Category Archives: Computer Safety

Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some really large companies. He didn’t make a single dime from his activities; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, part of it served in solitary confinement because the judge was convinced Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed high-tech means of hacking (using software to force his way into a system) in favor of low-tech hacks: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information simply by talking to them.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) All of this information can be used to steal your identity. It gives a would-be thief enough detail to sound like someone who already knows you, which is exactly what it takes to talk you into revealing the rest, and it is also the kind of detail that password-reset “security questions” ask for.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.

Video Dispatch: Twitter Phishing

Clicking links on Twitter can be hazardous. Fake links can lead to malware or sites designed to steal your password. Additionally, cybersquatters posing as your credit union or bank may attempt to get you to reveal personal identifying information. Keep your guard up; there are some real dangers hidden among all that pointless babble.
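Here is an added example, not code from the original post, of the kind of check a practitioner would run on a link before trusting it: it flags hosts that merely resemble a legitimate domain (a typo, a look-alike character, a wrong top-level domain, the real name buried inside a longer hostname, or the real name placed before an “@”, which browsers treat as a username rather than the site) and separately flags shortened links, which hide their destination entirely. The trusted domain, the shortener list and the sample links are constructed for illustration; substitute your own institution’s real domain.

```python
"""Lookalike-link triage (added example; not from the original page).

Classifies a link as 'trusted', 'lookalike', 'shortened' or 'unknown'
relative to a list of domains you actually trust.
"""
from urllib.parse import urlparse

# Assumption: replace with the real domain(s) of your own institution.
TRUSTED_DOMAINS = ["example-cu.org"]

# A few real URL shorteners; a shortened link hides where it really goes.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd"}

# Character swaps squatters use because they look alike in many fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "l": "i", "rn": "m", "vv": "w"}

# Constructed sample links (none of these are real sites).
SAMPLE_LINKS = [
    "https://www.example-cu.org/login",
    "http://example-cu.org.account-verify.net/",
    "http://examp1e-cu.org/",
    "http://www.example-cu.org@evil.com/",
    "http://bit.ly/abc123",
    "https://www.wikipedia.org/",
]


def normalize(label):
    """Fold look-alike characters so 'examp1e' and 'example' compare equal."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Return (hostname without a leading 'www.', whether userinfo was present)."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, "@" in parts.netloc


def classify(url, trusted=TRUSTED_DOMAINS):
    """Heuristic verdict for one link: trusted, lookalike, shortened, unknown."""
    host, has_userinfo = host_of(url)
    if has_userinfo:
        # http://www.example-cu.org@evil.com/ really connects to evil.com.
        return "lookalike"
    if host in SHORTENERS:
        return "shortened"
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
        name_t = t.rsplit(".", 1)[0]     # 'example-cu'
        name_h = host.rsplit(".", 1)[0]  # everything before the last label
        if t in host or name_t in host:
            # Real name buried in a longer host, or with the wrong TLD.
            return "lookalike"
        if normalize(name_h) == normalize(name_t):
            # Look-alike character swap: examp1e-cu.org
            return "lookalike"
        if edit_distance(normalize(name_h), normalize(name_t)) <= 2:
            # A one- or two-character typo of the real name (heuristic).
            return "lookalike"
    return "unknown"


def triage(links):
    """Map each link to its verdict."""
    return {link: classify(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

The rules are deliberately strict in the “lookalike” direction: a false alarm costs you a second look at the address bar, while a miss costs you your password. Note that “unknown” is not “safe”; it only means the host does not resemble a domain on your trusted list.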

Note: Videos hosted on YouTube contain links to other video content, which will play on the current page if clicked. REGIONAL Federal Credit Union is in no way affiliated with or responsible for this content and has no control over videos or advertisements that may be linked from our video content.

Facebook IQ Tests: Yes, they’re a rip-off

I did a couple of presentations to some eighth graders this past Monday on the topic of common email scams, like lottery and mystery shopper schemes, and on having their parents check their credit reports to make sure nothing unexpected shows up.

I was surprised at how many of them had already encountered these emails, and I hope my message got through.

Another topic came up, however, during the Q&A portion of the presentations: those IQ tests that always show up on Facebook.

This isn’t the “Which Variety of Traditional German Sausage Are You?” tests. (Knackwurst, by the way, in case you’re wondering.) I’m talking about the IQ tests that appear as banner ads, with a few of your friends’ photos and the “score” they allegedly received, challenging you to beat them.

My quick advice is: don’t even click on those links. End of story.

The longer answer is this: if you click the link, it will take you to a website (not affiliated with Facebook) that asks you for your cell phone number, allegedly to text you your score. What it’s actually doing (if you read the fine print) is signing you up for a “service” with a monthly fee of $29.99, billed through your cell phone account. Then you take an idiotic IQ test, which is not even a little bit official, and wait until the charges show up on the phone bill.

I guess it’s not technically a scam, since you’re told (in very tiny text) that it will charge you, and I guess you’re signing up for something (though I’m not sure what). However, it’s sort of a dirty trick, if you ask me. These ads are aimed at teenagers, most of whom aren’t going to read the fine print.

This was the only real disconnect I had during the presentations. Some of the kids apparently believed that their parents wouldn’t mind paying an extra $360 per year for their kids’ cell phones. “It’s only a dollar a day,” one protested. Tough crowd. “Is this thing on?”

Yeah, it’s only a dollar a day. For a one-time IQ test that is in no way official and is not administered by a professional. I tried to emphasize that just because it’s on Facebook doesn’t mean you should trust it, and that these tests are essentially idiotic, but in the end had to admit to them, “Hey; it doesn’t matter to me if you want to get ripped off to take an idiotic test. If you think your parents will be thrilled to pay an extra $30 per month in this economy just so you can get your fake IQ score, then have at it.”

I think that might have woken them up a little. There was a short “I’m still processing what you just said, and realizing that you’re probably right” silence. I took that as a good sign.

All in all, a successful presentation, I think.

More information about fake virus scan pop-ups: what the FTC has to say

Today I was checking out some articles at FTC.gov, and I came across a good one called “Free Security Scan Could Cost Time and Money.”

The article dates back to December 2008, but it’s still relevant. It covers the same basic topic as my post “Fake Virus Scan Pop-Ups” from a couple weeks ago, with some additional information I thought it would be wise to share.

For example, this article also says that when a window pops up offering a “free security scan” or telling you that “malicious software” or (for maximum scare value) “illegal pornography” has been found on your computer, you should not trust the “Cancel” or “No” buttons on that pop-up window, since they usually do the same thing as the “Scan” or “Yes” buttons. However, they also give you specific directions, which I did not do in the previous article:

If you use Windows, press Ctrl + Alt + Delete to open Task Manager (Ctrl + Shift + Esc opens it directly), select your web browser, and click “End Task.” If you use a Mac, press Command + Option + Esc to open the “Force Quit Applications” window and quit the browser from there. Either way, you are closing the browser from outside the web page, so nothing inside the page gets a chance to run.

The article further warns you, “Make it a practice not to click on any links within pop-ups” (my emphasis), which I think is pretty good advice.

There is one paragraph I disagree with (or, more accurately, only-sort-of agree with) in the FTC article:

If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up.

I only take issue with this advice because, in general, I feel that if you’re getting an offer at all, it’s probably not legitimate, so don’t bother wasting too much time on a search.

Norton, McAfee and Kaspersky are going to advertise on the Internet, obviously. However, they’re never going to do it by running one of these pop-up traps, and a real advertisement never claims to have already scanned your computer. If you’ve got a “free scan” or “clean your registry” window that you didn’t ask for, you’re looking at a scam. I’d consider that a zero-tolerance policy if I were you.

If you truly feel like an offer might be legit, go ahead and do a quick search on it. However, my first reaction is to not trust any offers that I wasn’t looking for in the first place. If you were looking for security software to begin with, it’s a different story; obviously, Symantec’s website might have special offers on it from time to time, since they’re the actual company that produces the Norton line. It’s when you’re looking for the latest Hollywood scandal photos that you’re going to run into trouble.

How to avoid spyware and adware

I’ve said before that I don’t have the tech chops to get into an extremely detailed description of computer security issues, but I think it’s important to at least understand the basics. The minutiae of VBS or C++ programming don’t matter for our purposes here as much as the following facts:

  1. There is a lot of malicious software out there
  2. It is important to know how to recognize it and how to avoid it
  3. It is important to keep your security software updated, and to make sure it is legitimate software from a trusted source

Let’s dive right in. Warning: this is one of my longer posts.

Basic Definitions

Malware: This is sort of an “umbrella term” for software intended to harm your computer. It includes (but is not limited to) spyware, misleading adware, viruses, worms and trojan horses.

Spyware: This is a term for software that, in some form, sends information from your computer to another entity without your consent. This information can be anything from words typed into search engines (e.g. Google), websites visited or even keystrokes. Spyware can pose a serious identity theft risk, as it can relay financial account information (account numbers and passwords) to a third party.

Adware: Adware is software that displays advertising in some form. Not all adware is necessarily malicious (the free version of the Eudora email client contains benign adware), but sometimes it is. Often, spyware and adware are bundled together.

How Spyware and Adware Infect Your Computer

Some spyware is intentional. Some companies install keyloggers on their computers to keep tabs on employee computer use. I’m just guessing, but I’ll bet every letter you type into an FBI computer is logged.

However, the spyware I’m talking about is the kind that installs itself on your computer without your knowledge or consent. These programs can install through a variety of channels. Some of them are:

Drive-by downloads (sometimes loosely called a “backdoor”): These programs exploit “holes” (unpatched vulnerabilities) in your web browser, its plug-ins or your operating system. You can become infected simply by visiting a website that has been set up to install malware, and you probably won’t even know it at the time. Keeping your browser and operating system updated closes most of these holes, which is why those update prompts matter.

Piggybacking: Sometimes software you want is bundled with software you might not want. Adware often shows up in this form, but other malware uses this method as well. I mentioned the free Eudora email client earlier. This is pretty benign adware—in return for not paying for the full version of the software, you put up with some banner ads, from which the software company earns revenue. However, you’ve also got examples like Bonzi Buddy, which was designed to appeal to children (and secretly send information about their web browsing habits to a third party). Bad scene.

Trojan Horses: A trojan horse is software that poses as useful or desirable software, but is actually spyware, adware or other malware. Some of the most common examples right now are Fake Virus Scan Pop-Ups, which I talked about a couple weeks ago. While visiting a website, a window pops up with a frantic message telling you that your computer is infected with a virus, and to click “OK” to run a scan now. This downloads software, some of which may actually even look like a real virus scanner, that can wreak havoc on your computer, to say nothing of the financial threat it could pose if it contains some really nasty spyware. I want to touch on a few examples of trojan horse software here:

MS Antivirus: This is a fake virus scanner that can disable your real antivirus and anti-spyware programs. Other than that, it’s mostly just annoying, but turning off your security software opens the door to all kinds of other infections. MS Antivirus goes by about a million different names, and it is constantly being updated to evade detection by legitimate security software, which just illustrates the importance of keeping your antivirus software updated. Pay for the subscription. It is worth it.

No-Adware: This was a trojan horse designed to confuse you with a name similar to Ad-Aware, which is a legitimate product. No-Adware is supposedly no longer considered “rogue” software, but you know what? I still haven’t forgiven them.

Tattoodle: This is an application that usually gets installed (intentionally) through Facebook. I don’t know yet if it’s malicious or just annoying, but I don’t think I care: it changes your browser’s homepage, makes itself difficult to remove and its logo is designed to make you think it’s related to Google. If it looks like malware and acts like malware, I call it malware. Just my opinion.

What To Do About Spyware and Adware

Sometimes spyware doesn’t have a whole lot of symptoms. A sudden increase in popup advertisements, constant frantic popups that claim your computer is infected, or just a sudden decrease in system performance can all be signs of a malware infection. I suppose having your identity or financial account information stolen could also be signs, but we’re not going to let it get to that point, are we?

First and foremost, it is of vital importance to install good antivirus and anti-spyware software, and to keep this software updated, even if that means paying for a subscription every year. Second and also foremost, it is vital to make sure this software is the real thing. Here are what I think of as the “Big Three” real, actual, non-malware computer security programs, along with some other software:

Norton: This is what I use. It currently comes in three versions for home users—AntiVirus, Internet Security, and 360, which range in price from $39.99 to $69.99 (although I’m pretty sure 360 is normally $79.99). As with all security software, you also have to subscribe to the updates every year, but it is well worth it.

McAfee: The Pepsi to Norton’s Coke, McAfee is another good one. It’s not my favorite, but I think that has to do more with the look and feel of the software than its actual functionality. As of this writing, its home computer versions range from $29.99 to $39.99, so it’s definitely more of a “budget” option. It works fine, though.

Kaspersky: This one actually originates from Russia. It is excellent antivirus software, and I’m pretty sure at one point years ago it was absolutely free to download and update. Alas, you have to pay for it now; prices are similar to Norton, ranging from $39.95 to $79.95.

Spybot Search & Destroy: This is free software that I highly recommend. It is not a replacement for any of the three antivirus products above, as it only concentrates on spyware and adware, but it is a great little backup program to have on hand. You’d be surprised how much potentially harmful stuff slips past your antivirus software. Beware of trojan horses with similar names—only get it from the website I’ve linked here.

Ad-Aware: This is similar to Spybot Search & Destroy. There is a free version still available, but you can also buy software from their site. To be honest, I haven’t used this one in a long time. Again, beware of imitators.

One final word on avoidance: I think there are certain types of websites that tend to contain more malware than others. You’re mostly safe when it comes to the giant corporate sites like Amazon, but I would never suggest you stick only to huge corporate sites.  You miss out on the whole democratic, DIY side of the Internet if you do that.

However, any time you’re viewing sites that offer pirated software, movies or music, or sites that appeal to the…ahem…prurient interests, you’re going to run into a lot more malware, especially in the form of trojan horses, than you might otherwise. So my advice is to go forth and browse, have fun and don’t be afraid to venture outside the “mall,” but try to avoid the seedy side of town.

Fake virus scan pop-ups

I don’t normally write a lot about specific computer-related issues, mostly because I don’t have the technical chops to really get into a lot of detail.

However, there is something I feel needs to be addressed: fake virus scanning software.

Have you ever gone to a website and had a realistic-looking window pop up, telling you that your computer has been infected with a virus? Usually, it will tell you to “click here” to run a “free virus scan.”

That pop-up was a scam. If you “click[ed] here,” it very likely installed some form of spyware or adware onto your computer instead of scanning anything.

These are nasty programs. At best, they can annoy you by hijacking your homepage, so that when you open a web browser, some weird “search” page appears that logs every single thing you search for and spams you accordingly. It can lead to constant pop-up advertisements, misdirection to fake websites, and more.

At worst, they can install spyware, such as a keylogger that tracks every single thing you type on your computer, including logins and passwords. Big trouble if you happen to log in to do some online banking or bill payment.

When these fake virus scanners show up, there is always a button to “cancel,” but frankly, I don’t trust it. It could be set up to do the exact same thing as the “Install” button. I always click the “X” in the upper-right corner of the window. Keep in mind, though, that the “window” is often just a picture drawn inside the web page, so the X in its corner is a link like any other button on it. The safer move is to close the whole browser tab or window using the browser’s own controls, not anything inside the page.

Then I shut down my web browser, disconnect from the Internet and run an immediate virus scan, because I also don’t really trust that “X” I just clicked. Perhaps I am overreacting, but spyware freaks me out. Better to overreact than to give someone access to my online accounts.

If you already have a good virus scanner (I use Norton Internet Security) and are keeping your updates current (and I know you are, right?), they usually run pretty silently in the background. They might throw out a pop-up window if you’re heading straight into serious trouble, but it won’t look like just a regular “Windows window,” and it won’t ask you to install anything (you’ve already installed the software) or talk about “free trials.”

No matter what brand of virus protection software you’re using, I would also highly recommend Spybot Search & Destroy. This is a program designed specifically to target spyware, adware and other malware. Most likely, your primary virus scanner will catch everything, but it never hurts to have a little backup. Spybot S&D is free, but beware of software with a similar-but-not-quite-the-same name. I’d recommend you only get it from the site linked above.

Whatever you do, don’t be taken in by fake virus scanners.