Have you encountered this before: a pop-up pops and it looks like a window on your computer. Next thing a scan begins. It often grabs a screenshot of your “My Computer” window mimicking your computers characteristics then tricking you into clicking on links. The scan tells you that a virus has infected your computer. And for low price of “$49.95” you can download software that magically appears just in time to save the day. If you not to download and install the software, your computer goes crazy and pop-ups will invade you like bedbugs in New York City hotel.
Information Week reports those behind a new fake antivirus software have added a new social engineering element — live support agents. The rogue software comes equipped with a customer support link leading to a live session with the bad guy. Real scammers on the other end of chat have the ability to offer live remote access support instructed by support to click a link initiating remote access to their computer. Once connected remotely, the scammer can potentially retrieve documents to steal your identity.
Another new twist on the scam involves a popup in the form of a browser with a warning that looks like what your browser may present to you when you visit a page that might have an expired security certificate, malware warning or be a potential phishing site. The page is usually red with a warning: “Visiting This Site May Harm Your Computer” then it provides you with a link, button or pop-up that gives you the option of downloading security software or to update your browsers security.
The software is sometimes known as “AntiVirus2010” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2010” or something like “Security Toolkit”. These are actually viruses or spyware that infect your computer, or just junk software that does nothing of value.
What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.
1. Use the most updated browser: Internet Explorer 8, Chrome or Firefox, download the latest and greatest. At least download whatever security updates there are for your exiting browser. Also keep Flash and Adobe Reader (Acrobat) up to date.
2. Usually by default, a pop-up blocker is turned on in new browsers. Keep it on. No pop-ups, no scare-ware.
3. If you are using another browser and a pop-up –pops-up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way.
4. Never click links in pop-ups. If the pop-ups are out of your control, do a hard shutdown before you start clicking links.
5. Persistence counts. Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of.
6. Install the most recent versions of anti-virus and keep it set to automatically update your virus definitions.
7. Never click on links in the body of a “WARNING” webpage that is suggesting to download updates for your browser or suggesting to download security software. Don’t click the little red X in the upper right corner. Alt-F4 should close the pop-up window, and if it does not, then Ctrl-Alt-Del and use the Task Manager to kill the whole IE/FF browser etc (including any other running copies)
adapted via finextra.com.
The abundance of free/cheap and open Wi-Fi networks in restaurants, airports, offices and hotels is a great perk to the traveling user; it makes connectivity and remote access much easier than it used to be. But you need to be informed and understand the risks.
Unfortunately, most of those “Open” networks don’t employ WEP or WPA passwords to secure the connection between device and hotspot, every byte and packet that’s transmitted back and forth is visible to all the computers on the wireless LAN, all the time. While certain sites and services use full-time browser encryption (the ones that have URLs beginning with https:// and that show a lock in the browser status bar), many only encrypt the login session to hide your username and password from prying eyes. This, as it turns out, is the digital equivalent of locking the door but leaving the windows wide open.
Firesheep is a Firefox extension which makes it trivially easy to impersonate someone to the websites they log in to while on the same open Wi-Fi network. It kicks in when you login to a website (usually in a secure fashion, via HTTPS) and then the site redirects you to a non-secured page after login. Most sites that operate this way will save your login information in a browser cookie, which can be ‘sniffed’ by someone on the same network segment; that’s what Firesheep does automatically. With the cookie in hand, it’s simple to present it to the remote site and proceed to do bad things with the logged-in account. Bad things could range from sending fake Twitter or Facebook messages all the way up to, potentially, buying things on ecommerce sites.
USE SSL/HTTPS only if the website supports it — is quite simple: after you connect, the site should keep your session secure using SSL or https. Some sites, including most banking sites, already do this. However, encryption requires more overhead and more server muscle, so many sites (Facebook, Twitter, etc.) only use it for the actual login. Gmail has an option to require https and has made it the default setting, but you should make sure that it’s enabled if you use Gmail (Google Apps has a similar feature). This also doesn’t necessarily help if you’re using an embedded browser in an iPhone or iPad app, where the URL is hard-coded.
