You might also like...

Tuesday, November 22, 2011

PSA: Be Safe On The Web



This is a public service post. Recently I have realized that there has been a flood of dodgy email messages and viruses spreading through emails and Facebook etc. With more than a decade of experience in IT I have had my share of such scam/viruses/trojans and phishing emails. I have learnt from them, having fallen for some of them and then avoiding the rest. I decided to give the benefit of my experience to anyone who might need it. Right at the outset I want to declare that I am not a security expert and not a hacker, my sole qualification is my firsthand experience with such things and my commonsense which has saved me in the past.

Disclaimer: The ideas and suggestions in this post are mine, based on my own intelligence, skill and experience. They work for me. I don't know if they will work for you or whether they will be good or bad for you. Therefore, I cannot take responsibility for anything you do with them. Read the post, consider the ideas, evaluate each suggestion with your own mind then do what you think is best for you. If you follow any suggestions from this post, you take the responsibility for all results. There, that's done!

There are so many types of such malware (things that want to do harm to you or your computer) around and so many variations on each that it would need a whole book not a blog post to cover them all. Therefore, I would just focus on the things that I think will provide the most benefit to the maximum number of people. I might do supplementary posts on the same topic later.

Attack type 1: Phishing
What is Phishing?
Phishing is simply an attempt to fool a person with fake data to get him to send you his(real) data. It can be done in various ways. Some of the ways are to send a fake official email or create a fake but official looking webpage.

Examples
You receive an email that claims to be sent by the bank NatWest. It tells you that your account has some issues and you should login to your account and check the account activity or something like that.

Another example could be when you by mistake type a URL incorrectly and land on another website which is reserved to trap people who mistype a well-known website, like typing 3 O's in Yahoo.com or an extra O in google.com. The resulting page would look almost exactly like the one you were going to visit but would be fake.

There are different variations of both these approaches including combining the two.

How to recognize the fake
Even though the fakes are getting better and better, it's still possible to recognize them with a few common sense precautions.

1. Check the source of the message. If you regularly receive messages from that source that'd be one thing but if this is the first time, be extra careful. When I say "source" I don't mean just the name of the sender. Dig deeper. On the internet it's ridiculously easy to make an email appear to have come from "NatWest Customer Support" when the email address it was sent from is info@natwestphishingscam.com.
So, when you check the source, look at the actual email address. There's usually a button on most email sites to expand the "To:" field and look at the email address not just the name of the sender. If you know how to check the email headers look at them as well, they tell the real story. (It's just a question of finding the button that say something like Full Headers).

2. Read the message carefully, the spelling and grammar on these emails is usually far from perfect. It used to be terrible, like an instruction manual translated from Japanese to English but it's been getting better. Still, the language would not be as letter perfect as it would be coming from a big corporate like NatWest.

3. Do NOT click on any of the links in the email. Instead, just HOVER your mouse pointer on the link. In most web browsers when you hover your mouse over the link you'd see its target address in the status bar at the bottom of the window. Just like the email address, it's extremely simple to make a link that looks like www.natwest.com/security when it actually it goes to a totally different address that has nothing at all to do with NatWest.

4. When looking at addresses pay attention to the DOMAIN name. In http://mail.yahoo.com the domain name is yahoo.com. In http://yahoo.scam.com the domain is scam.com and has nothing to do with Yahoo. Also understand that http://www.yahoomail.com may have nothing to do with yahoo.com. The address has to be literal not just similar to the correct address. It's not very hard to create a website called www.yahoosecurity.com and make it look like it belongs to Yahoo. A real address would be more like either http://security.mail.yahoo.com OR http://www.yahoo.com/accountsecurity. Get the drift?

(And please for God's sake do NOT go to any of the fake addresses I am using as an example. Not even to the yahoo ones, I am just making them up to make a point.)

What to do
1. First thing for you to remember is that you do NOT have an account at NatWest. Just delete the email. These emails are sent en masse to a huge number of people, on the assumption that some of them will have an account with NatWest. Another similar email may be sent to another million people purporting to be from HSBC.

