Saturday, March 30, 2013

Super Bowl scamday: survey scammers target Twitter

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

With less than 16 hours to go, internet con men are taking advantage of the largest yearly event in sport. The American Super Bowl contest has garnered extra attention this year because the coaches of the opposing teams are brothers.

As usual, internet fraudsters are capitalizing on the spectacle and luring unsuspecting NFL fans into completing a survey. The purveyors of this survey are not who you think.

The scam begins with someone being silly enough to send or retweet a tweet with the words "Super Bowl."

Super Bowl Tweet

Immediately the auto-responder bot attempts to trick the person who sent the tweet with a lure. The account doesn't appear to be that different from any corporate brand:

Scam Twitter account

If you aren't paying attention you might click on the profile and view the link. It leads to a garden variety survey scam. Many brands create special Twitter accounts and this acclimates everyday users into thinking these accounts might be legitimate.

SuperScam

Anyone who clicks on this offer is not getting a fan pass. No, they are simply having their personal details sold off to the highest criminal bidder.

While it is easy to get caught up in the excitement of a major sporting event, you should only trust information from official and trusted sources.

I don't care much for football, but I will be watching for the commercials. What I won't be doing is clicking unsolicited ads or dreaming about my "free" anything.

I might be a Grinch, but I learned a long time ago that nothing worth any real value is free.

http://twitter.com/chetwisniewski

Friday, March 29, 2013

Facebook Class Action email - it looks like a phish but it's the real deal


The news that Facebook is turning facial recognition back on in photo tagging has a silver lining.

Many of our readers have been inspired to revisit their privacy settings and to make sure those settings really are what they intended.

Reviewing what the cyberlifestyle gurus call your security posture is something well worth doing once in a while.

Like regular trips to the dentist, or routine prostate examinations, it can save you a lot of unexpected grief in the future - but it doesn't leave you numb in body, mind or wallet.

This, in turn, has led a number of you to ask about a Facebook-related email that's doing the rounds lately.

It certainly has some of the hallmarks of a phish:

There's an arresting headline:

NOTICE OF PENDING CLASS ACTION AND NOTICE OF PROPOSED SETTLEMENT

There's the assurance that this email is lawful, objective, legitimate and, indeed, important:

A federal court authorized this Notice. This is not a solicitation from a lawyer.

There are millions of dollars up for grabs, if only you are willing to join in:

Facebook will pay $20 million into a fund that can be used, in part, to pay claims of Class Members who appeared in a Sponsored Story.

Got your attention? Good. Because there are some worrying things, too.

Like the sender's email address, which seems unusual for something with the imprimatur of a federal court:

From: legalnotice

Or the online call to action, asking you to click a link in the email:

Please visit www.xxxxxxxxx..com (if clicking on the link does not work, copy and paste the website address into a web browser)

If you're worried about web links in unsolicited emails (and you should be!), you can fall back to the good old telephone.

But you have to call a phone number given by the sender, which is usually a no-no.

That number is always going to terminate where the sender wants it to, so a bogus sender can answer to make you believe you've reached a company with any name they like:

You may also contact Class Counsel, Robert S. Axxx of the Axxx Law Firm, by calling 1-555-555-5555

Or you can send an email, though interestingly to an address quite different from the already-unusual one used by the sender.

Oh, and there's just a touch of bait-and-switch, if you read carefully:

Each participating Class Member who submits a valid and timely claim form may be eligible to receive up to $10.

That's it, I'm afraid.

That $20 million pot will give you a maximum return of $10.

If you dig further, you might find even more curious facts that aren't immediately obvious. You'll need to click the link and drill down into a number of documents, including a 46-page PDF entitled:

PLAINTIFFS MOTION AND MEMORANDUM OF LAW IN SUPPORT OF MOTION FOR ATTORNEYS' FEES AND COSTS AND CLASS REPRESENTATIVES' SERVICE AWARDS

The bottom line, roughly speaking, is that the lawyers are hoping to claim approximately $8 million in fees. So there'll be $12 million left to pay all the possible claimants.

You'll get $10 if there are 1.2 million claimants or fewer. But if there are more than 2.4 million claimants, your share would be below $5, and the court might decide that it's too hard and expensive to distribute that many payouts. In that case, a named charitable fund may end up scooping the whole pot. After the lawyers' fees.

Fact is, however, that this isn't a phish.

It's a genuine class action, with a genuine proposed settlement for Facebook's disputed Sponsored Story system.

So the lawyers are entitled - indeed, I suspect they're probably obliged - to try to contact you to advise you of your involvement (whether you expect it or wish it), because your own legal rights are affected by this matter.

There isn't a simple opt-in here.

You can opt in, and you might get $10, but you waive the right to sue Facebook independently if you do. You can opt out, get nothing now, but maintain the right to take your own legal action later.

Or you can do nothing. Then you automatically waive your right to sue Facebook later, as well as any claim on that $20 million mountain of moolah.

Since this is the default, "neither in nor out", you can see the legalistic purpose of the initial email.

And, to be fair to the lawyers, there probably isn't any other reasonable way they could contact you, since most Facebook users are little more than an email address, at least as far as Facebook can reliably tell.

In short, this email, and others like it against other internet companies, aren't phishes. They're lawful communications that couldn't be done in an efficient, timely and effective fashion any other way.

First problem is, I think they look sufficiently phishy to teach us bad standards once we realise they're legitimate. If this one's OK, why not similar emails that are utterly bogus?

Second problem is, I can't think up a way they could be made clearer from a security point of view without making them ineffective in getting the underlying message across of what your options are, and why.

How would you approach this sort of communication in order to make it set higher security standards without losing clarity and completeness?

Share your ideas in the comments below...

Follow @duckblog


Wednesday, March 27, 2013

Apple (again) washes its hands of the Java mess


Apple's thrown in the towel on the Java mess and has, for the second time in two weeks, blocked all versions of Java on OS X 10.6 (Snow Leopard) and later.

The new block applies to the plugin for Java 7 update 11 version 1.7.0_11-b22, which, like last time, is one build ahead of the current version 1.7.0_11-b21.

According to The Register, the blockade was first noted by the French blog MacGeneration.

Apple issued the update to its XProtect malware-handling system in OS X early Thursday morning. XProtect is a rudimentary anti-malware system built into recent releases of Mac OS X that Apple updates periodically to blacklist certain malware.

The update now blocks all versions of the Java Web plug-in before version 1.7.11.22 (previously the limit was version 1.7.10.19).

The move is likely due to issues outlined in Oracle's latest security alert regarding its Java problem child.

In that most recent Java headache, which came out in mid-January, Oracle's CVE-2013-0422 security alert concerned Java applets being able to escape from Java security and infect PCs with malware.

Within weeks of that security advisory hitting the airwaves, the Polish researcher Adam Gowdiak, who specializes in Java leakage, poked two new holes in it.

Apple's not the only one shunning Java. On Tuesday, Mozilla announced an end to auto-loading of plug-ins for Firefox.

If you haven't already booted Java out of your browser, consider following our simple steps on how to turn off Java in your browser.

Forgive me if it's cavalier to casually suggest unhooking the Java catheter.

It's obviously hard for large, heterogeneous networks to adapt to a complex change. As Paul Ducklin notes, sysadmins are complaining that it's just not easy to ditch Java suddenly, and it's thoughtless of Naked Security to suggest it.

Unfortunately, as he also points out, the problem(s) with Java security don't look like they're going away anytime soon, legacy systems or no.

I welcome input from sysadmins on how you're dealing with the Java issue, beyond, presumably, tearing your hair out.

Follow @LisaVaas
Follow @NakedSecurity


Tuesday, March 26, 2013

Another Java update! Oracle brings Patch Tuesday forward to close in-the-wild hole...


I'll keep this one short, but I feel I ought to tell you.

"Yet another Java update! Get it while it's hot."

In calmer times, this update would have appeared on 19 February 2013.

Oracle's Critical Patch Updates for Java normally come out on the Tuesday closest to the 17th day in every fourth month. (Yes, I find that a little Byzantine, too.)

But Oracle brought its February 2013 Java patch forward, noting the "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers":

Oracle isn't saying which of the RCE (remote code execution) holes is the one that's actively being exploited, but bringing the patch forward is probably a good idea anyway.

According to the latest Oracle Risk Matrix there are 50 fixes, 49 of which might be remotely exploitable. That means merely visiting a web page might be enough to infect your computer.

The quick way to grab the latest version is to head over to Java.com and click the big red Free Java Download button.

That should work out your operating system and offer you the latest-and-greatest version. On my Mac, for example, I get this:

If you don't actually have Java installed, of course, you may not want to install it for the first time right now, but whether you're updating or installing for the first time, you need to remember that Java has two main functions on your computer:

1. Java lets you run applications that you install and download just like regular Windows or OS X software packages. Java applications don't run natively, so you need the Java system installed first.

There is no particular reason why a Java application puts your computer at any greater risk than an application based on Windows .EXE files or OS X native binaries.

Some Java applications you might have heard of are: Eclipse, a powerful IDE (integrated/interactive development environment) for programmers; Weka, a data mining and machine learning toolkit; and Tomcat, a web server platform.

2. Java lets you run applets that are delivered in web pages, directly into your browser. There's obviously a huge security risk here, so applets run in a controlled environment called a sandbox to contain that risk.

The Java sandbox has suffered from numerous holes over the years. These have allowed malicious applets to escape from your browser and install malware on your computer without your knowledge or permission.

As a result, cybercrooks have especially targeted Java as a vehicle for infection. Java is inherently cross-browser and cross-platform, so attacking it is a high-yield exercise for the Bad Guys.

Ironically, however, browser-based software these days tends to use a mixture of JavaScript (which is not related to Java at all, despite the name), Flash and HTML5 to achieve the sort of results that would have needed Java a decade or more ago.

Fortunately, you can have Java installed so you can run applications, but shut the door on applets by disabling it in your browser.

Our recommendations are therefore simple:

Don't install any software you don't actually need or use. That includes Java.

By all means, install Java if you want or need to. But keep it up-to-date.

Turn Java support off in your browser, unless you are sure that you need it and cannot manage without it.

Some Naked Security readers who need Java applets, but only occasionally, install two browsers and enable Java support in one, but not the other.

This adds complexity, since there is more to update, but it means that simply by making the non-Java-enabled browser your default, you greatly reduce the risk of innocently ending up in harm's way when you spend time on the web.

The latest official updates are Java 7 Update 13 (the latest-and-greatest flavour), and Java 6 Update 39 (the previous version, still needed by some applications).

As I said, "Grab it while it's hot."

Follow @duckblog

Apple OS X 10.6 (Snow Leopard) users who have Apple's own version of Java should use Apple Menu | Software Update...

Confusingly, Apple's latest update is called Java for Mac OS X 10.6 Update 12.

The "6" refers to OS X 10.6, not to Java 6, and the "Update 12" refers to Apple's internal sequence numbering. It isn't one short of Oracle's Update 13.

Indeed, Apple's latest Update 12 takes OS X 10.6 users to Java 6 Update 39, if that doesn't leave you even more bewildered.


IE 10 is more secure, so here's a Microsoft tool to prevent you updating by mistake


An alert writer over at The Register has spotted a funny thing.

Microsoft just released a free tool to stop you upgrading to Internet Explorer 10 on Windows 7 and Server 2008 R2:

"Big deal," you say. "There is no IE 10 for Windows 7, so it doesn't sound like much of a tool to me."

Except, as The Reg points out, the availability of the tool is a sort of omen: it surely means that IE 10 for Windows 7 must be nearly ready to drop for real.

Ironically, then, Microsoft is making sure that as soon as IE 10 is ready, you're already ready to avoid it.

Sounds rather odd, but sysadmins in any but the smallest organisations tend towards trepidation over Internet Explorer updates, in case some legacy business application should go pear-shaped.

And there's the real irony: that Microsoft should need to produce a one-off anti-update tool to help you sidestep a forthcoming automatic update, as a way of discouraging you from turning off automatic updates altogether.

A sort-of "lesser of two evils" solution for change control conservatives.

Microsoft has been there before, with IE 6 staying on the shelves so far past its use-by date that the company came up with iecountdown.com, an entire website devoted to weaning people off IE6 with an unrepentant clarion call of, "Friends don't let friends use Internet Explorer 6."

The technique for suppressing IE 10 is pretty straightforward. Here's an excerpt from the batch-language version:

set REGBlockKey=HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0
set REGBlockValue=DoNotAllowIE10
REG ADD "%REGBlockKey%" /v %REGBlockValue% /t REG_DWORD /d 1 /f

Even with this magic registry value set, you can manually install IE 10 (or manually force an update with WSUS) if you want to override the block.

When you're ready to let Windows Update push out IE 10 entirely automatically, you just remove the DoNotAllowIE10 registry value:

set REGBlockKey=HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0
set REGBlockValue=DoNotAllowIE10
REG DELETE "%REGBlockKey%" /v %REGBlockValue% /f

If you want someone's word other than Redmond's that IE 10 is more secure than earlier browsers, consider the prizes on offer at this year's PWN2OWN competition for browser hacking.

IE 10 is worth $100,000 for a successful exploit; IE 9 will only fetch you $75,000:

So when will IE 10 drop onto unblocked Windows 7 PCs?

Sadly, we can't tell you that. For users not afraid of upgrading their browser, the sooner the better!

Follow @duckblog


Monday, March 25, 2013

Facebook is turning facial recognition back on - so here's how to check your "photo tagging" settings


Facebook's controversial flirtation with facial recognition is back in the spotlight.

At the end of 2010, the tell-us-all-about-yourself social networking service announced that it would be using facial recognition to make it easier for you to tag other people in your photos.

Just in case you didn't know the names of all of the "friends" in photos you'd uploaded, Facebook's plan was to help you out.

Although it didn't try to do anything you couldn't have done yourself, and merely suggested a name and awaited your approval, there was no provision for the person whom Facebook thought it had recognised to get involved in the approval process.

Facebook would tell you that you had been tagged, in case you wanted to opt out. But it wouldn't let you choose in the first place, even though it was claiming to know who you were.

That caused not a few people (including me) to reach for the word "creepy". It certainly made it much more likely that you'd end up identified online without your consent, since people you didn't know well were now more likely to know or to find out who you were.

This whole facial recognition saga has been through a series of on-again, off-again machinations since then.

Last year, Facebook temporarily suspended the feature "to make some technical improvements," in its own words. But now it's back:

As we announced last year, we temporarily suspended our photo tag suggestion feature to make some technical improvements. Today, we're re-enabling the feature in the United States so that people can use facial recognition to help them easily identify a friend in a photo and share that content with them. This is the same feature that millions of people previously used to help them quickly share billions of photos with friends and family.

Like before, it's reappearing first in the US.

And bad luck if you're one of the 90% of Naked Security readers who said they'd prefer Facebook to be entirely opt-in last time we asked:

You're not going to be asked if you want this feature turned back on, notwithstanding that it's different. The decision will be made for you.

With this in mind, it's probably worth revisiting your Facebook privacy settings relevant to tagging. You can dig the answer out of Facebook's own help page with a little bit of work:

Be sure to read on, though, to make sure you realise how much value Facebook puts on you leaving this feature enabled:

Before you opt out of using this feature, we encourage you to consider how tag suggestions benefit you and your friends. Our tagging tools (including grouping photos that look similar and suggesting friends who might be in them) are meant to make it easier for you to share your memories and experiences with your friends.

Convinced? Have you made your mind up now?

OK, here's a visual summary of how to manage photo tagging on your Facebook account.

You start by clicking on the gear icon at the far right, and choosing Privacy Settings from the menu:

Then go to the menu at the far left, and choose Timeline and Tagging:

And now review your settings, including the all-important Who sees tag suggestions when photos that look like you are uploaded:

And that's how to do it. Take care out there!

If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy, join the Sophos Facebook page where more than 200,000 people regularly discuss these issues and best practice.

Follow @duckblog


Saturday, March 23, 2013

Ticketmaster says goodbye to CAPTCHA


Human? Not a robot? Says you! Take this test to prove it:

Captcha test

What's at times essentially illegible, fuses characters together into melted blobs of unrecognizable goo, and occasionally tells you to go f**k yourself?

If you answered "CAPTCHA", congratulations - you're made out of carbon!

Because of this, it's unlikely you will robotically buy up reams of tickets and sell them at vicious markups, and therefore, Ticketmaster, the world's largest online ticket retailer, will be happy to sell to you.

Now, though, Ticketmaster is going to sell tickets without torturing your eyeballs with the use of CAPTCHA.

According to the BBC, Ticketmaster has dumped the reviled challenge-response test and put in its place software created by Solve Media, which achieves the same robot-screening ends by asking for well-known phrases, descriptions of brands, or with simple multiple-choice questions.

CAPTCHA came out of Carnegie Mellon University and stands for "Completely Automated Public Turing test to tell Computers and Humans Apart".

The tests are designed to be hard for robots, easy for humans.

They typically consist of typing letters and/or digits from a distorted image. Or messages, as noted, to go pleasure yourself. Or, then again, mathematical problems that make your brain bleed.

Or, as with the Civil Rights Defenders group, a multiple-choice test to prove you're not a homophobic creep. Or, sometimes, a tricky extra character or two.

For some reason, people don't like these CAPTCHA tests.

Lord Teapot, a commenter on the BBC story, said that he or she finds these tests so distasteful, he or she gives up and buys from another site after the first failed attempt:

Lord Teapot
30TH JANUARY 2013 - 15:57
I will generally attempt a CAPTCHA once. After that I seek another site to purchase/view/etc the material I was seeking. Some of the CAPTCHA images are essentially illegible, tend to contain multiple characters that seem to be fused together into unrecognizable masses, and other nonsense that makes the entire scheme a complete [hassle]. Find a legitimate way to ID humans, or we find other sites.

Revenue-harming disgust caused Ticketmaster to rethink the use of CAPTCHA.

According to the company's executive vice president of e-commerce, Kip Levin, preliminary trials show customer satisfaction is ticking up, and security hasn't suffered.

He told the BBC:

"We're starting to see an uptick in fan satisfaction."

"We're happy with what we've seen from a security standpoint as well."

Levin also told the BBC that the new system has halved the time users take to puzzle out an answer: average time to solve a CAPTCHA puzzle was 14 seconds, while the new system took users an average of 7 seconds.

As far as security goes, it's time for us to find a better method. Back in 2008, spammers were achieving a CAPTCHA success rate of 30% to 35% for Microsoft's Live Mail service and a success rate of 20% against Gmail.

But, as Sophos's Graham Cluley noted this past fall, nowadays, spammers are simply outsourcing the cracking of CAPTCHAs to impoverished workers in the third-world, to whom they pay a pittance for completing thousands of puzzles each day.

And there's no reason to believe that such a technique won't work just as well against Ticketmaster's new system.

Follow @LisaVaas
Follow @NakedSecurity

Frustrated computer user image courtesy of Shutterstock


Arsenal Lotto scam spammed out via PowerPoint file


The scammers must be getting more and more desperate to get their claws on our money.

Their criminal business model is messed up somewhat by anti-spam filters blocking their fraudulent messages from reaching potential victims.

What's a bad guy to do?

Well, they could do what this scammer has done - wrap their scam email up into a format that anti-spam software might not look at so closely.

Subject: Please quote your !
From: Arsenal
Attached file: Arsenal.ppt

Message body:
Please find attachement

The scammer doesn't give away much information in the email itself, but open the attachment (a PowerPoint file) and you'll read that Arsenal Football Club have awarded you a £2,350,000 prize in their lottery.
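As an added example (not code from the Naked Security post), here is a small Python triage routine that flags the pattern described above: a near-empty message body whose real content is carried in an Office attachment, together with the dangling "!" left by an unfilled mail-merge field in the subject. The sample messages, the sender addresses and the ten-word threshold are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

OFFICE_EXTENSIONS = (".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx")
MIN_BODY_WORDS = 10  # assumption: genuine correspondence rarely says less


def build_message(subject: str, body: str, attachment_name: str) -> bytes:
    """Construct a test email (constructed sample, not a captured message)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "Arsenal <lotto@example.invalid>"  # constructed address
    msg["To"] = "recipient@example.invalid"          # constructed address
    msg.set_content(body)
    # Placeholder bytes stand in for the PowerPoint file; only the name matters here.
    msg.add_attachment(b"placeholder-ppt-bytes", maintype="application",
                       subtype="vnd.ms-powerpoint", filename=attachment_name)
    return msg.as_bytes()


def scam_sample() -> bytes:
    """Modelled on the subject, body and attachment quoted in the article."""
    return build_message("Please quote your !", "Please find attachement", "Arsenal.ppt")


def benign_sample() -> bytes:
    """Same attachment type, but with a body that actually says something."""
    return build_message(
        "Slides from Tuesday's meeting",
        "Hi all, attached are the slides we went through on Tuesday. "
        "Let me know if anything is unclear before Friday's follow-up.",
        "meeting.ppt")


def analyse(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and return triage findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content().strip() if body_part else ""
    body_words = len(body_text.split())
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    office = [n for n in attachments if n.lower().endswith(OFFICE_EXTENSIONS)]
    subject = str(msg["Subject"] or "")

    reasons = []
    # Rule 1: the body is a stub and the real "message" lives in an Office file,
    # the trick the article describes for slipping past body-text spam filters.
    if office and body_words < MIN_BODY_WORDS:
        reasons.append("near-empty body (%d words) with Office attachment %s"
                       % (body_words, office))
    # Rule 2: an unfilled mail-merge placeholder leaves a dangling "!" or "?",
    # as in the quoted subject line "Please quote your !".
    if re.search(r"\s[!?]\s*$", subject):
        reasons.append("subject ends in a dangling punctuation mark: %r" % subject)

    return {"suspicious": bool(reasons), "reasons": reasons,
            "attachments": attachments, "body_words": body_words}


if __name__ == "__main__":
    for sample in (scam_sample(), benign_sample()):
        print(analyse(sample))
```

Run over a mailbox, the same function works on any message handed to it as bytes; the benign sample shows the rules do not fire merely because a PowerPoint file is attached.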

Arsenal lotto scam - click for larger version

All you have to do is contact their representative in China, a Dr Cheng Dingxiang, with your personal information (presumably he will request your bank information soon and an administration fee) and before you know it riches will be yours!

Clearly the scammers are getting desperate.

Hopefully no-one IT-savvy would fall for such a scam - and be instantly suspicious that the communication arrived not only via email, but within a PowerPoint file as well.

But always remember that there may be vulnerable people out there who *do* fall for scams like this, and are at risk of ending up out of pocket as a result. Always be on the lookout to help vulnerable friends and family avoid scams like this - however ridiculous they may appear to you.

You might want to recommend to your friends and family that they grab a copy of the Sophos Threatsaurus, where we explain the facts about threats to your computers and to your data in simple, easy-to-follow language.

Here's a one-minute video that tells you more:

Follow @gcluley


Thursday, March 21, 2013

Twitter ordered to unmask hate speakers


Months after hate speech was taken down from Twitter, a French court has ordered the company to hand over details of users who posted anti-Semitic content.

The court, in Paris, issued the order on Thursday in response to a request from the French Jewish students' union (UEJF) and others.

According to Le Monde, Twitter has 15 days following service of the order to unmask users.

If it fails to do so, it will be subject to fines of €1,000 (£850/$1,346) per day.

Twitter has refrained from commenting beyond telling news outlets that it's studying the decision.

Le Monde in October published this collection of anti-semitic jokes on Twitter, after the tag #UnBonJuif (a good Jew) started to make waves.

Other Twitter tags associated with hate speech that have been making the rounds in France include #SiMonFilsEstGay (if my son is gay) and #SiMaFilleRamèneUnNoir (if my daughter brings home a black guy).

Twitter deactivated the accounts in question in October.

In the US, hate speech is protected by the First Amendment unless it incites violence.

In countries such as France and Germany, however, laws ban hate speech.

As IT Pro Portal describes, that conundrum led Twitter to announce, a year ago, that it would block tweets whose content was restricted by certain countries.

Twitter first blocked content in October, suspending access to an account run by a neo-Nazi group in Germany.

Twitter in general has resisted handing over users' details, but courts have forced its hand: once when New York authorities got a court order for data about a user who threatened to kill people at a Manhattan theater, and again in September, when it turned over the tweets of an Occupy Wall Street protester.

As IT Pro Portal reports, a lawyer for Twitter earlier this month pointed to the company's US location as being a sticking point in forcing it to hand over data. Since the data is collected in the US, the French order should be authorised by a US judge, the lawyer said.

The French court disagreed, responding that the US's First Amendment protection doesn't apply in France.

Twitter will likely be brought to its knees again in this case, forced to take away the anonymity that's cloaked people who publish pretty vile content.

It's a good reminder that that invisibility cloak is illusory. It can be shredded by court dictate.

That invisibility cloak can also be stripped by the content platform itself.

Take Google as an example: In June 2012, it started to nudge users toward real-name usage on YouTube.

What's now merely a polite request could well blossom into a requirement as Google attempts to drain what is now a racist, ignorant, creepy, underage, psychotic, incoherent and/or homophobic swamp.

Therefore, it only makes sense to spout hatred if you truly believe that it's worth saying so publicly, and if you believe in such statements so sincerely, that law-ordered punishments aren't enough to dissuade you.

Are these demands for transparency an erosion of individuals' online privacy?

Sure. But that's the trade-off for not having cowards protected by cloaks of anonymity behind which they can safely hurl trash.

Follow @LisaVaas
Follow @NakedSecurity

Hooded person image courtesy of Shutterstock


Tuesday, March 19, 2013

Convicted sex offender let off the hook for child abuse image collection

Just because a neighbor saw titles for child abuse image files on an unsecured wireless network doesn't justify the law barging in and searching for the images, ruled an Oregon judge in the US.

The decision reversed the judge's previous conviction of John Henry Ahrndt, who, it turns out, was already a convicted sex offender.

In a ruling filed January 17, Senior District Judge Garr M. King said that Ahrndt's Fourth Amendment rights ensuring protection against unreasonable searches had been violated when a deputy got the go-ahead from his supervisor and clicked on one of the titles:

There is no evidence [Ahrndt] intentionally enabled sharing of his files over his wireless network, and there is no evidence he knew or should have known that others could access his files by connecting to his wireless network. [The deputy's] action of clicking on the image in [the neighbor's] iTunes directory to open the image violated Ahrndt’s Fourth Amendment rights.

Here's how the files were discovered in the first place: In February 2007, one of Ahrndt's neighbors - a woman identified as "JH" in court documents - got onto his unsecured wireless network when her own network went down.

Ahrndt's network was coming off a Belkin 54G router with a default setting of "no security".

JH opened up iTunes and noticed another user's library, called "Dad's LimeWire Tunes", available for sharing.

She then opened the folder and saw file names that got her on the phone with her local sheriff's office, pronto.

Some of the titles were very sexually explicit. Some other titles were used in conjunction with acronyms indicating age, such as "5yoa" and "8yoa".

Washington County Deputy John McCullough responded to JH's call a little less than an hour later. He wasn't sure whether he could legally open the files, so he called his supervisor, who gave him the go-ahead.

McCullough later recalled seeing the words "getting raped" and "being raped" in those file names.

Deputy McCullough opened a file and did, in fact, find images of child abuse - a search that Judge King last week deemed unreasonable, rendering the evidence inadmissible.

It's interesting to note the trail of evidence that a group of documents such as these leave on a computer.

According to Judge King's filing, Ahrndt admitted to downloading child abuse images as recently as eight months prior to law enforcement obtaining warrants and searching his home and computers. He said he had subsequently deleted the files.

Ahrndt told agents that he'd used LimeWire, a peer-to-peer file-sharing application, to download the images. If agents were capable of recovering deleted files, they'd find the images, he told them - specifically, on external hard drives that he'd converted from hard drives of old computers.

Investigators did, in fact, recover traces of the files, including:

- Advertising pages located in an "orphan" file, i.e. one whose parent file had been deleted.
- Images located in a Google Hello "scache", indicating the images had been sent or transmitted. (For a detailed look at how forensics experts find such images, check out this white paper by J. Curl: "Forensic Investigation of Google's "hello"" [PDF].)
- An .mpg movie that had been viewed in Windows Explorer or by using a My Computer thumbnail or filmstrip view.
- A deleted file recovered from Ahrndt's computer.
- Deleted files recovered from his USB flash drive.

Will Judge King's decision be upheld?

A commenter on The Wall Street Journal's coverage of the case thinks not:

joe doaks: … I believe that historically, you are free to look at any ambient electromagnetic radiation you are able to receive and decode. A couple decades back, an over-the-air HBO provider with not-very-sophisticated encryption, found this out the hard way.

I'm no legal expert, but I'd suggest that this argument misses the mark, given that it's not the legality of JH's unauthorized accessing of Ahrndt's network that was in question.

Rather, it was Deputy McCullough's opening of one of the files without a warrant that rendered the evidence inadmissible.

Regardless of the legal technicalities, it's a good reminder that an unsecured wireless network lets anyone in range join it, and that whatever file sharing you have switched on (iTunes library sharing, in this case) is then visible and readable to everyone on it.

This ruling is just one in many that get handed down in child abuse and unreasonable search cases.

I wouldn't count on the courts letting you off the hook if you're up to something reprehensible on an unsecured wireless network.

Follow @LisaVaas
Follow @NakedSecurity



Monday, March 18, 2013

Not-so anonymous Anonymouses head off to prison over PayPal DDoS

Four young Englishmen who went on an Anonymous rampage back in 2010 weren't as anonymous as they might have hoped.

They were traced, identified and arrested.

We wrote at the end of 2011 that they'd been released on bail after being charged with running Distributed Denial of Service (DDoS) attacks against a number of high-profile payment processing companies.

PayPal, Mastercard and Visa ended up under the pump in the attacks, which were carried out in revenge for those companies refusing to process donations to controversial whistle-blowing outfit Wikileaks.

The fact that the DDoS might have prevented many other not-for-profit organisations from receiving donations as a side-effect didn't seem to worry the attackers.

Interestingly, the judge who granted them bail didn't ban them from using the internet during their temporary freedom, but he did place them under an unusual restriction: they weren't allowed to use their online handles, or nicknames.

That probably wasn't too onerous for Christopher Weatherhead, now 22, who had to stop going by "Nerdo", nor for Ashley Rhodes, 28, who could no longer strut his stuff as "NikonElite". But it might have been tricky for 24-year-old Peter Gibson, who was apparently banned from calling himself "Peter".

(It's not clear if he had to go by the rather formal "Mr Gibson" instead, or if, paradoxically, he was permitted to adopt a pseudonym, provided it was one he hadn't used before.)

All four pleaded guilty. Three have now been sentenced: Nerdo got 18 months, NikonElite got seven and Peter, also known as Peter, got a six month suspended sentence.

The fourth hacktivist, whom we now know to be Jake Birchall, was just 16 at the time of the offence and will be sentenced separately. He too was banned from using his nick while on bail, but the court never told us what it was.

You'll find widespread reports suggesting that this attack alone cost PayPal £3.5 million (about $5.5 million), if you're wondering just how harmful a DDoS can be for an online business.

You need to take this sort of damage figure with a pinch of salt - it seems to include the cost of precautions taken after the attack by PayPal that were an investment to protect the company into the future, so it seems a little counter-intuitive to include this in the retrospective cost of recovering from an attack.

But there is little doubt that the hacktivist quartet did, and intended to do, as much damage as they could. They're said to have bragged on IRC, saying:

We have probably done some million pound of dmg to mc

(The word dmg, of course, means damage, while mc is shorthand for Mastercard.)

Now they get to regret.

Follow @duckblog



Sunday, March 17, 2013

CAN-SPAM spammers with a sense of humor

The CAN-SPAM act, passed in the United States in 2003, hasn't done much to deter the spammers here. Although India took the crown as the spammiest nation in 2012, the USA is back on top so far in 2013.

Occasionally in the flood of spam that passes through SophosLabs there are messages that make us take a second look.

Today brought just such a message to our spamtraps. In fact it brought several.

The offers themselves were pretty standard stuff for spam. Training to be a nurse or learning the secrets of 17 fat-busting foods aren’t going to turn research heads.

However, the obligatory small print at the bottom of the email showed a little more flair than the average CAN-SPAM mandated message.


This message was optimized to be viewed on awesome computers such as the one you're probably using. However there are so many ways to view emails these days that our message may be displayed differently for you. Perhaps you're laying in bed using a tablet or you're taking a bath while using your laptop (not recommended), and hopefully you're not viewing this message on a smartphone while dodging traffic or your neighbor's dog Spike. If you'd like to let us know which device you use to read your mail please send us that comment here. We'll be happy to make your offer viewing experience that much easier.

Do these offers not tickle your fancy? We're sorry to hear that, please go ahead and unsubscribe.

Opt-out is not the correct method for managing annoyances like spam. Opt-in is much preferred, but it has been a while since anyone offered me such a polite opt-out.

In case you are wondering, that feedback link really does take you to a page that asks which device you read your email on and for any other comments.

I was tempted to leave a comment but "If you can’t say something nice don’t say anything at all".

http://twitter.com/SophosLabs
http://twitter.com/NakedSecurity

Spam word cloud image courtesy of Shutterstock.



Friday, March 15, 2013

Anatomy of a phish - how crooks hack legitimate websites to steal your details

Old-school phishing is where cybercrooks lure you into logging in to your bank account on one of their websites.

When you enter your personally identifiable information (PII), as you would on the bank's real site, it gets uploaded to the crooks instead of to your bank.

The idea, of course, is that they then use the credentials they just stole to start draining your account.

So phishing is still worthwhile to the crooks, even though it doesn't seem to be quite as successful as it used to be. Many of us have learned to take great care when we're banking online, and to check for the "vital signs" of a scam before we trust a website with our usernames and passwords.

Nevertheless, the phishers are still giving it all they've got. By combining simplicity with accuracy, they're creating banking scams that are much more believable than the crude and misspelled emails and websites that were common a few years ago.

If you pick your moment, or just get lucky, there's still money to be made.

In Australia, for example, today (at least in Sydney) has been a very wet and gloomy public holiday.

Just the sort of morning to loaf on the couch with your laptop or your iPad and goof off online, where you might have received an email like this one:

Many banks now have a closed cloud-style email service built into their internet banking sites. The idea is that you'll get into the habit of logging in securely to read important messages, rather than believing what arrives in insecure emails.

The bank still sends you emails, but they don't contain any detail - they just give you an overview (e.g. "your statement is ready"), and advise you to read the full message on the secure site. A bit like the message here, in fact.

But what your bank won't do is to invite you to click a link to get to the secure site. They rightly leave you (indeed, they urge you) to find your own way to the banking portal, so you're not at the mercy of the URL embedded in the email.

So the link here is certainly phishy - it shouldn't be present at all - but it doesn't look like the sort of obvious phishing nonsense you often see.

You probably know what I mean: weird and unlikely domains such as really.your.bank.wefljdrsecxr.example.org that are an instant giveaway of bogosity.

In fact, this phish links to a government website in .cn (that's the People's Republic of China, or PRC):

The government site seems to have had a security lapse, allowing the crooks to add a small and simple web page called nabau.html.

This page silently redirects your browser elsewhere by using this HTML:

The redirect takes you off to another hacked site, specified in the URL as an IP number rather than as a domain name.

This presents you with a bogus login page hosted on a web server (it looks like part of the Computer Science department) at a Colombian university:

Ironically, this bogus page helpfully advises you to keep up to date with anti-virus, firewall software and the latest patches, and urges you to report phishing scams to NAB.

When you click Login to submit the form, the POST request (HTTP's name for an upload) goes to yet another hacked web property. This one is a student vacation site in the USA, apparently with some insecure plugins in its blogging subdirectories.

You never get to see the site's main page, which is unexceptional:

Instead, the web upload that is linked to from the Colombian university page gives the crooks their first page of login data.

Then you're shuffled back to the server in Colombia to face a request for another page of PII:

The POST request on this page uploads your formful of data to the same place as before: the US student vacation site.

This time, the vacation site bounces you back to Australia, rounding off the phishers' journey.

You end up unremarkably on National Australia Bank's own site, albeit that you're on the regular main page, not amongst the internet banking pages:

Let me be quick to say that you ought not to fall for this sort of phish:

- NAB wouldn't have put a link in the email, so you ought not to have clicked it.
- None of the so-called banking sites referenced a nab.com.au URL.
- None of them used secure HTTP, also known as HTTPS.

(HTTPS is the protocol that puts a tiny padlock in the address bar at the top of your browser's screen.)
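To make those checks concrete, here is an added example (not code from the original article, nor from Sophos) that walks a redirect-and-form chain like the one above and reports the tell-tales. The hostnames, paths and page bodies are constructed stand-ins for the three hacked servers (the .cn government site, the bare-IP server and the US blog); the real pages' HTML is not reproduced here, and a meta-refresh redirect is assumed for the first hop since the article doesn't show the actual HTML. The `fetch` function is injected so the script runs offline against the canned pages.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScan(HTMLParser):
    """Pull meta-refresh targets and POST form actions out of one HTML page."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.refresh_to = None
        self.post_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content") or "", re.I)
            if m:
                self.refresh_to = urljoin(self.base, m.group(1))
        elif tag == "form" and (a.get("method") or "get").lower() == "post":
            self.post_action = urljoin(self.base, a.get("action") or self.base)


def walk_chain(start_url, fetch, max_hops=10):
    """Follow Location headers, meta refreshes and (simulated) POST submissions.
    fetch(url) -> (status, location_header_or_None, body). Returns the hops."""
    hops, url = [], start_url
    for _ in range(max_hops):
        status, location, body = fetch(url)
        scan = _PageScan(url)
        scan.feed(body or "")
        hops.append({"url": url, "status": status, "form_action": scan.post_action})
        if 300 <= status < 400 and location:
            url = urljoin(url, location)      # server-side redirect
        elif scan.refresh_to:
            url = scan.refresh_to             # client-side redirect
        elif scan.post_action:
            url = scan.post_action            # where the victim's keystrokes go
        else:
            break
    return hops


def vital_signs(hops, legit_host="nab.com.au"):
    """The article's tells (no HTTPS, login form off the bank's domain,
    credentials posted to a third host) plus the bare-IP hop, as findings."""
    findings = []

    def note(msg):
        if msg not in findings:
            findings.append(msg)

    if not any(urlsplit(h["url"]).scheme == "https" for h in hops):
        note("no hop uses HTTPS")
    for h in hops:
        host = urlsplit(h["url"]).hostname or ""
        if h["form_action"]:
            if host != legit_host and not host.endswith("." + legit_host):
                note(f"login form served by {host}, not {legit_host}")
            action_host = urlsplit(h["form_action"]).hostname or ""
            if action_host != host:
                note(f"form on {host} posts credentials to {action_host}")
        try:
            ipaddress.ip_address(host)
            note(f"hop addressed by bare IP {host}")
        except ValueError:
            pass
    return findings


# Constructed pages standing in for the three hacked servers; hypothetical
# hosts and HTML, not the real sites. Values are (status, Location, body).
SAMPLE_PAGES = {
    "http://www.example-gov.cn/nabau.html": (200, None,
        '<meta http-equiv="refresh" content="0;url=http://198.51.100.7/nab/login.html">'),
    "http://198.51.100.7/nab/login.html": (200, None,
        '<form method="post" action="http://www.example-vacations.us/blog/wp-content/plugins/x/post.php">'
        '<input name="nab_id"><input name="password" type="password"></form>'),
    "http://www.example-vacations.us/blog/wp-content/plugins/x/post.php":
        (302, "http://198.51.100.7/nab/page2.html", ""),
    "http://198.51.100.7/nab/page2.html": (200, None,
        '<form method="post" action="http://www.example-vacations.us/blog/wp-content/plugins/x/post2.php">'
        '<input name="dob"><input name="card_number"></form>'),
    "http://www.example-vacations.us/blog/wp-content/plugins/x/post2.php":
        (302, "http://www.nab.com.au/", ""),
    "http://www.nab.com.au/": (200, None, "<html><body>Welcome</body></html>"),
}


def sample_fetch(url):
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    chain = walk_chain("http://www.example-gov.cn/nabau.html", sample_fetch)
    for hop in chain:
        print(hop["status"], hop["url"])
    print("\n".join(vital_signs(chain)))
```

Against the canned chain the walker records six hops, ending on the bank's real front page, and the check returns all four findings. Swap `sample_fetch` for a real HTTP client (with a sandboxed, non-browser user agent) to run it against a live lure; the point of walking the chain rather than just the first link is that the damning hop is rarely the one in the email.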

Nevertheless, this phish didn't take you to any sites that would have stood out, under normal circumstances, as part of the cybercriminal underworld.

It relied on three unremarkable and legitimate servers, owned by legitimate organisations and operated by unsuspecting sysadmins, in three different countries: PRC, Colombia and the USA.

That's why even self-proclaimed "safe surfers" - people who back themselves not to wander off into obviously-shady parts of the web - should consider themselves at risk.

Be careful out there. And that applies whether you're browsing or running an online business.

The crooks want to redirect your browser into harm's way, and they want to use your servers to help them do so.

Follow @duckblog


Thursday, March 14, 2013

Wow. Mickey Rourke has died snowboarding, just like Sylvester Stallone, Jim Carrey, Christian Slater...

Before anyone gets the wrong idea - let me make this really clear.

Despite what you may have read on the internet, Mickey Rourke has *not* died in a snowboarding accident.

A fan (incorrectly) mourns Mickey Rourke on Facebook

If the award-winning actor had been killed, it would have been a crazy coincidence - because it's just days since there were claims on Facebook and Twitter that Sylvester Stallone had died in a snowboarding accident.

And let's not forget Jim Carrey's fatal snowboarding accident and the one that killed Christian Slater a year ago.

All of the celebrities mentioned above are, at the time of writing, alive, kicking and - I'm guessing on this next bit - probably not snowboarding.

There are some pretty tasteless practical joke websites out there which allow you to generate fake news stories about the deaths of anyone you choose.

And that's exactly what has happened in Mickey Rourke's case.

Bogus news story

Actor - Mickey Rourke Dies In Snowboard Accident

THIS STORY IS STILL DEVELOPING...
Actor Mickey Rourke is reported to have died shortly after a snowboard accident earlier today - January 24, 2013.

The actor & novice snowboarder was vacationing at the Zermatt ski resort in Zermatt, Switzerland with family and friends. Witnesses indicate that Mickey Rourke lost control of his snowboard and struck a tree at a high rate of speed.

Mickey Rourke was air lifted by ski patrol teams to a local hospital, however, it is believed that the actor died instantly from the impact of the crash. The actor was wearing a helmet at the time of the accident and drugs and alcohol do not appear to have played any part in his death.

Additional details and information will be updated as it becomes available. This story is still developing

About Zermatt Ski Resort - While neighboring Gstaad is one of the world's top resorts with its three five-star hotels and St. Moritz is more popular, most rank Zermatt as Switzerland's top resort. A remarkably peaceful getaway, the village is peaceful thanks to its car-free environment. Amazingly picturesque, Zermatt holds the world's second biggest lift-served vertical drop and receives huge snowfalls thanks to its altitude.

As an experiment, I went to the same website - using my name in the URL rather than Mickey Rourke's. Sure enough, it tells me that I've died in a snowboarding accident:

Cluley dead? Nah..

Trust me - I've never been on a snowboard.

If you share the link with unsuspecting friends via social media, the fake news report can easily be spread in the blink of an eye.

Before you know it, internet users are unwittingly forwarding the message without checking their facts, and the tasteless website is earning itself some cash from the increased impressions its adverts are receiving.

If someone famous like Mickey Rourke had really come to a sticky end, you would be able to read about it on a legitimate news website like BBC News Online or CNN.

Just imagine the harm that could occur if there was malware lying in wait at the end of that salacious news story link.

So please, check your facts before sharing breaking news with friends - and remember not to believe everything you read on the internet.

Follow @gcluley


Do programmers understand the meaning of PRIVATE?

Filed Under: Featured, Privacy

You've probably heard of public-key cryptography, because it's the basis of HTTPS, the system that puts the padlock in your browser.

The mathematical detail behind public-key crypto is a little abstruse, but you don't need to be a mathematician to understand the principles that make it work.

Here's the story.

Traditional encryption (before 1970, at any rate) relies on the digital equivalent of a padlock. Turn the key clockwise to lock; turn the key anticlockwise to unlock.

If you want to share data securely with someone else, you have to make a duplicate of the key and send it to them. So you have to find a secure way of sharing the key first, typically with a face-to-face meeting, or through a trusted courier.

This is known as symmetric encryption, because you use the same key to encrypt and decrypt.

It doesn't scale very well, and it doesn't lend itself to online security, where you want a secure way of communicating with someone you've never met, and probably never will.

Public-key encryption (invented in the 1970s) relies on a funkier sort of padlock. You have two keys, either of which can be used for locking. But once the padlock is locked, only the other key can unlock it.

Choose one of the keys to be a public key, and let anyone who wants make a copy of it. Publish it online if you like.

Keep the other key private.

Now, anyone who wants to send you data securely simply locks it with their copy of your public key. Once it's locked, no-one (not even the person who locked it) can open it, since the private key is needed for that purpose.

Originally, public-key cryptography was called non-secret encryption. That name was meant to denote that the public key didn't need to be kept secret, so face-to-face meetings or trusted couriers were no longer needed for key exchange. But it's not a very good name because it implies an overall lack of security.

It is now universally known as public-key encryption, or asymmetric encryption. It's asymmetric because different keys are used to encrypt and decrypt.

You've probably realised that the key to public-key encryption, so to speak, is that only your public key is ever made public.

The secrecy of the system depends entirely on the secrecy of your private key, which is why it's called a private key.
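As an added illustration (not from the original article), here is the padlock analogy in textbook RSA with tiny primes: either key locks, only the other one unlocks, and whoever holds the private half can also "lock" something that anyone with the public half can open, which is what a digital signature is. The primes 61 and 53 and the exponent 17 are the usual classroom values, chosen so the numbers fit on one line; real keys are thousands of bits long and never encrypt raw numbers without padding, so this is for understanding, not for use.

```python
# Textbook RSA with tiny primes, purely to show the two-key padlock at work.
from math import gcd


def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the public and private halves of one padlock.
    p and q are assumed prime; e must share no factor with (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def lock(m, key):
    """Raise m to the key's exponent mod n. The same arithmetic works with
    either half of the pair; what matters is which half you hold."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


unlock = lock   # unlocking is the identical operation with the other key


def demo():
    public, private = make_keypair(61, 53)
    m = 65
    c = lock(m, public)             # anyone can lock with the public key
    assert unlock(c, private) == m  # only the private key opens it
    assert unlock(c, public) != m   # the public key cannot undo its own locking
    s = lock(m, private)            # locking with the private key is a signature
    assert unlock(s, public) == m   # anyone with the public key can verify it
    return public, private, c, s


if __name__ == "__main__":
    print(demo())
```

Note what the demo does not contain: any step that needs the public key to be kept secret. Everything about the system's secrecy is in `d`, the private exponent, which is exactly why uploading the wrong file is fatal.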

A surprising number of people, including many who should know better, don't seem to realise that, which is why fellow Naked Security writer Julian Bhardwaj emailed me this morning with a mixture of amusement and alarm when he saw this tweet from Stackoverflow co-founder Jeff Atwood, better known as @codinghorror:

(Stackoverflow is a question-and-answer site for professional and enthusiast programmers; Github is a popular online source code repository for that same community.)

The link in the tweet, by the way, expands to a search URI something like this:

https://github.com/search?p=BEGIN+RSA+PRIVATE+KEY

The search reveals cases where coders have generated a public/private key pair for secure communication with Github, and then uploaded the wrong key.

Julian suggested:

Whilst this search now returns no results (kudos to Github for a fast response), just over an hour ago it was returning 80 pages of people's private keys...perhaps time for a quick reminder about keeping private keys private?

Indeed!

If you are determined to produce your own key pairs, do yourself a favour and be careful about which one you give out and which one you keep. (The names public key and private key are supposed to make it easy to remember!)

Most key generation programs try to help you get it right by annotating the key files to make their content really obvious.

With SSH, for example, you use the ssh-keygen program, like this:

Your private key looks like this:

Or like this if you used a passphrase (you ought to, unless you plan to use the key in an automated process when you won't be around to type in the passphrase):

Your public key, which is the one you're supposed to upload to Github, looks like this:

Things are much the same with SSL keys. Private keys are clearly labelled like this:

Or like this if they are passphrase-protected:

Public keys are similarly annotated. You don't get passphrase-protected public keys (they're supposed to be public, after all) so they all look something like this:

Not too tricky, is it?

For all the software you're likely to use, such as OpenSSH, OpenSSL and GPG, private keys are labelled with the text PRIVATE KEY.

And that's the one you're supposed to keep private!
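Here is an added example (not code from the original article, nor from OpenSSH, OpenSSL, GitHub or GnuPG) of the check that would have kept those 80 pages of keys off Github: classify each file by the label its generator put on it, flag anything marked PRIVATE KEY, and note whether it carries a passphrase. For legacy PEM files that is the Proc-Type: 4,ENCRYPTED header; for PKCS#8 it is the ENCRYPTED PRIVATE KEY label; for ssh-keygen's own openssh-key-v1 format the cipher name sits in the base64 body, where "none" means no passphrase. The sample file contents are constructed dummies, not real keys, the openssh-key-v1 header bytes are built by hand just so the cipher field can be read, and the file names follow ssh-keygen and OpenSSL habits but are otherwise an assumption.

```python
import base64
import re
import struct

# The labels that OpenSSH, OpenSSL and GnuPG put on their key files.
PRIVATE_MARK = re.compile(r"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY( BLOCK)?-----")
PUBLIC_MARK = re.compile(r"-----BEGIN ([A-Z0-9 ]*?)PUBLIC KEY( BLOCK)?-----")
OPENSSH_PUB = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+) AAAA[0-9A-Za-z+/=]+", re.M)


def openssh_cipher(pem_body):
    """Read the cipher name from an 'openssh-key-v1' body (PROTOCOL.key lays it
    out as: magic, string ciphername, string kdfname, ...). 'none' means the key
    is stored without a passphrase. Returns None if the body isn't that format."""
    try:
        raw = base64.b64decode("".join(pem_body.split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return None
    off = len(magic)
    (ln,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + ln].decode("ascii", "replace")


def classify(text):
    """'private', 'private-encrypted', 'public' or None for one file's contents."""
    m = PRIVATE_MARK.search(text)
    if m:
        kind = m.group(1).strip()
        if kind == "ENCRYPTED":                                  # PKCS#8 (OpenSSL)
            return "private-encrypted"
        if re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M):    # legacy PEM (OpenSSL, ssh-keygen)
            return "private-encrypted"
        if kind == "OPENSSH":                                    # ssh-keygen's own format
            end = text.find("-----END", m.end())
            cipher = openssh_cipher(text[m.end():end if end >= 0 else len(text)])
            if cipher and cipher != "none":
                return "private-encrypted"
        return "private"
    if PUBLIC_MARK.search(text) or OPENSSH_PUB.search(text):
        return "public"
    return None


def scan(files):
    """files: {name: contents}. Return the names that must never be uploaded."""
    return sorted(name for name, text in files.items()
                  if classify(text) in ("private", "private-encrypted"))


def _fake_openssh_blob(cipher):
    """Constructed openssh-key-v1 header (magic, ciphername, kdfname, kdfoptions,
    key count) so the cipher field can be read. Not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    raw = b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return base64.b64encode(raw).decode()


# Constructed sample files (dummy base64, not real keys). Names follow ssh-keygen
# and OpenSSL habits but are an assumption.
SAMPLE_FILES = {
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_protected": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nAAAA\n"
                         "-----END RSA PRIVATE KEY-----\n"),
    "id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + _fake_openssh_blob("none")
                   + "\n-----END OPENSSH PRIVATE KEY-----\n"),
    "id_ed25519_protected": ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + _fake_openssh_blob("aes256-ctr")
                             + "\n-----END OPENSSH PRIVATE KEY-----\n"),
    "id_rsa.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 user@laptop\n",
    "server.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n",
    "server.pub": "-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n",
    "secring.asc": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nAAAA\n-----END PGP PRIVATE KEY BLOCK-----\n",
    "README": "Nothing to see here.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        print(f"{name:24} {classify(text)}")
    print("do not upload:", scan(SAMPLE_FILES))
```

Wired into a pre-commit hook over the staged files, `scan` blocks the commit before the key ever leaves your machine, which is the only point at which a leak is still reversible. Treat a passphrase-protected key that has been pushed as leaked anyway: the passphrase only buys time against offline guessing, so rotate the key rather than relying on it.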

You're welcome.

Follow @duckblog