Protecting yourself from Firesheep if you use Firefox or Chrome is possible with extensions like the EFF’s HTTPS Everywhere, Secure Sites or Force-TLS. These work by forcing a redirect to the secure version of a site, if it exists. The obvious problems with these solutions are: a) you have to install one for each browser (and we have not yet found one for Safari), and b) it only works if a secure version of the site exists.
A) Don’t use open networks.
B) Use a SOCKS proxy and SSH tunnel.
C) Use a VPN.
adapted via tuaw.com
Without a doubt the largest threat to the security of your computer and consequently your identity, and bank account is YOU, followed closely by ScareWare. The best firewalls and most effective antivirus won’t help a bit if you, the user, click on Rogue Security Software and fake warnings. Known also as Scareware, this thief is fooling you big time. When it knocks, do not open the door.
Every day we have people describing ScareWare that has taken over their system. They are unable to run their antivirus because they can’t get to the sites they need. The Rogue AntiVirus has hijacked their browser and will not let them near a site that could help. Not being able to access a site or download a removal program is the work of the infection. The user receives a warning, clicks on a link to download an update and BAM! They’re infected.
What Do I Look For?
Any warning or suggestion that you are somehow infected is to be treated as possible scareware. You can be casually surfing the web or simply working with a program on your system when these false warnings arrive. Don’t click on them. Just because they’re knocking, don’t let them in. The same is true for any popup suggesting you need to download the latest version of a program or video player. Treat them all as suspect.
Looking for security software? You better know the software your reviewing. Even something as simple as a Google search can produce the very Rogue you are trying to avoid. Just because it shows up in a Google search doesn’t mean it’s safe. If you don’t know it, don’t let it in the door.
How Does It Hurt Me?
The most obvious damage but also the least troublesome, is that it prevents you from using your computer. It wastes your time looking for a way to rid yourself of the pest and get where you want to go. Consider yourself lucky if you realize you are infected and are successful removing it.
The next obvious damage is a little more frightening. It simply steals your money by duping you into buying the rogue program. Your immediate monetary loss may only be a few bucks but do you really think that is the end of it? Do you really want your credit card in the hands of people who duped you to begin with? Do you think they will keep your information safe? Just the thought of it is enough to make me shiver.
adapted via PCpitstop.com
You can easily find out where people live, what kind of things they have in their house and also when they are going to be away.
Security experts and privacy advocates have recently begun warning about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, the concern is that many people may not realize it is there; and they could be compromising their privacy, if not their safety, when they post geotagged media online.
Very few people know about geotag capabilities and the only way you can turn off the function on your smartphone is through an invisible menu that no one really knows about.
Indeed, disabling the geotag function generally involves going through several layers of menus until you find the “location” setting, then selecting “off” or “don’t allow.” But doing this can sometimes turn off all GPS capabilities, including mapping, so it can get complicated.
Because of the way photographs are formatted by some sites like Facebook, geotag information is not always retained when an image is uploaded, which provides some protection, albeit incidental. Other sites like Flickr have recently taken steps to block access to geotag data on images taken with smartphones unless a user explicitly allows it.
But experts say the problem goes far beyond social networking and photo sharing Web sites, regardless of whether they offer user privacy settings.
You need to educate yourself and your friends but in the end, you really have no control, protecting your privacy is not just a matter of being aware and personally responsible. A friend may take a geotagged photo at your house and post it.
ICanStalkU.com provides step-by-step instructions for disabling the photo geotagging function on iPhone, BlackBerry, Android and Palm devices.
adapted via nytimes.com
A spam attack that is sent as an IM on Facebook, mentioning a cartoon that had been created.
ESET, an anti-virus and threat protection firm, has revealed that a new worm or spam attack may be circulating on social networking website Facebook. The attack begins as an Instant Message coming from a Facebook friend.
It is reported that the IM contains a link that directs to a website which allows users to upload their picture and they will change it in a cartoon for a fee.
Hence, users are advised not to click on a link blindly. They should always check with their friend that whether they have actually sent some link or not. If the friend says “no”, then the user should understand that there must be some problem.
The loss of a smartphone wouldn’t be so bad if it ended with merely a bit of embarrassment. Since many people now use smartphones for online banking, travel reservations, and storing sensitive business documents, however, a great deal of very private data ends up on the device.
