constitute a recommendation by E*TRADE Securities, and is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=1209038000) and the E*TRADE Securities Customer Agreement (https://us.etrade.com/e/t/estation/help?id=1209031000). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000).

New spam: forwarded mail?

Starting on August 28, I’ve been getting tons of email from people I don’t know, and I wasn’t in the recipient list either.  Among the messages I received were the usual e-mail messages to groups of friends as well as e-mail from websites.  Yesterday I saw a pattern when two specific recipients’ e-mail addresses were always in the To: line.

I conducted a short experiment: I created email messages to each of the two recipients, and voila, those messages ended up in my inbox!  In both cases, the user accounts were changed to forward all e-mail to me.

Is this a new type of spam, or just coincidence?

In both cases I have sent e-mail to abuse@<domain> asking them to turn off the forwarding.  We’ll see what happens.

ETrade teaching its customers to respond to phishing scams

ETrade is teaching its users to respond to phishing scams. I am an ETrade customer, and last week they sent me the message below.

ETrade isn’t helping its customers by sending messages like this, because it makes it all the more difficult for customers to distinguish genuine messages from phony ones.

* * *

Thu Mar 13 14:48:00 2008 – Account Service Fee
Dear PETER ,

Account #: XXXX-nnnn

On 03/26/08, your E*TRADE Securities account will be charged a $40 Account Service Fee (ASF) (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXXX).
If your account does not have enough funds to pay for the fee, E*TRADE Securities may sell securities in your account to cover the charge.
If you have questions about your account, call 1-800-ETRADE-1 (1-800-387-2331) or send a secure e-mail through the Help Center (https://us.etrade.com/e/t/estation/help?id=1203000000). (To call from outside of the U.S., dial +1-678-624-6210).
Learn how to avoid incurring an Account Service Fee (https://us.etrade.com/e/t/estation/pricing?id=XXXXXXX)

Review all the ways you can deposit money (https://us.etrade.com/e/t/estation/help?id=XXXXXXXXXXX)
PLEASE READ THE IMPORTANT DISCLOSURES BELOW
The E*TRADE FINANCIAL family of companies provides financial services that include trading, investing, cash management, and lending.
Securities products and services are offered by E*TRADE Securities LLC, Member FINRA(http://www.finra.org/)/SIPC(http://www.sipc.org/).

(c) 2008 E*TRADE FINANCIAL Corp. All rights reserved. The information contained in this Smart Alert is subject to the Smart Alerts Terms and Conditions (https://us.etrade.com/e/t/estation/help?id=XXXXXXXX). We cannot respond to e-mails sent to this mailbox. If you have questions, please contact us through the Online Service Center (https://us.etrade.com/e/t/accounts/servicecenterhome).

* * *

Fraudulent Microsoft Update

There is lots of activity around an email and a fraudulent Microsoft Update web site (that the email directs you to), claiming that there is an urgent Microsoft update.

The web site looks like a legitimate Microsoft site and contains an “Urgent Install” button that, when clicked, attempts to download and install malicious software on your system. The file that attempts to download is not signed by Microsoft and is called “WindowsUpdateAgent30-x86-x64.exe”.

This web site is using fast flux DNS for its web hosting. That make it hard to track and close down, so we expect it to be around for awhile.

Please advise your users, if they receive this type of email, they should just delete it. Microsoft does not distribute updates by sending emails directly to individuals or distribution lists.

Credit to NW WARN for the contents of this advisory.

Beware the latest IRS phishing scam

U.S. taxpayers will almost certainly fall victim to the latest IRS tax refund phishing scam. I received one in my spam trap this morning. The message reads:

“After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $134.80.

Please submit the tax refund request and allow us 6-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, click here.

Regards,
Internal Revenue Service”

The message contains an authentic IRS logo, but of course the website is phony. Here is an image of the message (click on it to see a full size view):

When you receive messages like this that claim to be from a government institution or financial institution, it’s probably a phony. The best thing to do is mark the message as spam and delete it.

How Spammers Get E-Mail Addresses

Submit:

Some of the tools and sources employed in harvesting e-mail addresses from the Web include the following:

• Web spiders
• Newsgroups
• Groups, blogs, and discussion boards
• Test messages
• Unsubscribe links
• Malware
• Unsubscribe requests
• Buying and stealing addresses

Read entire article here

Learn more about blocking spam and spyware here

Learn more about blocking viruses here 

Five ways to block spam

Submit:

There are five fundamental ways to block spam. Which you choose will depend upon your organization’s architecture and business needs.

1. On the desktop. Many of the anti-virus vendors have spam blockers that integrate with Outlook, Eudora, etc. e-mail clients. This is one of two options available for home users. Pros: quarantine is local to your system, and you don’t have to depend on enterprise configurations. Cons: consumes resources on your PC, doesn’t scale for enterprises.

2. On the e-mail server. Many spam-blocking programs are available that run right on your Exchange or Notes server. Pros: installs on your e-mail server – no additional servers needed. Cons: all the spam still hits your e-mail server.

3. A spam-blocking appliance. These appliances terminated your inbound e-mail connections and filter out the spam, so that only clean e-mail reaches the e-mail server. Pros: shields your e-mail server from spam, freeing up cycles and disk space. Cons: another appliance to maintain.

4. Spam blocking service. Your e-mail is directed to the service, which filters the spam, and forwards to your e-mail server only clean e-mail. Pros: spam never touches your network, freeing up network bandwidth. Cons: physically located elsewhere.

5. Filtered by your e-mail provider. The large providers such as Yahoo, Gmail, AOL, and others filter spam so that only clean e-mail reaches your inbox. This is the other option available for home users. Pros: done for you automatically.

All of the above solutions can provide a “quarantine” whereby users can examine blocked messages, in the event they are missing some inbound messages that may have been blocked.

Read more in Blocking Spam and Spyware For Dummies