Data security Archive

Malaysia Airlines air disaster–another event bringing out the online scams


Fake Malaysia Airlines links spread malware | CNET News

My Comments

Every time there is a major event that affects many people or brings out mass intrigue, a computer-security situation climbs on to that event’s tail.

What happens is that Websites with a questionable motive pop up like nobody’s business and links to these sites appear in spam emails or on the Social Web. The “link-bait” text draws people to these sites are laden with malware or set up to harvest Web-surfers’ personal or financial information for questionable purposes. The Malaysian Airlines air disaster drew out its own link-bait in the form of fake news links that purport to lead to video footage of the plane being discovered or survivors being found.

A proper practice is to keep the software on personal and other computer equipment “lock-step” with the latest software updates and patches and simply to “think before you click”. This is more so with anything that appears “too good to be true” or “out of the norm” for that situation.

Facebook users also have to be careful about the “fake events” which are being used as a spam-distribution vector. Here, as I previously covered, this causes notifications to appear in the user’s Facebook Notification list with your computer or mobile device popping up messages and sounding an audible alert to these notifications if a Facebook client is running. As well, if a user accepts these events, information appears on their Timeline about that event.

Send to Kindle

Vodafone Germany to provide SIM-based end-to-end encryption for smartphones


Vodafone Germany looks to provide end-to-end encryption with SIM signatures • The Register

My Comments

The SIM card could be the heart of corporate-grade end-to-end mobile data security

The SIM card could be the heart of corporate-grade end-to-end mobile data security

If a company or person wanted to have highly-secure data or voice communications on their smartphone or tablet, they had to install an “over-the-top” software package and establish a separate password or key for the secure path..

Now Vodafone Germany, who is part of the Vodafone mobile-telephony conglomerate, have worked on a SIM-based setup that they can easily provide as part of a value-added service. This is based around all the passwords and keys being part of the SIM card and software held on the handset making use of these keys along with native apps to provide the secure tunnel.At the moment, this is offered to larger corporate and government customers but could be offered to small business accounts especially as some of these businesses also provide goods and services to the large corporate and government user base

One reason I would suspect that Vodafone have worked on this concept is to provide an easy-to-deploy end-to-end encryption service for consumers and small business in the wake of the Snowden affair. At the moment, the setups would be designed to work with Android devices but with Blackberry and Windows Phone ports being considered. In the case of Windows Phone, this could allow for the concept to be taken further to Windows-based tablets, laptops and desktops which are used for a lot of business computing.

A limitation that I see with the SIM-based solution is that it is dependent on a device having an integrated 3G or 4G modem thus wouldn’t be considered truly “transport independent”. I see this as being of importance as people use Wi-Fi hotspots provided by many different venue hosts and not many of these are kept secure by the venue owners thus making the customers’ data vulnerable. Similarly, this will also be of concern for client-to-box VPN setups where the “other end” of the VPN tunnel connects to the Internet via a fixed WAN connection like cable, DSL or fibre-optic.

This could be a step for mobile carriers and telcos to provide the encryption needed for secure communications especially in the wake of some serious spying scandals.

Send to Kindle

A refresher article about those “fake malware” phone calls


Just Recorded A Scam Hoax Virus Call | Barb’s Connected World

Previous Coverage

Fake “Virus Infection” Phone Calls – Be Aware Of Them

My Comments

I have previously covered the issue of home and small-business computer users receiving “virus-alert” phone calls and am refreshing this topic with a reference to a recording of one of these calls that a tech blogger had done and published to keep it alive in your memories. These purport to be from Microsoft, a desktop-security software firm or similar entity stating that your computer is infected with a virus.

Typically they require the user to head to a particular Website and either supply email-address or personal banking details or download software of questionable provenance. This leads to the user being at risk of a spam attack, wire-fraud incident or malware / spyware infection.