2. If you do happen to have an account with that bank, do NOT click on any of the links in the email. Think about whether that issue could really be true or you just used your account 2 hours ago and it was fine.

3. If you are really concerned that the problem might be real (it would seem really urgent and serious in the scam email) call the bank directly and ask them about it. Call the regular number you have called before or find it from directory assitance. Do NOT call any of the numbers in the scam email.

4. If for any reason you cannot call the bank and must use the web, do NOT click the links in the email. Instead, open a new browser window and type the bank URL yourself. And still be on the lookout for any suspicious behaviour.

5. For the second type of scam where the web page is fake, remember to type the URL correctly when it's something as important as your bank's online banking URL. Save a bookmark and use it every time if you are prone to tyop's.

6. Delete the scam email, of course. Remove it from the Trash folder as well.

Just this weekend I received an email from Homebase.co.uk that annoyed me. It said "Thank you for confirming your subscription to our weekly newsletter." That, of course, would annoy me since I didn't ask for any such subscription in the first place so how could I confirm it! I knew I would have to unsubscribe. There were a couple of helpful, conveniently-placed links in the email including an Unsubscribe link. Having never asked for this subscription, I was still suspicious although I had never had such a scam tried on me before.

I hovered my mouse over the links first and noticed that the link went to something like homebaselife.co.uk etc. etc. NOT to homebase.com or homebase.co.uk. Now, I don't KNOW of my own knowledge that homebaselife.co.uk is a bad site, but since the email pretended to be something else while being something else, I would NOT click on those links!

Trojans
What are trojans?
The term Trojan comes from the old, legendary Trojan Horse, the wooden horse which was a gift from Troy but had soldiers hidden inside. Trojans are like that as well. They claim to be some workable, usable piece of software but inside is a virus that would infect your computer and cause damage.

The software coule be as simple as a freeware photo viewing tool or as big as "MS-Office - cracked and registered". Yes, I mean illegally downloaded software from the net. No, I am not saying they are all infected, I am just saying that's how trojans are spread in the market.

How to avoid them?
1. Well, one way is to always buy software from known retailers and buy them on disks. Since disks are read-only, they cannot be infected, even if you put them inside an infected computer. That's how we reinstall Windows if a system is infected.

2. Install a good, reliable anti-virus and keep it turned on. In that case, it will catch the virus in any other software. If you try to download anti-virus from any but the authorised site, remember that it can also be infected. But there are some free anti-virus software available as well (yes, legally free), AVG and Avast are two of them. These are usually free versions of the full software which can provide you basic antivirus functionality.

3. Whatever software you download from the web, any software, scan it with your antivirus before installing it.

Keylogging
Some malware comes in the form of keyloggers. A keylogger is a little piece of software that can monitor, and store, all the keys your press on the keyboard then it can forward this data to someone else who can then have access to ALL your usernames and passwords. A really, really dangerous and damaging situation.

There is some more information on the link below about keyloggers, how they work and how to avoid being trapped by them.
http://www.securelist.com/en/analysis/204791931/Keyloggers_How_they_work_and_how_to_detect_them_Part_1

Hacking
This is a more active form of malicious behaviour and usually involves someone targeting a particular system or network actively. Although these are usually targeted at big websites and servers including industrial espionage, in some cases individual systems can be used as a victim or a pass-through. I would not go into the details of things like man-in-the-middle attack and Denial of Service attacks, but I would say that it's better to have a firewall running with all unused ports blocked. And a good, up-to-date antivirus system running.


Other threats
1. Downloading movies and videos. Some of the ways people download movies and TV shows are illegal while others are perfectly legal. I am not going to judge how people should do it, but I can give you a few hints that might be handy in any case.
When you download vidoes, be careful what other files are downloaded with the video files. AVI and JPG files are safe enough (at the time of this writing) but any other files like .htm, .html, .com, .exe, .js etc. can all be used to deliver viruses to your system. Delete these.

A really good way (for scammers) to infect your system is by including a "Media Player" software with the video. The media player will actually work but it would also infect your computer.

If the video comes with a text file of instructions and it tells you to go to a certain website, or download a certain software to play the file, do NOT do it. Simply delete the video and all the files it came with.

