Security Corner


June 26, 2010  3:30 PM

Scam Alert: Thanks for Your Order!



Posted by: Ken Harthun
E-mail scam, OpenDNS, Phishing, spam

Nothing new about these phishing scams, but it seems they’ve gotten more frequent. I’ve gotten my share of them before, but now two in as many days. Here’s the first one purportedly about my amazon.com order that I never placed.

Several things are obviously wrong with this message; the scammers are either stupid or this is a randomly-generated message.

First off, the email is not addressed to my email address. Next, all the links point to the same .kr site. Finally, none of the numbers are consistent; for example, Subtotal of items $84.99, Total before tax $46.99, Total for this Order $68.99, The following item was ordered $36.99. Huh?

Here’s the other one I got the next day, purportedly from Buy.com for a laptop purchase.

This one is actually more accurate; at least, it came to the right email address. I didn’t order anything, of course. Again, all the links point to the same place; when I tested the link, I got this message from OpenDNS:

They just never give up.

By the way, if you’re not using OpenDNS by now, you should be. I’ll tell you why in an upcoming post.

June 25, 2010  1:01 AM

Physical Security: What is Lock Bumping?



Posted by: Ken Harthun
Lock Bumping, locks, physical security

Bump Key (Source: Wikipedia)

For many years, locksmith professionals have used several methods and tools to bypass pin-and-tumbler locks for legitimate purposes. One such technique is called “bumping.” Lock bumping, also referred to as key bumping, is an attack technique using specially cut keys that can defeat conventional pin-and-tumbler locks. There’s nothing new about this, but the Internet, in part, has popularized the subject. In fact, according to a Wikipedia entry, “a US patent first appears in 1928 by H.R. Simpson called a ‘rapping’ or bump-key. Then, in the 1970s, locksmiths in Denmark shared a technique for knocking on a lock cylinder while applying slight pressure to the back of the lock plug. When the pins would jump inside of the cylinder, the plug would be able to slide out freely, thus enabling the locksmith to disassemble the lock quickly.”

Search “lock bumping” on the Internet, and you’ll find plenty of how-to videos to tell you how to do it. Here’s one that’s particularly informative and has some good graphics (just ignore the misspelling of “shear line”): http://youtu.be/7xkkS2p7SuQ

These days, several manufacturers make bump resistant and bump proof locks, but if you have an older lock, you’re vulnerable. Consider changing over to newer technology. Why? According to statistics provided by the National Crime Prevention Council (NCPC) and the Department of Justice, nearly 2/3 of all break-ins occur with no sign of forced entry. How many of these break-ins can be attributed to lock bumping is uncertain, but it’s a good bet that at least some of them are.


June 23, 2010  1:12 AM

Scam Alert: Oh, No! My Domain is Expiring!



Posted by: Ken Harthun
Domain Registry of America, Scam

Every once in a while, I get a letter from “Domain Registry of America” warning me that my domain is about to expire: “As a courtesy to domain name holders, we are sending you this notification. . . When you switch today,” etc., etc. And heck, they only want $50.00 (save $10!) for 2 years (Recommended). Better yet, they offer me 5 years for only $95.00 (save $55!) (Best Value). I pay $8.99/year for most of my domains. Some of them I got for $0.89 for the first year and $6.99/yr thereafter.

It’s the best legal scam on the Internet, duping the uninformed into parting with more money than they should. Yes, it’s a completely legal con as far as I can tell. Well, maybe; the FTC doesn’t like them: Court Bars Canadian Company from Misleading Consumers in Marketing of Internet Domain Name Service.

The Federal Trade Commission has requested that a federal district court enjoin Domain Registry of America, Inc., an Internet domain name re-seller, from making misrepresentations in the marketing of its domain name registration services and require it to pay redress to consumers. According to the FTC, the company told consumers that their domain registrations were expiring, leading many consumers unwittingly to switch their domain name registrar.

This was in 2003. Why are they still at it? They are still misleading consumers with their misrepresentations; unless the fine print on the back of the letter–which requires a magnifying glass to read and even then is hard on the eyes–covers them sufficiently.

I call it a scam. What do you think?


June 22, 2010  12:29 AM

Reader Survey: Please Give Us Your Feedback



Posted by: Ken Harthun
Feedback, IT Knowledge Exchange, Opinion, Survey

As you know, IT Knowledge Exchange is a community-based technical information portal that is dedicated to providing the highest quality IT news, technical support and commentary from your industry peers. What you may not know is that you are a vital part of how this community functions and what features are provided. With that in mind, I’d like you to participate in our first-ever, site-wide reader survey on IT Knowledge Exchange. The feedback from this survey is being used to decide how we build out the community, so your participation means more blog-related features in the future.

Please take five minutes out of your busy schedule and complete the survey. You’ll find it here: http://www.surveygizmo.com/s3/314286/ITKE-Member-Survey-June-2010.

As always, I invite you to comment on what I post here and I assure you that your voice is heard. Please take this opportunity to voice your opinions to management.


June 20, 2010  5:23 PM

A Thought for Father’s Day



Posted by: Ken Harthun
Father's Day

We’ll take a break from the regular security stuff today. Being a father myself, I want to pass this on to the rest of you fathers out there who read this blog. Hope you have a very Happy Father’s Day with your family.

Don’t know who the original author of this poem is, but it certainly struck a chord with me; roses are my gardening passion and I lost my father in 1991. This coming Friday, June 25th, would have been his 85th birthday.

Roses are traditionally used on Father’s Day: red to honor a living father; white to honor a deceased father. Hence, the white rose in this post.

If your father is living, please, in whatever way you feel works for you, let him know how much he means to you; and, if your father is deceased, take a moment to remember and reflect on what he meant to you. My father is responsible for my never-ending curiosity and interest in all things scientific and technical and for always insisting that I use my abilities to the utmost.

I miss him.

Roses grow in Heaven. Lord, pick a bunch for me.
Place them in my Father's arms and tell him they're from me.
Tell him that I love and miss him and when he turns to smile,
Place a kiss upon his cheek and hold him for awhile.
Remembering him is easy. I do it every day.
There's an ache within my heart that will never go away.

Happy Father’s Day!


June 18, 2010  1:12 AM

Physical Security: Kwikset SmartKey Lock



Posted by: Ken Harthun
locks, physical security, security awareness, Security best practice

In late April, I posted Physical Security: Master Lock 1500iD Speed Dial. Now, Kwikset has come out with its line of SmartKey Re-Key Technology locks, billed as “The only lock you can re-key yourself in seconds.” I call this a great innovation.

How many keys have you given out? Maybe you’ve even forgotten about one or two of them. It’s hard to keep track of all the keys you give out, but with this technology, it really doesn’t matter. A SmartKey lock can be quickly and securely re-keyed, so you can give a key to your neighbor, a contractor, whomever one day and render it completely useless the next. Kwikset also claims that their SmartKey locks are virtually unpickable due to their patented BumpGuard™ technology.

Re-keying the lock couldn’t be simpler than this:

  1. Insert the functioning key and rotate 1/4 turn clockwise to the horizontal position (“Learn” position)
  2. Insert the SmartKey tool fully and firmly into the SmartKey tool hole then remove the tool
  3. Carefully remove the key
  4. Insert new key and rotate 1/4 turn counterclockwise to the vertical position then remove key

Kwikset’s website has an interesting section called “Science of Security” that has some great security tips. Here’s an example of one that even I didn’t think about:

Valeting your car?

Good Idea: Do not keep your home address on anything found within your car.
Best Practice: Never give your house keys to a valet service, just your car ignition key.

Good stuff. I suggest you take a look.


June 17, 2010  1:45 AM

Farmville and Sex and the City 2 Used as Bait to Hijack Facebook’s “Like” Button



Posted by: Ken Harthun
click fraud, Facebook, Scam

According to PandaLabs, cybercriminals are hijacking the Facebook “Like” option in a wave of new scams that use messages related to the popular game Farmville, the “Sex and the City 2” movie and other eye-catching keywords.

This is a “clickjacking” attack and uses a malformed URL with embedded code to carry out the attack. Users are tricked into “liking” a page but they don’t realize that they are recommending it to all of their Facebook friends. Users should be wary of messages with striking subjects received from Facebook’s internal messaging system, and take all necessary precautions when clicking the “Like” button on external Web pages. Here’s an excerpt from a press release I got from Panda today:

[Panda Labs] has reported the proliferation of scams hijacking the Facebook “Like” option. The attack uses eye-catching messages related to the popular game Farmville, the “Sex and the City 2” movie or the keyword sex to grab the attention of logged-in Facebook users as they browse Web pages with the “Like” button, the Facebook wall feature or messaging system.

Clicking the link brings the user to a Web page containing photos and videos of the relevant topic. Upon visiting it, a message is displayed on the user’s Facebook profile indicating that they “like” it, with a text that is not controlled by the user. According to Luis Corrons, Technical Director of PandaLabs, “This distribution technique reminds us of computer worms, although this time there doesn’t seem to be any malware behind it (at least yet).”

While this one appears not to be malicious, it is a click-fraud scam because the real business stems from the pay-per-click system, which counts every click and generates revenue for affiliates.

Just be careful out there!


June 16, 2010  12:23 AM

Software for Secure Computing: Mozilla Plug-in Check



Posted by: Ken Harthun
Critical update, Firefox add-on, Insecure Plugins, Mozilla, Patch management

Plug-ins and add-ons, extensions, oh, my! If you use Firefox, chances are you have plenty of these things installed. I counted 15 on my installation. Of course, the plug-in check only checks plug-ins, but it serves to alert you to the possibility that other add-ons need attention.

To check your plug-ins, go to: http://www.mozilla.com/en-US/plugincheck/

I’ve checked both my systems at home and sure enough, I was out of date on at least one plug-in on each system.

Having to check several applications using different tools can be tedious, so I still recommend that everyone use Secunia’s Personal Software Inspector.

The Secunia PSI is a free security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly “popular” among criminals. I’ve written about this one before and I still recommend it.

Bottom line: whatever tool you use, keep your apps, plug-ins, scripts, whatever up to date.


June 12, 2010  1:13 AM

Craigslist Targeted Phishing Emails



Posted by: Ken Harthun
Email security, Phishing, Scam, Security, spam

A client received this email this morning and wanted to know if it was legit:

From: craigslist [mailto:noreplay@craigslist.org]
Sent: Thursday, June 10, 2010 8:53 PM
To: undisclosed-recipients
Subject: Your posting has been flagged for removal

Your posting has been flagged for removal.
Approximately 98% of postings removed are in violation of craigslist posting guidelines.

Please make sure you are abiding by all posted site rules, including our terms of use: htt p://www.craigslist.org/about/terms.of.use.html.

If you need help figuring out why your posting was flagged, try asking in our flag help forum. Include posting title, body, category, city, how often posted, any images, HTML markup, etc.

If you feel your posting was wrongly flagged down (2% of flagged ads are) please accept our
apologies and feel free to repost using the link below:

htt p://www.craigslist.org/about/ctd/repost.html.

Sorry for the hassle, and thanks for your understanding.

Date: 1257114516
PostID: 1447127268

Of course, the email isn’t legit, it’s a targeted phishing attack. Hence, my reply to his query:

It is indeed a hoax, perhaps better described as a targeted phishing attack. See: http://antifraudintl.org/showthread.php?t=38214. If you hover your mouse over the link, Outlook will show you the actual destination of the link. In this case, the link points to: http://home.comcast.net/~pollynopo/account-crg.org.html. This takes you to a page that purports to be a Craigslist account log in page, but is actually a fake designed to steal your credentials. Just for fun, I used a bogus email address from mailinator.com and a few choice words for the password. When I clicked the “Login” button, I was taken to the real Craigslist terms of use page. Some crook somewhere now has my fake “credentials” for Craigslist.

The URL does not contain a virus and is harmless except for the fact that if you did fall for it, the crooks or spammers who stole your credentials will use your account to spread their spam or scam and YOU will get banned from Craigslist for it.

Let me point out a few things you can do and some things to look for when you get one of these emails:

1. Take a close look at the link in the email. Often there are misspellings or other subtle errors. In this case the link appears to be legit, but look closely at the first few characters: htt p://www.craigslist.org/about/terms.of.use.html — there’s a space in there. It should be “http://,” not “htt p://.”
2. Hover your mouse over the link and note where the link is pointing. If what is shown doesn’t match the link exactly, it’s bogus.
3. Do a Google search on the email subject; you’ll probably find out it’s a hoax in the first few listings.
4. A good site to join and check regularly is http://antifraudintl.org.
5. When you get some negative action email like this, ALWAYS check it out before you act. Be proactive; the scammers are betting that you will have the “Omigod!” reaction and just click the link without thinking.
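The checks in points 1 and 2 above, plus two of the tells from the Amazon scam in the June 26 post (the message not being addressed to you, and every link going to one host unrelated to the claimed sender), as an added Python example. This is not code from the original post or from Craigslist; the sample messages are constructed, the sender is spoofed on purpose, and phish.example.invalid is a placeholder host, not the real destination.

```python
# Added example (not from the original post): heuristic checks for the
# phishing tells described above, run over constructed sample emails.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches an http(s) scheme even when whitespace has been wedged into it ("htt p://").
SPACED_SCHEME = re.compile(r"h\s*t\s*t\s*p\s*s?\s*:\s*//", re.I)


class _AnchorCollector(HTMLParser):
    """Collect [href, visible text] pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable_host(url):
    """Return the lower-cased host of a URL, or '' if it does not parse."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_org(host_a, host_b):
    """Crude 'same organisation' test: last two DNS labels agree."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def analyse_message(raw, recipient):
    """Return a list of (code, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: a "your order/posting" notice that is not addressed to you at all.
    to_header = str(msg.get("To", ""))
    if recipient.lower() not in to_header.lower():
        findings.append(("RECIPIENT_NOT_IN_TO", to_header))

    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_host = m.group(1).lower() if m else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _AnchorCollector()
    collector.feed(body.get_content() if body is not None else "")

    hosts = set()
    for href, text in collector.links:
        text = " ".join(text.split())
        # Tell 2: whitespace inside the scheme ("htt p://") in what is shown or linked.
        for candidate in (text, href):
            sm = SPACED_SCHEME.search(candidate)
            if sm and re.search(r"\s", sm.group(0)):
                findings.append(("SPACED_SCHEME", candidate))
                break
        # Tell 3: the visible text names one host, the real destination is another.
        if "://" in text or text.lower().startswith("www."):
            shown = registrable_host(re.sub(r"\s+", "", text))
            actual = registrable_host(href)
            if shown and actual and not same_org(shown, actual):
                findings.append(("TEXT_HREF_MISMATCH", f"{shown} -> {actual}"))
        hosts.add(registrable_host(href))

    # Tell 4: every link lands on a single host unrelated to the claimed sender.
    hosts.discard("")
    if len(hosts) == 1:
        only = next(iter(hosts))
        if sender_host and not same_org(only, sender_host):
            findings.append(("ALL_LINKS_ONE_FOREIGN_HOST", f"{only} (sender claims {sender_host})"))
    return findings


# Constructed sample modelled on the flagged-posting email above (spoofed sender,
# placeholder phishing host; not the real message or destination).
PHISH_EMAIL = """\
From: craigslist <noreply@craigslist.org>
To: undisclosed-recipients:;
Subject: Your posting has been flagged for removal
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your posting has been flagged for removal. Please review our terms of use:
<a href="http://phish.example.invalid/account-crg.org.html">htt p://www.craigslist.org/about/terms.of.use.html</a></p>
<p>Feel free to repost using the link below:
<a href="http://phish.example.invalid/repost.html">htt p://www.craigslist.org/about/ctd/repost.html</a></p>
</body></html>
"""

# Constructed benign counterpart: addressed to the recipient, links match the sender.
LEGIT_EMAIL = """\
From: craigslist <noreply@craigslist.org>
To: me@example.com
Subject: Your posting has been flagged for removal
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="http://www.craigslist.org/about/terms.of.use.html">http://www.craigslist.org/about/terms.of.use.html</a></p></body></html>
"""

if __name__ == "__main__":
    for code, detail in analyse_message(PHISH_EMAIL, "me@example.com"):
        print(f"{code}: {detail}")
    print("legit findings:", analyse_message(LEGIT_EMAIL, "me@example.com"))
```

The same_org check is deliberately crude (it treats any two hosts sharing their last two labels as one owner), which is fine for a triage script but would need a public-suffix list before being trusted for domains like co.uk. The point is the shape of the checks, which are exactly what hovering over the link does by hand.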

Hope this helps.

Have a great weekend.
Cheers!
Ken

Be careful out there, folks!


June 9, 2010  12:59 AM

Should Internet Services That Can Be Used As Terrorist Tools Be Shut Down?



Posted by: Ken Harthun
cyber security, Cyber warfare, National security, terrorism

I first addressed this question three years ago in my seldom-updated Geek Gripes blog in response to Deb Shinder’s editorial piece in Issue #285 of WXP News. With increasing evidence that terrorists are using our networks for nefarious purposes, the issue continues to be relevant. Shinder had this to say in her original piece:

Certainly none of us want to make it easier for terrorists to accomplish their missions – but I can’t help wondering where an all-out effort to do away with everything that might aid the bad guys will lead us. After all, it’s well documented that terrorists also use cell phones and email to further their plotting. Does that mean we should shut down those communications systems, as well?

If you think about it, it’s a slippery slope. Do you take away tools that have valuable legitimate uses by law abiding citizens just because criminals can use them to commit crimes? That’s the premise of gun control laws, but in the U.S., those laws have had dismal success records. Do we really want to extend that philosophy to Internet sites and services?

Deb is not proposing such action, of course (she’s way too level-headed to suggest such a thing); she’s asking the hard questions. But there are even harder questions to ask, questions that go well beyond restricting communication lines, and I’m not shy when it comes to speaking out against further restrictions to our liberty based upon some perceived threat. These questions may seem extreme, but use your imagination. How bad could it get?

Terrorists have to eat; do we refuse to sell food to anyone on a terrorist watch list? Does the government take over food distribution? Terrorists drive motor vehicles; does every driver have to be pre-screened before getting a license and then “approved” to buy a vehicle? Will farmers, who use nitrate fertilizers capable of being turned into explosives, be subject to purchase limits based on the number of acres they farm? After all, a terrorist posing as a farmer could buy tons of the stuff and then blow up half a town.

Anything a “normal” human being does or uses in the course of day-to-day living would also be done or used by a terrorist; they are, after all, human beings, too.

I’ll tell you where an all-out effort to do away with everything that might aid the bad guys will lead us: a total police state–your every move monitored, every purchase you make subject to scrutiny and/or approval, every communication medium you use monitored 24/7, everything you say subject to interpretation by Homeland Security. The whole country would be a prison, a guard at every street corner, dusk-to-dawn curfews in force, shopping and visits with friends and family monitored and subject to time limits.

Any atrocity you can imagine would be possible–and likely. It would make the dystopia depicted in George Orwell’s novel, “1984,” seem like utopia.

What do you think?

