Monday, June 29, 2009
Warriors of the Net
Warriors of the Net is a Swedish group that creates educational material in form of animations and illustrations that explains technical or abstract concepts. They have some excellent movies on how the Internet works. It is easier if you download the clips to your computer and watch them from there.
Saturday, June 27, 2009
Voice Mail Telephone Fraud
Photo: higetiger
The FCC tells of an ongoing scam can hit people who don’t change the default password on their voicemail boxes. Most people receive a voicemail box when they sign up for phone service. Many times people leave the default password on the box instead of changing it.
The hackers call into voicemail systems and search for boxes with the default password or easily guessed ones like 1-2-3-4. They then change the greeting to something like - “Yes, yes, yes, yes, yes, operator, I will accept the charges.” Then, they places a collect call to the number. When the (automated) operator (which is usually programmed to “listen for” key words and phrases like “yes” or “I will accept the charges”) hears the outgoing “yes, yes, yes, yes, yes, operator, I will accept the charges” message, the collect call is connected.
The hacker then uses this connection for long periods of time to make international calls. Sometimes they take over the number completely and set up a forward to another number. This is usually targeted over weekends or holidays, when people don’t check their voicemails for long periods of time. Most of the calls go overseas and can rack up big charges.
To counter this:
To avoid falling prey to this scam, the FCC recommends voice mail users do the following:
· always change the default password from the one provided by the voice mail vendor;
· choose a complex voice mail password of at least six digits, making it more difficult for a hacker to detect;
· change your voice mail password frequently;
· don’t use obvious passwords such as an address, birth date, phone number, or repeating or successive numbers, i.e. 000000, 123456;
· check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays;
· consider blocking international calls, if possible; and
· consider disabling the remote notification, auto-attendant, call-forwarding, and out-paging capabilities of voice mail if these features are not used.
The hackers call into voicemail systems and search for boxes with the default password or easily guessed ones like 1-2-3-4. They then change the greeting to something like - “Yes, yes, yes, yes, yes, operator, I will accept the charges.” Then, they places a collect call to the number. When the (automated) operator (which is usually programmed to “listen for” key words and phrases like “yes” or “I will accept the charges”) hears the outgoing “yes, yes, yes, yes, yes, operator, I will accept the charges” message, the collect call is connected.
The hacker then uses this connection for long periods of time to make international calls. Sometimes they take over the number completely and set up a forward to another number. This is usually targeted over weekends or holidays, when people don’t check their voicemails for long periods of time. Most of the calls go overseas and can rack up big charges.
To counter this:
To avoid falling prey to this scam, the FCC recommends voice mail users do the following:
· always change the default password from the one provided by the voice mail vendor;
· choose a complex voice mail password of at least six digits, making it more difficult for a hacker to detect;
· change your voice mail password frequently;
· don’t use obvious passwords such as an address, birth date, phone number, or repeating or successive numbers, i.e. 000000, 123456;
· check your recorded announcement regularly to ensure the greeting is indeed yours. Hackers tend to attack voice mailboxes at the start of weekends or holidays;
· consider blocking international calls, if possible; and
· consider disabling the remote notification, auto-attendant, call-forwarding, and out-paging capabilities of voice mail if these features are not used.
Friday, June 26, 2009
Kids Flying Solo
Photo: Ma1974
Rick Seaney has some excellent tips for kids flying by themselves. The airlines call the kids UM for Unaccompanied Minors (usually considered ages 5-11 or 5-14). There has been a rash of children being put on the wrong flight and ending up in the wrong city. Both of the recent cases involved Continental and were caused mainly by the airlines using the same gate for two different flights.
As Rick states to reduce the risk of having the airlines “losing “your child is not to have him or her fly alone. By having a family member fly with the child you reduce the probability of a loss occurring to zero.
However, this is not possible all of the time so here are some tips from Rick’s site to reduce the chance of a loss.
1. Cell Phone: Give your child a cell phone. Practice with them on how to use it. Have all important numbers preprogrammed inside. Make sure they have a charger with them in their carry on bag.