When you receive these calls, immediately hang up on these callers. You also have to remember that the typical situation with handling computer troubles is that you take the effort to seek help. This help would be provided by a computer-expert neighbour, friend, relative or acquaintance, your business’s IT department (if it has one) or an IT contractor whom you are dealing with.

Sometimes demanding their business-registration or tax-registration details to prove they can legitimatiely do business in your jurisdiction can effectively put them on notice as one friend has done when he received one of these calls.

As well, keeping your computer’s operating system, application software and desktop-security software up-to-date is a wise data-housekeeping practice so you are protected against the malware. I would even extend this to keeping the firmware on your home-network devices up-to-date so as to protect against software exploits that take advantage of bugs in older firmware.

Send to Kindle

Make sure you properly log off Web services when you are finished with a shared computer

Log out properly of GMail by clicking "Sign Out"

Log out properly of GMail by clicking “Sign Out”

A common situation that affects most home users is the existence of a desktop, laptop or tablet computer used by many people of the household. This computer may not just be used by members of the household but also by the household’s guests. I was infact talking about this with someone who had come in from overseas and was using a commonly-used iPad to work a few Web-based services like his GMail and Facebook accounts. Here, he and I were underscoring the need to properly log out of these services when done with them as well as clearing Web-browser history on these devices.

Log out properly of Facebook by clicking "Log Out" in Settings

Log out properly of Facebook by clicking “Log Out” in Settings

But as one operates their Web-based email, social-networking and other services using these computers, it can be easy to leave a session of these services going especially if you are called away for some reason. This could lead to other members of the household snooping around your account or doing something on that account in your name like playing a practical joke.

A wise practice with these computers is to make sure you log off your Web-based services as soon as you have finished with these services and before you leave the computer. To do this properly, you have to click or tap the “logout” or “sign out” button on the Web-based service’s user interface, which causes the service to log you out as far as it is concerned while cleaning up any cookies and other data held on your machine relating to that session.

Familiarise yourself with the option to remove your Web-browsing history on your browser

Familiarise yourself with the option to remove your Web-browsing history on your browser

Similarly, clearing your Web browser’s history especially when finished using these commonly-used computers is also a wise practice. This avoids other users “tracking back” in to previous sessions for Web-based services or having people snoop on what previous users been browsing the Web for. The latter situation could either cause some nasty gossip to float around or, at worst, put the user in danger.

Use of multiple logins

Some operating systems like Windows and Android 4.2+ tablet implementations allow for the creation of separate accounts on that system so that each user can have their own operating environment. This can be beneficial because you can avoid the situation where someone can “snoop” around your Web history or someone’s Web email or social-network session that hasn’t been logged off properly.

Here, you could use one login as a “common-user” login while creating separate logins for the computer’s regular users. The regular users then use their own logins when they use the computer so they don’t have to worry about this kind of issue. Similarly, the separate logins can be personalised with wallpapers, “favourite Website lists”, customised colour schemes and the like as well as supporting application-level links to various social-network and other sites.

Windows 8 and 8.1 also implement a login setup which can be ported and synced across multiple computers thus allowing you to carry your computing environment between, say, a desktop and a laptop or to operate your computing environment on both your personally-used machine and a commonly-used machine.

Here, it is still a good practice to log off these accounts or enforce a lockout on them when you have finished at the computer so you can keep them private and less at risk of being meddled with.

Once you get in to the habit of logging off Web-service or user accounts on commonly-used computers and clearing Web history lists on these computers, you can avoid placing yourselves in a vulnerable position with your Internet use.

Send to Kindle

Computer security is about trusting your instincts


Festive season security myth: "If there are no links in an email, it can’t be a phish." | NakedSecurity Blog

My Comments

I have seen this happen as part of educating people about computer security is to think before you click. Here, it is about being careful about responding to emails and Websites of doubtful provenance so you don’t become a victim of a scam or find your computer full of malware.

