Tag Archives: Computer Security

How to make sure you’ve got the latest version of Java (Windows users)

According to the excellent website Krebs on Security, a new Java exploit is set to go completely mushroom cloud on computers worldwide with outdated Java installations within the next few days.

The BlackHole Exploit Kit is used by cybercriminals for purposes various and nefarious, and is currently the most common web threat around. However, we won’t go into too much detail here about the malware itself. Instead, let’s talk about how to keep your Windows-based computer safe.

The first thing you need to do is find out if you have Java installed on your computer at all, and which version you’ve got. The easiest way to accomplish this task is to visit java.com and click the “Do I have Java?” link. This takes you to a page with a big “Verify Java version” button.

Click the button and the site will tell you if you’ve got the recommended version of Java installed, which currently (as of July 6, 2012) is either Version 6 update 33, or Version 7 update 5. If it tells you to update, follow the on-screen instructions.

(If your computer is set up like mine, your web browser will ask you for permission to run the Java content on this page. At this point, you’ll know you’ve got it installed, but you still need to verify which version you’ve got. Click the “Run this time” button when prompted, and it will let you know if you have the recommended version.)

What if the site says you don’t have Java installed? Should you install it?

Naturally, the java.com website will suggest you do, but if you’ve been using your computer without it so far, I’d recommend not installing it at all. Java is currently the most popular channel through which exploits like the BlackHole pack are used, and new security holes are discovered all the time. If you’ve come this far without Java, there’s really no good reason to install it.

If you’ve got Java installed and want to keep it (there are still some websites that rely on it), make sure you’ve got the software set to check for updates at least once a week, but I recommend taking it a step further and checking daily. Here’s how.

1. Click the “Start” button, then select “Control Panel.”

2. Find the “Java” icon in the Control Panel window and double-click it.

 

3. Click the “Update” tab, then the “Advanced” button.

4. Select “Daily” and check what time of day it will check. I left mine on 11:00 PM. Click “OK.”

5. Click “Apply” and “OK.” You’re done!

Note: if the updater detects that a new version of Java is available, most of the time you’ll have to manually install the update. Your computer will prompt you when it’s time.

The “Slow Computer” Scam

Does your computer seem to be running slower lately?

You’re not alone. Over time, computers tend to get bogged down. For example, you install a piece of software to accomplish some task you only perform every now and then, but the program requires that a component of itself be running in the background at all times. Or you upgrade your antivirus software—the new version does a better job of filtering out malicious software, but it also needs more system resources to do its job.

Perception also plays a role—the “new” wears off a computer pretty quickly, and what seemed like blinding speed a year ago now feels like you’re trudging through treacle every time you want to fire up a web browser, even if the machine is running just fine.

The net result is that a lot of people think, “Hey, this thing isn’t running as fast as it used to—something must be wrong!” Enter the Slow Computer Scam. It generally targets seniors, but anyone with a computer could fall for it.

It begins with a phone call from a stranger who claims to work for Microsoft. The caller tells the victim that the company has received notification that their computer has been running slowly or is infected with spyware, viruses or other problems.

At this point, if the victim agrees, the call will go one of two directions. In the first variant, the victim is instructed to go to their computer, then fed step-by-step directions by the caller that are supposed to fix the problem. What is actually happening is the victim is handing over control of their computer to a criminal, allowing them to search for files containing personal information, install spyware designed to harvest any data the victim enters, or link the computer to a botnet used to transmit data for organized criminals.

In the second version, the victim will be told that the caller can fix the problem, but only for a fee. They will be instructed to use Western Union to wire a few hundred dollars as payment.

There is a recent double-dip version in which the scammers call the same victim again a few weeks later. This time, they inform the victim that they are from Dell (or whoever manufactured the victim’s computer), the earlier call from Microsoft was a scam, and that their computer was infected with malware by the scammer. They offer to fix the computer for a fee of several hundred dollars, again to be wired via Western Union.