2. Write a Note: Have them carry a note with their name, telephone number, destination and flight number. Have them show it (but not give it) to any airline employee who asks. Rick suggests pinning a note on the shirt of younger ones stating that they are flying to “Hartford.” While I think this is okay, do not put their name on their shirt. This could be used to lure them by a predator.
3. Ask THE Question: Train them to ask if this is their flight to “Harford” or wherever they are going. They should ask their escort, the person at the gate and the attendant once they get on the airplane.
4. Don’t Wander: Train your child when they disembark from the airplane, they should go to the gate agent and tell them who they expect to meet. Tell them not to wander from the gate without an escort.
5. Strategic seating: Request a seat close to the galley so flight attendants are always within view.
As Rick states to reduce the risk of having the airlines “losing “your child is not to have him or her fly alone. By having a family member fly with the child you reduce the probability of a loss occurring to zero.
However, this is not possible all of the time so here are some tips from Rick’s site to reduce the chance of a loss.
1. Cell Phone: Give your child a cell phone. Practice with them on how to use it. Have all important numbers preprogrammed inside. Make sure they have a charger with them in their carry on bag.
2. Write a Note: Have them carry a note with their name, telephone number, destination and flight number. Have them show it (but not give it) to any airline employee who asks. Rick suggests pinning a note on the shirt of younger ones stating that they are flying to “Hartford.” While I think this is okay, do not put their name on their shirt. This could be used to lure them by a predator.
3. Ask THE Question: Train them to ask if this is their flight to “Harford” or wherever they are going. They should ask their escort, the person at the gate and the attendant once they get on the airplane.
4. Don’t Wander: Train your child when they disembark from the airplane, they should go to the gate agent and tell them who they expect to meet. Tell them not to wander from the gate without an escort.
5. Strategic seating: Request a seat close to the galley so flight attendants are always within view.
Tuesday, June 23, 2009
Snooping on Keyboards
While I don't consider a particular danger for the average person, I thought it might be interesting to see how powerful spy versus spy and business intelligence gathering capabilities are. Here is a study on detecting the electromagnetic waves that are emitted by wired and wireless keyboards.
They were able to retrieve keystrokes from keyboards up to 20 meters (sixty feet) away. They were even able to distinguish between different keyboards in the same room.
The reason I don't believe that the average person has much risk is due to the specialized nature of the equipment necessary. A national espionage organization or a large business concern definitely would have access to such equipment. One scenario that I could think of is a setting up in a hotel room next door to the intended target.
Monday, June 22, 2009
Shred your Documents
It’s a good idea to shred any document that has your name or any other sensitive information on it. All the credit card applications that make it to my house go through the shredder before being thrown out. Simply ripping it in half is not good enough. Some credit card companies have accepted applications torn up and taped back together.
Invest in a decent machine. Cross cut shredders are far better than the cheap ones that only cut the paper into strips. It is possible to piece the long strips back together. Just ask the people from the US Embassy in Iran almost thirty years ago. I would also invest in a shredder stout enough to handle credit cards and CDs/DVDs. Office supply stores offer lubricating sheets that you run through every once in awhile to keep it in good working order.
Invest in a decent machine. Cross cut shredders are far better than the cheap ones that only cut the paper into strips. It is possible to piece the long strips back together. Just ask the people from the US Embassy in Iran almost thirty years ago. I would also invest in a shredder stout enough to handle credit cards and CDs/DVDs. Office supply stores offer lubricating sheets that you run through every once in awhile to keep it in good working order.
Saturday, June 20, 2009
TSA Going to More Stringent Name Requirements
As part of the Secure Flight program, travelers are now required to provide the name to the airlines that they will use while traveling. Before Secure Flight, airlines themselves were responsible for matching passenger information to the federal watch list. As Secure Flight is implemented, TSA will begin to assume responsibility for the security program. What this means is that when you purchase an airline ticket your name will be compared to the “No Fly” and “Selectee” lists, which are distilled from the FBI’s terrorist watch list.