For example, phishing scams initially used links in the email as a hook to get people to “verify” their accounts or take similar action. But they are now using “loaded” attachments with the copy of the email not having any links or HTML to avoid being rejected by security tools that are part of email clients or the populace not taking to the bait due to the public education about phishing scams.  The hook in these situations are the attachments that are crafted to take advantage of weaknesses in the software or carry links to Web resources as mentioned below.

PDF files represent their own dangers because they can either be crafted maliciously or contain links to Web resources. This is compounded by the problem that not all PDF reader software handles Web links in a manner similar to a Web browser. For example, a lot of these programs don’t show the URL when you hover over or dwell on the link before you click.

I would personally like to see PDF and similar document viewers support the ability to link with “website-reputation” engines like what Symantec and other security-software vendors offer and show graphics that indicate if a link you are hovering on is safe or not. Similarly, search engines, website reputation agents, security scanners and similar tools could also examine PDF files for abnormal construction and questionable links.

Instead, we have to do a “reality check” regarding these emails. For example, are the emails from a company whom you have had business with or part of ongoing business with that company? Are you expecting an email to come through with attachments? Do they contain a lot of poor spelling or grammar or aren’t commensurate to the language they are meant to be written in? Do they reflect the tone of what the business and its industry is about? Simply, does the context sound too “out of this world” to be real?

This also applies to any offers provided through instant-messaging or social-network channels including the Facebook “fake-event” scams that are popping up as I have mentioned before.

But for the moment, are you sure that the link or attachment you are to click on is kosher before you click on it?

Send to Kindle

Facebook Events–a new vector for distributing spam

Facebook event spam notification in Notifications list - comes from a Friend

Facebook event spam notification in Notifications list – comes from a Friend


Spammers Using Facebook Events to Trick Users | ReadWrite

My Comments

Ever since its early days, scammers have used Facebook as a place to spam users with their shady schemes. Previously this was through running a message with a tantalising link surrounded by tantalising text on users’ Walls and this link would pass through to some unscrupulous site.

This has failed to work now that Facebook has achieved critical mass with users subscribing to different Groups, Pages and Personal Profiles including those that represent their interests. This situation leads to the News Feed, the user’s default view in Facebook, being full of various pieces of information from different sources.

But, over the years, Facebook introduced a notifications mechanism for events beyond potential Friend requests or comments left on a Status Update and users are more likely to check on what has been added to the Notifications list. Here, it also introduced the Event which a Facebook user can invite their Friends or Followers to depending on its settings and this allows the user to register whether they are attending or not.

Event page for spammy Facebook event

Event page for spammy Facebook event

This bas become a new path for distributing link-bait spam because these Events don’t come often in a user’s interaction with Facebook. Similarly, the default setup has it that Facebook treats the Events as something to generate a Notification about and it effectively shows up the red “Notifications” flag in the Web view while causing native clients to show a distinct alert message and audio prompt when these come in. For example, the mobile clients for iOS and Android would list the event in the mobile operating system’s Notifications tray while causing the phone to sound a distinct ringtone or the Facebook Windows clients will “pop up” a message on the Desktop with your computer sounding an audible chime.

As well, if you “accept” these Events, they will appear as a Status Update on your Wall (Timeline). Of course, it will require the user to click through to the Event page and this will show a URL for you to click through to for more details, most likely along with some tantalising pictures. These URLs are where the trouble occurs because it could lead to installation of malware on your computer or other questionable practices taking place and some of these URLs are infact obfuscated using URL-shortening services like .

If these “event spam” notifications come from one of your Facebook Friends, don’t click on anything to do with the Event page. Rather, let your friend know that they are the victim of a spammer and suggest they change the password on their Facebook account and run a malware scan on their computer.