Much of this data is safe behind password-protected applications, but a large portion of it dangles out in the open in e-mail messages, text documents, images, and other files.
What are smartphone users doing to protect the precious data in their pricey handsets?
Apparently not much, according to some industry experts. And that’s surprising, given the number of apps and phone features available for safeguarding data. According to experts, you’re 15 times more likely to lose your cell phone than your laptop computer.
Another danger: A lost smartphone may soon be the high-tech equivalent of a lost wallet.
New wireless-transaction services will soon allow a smartphone to replace cash or a credit card at a store’s point of purchase. Though the convenience of cell-phone-enabled purchases may be attractive, the danger of losing a cash-enabled phone to a thief is obvious.
Lost or Stolen?
Phones are often lost by accident, but waves of cell phone thefts are nothing new in major cities. Though crime stats in New York have declined in recent years, cell phones and iPods lead the way among the types of items stolen. Transit authorities now make regular announcements–in addition to posting signs on platforms and in trains–warning riders not to flash electronic gadgets unnecessarily.
Are You Protected?
Locking a smartphone’s screen with a password offers a good first layer of protection–a simple process that, unfortunately, phone owners often fail to undergo.
The next layer could come in the form of an add-on phone-tracking application such as Microsoft’s free My Phone for Windows Mobile or Apple’s Find My iPhone app, which works on iPhones and iPads but requires a $99 annual subscription to Apple’s MobileMe data-syncing and backup service. The $15 Theft Aware for Android is one of several apps that can help you locate your missing Droid.
What else can you do to protect your cell phone’s data?
adapted from pcworld.com
Wi-Fi has become virtually a staple in our technologically-enhanced lives. Its convenience increases productivity in countless industries, academics and even the family home. Retail establishments such as Panera Bread, McDonald’s and Barnes & Noble offer free Wi-Fi in their stores as an amenity to get customers to browse and buy their products. While “free Wi-Fi” might seem like a no-brainer, customers should keep in mind the inherent risks of free Wi-Fi.
What’s the Big Deal? It’s free
Since it’s free, most establishments do not use Wi-Fi encryption to secure their respective networks thus offering hackers a way to steal your usernames and passwords. Some explained the reason for using unencrypted 802.11g was to ensure maximum compatibility between communication devices.
A Hacker’s Hotspot
“Wardriving” is the idea of driving around town and looking for a Wi-Fi network that is unencrypted or has weak encryption and can be easily cracked. With zero or minimal security, a Wardriving Hacker can intercept, unscramble and figure out the information being sent between a customer’s laptop to the Wireless Access Point of an establishment. Another tactic that can easily swipe your login credentials is a Rogue Access Point. In this case, a hacker can set up a Wireless Access Point that imitates the true Access Point. If your notebook connects to this Rogue Access Point, you won’t see any difference as the hacker can duplicate the log-in screen with near 100% accuracy. This is like phishing, where you receive an alert email from your bank or credit card company asking you to click on their link and “verify” your account is okay by logging in.
What You Can Do
There are a few steps you can take to minimize the chance of your information getting stolen:
By knowing the risks associated with free Wi-Fi service, you can minimize the chance of a security breach and possible identity theft.
Adapted via Geeks.com
Phishing scams threaten our Internet security and can be hard to detect. They can lead to identity theft, viruses, or the need for computer repair. To help protect your Internet security, we offer five tips for detecting phishing scams.
1. Avoid Action – Phishing scams work when you take action. An email that requests you reply with information or features clickable links only may be an attack. Generally legitimate emails include cut and past style links to verify instead of clicking. If there are only clickable links, the email may likely a phishing scam.
2. Beware of Overly Technical Words and Phrases – Phishing frequently uses highly technical words and phrases within their emails to scare you into believing them. An email that discusses your security in great detail, or sounds as if it was written by a computer tech, is probably a phishing scam. Legitimate businesses send out emails that can be read and understood by typical people, not just computer specialists.