Also when you present an ID at screening it needs to match the name on the ticket. There has been a lot of discussion on different websites as to what will constitute and not constitute a match. The general consensus is that the first and last names should be the same on both the IDs and the ticket, e.g James Doe on both, not Jim Doe and James Doe. Middle names shouldn’t matter according to TSA. I would not advise taking any chances with grumpy TSA screeners and make sure the ticket and ID match exactly.
The next part of Secure ID comes in August when domestic airlines will be required to collect (and passengers will be required to provide) date of birth and gender in addition to name. The idea behind this is to eliminate the six year olds from being identified as being on the terrorist watch lists.
The Transportation Security Blog has a good discussion of this.
Also when you present an ID at screening it needs to match the name on the ticket. There has been a lot of discussion on different websites as to what will constitute and not constitute a match. The general consensus is that the first and last names should be the same on both the IDs and the ticket, e.g James Doe on both, not Jim Doe and James Doe. Middle names shouldn’t matter according to TSA. I would not advise taking any chances with grumpy TSA screeners and make sure the ticket and ID match exactly.
The next part of Secure ID comes in August when domestic airlines will be required to collect (and passengers will be required to provide) date of birth and gender in addition to name. The idea behind this is to eliminate the six year olds from being identified as being on the terrorist watch lists.
The Transportation Security Blog has a good discussion of this.
Thursday, June 18, 2009
Schneier - The Psychology of Being Scammed
Schneier has a good article on the Psychology of Being Scammed. I come from the report "The psychology of scams: Provoking and committing errors of judgment" was prepared for the UK Office of Fair Trading by the University of Exeter School of Psychology. Schneier does a good analysis and points out some interesting aspects that it appears that victims tend to over analyze the scam and then hide their participation in the scam.
...it was striking how some scam victims kept their decision to respond private and avoided speaking about it with family members or friends. It was almost as if with some part of their minds, they knew that what they were doing was unwise, and they feared the confirmation of that that another person would have offered. Indeed to some extent they hide their response to the scam from their more rational selves.
...scam victims report that they put more cognitive effort into analysing scam content than non-victims. This contradicts the intuitive suggestion that people fall victim to scams because they invest too little cognitive energy in investigating their content, and thus overlook potential information that might betray the scam. This may, however, reflect the victim being 'drawn in' to the scam whilst non-victims include many people who discard scams without giving them a second glance.
This points to the fact that they intuitively know that something is wrong but disregard the prompting to stay away. This goes back to my theory that you need to trust your instincts. If you feel it isn’t a good deal or is even dangerous, stay away.
...it was striking how some scam victims kept their decision to respond private and avoided speaking about it with family members or friends. It was almost as if with some part of their minds, they knew that what they were doing was unwise, and they feared the confirmation of that that another person would have offered. Indeed to some extent they hide their response to the scam from their more rational selves.
...scam victims report that they put more cognitive effort into analysing scam content than non-victims. This contradicts the intuitive suggestion that people fall victim to scams because they invest too little cognitive energy in investigating their content, and thus overlook potential information that might betray the scam. This may, however, reflect the victim being 'drawn in' to the scam whilst non-victims include many people who discard scams without giving them a second glance.
This points to the fact that they intuitively know that something is wrong but disregard the prompting to stay away. This goes back to my theory that you need to trust your instincts. If you feel it isn’t a good deal or is even dangerous, stay away.
Sunday, June 14, 2009
Chain Letters and Hoaxes
I don't get particularly upset about spam email. I just delete it and move on. Chain letters and hoaxes can fall into this category. Lot's of times you also get them from well meaning people you know. These are dire warnings about devastating new viruses, Trojans, and malicious software. Often you get messages about free money, children in trouble, and other items designed to grab you and get you to forward the message to everyone you know. You have to be careful not to perpetuate a hoax, especially when that tells you to do something, especially something that might damage your computer.
Here are some tips from an old Computer Incident Advisory Capability (CIAC) website story that I had in my files.