Send to Kindle

Firmware updates to be available to fix D-Link router vulnerability


D-Link to padlock router backdoor by Halloween | PC World Business

D-Link plans firmware update to disable backdoor | The Register

From the horse’s mouth


Update On Router Security Issue

My Comments

Recently, the computer press was awash with articles pointing to an exploit in some of the popular D-Link routers. Here, this has a computer on the local network pushing through a malformed URL to the router’s Web management page to bypass the login screen for the router’s management dashboard. This is more vulnerable with improperly-setup Wi-Fi network segments hosted by these routers or computers on the local logical network that are loaded with malware that takes advantage of this vulnerability.

Now D-Link are working towards offering revised firmware that fixes the exploit for each of the router models that are affected by this issue and is releasing this on their product support pages.

But of course, it is important to make sure that the wireless network segment that is part of your home or small-business network is secure with WPA2-Personal security and a random passphrase along with an SSID that doesn’t reflect the make or model of the router. Similarly, it is good practice not to enable remote administrative access on these routers and confine administrative tasks to the local network only.

This is in addition to other good computer housekeeping practices like running anti-malware software on your regular computers and being careful what you click on.

For that matter, I would encourage people to keep the firmware on their routers or other network hardware up-to-date in the same way we would keep operating systems and application software up-to-date.

Send to Kindle

Hacking incident with the hallmarks of distraction burglary


‘Bogus IT guys’ slurp £1.3m from Barclays: Cybercops cuff 8 blokes • The Register

Barclays Bank computer theft: Two men in court over £1.3m haul | BBC News London

From the horse’s mouth

Metropolitan Police (London)

Press Release

Barclays Bank

Press Release

My Comments

KVM switch and 3G router attached to the bank's computer to hack the system (Metropolitan Police London press image)

KVM switch and 3G router attached to the bank’s computer to hack the system

Very often, I have heard and read crime-prevention articles touching on the issue of “distraction burglary”. This is where a person gains access to someone’s home or business under the pretext of a legitimate reason such as to read the meter or do some inspection and takes advantage of this to commit or facilitate crimes, typically burglaries.

The material often encouraged people to check that the visitor is real and legitimate and has a legitimate reason to visit before admitting them to their premises. One of these campaigns that I considered notable was the “Stop Chain Check” campaign in the UK that was ran by various UK police forces in concert with TV Licensing and other utilities where older residents were to have the door chain on before they opened the front door and to verify the credentials of that visitor.

Even IBM ran an awareness campaign through the 70s targeting Selectric typewriter owners who had equipment-maintenance contracts with them warning them of bogus service representatives. Here the bogus repairmen to claim that the customer’s Selectric needed workshop attention and would take the machine away for “repair”. Similarly, businesses had to be careful about people showing up as official telephone-company representatives to perform work on their telephone equipment because of this being used as a cover for planting bugs or phone taps.

Recently, there was a hacking incident targeted at Barclays Bank in Swiss Cottage, London where someone gained access to the bank branch’s IT equipment under the pretence of doing IT support work for the bank. Here, they attached a KVM-over-IP switch and a 3G mobile-broadband router to a computer at that branch and used this setup to commit a very large fraud against Barclays.

The hallmarks of this fraud was an unannounced service call by people pretending to be the bank’s IT staff or contractors. It was very similar to the aforementioned distraction burglaries with the criminals acting like the fake meter readers who were gaining access to people’s homes. There is also another similarity to the new practice of “spear-phishing” which is similar to the classic “phishing” attacks where official email from a bank or similar organisation is used to siphon confidential data from customers, but the attack is targeted at a particular employee of a particular company for access to highly-confidential business material.

A good practice for businesses who have IT-service contracts is to maintain a single point of contact between the business and the contractor. Here, you have an ability to pre-arrange any work that needs to be done on the equipment and be aware of any impending work, whether to rectify a fault or improve the IT system. As well, people in the business or similar environment need to know what equipment is currently in service or available for service.

