XStore Newsletter 5

[ May 2007 ]

Dear all,


The past month has seen some significant movements around computing security, so this bulletin contains a little security information for everyone. All in all, it is not a very technical edition, but it is nonetheless important information that you should know.

  May 2007


    1. Chain emails
    2. Social networking sites
    3. Blog information
    4. Identity Theft
    5. Spam email - phishing and pharming
    6. Winmail.dat ... again

1. Chain emails

A new email is in circulation indicating that one should be careful using internet email services from the likes of Yahoo, Hotmail, etc. This information is allegedly provided by Microsoft and Norton, and relates to an attachment called 'Life is beautiful.pps'.

Please note that this is an obvious hoax:

- Microsoft do not send general bulletins concerning viruses to the wider public
- Norton is not a company - it's a product
- Internet email companies such as AOL do not comment on virus infections
- The language of the email is that of a blatant chain email, items such as syntax, language and capitalisation give it away easily

It is wise not to propagate chain emails such as these because:

- they take up unnecessary bandwidth
- they can be carriers for viruses and malware themselves
- they can result in identity theft ( Trojans log information on your computer and send it on )
- they can cause additional problems for those you are sending it to

A copy of the email can be viewed at the following link at the Hoaxbuster's site

Before propagating information relating to email viruses, scams and chain emails, it is wise to do a search at:

http://hoaxbusters.ciac.org/
or
http://antivirus.about.com/od/emailhoaxes/l/blenhoax.htm
or
http://www.vmyths.com/

This will help you determine whether the threat is real or not. The first and best contact for information relating to viruses and malware should be your Anti Virus vendor.

2. Social networking sites

Social networking has become a buzzword in the last year as internet users go beyond blogs and personal content management. It has been around for some time on the internet ( non-internet use pre-dates this by some decades and the term was first coined in 1954 ) with the first major site being Classmates.com. A popular mechanism prior to this was called the web-ring - interlinked websites with a common theme. The idea is to provide a social infrastructure for information exchange surrounding a particular subject like music, movies or past contacts. Popular current social networking sites include Myspace.com and Facebook - these have vibrant communities ( numbering in the millions ) where people swap information, music, movies and other goods all the while expanding their personal community and interaction. It may be electronic but it still brings people together and provides for a rich environment for interaction. Last.fm for example, makes use of statistical information supplied by users' media players to give suggestions on other content and provides sharing based on common genres.

Like all good things, there are some downsides. Social networking sites are prime candidates for those of a predatory nature whether sexually motivated, financially or otherwise. Parents should monitor their children's use of such tools in the same fashion they would non-electronic social interactions. Social networks are also becoming increasingly involved in illegal music and film swapping and there have been a number of lawsuits surrounding the posting of material deemed to be copyrighted.

A list of sites is available here

3. Blog security

Blogs provide commentary or news on a particular subject such as food, politics, or local news; some function as more personal online diaries. A typical blog combines text, images, and links to other blogs, web pages, and other media related to its topic. The ability for readers to leave comments in an interactive format is an important part of many blogs. Blogs however suffer from 2 main issues.

- Although a blog is physically disconnected from the person writing it, one is sometimes prone to say more than one normally would. Blogs are still subject to the laws of the country in which they reside and the blogger is subject to standard issues like defamation, libel, etc. So it is useful to edit one's content so as not to attract legal problems.
- Blogs that provide the option for comments are always going to attract spam comments. Newer blogging software such as WordPress provides options for either checking comments before they are published or automatic spam checking. This is very useful on high-volume blogs, as the administration of a blog can quickly become overwhelming.

4. Identity Theft

Identity theft is sub-divided into four categories:

- Financial Identity Theft (using another's name and SSN to obtain goods and services)
- Criminal Identity Theft (posing as another when apprehended for a crime)
- Identity Cloning (using another's information to assume his or her identity in daily life)
- Business/Commercial Identity Theft (using another's business name to obtain credit)

The unlawful acquisition of legally attributed personal ID information is made possible by serious breaches of privacy. For consumers it is usually due to personal naivete about who they provide their information to, or carelessness in protecting their information from theft (e.g. vehicle break-ins and home invasions). So how is your privacy breached and your identity information compromised?

- stealing mail or rummaging through rubbish (dumpster diving)
- eavesdropping on public transactions to obtain personal data (shoulder surfing)
- stealing personal information in computer databases (Trojan horses, hacking)
- infiltration of organizations that store large amounts of personal information
- impersonating a trusted organization in an electronic communication (phishing)
- Spam (electronic): Some, if not all, spam requires you to respond to alleged contests, enter into "Good Deals", etc.
- using another arguably illegal reason to victimize individuals who display their personal information in good faith, such as landlord-related fraud

Some victims of identity theft will not know about it until it is too late to do anything about it. Yet it is easy for you to catch something long before it becomes that serious an issue. For example, if someone got hold of your credit card information, you may think it would take you a month or more to know about it. Yet, if you manage your finances online, you can easily check your credit card statement (with most banks) online without much hassle. If you do this just once a week, you can help to protect yourself.

There are many forms of identity theft and sometimes, there is not much that you can do to protect yourself from it. Yet, being a smart consumer is the first step. You should always know what should be on your credit cards and you should know what is on your credit report. If you do not know this, you are likely going to have to unwrap quite a tangled mess later on. Being a smart consumer is necessary here.

For more information, please see the reference library of the Identity Theft Resource Centre

5. Phishing and pharming

Phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords, credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well.

Herewith follows an example of phishing:

You get an email purporting to be from Standard Bank's Internet Banking section. Everything looks fairly innocent, but there are a couple of tests you need to do to make sure any links you click on are valid for this company:

- most reputable institutions will never ask you to validate your personal information by sending you an email - these emails are a dead give-away
- check the site's security certificate to make sure it matches the site you are visiting - all browsers will display a little lock icon in the bottom information bar of the browser that you can click on to get information about the site's security
- check any links to requests for information carefully - the following link is bogus:

www.standardbank.co.za

If you hover your mouse over the above link, you will see the true destination for that link.

Pharming (pronounced farming) is a cracker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses — they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned". The term pharming is a word play on farming and phishing.
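The hosts-file variant of pharming described above can be checked on the machine itself. This is an added example, not part of the original bulletin: it parses hosts-file text and reports every entry that pins a watched domain to an address. The watch list and the sample entries are constructed assumptions.

```python
import ipaddress

# Assumption: domains that should never be overridden locally.
WATCHED = {"standardbank.co.za", "bank.example"}

def pinned_hosts(hosts_text, watched=WATCHED):
    """Return (line number, address, host) for hosts-file entries that
    map a watched domain, or any subdomain of it, to a fixed address."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid hosts entry
        for name in fields[1:]:               # one line may list several aliases
            host = name.lower().rstrip(".")
            # Match on a label boundary so "notstandardbank.co.za" is not a hit.
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((lineno, str(addr), host))
    return findings

# Constructed sample; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# 203.0.113.7 www.standardbank.co.za   (commented out, ignored)
203.0.113.7 www.standardbank.co.za standardbank.co.za  # constructed entry
192.0.2.44  notstandardbank.co.za
"""

if __name__ == "__main__":
    for lineno, addr, host in pinned_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} is pinned to {addr}")
```

A clean result here says nothing about the DNS-server variant of the attack, which leaves the local hosts file untouched.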

Pharming is very difficult to protect against by using AV or Anti Spyware tools as the problem is not a local infection/issue on the user's computer. This does mean that one needs to look carefully at sites you are visiting to make sure they are valid.


Conclusion: To a certain extent, South Africa's relative electronic obscurity on the world stage in the 80s/90s was a security blessing in disguise, but as we become more active on the Internet, we need to be far more vigilant about how we deal with electronic communications. Financial institutions such as FNB and Standard Bank have had a variety of phishing attacks aimed against them in the last year, so local companies are not immune at all. Learning to spot phishing and pharming attacks is the first step to ID protection and a safer Internet experience. For more information about phishing and pharming, please see the Anti-Phishing Working Group's website.

6. Winmail.dat

My last correspondence regarding the issue surrounding winmail.dat ( see issue 4 ) resulted in some confusion - some were wondering why this problem had suddenly cropped up in the last year or so. The reason is actually fairly straightforward: the default setting in MS Outlook email clients prior to the version provided with MS Office 2003 was to send email using plain text. As indicated previously, the problem does not occur when using plain text as there is no formatting information required to be added to the email. There has been a significant uptake of Office 2003 in the last year and its default is to send emails in HTML format. In addition, Outlook 2003 and later use a proprietary method to include formatting information, resulting in broken emails for non-Outlook users. Therefore it's of benefit to all if users of Outlook 2003 ( and later ) set the default formatting method to plain text. See Bulletin no. 4 for more information on changing this setting.



a. if anyone has topics of interest they would like covered, please email your requests and suggestions
b. please email if you would not like to receive this bulletin

Robby Pedrica

 