This may be one of the easiest scams to recognize. If your telephone rings, and someone is on the line telling you that there’s something wrong with your computer, that’s your cue to hang up.

Microsoft does not have a giant control room that keeps tabs on the performance of every computer in the world. Nobody is sitting at a monitor going, “Whoa. Some guy out in Indiana has a slow computer. Perkins! Get on this!”

The same goes for Dell and other computer hardware manufacturers—they don’t have a giant database of who owns their computers or how they’re running. If there’s a problem with your hardware or software, or if your machine is infected with malware, it’s basically on you to figure it out and fix it.

There is also no scenario in which Microsoft, Dell, or any other tech company is ever going to require payment via Western Union. Keep your antivirus software up-to-date, and when a stranger calls to tell you there’s a problem with your computer, hang up.

Having a dedicated computer for online banking

Here’s a great idea that doesn’t get talked about enough: having a computer you use only for online banking and other financial activities, and a different computer for games, music and general Internet usage.

It seems like an expensive route to have two separate computers, but think about it—your financial machine only has to be just powerful enough to handle an operating system, an Internet connection and a web browser. You don’t need massive amounts of RAM or a great (or even particularly good) video card. You could probably even find a used laptop running Windows XP (if you’re a PC user; however I would not recommend Windows Vista) if you poke around. Install your antivirus software and Mozilla Firefox with the NoScript plugin, and you’re ready to go. I would also recommend setting up a separate email address for anything related to finances, and only check it with your financial computer.

What this does is keep your financial activities separate from everything else; you’re not likely to encounter malware by logging in to your credit card provider’s or financial institution’s website. In the meantime, if you run into malware trouble on your “fun” computer while mucking about on the Intertubes, the damage will be limited. Your banking passwords won’t get snagged by a keylogger you picked up on an infected website, even if your Facebook password does.

Of course, buying a separate computer is going to cost money whether you go new or used, and in any case you have to keep your security software up-to-date on both machines. It’s not an option for everyone. However, if you can swing a few hundred bucks for a dedicated banking computer and some good security software, it’s just one more layer of protection.

Online security: teach your children well.

I don’t have any kids yet, but I know a few people who do.

Okay, so I know more than a few. I know many, and almost all of them have something in common: their computers are constantly being infected with viruses, trojans and other types of malware. I’m not talking about the occasional adware popup or tracking cookie—these machines are usually just crawling with malicious software.

There’s sort of an old myth that your twelve year old is always going to know more about the computer than you. Perhaps this is true when it comes to first-person shooters and making goofy videos, but kids don’t know everything about computers, and security is one of those areas where they generally seem to lack the fundamentals.

Of course, they’re invincible, too. There’s always that. Ask them sometime: “Is it even possible that you might run into a virus on the Internet?” They’ll probably look at you like you’re an idiot. Again.

But it happens, and it seems to happen a lot. You’ve got to educate your kids about malicious software, because a keylogger doesn’t care who downloads it; it’s going to send login and password information, whether it’s to a Facebook profile (bad news) or your financial accounts (worse).

First, if you’ve got kids using the Internet, try to keep an eye on them at least some of the time. Since this is impossible, though, make sure you’re using Firefox with the NoScript plug-in. No Internet Explorer! There are more holes in that browser than a hunk of Swiss.

Secondly, learn about the various dangers yourself, and make sure you warn your kids. No kid is going to be able to resist “lol is this you?” or “lol funny video” followed by a shortened URL, unless someone tells him that such links lead only to malware.

Thirdly, obtain the burliest antivirus and firewall software you can afford, and pay the money to keep it updated. This is vital anyway, but if you’ve got kids clicking a mile a minute on Facebook and Twitter, you really need to take maximum precautions.

I suppose you could try to limit your kids’ access to the Internet, but you could also try to wrestle a grizzly bear while you’re at it. Good luck with that one.