3. Check the Links (URLs) – Phishing scams violate your security by providing links to apparently legitimate sites. Protect your security by checking the URLs of all links. The URL is the address of a website, www. some website.com for example. If you move the cursor over the link in an email, the URL that link connects to will be displayed at the bottom of the web browser. Make sure the URL corresponds to what it’s claiming to be. Otherwise, your security may be at risk.
4. Read Carefully – Emails from legitimate businesses are screened carefully, so mistakes can be signs of phishing. Many of these mistakes are small, like spelling “reset password” as “reset possword”, for example – and hard to notice. Read carefully to protect your security. A poorly written email is a indication of phishing.
5. Verify – If you worry that phishing emails might be real. Overcome this fear by contacting the “sender” directly, NOT by replying to the email or call a phone number in the email, however by only using an known, published, and good web address or phone number, DO NOT give them any personal information.
Again, a rogue adware installer Facebook apps are trying to get victims, but with a twist this time.
If you click on the bad link, instead of just being taken to the app page, it first takes you to a FAKE login page. But remember that you are already logged into Facebook.
If you are not paying attention, you get phished as well as nailed by the app. Double trouble!
No matter what credentials you put in, you are then taken to the app page, where it asks you to shoot yourself and your friends in the foot by opening your profile…
It is not managing to get far (so far) because FB shut down the first wave pretty quickly, but as of about 3pm EST, it had started up again.
Bottom line is still that if you ever have to install something to watch a video, don’t. DON’T DO IT… NEVER… NEVER!
AND if ever you’re asked to login to Facebook (or anywhere else for that matter), please pay attention to the address bar in the browser, and make sure you’re at the right place.
Be safe out there.
Web Coupons Know Lots About You, and They Tell. For decades, shoppers have taken advantage of coupons. Now, the coupons are taking advantage of the shoppers.
A new breed of coupon, printed from the Internet or sent to mobile phones, is packed with information about the customer who uses it. While the coupons look standard, their bar codes can be loaded with a startling amount of data, including identification about the customer, Internet address, Facebook page information and even the search terms the customer used to find the coupon in the first place. And all that information follows that customer into the store.
Using coupons to link Internet behavior with in-store shopping lets retailers figure out which ad slogans or online product promotions work best, how long someone waits between searching and shopping, even what offers a shopper will respond to or ignore. The coupons can, in some cases, be tracked not just to an anonymous shopper but to an identifiable person.
Using coupons also lets the retailers get around Google privacy protections. Google allows its search advertisers to see reports on which keywords are working well as a whole but not on how each person is responding to each slogan. Google has built privacy protections into all Google services and report Web site trends only in aggregate, without identifying individual users. The retailers, however, can get to an individual level by sending different keyword searches to different Web addresses. The distinct Web addresses are invisible to the consumer, who usually sees just a Web page with a simple address at the top of it.
While companies once had a slim dossier on each consumer, they now have databases packed with information. And every time a person goes shopping, visits a Web site or buys something, the database gets another entry. None of the tracking is visible to consumers. The coupon can also include retailers’ own client identification numbers (Jill Jones might be client No. 67543289), then the retailer can connect that with the actual person if it wants to, for example, to send a follow-up offer or a thank-you note.
The companies argue that the coupon strategy gives them direct feedback on how well their marketing is working. Once the shopper prints an online coupon or sends it to his cellphone and then goes to a store, the clerk scans it. The bar code information is sent and analyzed. Many say they avoid connecting that number with real people to steer clear of privacy issues, but you the consumer can not make that match.
The retailer can also make that connection when it is offering coupons to its Facebook fans. The coupon efforts are nascent, but coupon companies say that when they get more data about how people are responding, they can make different offers to different consumers.
Already, there is no lack of examples where people have fallen prey to “too-good-to-be-true” offers. One case in point was an iPad scam which promised users they could sign up as iPad testers and keep the device for free thereafter. The scammers were, in fact, harvesting mobile numbers for subscription to a premium-rate cellphone service.
Companies can “offer you, perhaps, less desirable products than they offer me, or offer you the same product as they offer me but at a higher price,” said Ed Mierzwinski, consumer program director for the United States Public Interest Research Group, which has asked the Federal Trade Commission for tighter rules on online advertising. “There really have been no rules set up for this ecosystem.”