2. Do not click on links in emails without being extremely sure that they are legit even if the email is from someone you know.
These days there are several viruses that infect your system then send email to all the contacts in your mailbox with a link. Anyone who clicks on that link will be infected as well. And then the virus will send emails to all THEIR contacts with the link. Yes, it is like the Zombie M.O.

These emails used to be very dumb. Just a link in the otherwise blank message. So easy to spot. But these days they have become smarter. Now, there can be a paragraph of text before the link, talking about the link. At once glance it might seem like written by a human, but if you read through carefully, it's easy to spot that it's a fake.

3. An important variation on the above is an email with an attachment. These used to be dumb too, like the link emails, just an attachment with the email with no or little text in the message. Now these come with a message that describes the attachment.

The one I received 2 days ago purported to be from UPS telling me that the delivery of my package had failed, and details were in the attachment. Since I wasn't expecting any UPS delivery I deleted the email. However, if you are expecting a delivery, you can still go to the UPS website directly instead of downloading the attachment and see what it says when you enter your tracking number.

Real official emails are easy to spot if you know what to look for. For one thing, they would quote your name and order number as well as other details about your order. Secondly, the email would be formatted much more differently. Third and most important, you can hover your mouse on the links and check where it leads to BEFORE clicking it.

Best Practices
Firewalls
- Either install a firewall or at least turn on the Windows built-in Firewall.
- If you know how to do it, block all unused ports on your system by creating firewall rules.

Changing passwords
Banking websites and other security experts usually advise changing your password frequently. I don't.
I have my own philosophy about it. Again, it works for me, if you use it, it's at your own risk.
Here's my rationale behind it.
- Any time you type your password it can be captured by a keylogger.
- If the password is saved in the browser, it is encrypted and harder to get at.
- The frequent change can be useful only if you do the change very frequently, like every day. Then you have a risk of forgetting your own password or creating a pattern which can then be guessed by the hacker.

But if you use this method which I do, you need to follow some other guidelines, very, very carefully in order to stay safe.

Physical security
- NEVER, EVER leave your computer unlocked. Not even in your own home if you live with other people.
- Never write down your password. Instead use a memorable password. If you are afraid you'll forget it, write down a hint to the password but not the actual password. Write that hint in a personal code if you can.
- Guard against leaking your password by social engineering. What it means is, if you are talking to a stranger in a pub about computer security don't start giving examples of your own "very secure" passwords. Not even the process you use to derive your password.
- Use passwords that are easy to remember for you, but hard to guess for a computer. For example - "Monty Python is a hoot & and a 1/2". Still guessable but harder than the "1A82$590#" type crap that password generators spew out.

All this discussion about security has reminded me of a scene from "Enemy of the State".

Will Smith is being hounded by the FBI for reasons of their own. They are using all the technology at their disposal from tracking satellites to phone taps and physical cars on the road. Will meets Gene Hackman who knows all this security stuff. Gene gets Will to lose all his sensors that the FBI planted on him. Then he takes him with him. Gene stops at a store on the way to buy some food. Will uses the time to make a phone call to explain to his wife...never mind what. But his home phone is tapped and FBI pick up his lost trail from there.

Gene doesn't about the phone call. He takes Will to his secret hideout. It's a well-hidden cabin where Gene has no outside links, he has no phone, no power lines, he makes his own power and connects to the internet via hardware firewalls only when he needs to.

While they are talking the FBI arrive on the scene. Gene sees them via his monitoring cameras and asks Will, "What did you do?"

Will: Me? Nothing!
Gene: WHAT did you DO?
Will: I called my wife...
Gene: You idiot!

Gene takes the car and both Gene and Will get out in a hurry. Behind them Gene's cabin blows up in a big explosion. Will looks at Gene.

Will: Your cabin!
Gene: I blew it up!
Will: but..but why?
Gene looks at Will and says bitterly, "Because you made a phone call!"

The moral of the story is that it takes one leak, a single leak to ruin everything. So, don't be silly, don't make that phone call!




No comments: