Ask the Expert

Questions sent to expert@securiteam.com fall under this category.

Review of “cloud drives” – Younited – pt 1

I’m trying out various “cloud drives”–or “file transmission services” as my little brother likes to call them, so as not to sully the name of cloud storage–and thought I’d mention a few things about F-Secure’s Younited first.

The reasons it is first are that a) F-Secure is a highly respected antivirus firm and based beyond the reach of the NSA in Finland, b) they are promoting the heck out of the new service by making it practically invitation only and asking that people tweet and blog about it, and c) it is really starting to annoy me.

Supposedly you can access it via the Web or through apps you install on your computer or device.  I have been able to upload a few individual files onto it, and access them on other devices.  Except for the MacBook.  The app seemed to install fine, but then it wouldn’t open anymore.  On the theory that, like SkyDrive, it wouldn’t install on my copy of Snow Leopard (and at least SkyDrive had the decency to tell me that), I upgraded to Mavericks (which has created its own problems).  That hasn’t fixed it.  Next step is probably to throw it in the trash and reinstall.

I decided to give it a bit of an acid test tonight, and upload a set of directories.  First off, it seemed to load everything, willy-nilly, into a standard set of folders for “Pictures,” “Videos,” “Music,” etc, regardless of the directories they came from.  At least, that’s what the app showed.  The Web browser, if you accidentally hit the right button (and I’m darned if I can find out how to get it back) showed the directories–but they were all empty.  A web browser on another machine shows nothing at all.

(A gauge of progress for uploads has been saying “Transferring 635/6475” for the last several hours, regardless of what else has gone on.)

I thought maybe I might have to create and populate a directory at a time.  That’s when I realized that I can’t make directories.  If you get past the initial level of “Help” FAQs (which don’t have a lot of helpful detail) you can find the “community.”  Do a search on “folders,” and a number of listings come up, including an article on how to organize your files.  This says that, in order

“To create a folder

  1. Go to the younited folder.
  2. Select Create folder.
  3. Type a name for the folder and select OK.”

Only problem is, when you click on the younited icon, the “create folder” option or icon never appears.  Other entries are equally “helpful.”  (What is the icon for sarcasm?)

I will, undoubtedly, learn more about the system and how to use it, but, at the moment, it is frustrating in the extreme.

CyberSec Tips: Follow the rules – and advice

A recent story (actually based on one from several years ago) has pointed out that, for years, the launch codes for nuclear missiles were all set to 00000000.  (Not quite true: a safety lock was set that way.)

Besides the thrill value of the headline, there is an important point buried in the story.  Security policies, rules, and procedures are usually developed for a reason.  In this case, given the importance of nuclear weapons, there is a very real risk from a disgruntled insider, or even simple error.  The safety lock was added to the system in order to reduce that risk.  And immediately circumvented by people who didn’t think it necessary.

I used to get asked, a lot, for help with malware infestations, by friends and family.  I don’t get asked much anymore.  I’ve given them simple advice on how to reduce the risk.  Some have taken that advice, and don’t get hit.  A large number of others don’t ask because they know I will ask if they’ve followed the advice, and they haven’t.

Security rules are usually developed for a reason, after a fair amount of thought.  This means you don’t have to know about security, you just have to follow the rules.  You may not know the reason, but the rules are actually there to keep you safe.  It’s a good idea to follow them.

 

(There is a second point to make here, addressed not to the general public but to the professional security crowd.  Put the thought in when you make the rules.  Don’t make stupid rules just for the sake of rules.  That encourages people to break the stupid rules.  And the necessity of breaking the stupid rules encourages people to break all the rules …)

CyberSec Tips: Email – Spam – Fraud – example 4

Sometimes it’s pretty easy to tell a fraud.  Some of these guys are just lazy:

> From:               “PINILLA, KARINA” <pinillak@friscoisd.org>
> Subject:
> Date sent:          Mon, 2 Dec 2013 22:05:05 +0000

> Do you want your X-mas money and bonus for gift,if Yes contact me at this email:
> david.loanfinancialcomany12@gmail.com

You don’t know this person.  No subject for the message.  No explanation of why they are going to give you money.  (Although the name chosen for the email would seem to indicate that they want to emulate a pay-day loan company–which are pretty much rip-offs anyway.)  Poor grammar and spelling.

A while back someone seriously theorized that this lack of care might be deliberate.  Only stupid people would fall for a “come-on” like this, and it would be easier to defraud stupid people.  Unfortunately, as the song says, the world is full of stupid people …

CyberSec Tips: Email – Spam – Phishing – email accounts – example 1

Sometimes phishers are after more than your bank account or credit cards.  These days a lot of them want your email account.  They can use it to send spam, to your friends, and those friends will trust a message from you.  (That’s a more reliable form of social engineering to get them to install malware on their computers.  Or give up their bank accounts and credit card numbers …)

> Dear user
> Your email has exceeded 2 GB, which is created by Webmaster, you are currently
> running at 2.30GB, you can not Send or receive new messages until you check your
> account.Complete the form below to verify your account.

Sometimes the email phishers will send you this “over quota” message.  Other times it may be that you are, supposedly, sending out malware or spam yourself.

> Please complete the details below to confirm your account
>
> (1) E-mail:
> (2) Name:
> (3) Password:
> (4) Confirm Password:

Here they just flat out ask you for your user name and password.

Spam isn’t the only thing they can do with your account.  These days Web based email accounts can be linked to storage space and other functions.  Google accounts are very valuable, since they give the phishers access to Google+ (with lots of personal information about you), YouTube, and Google Drive (which still has Google Docs in it, and can be used to set up phishing Websites).

Again, watch for telltale signs in the headers:

> To:                 Recipients <web@epamig.br>
> From:               HELP DESK<web@epamig.br>
> Date sent:          Sun, 01 Dec 2013 14:01:47 +0100
> Send reply to:      647812717@qq.com

It isn’t “to” you, and the “reply” isn’t the same as the “from.”
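The two header checks just described can be automated. This is an added example, not part of the original post: `header_warnings` and `same_org` are hypothetical helpers, `you@example.org` is a placeholder mailbox, and the sample message is constructed from the header values quoted above.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: the header values quoted above, with standard
# RFC 5322 field names ("Send reply to" is the Reply-To field).
SAMPLE = """\
To: Recipients <web@epamig.br>
From: HELP DESK <web@epamig.br>
Date: Sun, 01 Dec 2013 14:01:47 +0100
Reply-To: 647812717@qq.com

Dear user ...
"""

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def same_org(a, b):
    """Assumption: equal domains, or one a subdomain of the other, are one sender."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_warnings(raw, my_address):
    """Hypothetical helper: list the warning signs found in one raw message."""
    msg = message_from_string(raw)
    warnings = []
    from_domain = domain(parseaddr(msg.get("From", ""))[1])
    # Sign 1: the message is not addressed to the mailbox that received it.
    to_cc = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {addr.lower() for _, addr in to_cc}:
        warnings.append("not addressed to you")
    # Sign 2: a reply would go to a different organisation than the sender.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if not same_org(domain(reply), from_domain):
            warnings.append(f"replies go to {domain(reply)}, not {from_domain}")
    return warnings

if __name__ == "__main__":
    for warning in header_warnings(SAMPLE, "you@example.org"):
        print("WARNING:", warning)
```

A legitimate newsletter that uses a help-desk subdomain for replies passes the second check, which is why the comparison allows subdomains rather than demanding identical domains.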

CyberSec Tips: E-Commerce – tip details 1 – search engines

Our local paper, like just about everyone else, recently published a set of tips for online shopping.  (They got them from Trend Micro Canada.)  The tips are mostly OK, as far as they go, but I figured they could use a little expansion.

“Don’t rely on search engines to find a shopping site.

“Search results can lead to malicious websites that will take your credit card and other confidential data or infect your computer with a virus. Instead, bookmark reliable online shopping sites.”

As a general rule, it’s best to be careful whenever you go to a site that is new or unknown to you.  However, I’d have to take this tip with a grain of salt.  I did a (Google) search on London Drugs, a chain in Western Canada (widely known in the tech community for their computer departments) (about which I have written before), and the first five pages gave results that were all from, or legitimately about, that company.  Quick checks on other retailers got similar results.

It makes sense to bookmark a “known good” link if you shop someplace regularly.  But if you are going to a new site, you can get into just as much trouble by guessing at a domain name, or even just fumbling typing the URL.  Fraudsters will register a number of domain names that are very similar to those of legitimate companies; just a character or so off; knowing that slipping fingers will drive people to their sites.  Some of those malicious sites look very much like the real thing.  (Others, promoting all kinds of questionable services and deals, are obviously false.)

Always be careful, and suspicious.  If anything seems off, get out of there, and maybe do a bit of research before you try again.  But don’t just avoid search engines as a matter of course.
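A small check for the "just a character or so off" problem, comparing a typed domain against your bookmarked ones. This is an added example, not from the original post: `check_domain` is a hypothetical helper, the `.example` names are constructed placeholders, and the threshold of two edits is an assumption.

```python
# Constructed bookmark list; the .example names are placeholders.
BOOKMARKS = ["bigstore.example", "gardentools.example"]

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_domain(typed, bookmarks=BOOKMARKS, max_off=2):
    """Classify a typed domain as known, a near miss of a bookmark, or unknown."""
    name = typed.strip().lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    if name in bookmarks:
        return ("known", name)
    # A near miss of a bookmarked name is the slip the fraudsters count on.
    scored = sorted((edit_distance(name, b), b) for b in bookmarks)
    if scored and scored[0][0] <= max_off:
        return ("lookalike", scored[0][1])
    return ("unknown", None)

if __name__ == "__main__":
    for typed in ("bigstore.example", "bigstroe.example", "books.example"):
        print(typed, "->", check_domain(typed))
```

An "unknown" result is not a verdict that the site is bad; it only means the name is neither bookmarked nor suspiciously close to something that is.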

CyberSec Tips: Email – Spam – Fraud – example 3

This one is slightly interesting, in that it contains elements of both 419 and phishing.  It’s primarily an advance fee fraud message.  First off, the headers:

> Subject: Dear Winner!!!
> From: CHELPT <inf8@hotline.onmicrosoft.com>
> Date: Thu, 28 Nov 2013 17:45:06 +0530
> Reply-To: <morrluke@careceo.com>
> Message-ID: <XXX.eurprd01.prod.exchangelabs.com>

Again, we see different domains, in particular, a different address to reply to, as opposed to where it is supposed to be from.

> Corporate Headquarters
> Technical Office Chevrolet promotion unit
> 43/45 The Promenade…
> Head Office Chevrolet motors
> 43/45 The Promenade Cheltenham
> Ref: UK/9420X2/68
> Batch: 074/05/ZY369
> Chevrolet Canter, London, SE1 7NA – United Kingdom

My, my, my.  With all that addressing and reference numbers, it certainly looks official.  But isn’t.

> Dear Winner,
>
> Congratulations, you have just won a cash prize of £1,000, 000, 00. One million
> Great British Pounds Sterling (GBP) in the satellite software email lottery.
> On-line Sweepstakes International program held on this day Satur day 23rd
> November 2013 @05:42.PM London time. Conducted by CHEVROLET LOTTERY BOARD in
> which your e-mail address was pick randomly by software powered by the Internet
> send data’s to;
> ——————————————————————————–
> Tell: +44 701 423 4661             Email: morrluke@careceo.com Officer Name: Mr.
> Morrison Luke. CHEVROLET LOTTERY BOARD London UK
> ——————————————————————————–

As usual, you have supposedly won something.  If you reply, of course, there will start to be fees or taxes that you have to pay before the money is released to you.  The amounts will start out small (hey, who wouldn’t be willing to pay a hundred pound “processing fee” in order to get a million pounds, right?) but then get larger.  (Once you’ve paid something, then you would tend to be willing to pay more.  Protecting your investment, as it were.)  And, of course you will never see a cent of your winnings, inheritance, charity fund, etc, etc.

> Below is the claims and verifications form. You are expected to fill and return
> it immediately so we can start processing your claims:
>
> 1. Full Names:
> 2. Residential Address:
> 3. Direct Phone No:
> 4. Fax Number
> 5. Occupation:
> 6. Sex:
> 7. Age:
> 8. Nationality:
> 9. Annual Income:
> 10. Won Before:
> 11. Batch number: CHELPT1611201310542PM
> 12: Ticket Numbers: 69475600545-72113
> 13: Lucky numbers: 31-6-26-13-35-7

But here, they are starting to ask you for a lot of personal information.  This could be used for identity theft.  Ultimately, they might ask for your bank account information, in order to transfer your winnings.  Given enough other data on you, they could then empty your account.

> We wish you the best of luck as you spend your good fortune thank you for being
> part of our commemorative yearly Draws.
>
> Sincerely,
> Mrs. Susan Chris.
> CHEVROLET LOTTERY PROMOTION TEAM.

Oh, yeah.  Good luck on ever getting any of this money.

CyberSec Tips: Email – Spam – Phishing – example 2

Some of you may have a BarclayCard credit card.  You might receive a reminder message that looks like the one below.  (Actually, the only credit card company I know that actually sends email reminders is American Express, which I think is a black mark on their security record.)

> Subject: Barclaycard Payment is due
> From: “Barclaycard” <barclaycard@card.com>
> Received: from smtp.alltele.net

If you look at the message headers, you might note that this message doesn’t come from where it says it comes from, and that’s something of which to beware.

> Your barclaycard payment is due
>
> Visit your card service section below to proceed
> hxxp://www.equivalente.it/rss/re.html

You might also note that, if you do have a BarclayCard, it’s probably because you live in the UK.  And the server they want you to visit is in Italy: .it

CyberSec Tips: Email – Spam – Phishing – example 1

Phishing is pretty constant these days.  One of the tips to identify phishing messages is if you don’t have an account at that particular bank.  Unfortunately, a lot of people who are online have accounts with Paypal, so Paypal is becoming a favourite with phishers.  You’ll probably get a message something like this:

> Subject: Your account access has been limited
> From: service@paypal.co.uk <notice@paypal6.co.uk>

(You might think twice if you have an account with Paypal in the United States, but this domain is in the UK.)

> PayPal is constantly working to ensure security by regularly screening the
> accounts in our system. We recently reviewed your account, and we need more
> information to help us provide you with secure service. Until we can
> collect this information, your access to sensitive account features will be
> limited. We would like to restore your access as soon as possible, and we
> apologize for the inconvenience.

>    Why is my account access limited?

>    Your account access has been limited for the following reason(s):

> November 27, 2013: We would like to ensure that your account was not
> accessed by an unauthorized third party. Because protecting the security of
> your account is our primary concern, we have limited access to sensitive
> PayPal account features. We understand that this may be an inconvenience but
> please understand that this temporary limitation is for your protection.

>    Case ID Number: PP-197-849-152

> You must click the link below and enter your password for email on the following page to review your account. hxxp://dponsk.ru/wp-admins/.pay/

> Please visit the hxxp://dponsk.ru/wp-admins/.pay Resolution Center and
> complete the Steps to Remove Limitations.

Sounds official, right?  But notice that the URLs given have nothing to do with Paypal.  Also notice, given the .ru domain, that they are in Russia.  Don’t click on those links.  Neither Paypal or anybody else is going to send you these types of messages these days.
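The "URLs have nothing to do with Paypal" test can be run mechanically by comparing each link's host with the domain the message claims to come from. This is an added example, not from the original post: the function names are hypothetical, the body is a constructed excerpt of the message quoted above, and the links stay defanged (hxxp) as the post shows them.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the quoted message; links remain defanged.
BODY = """\
You must click the link below and enter your password for email on the
following page to review your account. hxxp://dponsk.ru/wp-admins/.pay/
Please visit the hxxp://dponsk.ru/wp-admins/.pay Resolution Center
"""

URL = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.IGNORECASE)

def link_hosts(body):
    """Hosts of every link in the body, in order, without duplicates."""
    hosts = []
    for url in URL.findall(body):
        # Refang only so the URL can be parsed; nothing is ever fetched.
        refanged = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
        host = urlsplit(refanged).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def belongs_to(host, domain):
    """True only for the domain itself or a genuine subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    # The leading dot matters: "paypal.co.uk.example.net" must not pass.
    return host == domain or host.endswith("." + domain)

def foreign_links(body, claimed_domain):
    """Link hosts that are not under the domain the sender claims."""
    return [h for h in link_hosts(body) if not belongs_to(h, claimed_domain)]

if __name__ == "__main__":
    print(foreign_links(BODY, "paypal.co.uk"))
```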