How to Recognize a Hoax
Probably the first thing you should notice about a warning is the request to "send this to everyone you know" or some variant of that statement. This should raise a red flag that the warning is probably a hoax. No real warning message from a credible source will tell you to send this to everyone you know.
Next, look at what makes a successful hoax. There are two known factors that make a successful hoax, they are:
(1) technical sounding language.
(2) credibility by association.
If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.
When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.
Recognizing a Chain Letter
Chain letters and most hoax messages all have a similar pattern. From the older printed letters to the newer electronic kind, they all have three recognizable parts:
· A hook.
· A threat.
· A request.
The Hook
First, there is a hook, to catch your interest and get you to read the rest of the letter. Hooks used to be "Make Money Fast" or "Get Rich" or similar statements related to making money for little or no work. Electronic chain letters also use the "free money" type of hooks, but have added hooks like "Danger!" and "Virus Alert" or "A Little Girl Is Dying". These tie into our fear for the survival of our computers or into our sympathy for some poor unfortunate person.
The Threat
When you are hooked, you read on to the threat. Most threats used to warn you about the terrible things that will happen if you do not maintain the chain. However, others play on greed or sympathy to get you to pass the letter on. The threat often contains official or technical sounding language to get you to believe it is real.
The Request
Finally, the request. Some older chain letters ask you to mail a dollar to the top ten names on the letter and then pass it on. The electronic ones simply admonish you to "Distribute this letter to as many people as possible." They never mention clogging the Internet or the fact that the message is a fake, they only want you to pass it on to others.
Chain letters usually do not have the name and contact information of the original sender so it is impossible to check on its authenticity. Legitimate warnings and solicitations will always have complete contact information from the person sending the message and will often be signed with a cryptographic signature. Many of the newer chain letters do have a person's name and contact information but that person either does not really exist or does exist but does not have anything to do with the hoax message.
It is best not spread chain letters and hoaxes by sending copies to everyone you know. Sending a copy of a cute message to one or two friends is not a problem but sending an unconfirmed warning or plea to everyone you know with the request that they also send it to everyone they know simply adds to the clutter already filling mailboxes.
Here are some tips from an old Computer Incident Advisory Capability (CIAC) website story that I had in my files.
How to Recognize a Hoax
Probably the first thing you should notice about a warning is the request to "send this to everyone you know" or some variant of that statement. This should raise a red flag that the warning is probably a hoax. No real warning message from a credible source will tell you to send this to everyone you know.
Next, look at what makes a successful hoax. There are two known factors that make a successful hoax, they are:
(1) technical sounding language.
(2) credibility by association.
If the warning uses the proper technical jargon, most individuals, including technologically savvy individuals, tend to believe the warning is real. For example, the Good Times hoax says that "...if the program is not stopped, the computer's processor will be placed in an nth-complexity infinite binary loop which can severely damage the processor...". The first time you read this, it sounds like it might be something real. With a little research, you find that there is no such thing as an nth-complexity infinite binary loop and that processors are designed to run loops for weeks at a time without damage.
When we say credibility by association we are referring to who sent the warning. If the janitor at a large technological organization sends a warning to someone outside of that organization, people on the outside tend to believe the warning because the company should know about those things. Even though the person sending the warning may not have a clue what he is talking about, the prestige of the company backs the warning, making it appear real. If a manager at the company sends the warning, the message is doubly backed by the company's and the manager's reputations.
Recognizing a Chain Letter
Chain letters and most hoax messages all have a similar pattern. From the older printed letters to the newer electronic kind, they all have three recognizable parts:
· A hook.
· A threat.
· A request.
The Hook
First, there is a hook, to catch your interest and get you to read the rest of the letter. Hooks used to be "Make Money Fast" or "Get Rich" or similar statements related to making money for little or no work. Electronic chain letters also use the "free money" type of hooks, but have added hooks like "Danger!" and "Virus Alert" or "A Little Girl Is Dying". These tie into our fear for the survival of our computers or into our sympathy for some poor unfortunate person.