Also we have to be suspicious if someone is forcing upon you the installation of hardware or software, the modification of existing hardware or software or the removal of hardware especially if the work hasn’t been arranged previously. This is more so if the work isn’t explained, the equipment’s owner or organisation’s management aren’t kept in the loop or at worst they insist that no-one is in the office while the work is underway.

In conclusion, even if you do have your house in order when it comes to Internet-based security threats, you also need to be sure of what is going on if someone visits you to work on your computer equipment.

Send to Kindle

The newly-discovered security risk in all-platform runtime environments


The recent security scare with the Apple Macintosh platform and its exposure to the Flashback malware was centered around the use of Java on this platform, rather than being targeted directly using native code. But there have been similar risks targeted at this platform but this time using the Adobe Flash runtime environment.

Previously the typical computer’s operating system, desktop-productivity software and default Web-browsing environment has been targeted by malware writers. This has been more so with software that is used by many people, like Microsoft’s Windows XP operating system and Internet Explorer Web browsers.

But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.

So malware authors are now turning their arrows towards the multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or this component is rolled in to some computing platforms.

These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.

One main problem – Java and how it is maintained on the Macintosh

The Java runtime environment used to be delivered with the Windows platform until 2004 due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Now Windows users pick up the runtime code from Oracle’s Java website now that Oracle have taken over the Java environment from Sun.

But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system until “Snow Leopard” or as a separate download from their Website for subsequent users.

For both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, it, like the Adobe Flash runtime, has to be updated separately.

Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java Website and they can set up the Java installer software to implement the latest version automatically or let them know of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.

What Apple should do is pass on the Java runtime updates as soon as Oracle releases these updates. This could be involving Apple ceding the management of the MacOS X Java runtime to Oracle and writing any necessary integration code to support co-ordinated maintenance of this runtime the the Macintosh platform.

What users can do with these runtime environments

Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run-anywhere” platforms by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through various options offered by the installer.

But do you need to keep any of these runtime environments on your regular computer? You could do without it but some vertical, enterprise and home software requires the use of these runtime environments. In some cases, some developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.

For example, YouTube,  most browser-hosted games or file-transfer interfaces for Websites implement Adobe Flash Player while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.

If you are not likely to running any programs that depend on a runtime environment regularly or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.

What can the industry do

Use of computer security software to protect against runtime-environment attacks

A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.

This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.

This could be achieved through the use of plug-in modules for current desktop and appliance-level security applications; or for modules that connect to the runtime environments, observing for abnormalities in the way they handle computer resources.

Development of enhanced runtime environments that work with the host operating system’s security logic

It can also be feasible for the runtime environments to work tightly with the operating-system’s user access management and prevent the programs that work behind them from using resources unless they are explicitly allowed to. This could involve use of sandboxes or privilege levels that mimic the operating system’s privilege levels thus working at the lowest level unless they have to work higher.

Consistent and responsive updating of the runtime environment across all platforms

Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.

This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.

Allow design-time native-binary compiling for desktop Java

Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.

It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.


Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and make them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.

Send to Kindle

Apple has now released a software fix for the Flashback trojan


A look at Apple’s Flashback removal tool | MacFixIt – CNET Reviews

Apple releases fix for Flashback malware | Engadget

Downloads – Apple’s support Website

Java Update for MacOS 10.6

Java for MacOS Lion

My Comments

Apple has reacted to the groundswell of concern about the recent Flashback malware and have issued updates to its Java runtime environment for both MacOS Snow Leopard and Lion.

Here, they have implemented a check-and-remove routine for this Trojan as part of the installation routine for the new Java runtime environment. For most Macintosh users, this will simplify the process of removing any existence of this malware as well as keeping this runtime environment up-to-date.

The CNET article also gave a detailed review of what goes on as well as how to fix situations if the installation takes too long and the procedure hangs. As I have posted previously, Apple could improve on the issue of providing system maintenance and desktop security software so that Mac users can keep these systems in good order.

Send to Kindle