Finally, consider getting your own computer or laptop that the kids aren’t allowed to even touch, and use that one for business and banking. At least your accounts will be safe(r), assuming you’re taking the necessary precautions on this computer as well.

Okay, does this post officially put me in the “old person complaining about young people” camp? It does sort of have that “I tell ya, the kids today, with their Facebooks and their Twitters” flavor, doesn’t it?

I don’t know, but I know it’s important to get your kids hip to the dangers of malware as soon as you can. Your own financial security may depend on it.

Ransomware: It’s a fake virus scanner, only more violent.

Last September, I wrote about fake virus scan pop-ups that you sometimes encounter while using a web browser, sometimes known as “scareware.”

What I didn’t cover was a class of malicious software known as “ransomware,” the fake virus scanner’s more violent cousin. The difference?

  • Scareware: tries to trick you into purchasing useless software and probably installs spyware, adware and other malware.
  • Ransomware: poses as a virus scanner, but locks up your computer and forces you to purchase useless software to unlock your computer. Also likely installs a bunch of other malware, in addition to the fact that you’ve just given criminals your credit card number.

It’s kind of the difference between a con artist and a mugger, I guess.

There’s no real way to tell offhand whether a fake virus scan pop-up window is scareware or ransomware. It doesn’t really matter—you don’t want it either way. The same rules for prevention apply in both cases.

Both start the same way: you visit a website and a window pops up that tells you your computer is infected with a virus. The pop-up almost always has an “OK” and a “Cancel” button. Do not click on either of these, because they both install the malware.

You can click on the “X” in the upper-right corner of the window, but I don’t even like to do that. I use “CTRL-ALT-DEL” to force the browser to close. I think the Mac version of “CTRL-ALT-DEL” is “Command-Option-Escape.”

After I’ve shut down the browser, I run a virus scan and a spyware scan. It’s sort of a pain and it takes a while, but too many people value convenience over security, and they end up paying for it. There are very few instances in which it’s not possible to find something else to do while your virus scanner runs. You don’t have to be on the Internet 24/7, you know.

Now, I’m not one to tell anybody what brand of web browser to use, but I will say one thing on the topic: since I switched from Internet Explorer to Firefox with the NoScript plug-in, I haven’t had a single scareware window pop up. I’m not telling you what to do. I’m just sayin’.

Also, I know it costs money, but you cannot afford not to do it: install some good antivirus software, keep it updated and keep your subscription current. Norton, McAfee, Kaspersky; I don’t care which one you use, just use something. No, it’s not super cheap, but if you’d rather shell out $79 to unlock ransomware than spend $69 on actual protection…well, in that case I think there’s just something the matter with you.

Finally, for an extra level of protection, install the excellent (and free!) Spybot Search & Destroy. Yes, right now. There is one annoying thing about this software, though, and it’s Microsoft’s fault: in Windows Vista and Windows 7, in order to run S&D properly, you can’t just click on the icon. You have to right-click the icon and select “Run as administrator.” You won’t be able to actually remove anything if you skip this step.

There’s a recent story about ransomware at MSNBC, with a video that shows the malware in action (and actually shows you how to unlock it with hacked registration codes).

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message making its way around the web the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Hey,
Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.

Thanks

The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in these messages will be hosted at Facebook.com, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook was a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.

Email security: apparently, the “Preview Pane” isn’t instant death after all.

Several years ago, some nasty worms made their way around the Internet, spreading via email.

Some of these could apparently install themselves and propagate simply by viewing an infected message in Microsoft Outlook’s “Preview Pane.”

The Preview Pane is a quick way to view emails, in case you’re out of the loop here. When you open your version of Outlook or Outlook Express, if there are only two columns, that means you’ve got the Preview Pane turned off. You have to double-click any messages you want to read.

If the right-hand column (where new message subject lines appear) is divided horizontally, and you can view the contents of a message in the lower section simply by single-clicking on the message in the top window, you’ve got Preview Pane turned on.