The Threat
When you are hooked, you read on to the threat. Most threats used to warn you about the terrible things that will happen if you do not maintain the chain. However, others play on greed or sympathy to get you to pass the letter on. The threat often contains official or technical sounding language to get you to believe it is real.
The Request
Finally, the request. Some older chain letters ask you to mail a dollar to the top ten names on the letter and then pass it on. The electronic ones simply admonish you to "Distribute this letter to as many people as possible." They never mention clogging the Internet or the fact that the message is a fake, they only want you to pass it on to others.
Chain letters usually do not have the name and contact information of the original sender so it is impossible to check on its authenticity. Legitimate warnings and solicitations will always have complete contact information from the person sending the message and will often be signed with a cryptographic signature. Many of the newer chain letters do have a person's name and contact information but that person either does not really exist or does exist but does not have anything to do with the hoax message.
It is best not spread chain letters and hoaxes by sending copies to everyone you know. Sending a copy of a cute message to one or two friends is not a problem but sending an unconfirmed warning or plea to everyone you know with the request that they also send it to everyone they know simply adds to the clutter already filling mailboxes.
Wednesday, June 10, 2009
Street Smarts for Travelers
When traveling out of town and you don't know the area, you need to take extra precautions. Plan your routes out of your hotel to your destination. When going out, tell a friend where you're going and the approximate time you expect to return. Whenever possible, travel with a friend, or better still, with a group of friends.
Think about these items when out and about:
-If you think you are being followed, walk towards areas with other people and well lit areas.
-Trust your instincts. Get out of situations you don't feel comfortable in.
-Walk with confidence on the street and at a good, steady pace. Keep your head up and observe your surroundings, don't look down at the ground. Your attitude and posture repel trouble.
-Don't respond if someone calls out to you.
-Don't hesitate to join a grop of strangers is you feel threatened.
-Don't walk around with an Ipod or headphones on because it distracts you.
-Don't use ATMs at night.
-Don't enter public transportation, elevators, etc if the occupants don't look safe.
Have a plan of action. It is always best to try to think ahead of how to handle situations before you actually encounter them.
If someone threatens you, don't provoke them. Try to speak gently, but firmly, never weakly. Keep calm, don't show fear. Back away from trouble. Don't scream, it tends to make the situation worse. Try to carry a whistle or a personal siren. If you need help, yell "Call 911!" and then start to describe the situation and the attacker(s).
If you are being robbed, give them what they want and get away. Money or possessions are not worth your life.
Don't let anyone corner you. Flee to a crowded area. Only strike and flee as a last resort.
Most importantly, remember to trust your instincts. If it doesn't feel right, it isn't right. Get out of the situation and back into crowds of people. You can travel safely but keep your head about you.
Monday, June 8, 2009
Seattle Times - Software targets password pickle
The Seattle Times has a good article on managing passwords. I particularily like their password tips:
1 Use at least seven or eight characters, with numbers, symbols and letters. Random arrangements are stronger than words you can find in the dictionary.
2 Think of a phrase or sentence that you'll remember but others won't know and then take the first letter of each word and substitute numbers or symbols for some of them. "My favorite jacket is at the cleaners" becomes MFJIATC or MFJ1@TC.
3 If you really want to use your dog's name, save it for news sites or accounts that don't contain sensitive information. Use a stronger password for more critical accounts or financial services.
4 If you store your passwords, use an encrypted file or password manager. Don't leave them on your hard drive in an open file labeled: "passwords.doc."
There is a good discussion on password managers available to include browser password managers, OpenID, information cards, CardSpace, and others. I happen to like an application called RoboForm. RoboForm manages passwords, identities, generates random passwords and quite a bit more. One key is to make sure that you do use a master password, otherwise all of your information is open if someone gets access to your computer.
Saturday, June 6, 2009
Travel Safety
Travel should be a fun experience whether for business or for pleasure. Travelers are, however, sometimes victimized by crime and violence, or experience unexpected difficulties. Criminals, terrorists and the run of the mill thugs are all dangers when traveling. There are certain actions to take which can minimize your risk.