Anyway, after these viruses caused a moderate amount of trouble (and a whole lot of panic), the call went out: whatever you do, never turn Preview Pane ON!

Well, that was several years ago, and occasionally things do get fixed when it comes to software. Basically, if you’re running Outlook 2003 or any later version, or are running Windows XP with Service Pack 2 installed, it’s not an issue anymore.

In other words, on these later versions of Outlook, when you use the preview pane to view a message, you’re not…opening opening the message, you’re just sort of looking at the text. Any embedded HTML or images will not appear, unless you’ve set the option to automatically do so.

The default setting is to not run HTML or pictures automatically, so unless you’ve messed around with your settings a whole bunch, you should be fine. If you get image-rich emails from places like Best Buy and Amazon that show nothing but a bunch of “red X’s” instead of pictures, and you have to tell the software to show them, you’re set up right.

If you still want to turn Preview Pane off, click “View” at the top of the screen, then select “Layout” from the menu. You can turn it off from there.

I turned Preview Pane back on just the other day, after about seven years of keeping it turned off. On my machine, Outlook always seems to take too long to open messages the other way, like the computer was thinking an awful long time just to open an email message, so I already prefer the new way. Or the old way. Whatever you’d call it.

Microsoft Internet Explorer vs. Mozilla Firefox: which browser is safer?

Just the other day, news of a pretty major hole in Internet Explorer versions 6 and 7 was made public (no word on whether or not the vulnerability applies to version 8, which is the latest one at this time).

Why did the “hacker” in question make this information public? Some people might assume he or she wants to cause widespread chaos, but I actually think it’s good to publicly post things like this. This forces Microsoft to come up with a patch for the problem as soon as possible.

However, I recently decided I’m sort of done with always waiting for Microsoft to patch browser software that has more holes than a hunk of Swiss, and made the switch to Mozilla Firefox.

I can’t really give you the tech-head reasons why I feel Firefox is the better, safer browser (mostly because I’m not much of a tech-head), but a large portion of the Internet-savvy population agrees that it’s the way to go.

For one thing, Firefox is “open source” software. A whole community of programmers is constantly making improvements to it. Should the rare security vulnerability come to light, it’s fixed in record time.

Microsoft is at a disadvantage here. Being a huge corporation with shareholders’ interests as their primary concern, they have multiple levels of bureaucracy to work through before they can release anything. I’m sure even a simple security patch is met with resistance—“This will mean publicly admitting a weakness, which could hurt share prices!”

I’m not saying Microsoft couldn’t release a great browser right out of the box, I just think that with their deadlines and the need to think about profitability above all else, they tend to rush releases before everything is ready.

The cool thing about Firefox is that there are all kinds of plug-ins (or “add-ons”) available. Right now, I run the latest version of Firefox with a plug-in called “NoScript.” This nifty little program starts you off by blocking ALL Flash, Java and JavaScript programs. As you visit websites, you get to choose whether or not to allow it to run all, some, or none of the scripts embedded in the site.

For example, if you visit Facebook, it will start by blocking every script. Then you can select “Allow facebook.com” to run scripts. There will usually be several different websites per page running scripts, so you can select whether or not you trust them. If you don’t like the look of one of the URLs, simply don’t allow that site to run code, or search for it on Google to find out what it is (for example, I don’t let Fastclick.net run scripts. Ever).

There are some other good plug-ins, most of which I haven’t looked at. Some block pop-ups, some probably don’t work too great at all. The Firefox site has a big list of available add-ons.

There are a million better articles than this one about “Internet Explorer vs. Firefox” (just do a Google search), but if you’re ready to switch now, go download Firefox here and get the NoScript plug-in here.

Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some really large companies. He didn’t make a single dime from his activities; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, served in solitary confinement because the judge was convinced Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed high-tech means of hacking (using software to force his way into a system) in favor of low-tech hacks: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information simply by talking to them.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) All of this information can be used to steal your identity, by providing a would-be thief with enough information to talk you into accidentally revealing too much information.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.