Appearance- You want to look your best, but you don’t want to attract attention. Jewelry and flashy clothes attract criminals. Don’t wear provocative clothes, either sexually or with hot button political statements on them.
Jewelry – Stick with the weeding band. If you wear other rings, turn them band side up in risky areas. Wear inexpensive watches. The rule is to keep it simple.
Be inconspicuous - Don’t look like a tourist. Don’t flash cameras, maps, travel brochures.
Shoes – Wear comfortable shoes that you can run away in if needed.
Bags – Wear bags across your body so they can’t be yanked off your shoulder. Backpacks are better.
Don’t wear headphones – Be aware of your surroundings. Thieves look for distracted people.
Home address – Hide your address tags on your luggage. Use tags that require being taken off of the bags to be read. Thieves often will call accomplices in your home town to sack your house while you are away.
Laptops – Carry your laptop in a backpack. It is more inconspicuous and easier to carry meaning that you will have a harder time forgetting it somewhere.
Appearance- You want to look your best, but you don’t want to attract attention. Jewelry and flashy clothes attract criminals. Don’t wear provocative clothes, either sexually or with hot button political statements on them.
Jewelry – Stick with the weeding band. If you wear other rings, turn them band side up in risky areas. Wear inexpensive watches. The rule is to keep it simple.
Be inconspicuous - Don’t look like a tourist. Don’t flash cameras, maps, travel brochures.
Shoes – Wear comfortable shoes that you can run away in if needed.
Bags – Wear bags across your body so they can’t be yanked off your shoulder. Backpacks are better.
Don’t wear headphones – Be aware of your surroundings. Thieves look for distracted people.
Home address – Hide your address tags on your luggage. Use tags that require being taken off of the bags to be read. Thieves often will call accomplices in your home town to sack your house while you are away.
Laptops – Carry your laptop in a backpack. It is more inconspicuous and easier to carry meaning that you will have a harder time forgetting it somewhere.
Hotel Safety
Hotel Security Features - Look for magnetic cards, instead of keys. Keys are harder to control and usually have the room number on them. Refuse the room if it doesn’t have a phone, deadbolt, and window locks. Make sure everything is in working order.
Hotel Room Safety – Make your room always look occupied -Always put out the do not disturb sign, play the TV when away and never put out the maid service requested sign.
Hotel Personal Safety- When checking in, ask the bellhop to escort you to the room. Check the closets, under the bed and in the bath to make sure it is empty. If the bellhop is not available, prop the door open with your bag and check the room. When someone knocks on your door, be sure of their identity. Ask for a receipt under the door if room service or a delivery. Call the front desk if not sure.
Always remember; never feel foolish when asking for verification. If it doesn’t feel right, it probably isn’t right. Trust your instincts.
The US Department of State has more good tips for when traveling abroad.
Image: FreeDigitalPhotos.net
Tuesday, June 2, 2009
Dangerous Web Search Words
ZDNet has an interesting article on words that are dangerous to search on. The top one is “screensavers.” By searching on this word, you have the greatest chance of stumbling on a malicious or fradulant website. “Lyrics” or anything with “free” in it is run a close second and third. The safest searches are associated with health related topics.
The idea behind the study is that blackhats (people intent on doing harm over the Internet) use Search Engine Optimization (SEO) to direct their attacks on those most likely to either fall for fraud or open their computers up to exploitation. They will use current topics to direct traffic to their sites. For example, the swine flu epidemic triggered related key words to bring up sites preying on people worried about the pandemic.
The idea behind the study is that blackhats (people intent on doing harm over the Internet) use Search Engine Optimization (SEO) to direct their attacks on those most likely to either fall for fraud or open their computers up to exploitation. They will use current topics to direct traffic to their sites. For example, the swine flu epidemic triggered related key words to bring up sites preying on people worried about the pandemic.
As the article states, in reality there are thousands of malicious sites and even legitimate ones can be hijacked and carry harmful code. The best protection is to not wander around in the “dark reaches of the Internet” and keep your computer up to date with virus protection, anti malware and updates.
Subscribe to:
Posts (Atom)
