Archive for the 'Security' Category

Why My Friends and Relatives Get My Tirades About Putting Me In Long To: and cc: Lists

Posted in Internet, Security, spam on August 15th, 2007 by Aaron

A few years ago I began telling relatives that I would not give them technical advice if they didn’t bother to have basic antivirus software or sent me chain mail, jokes or any “look at this” email that didn’t explain in a sentence where I’d be sent, with a link. Any story, no matter how tear-jerking, if it didn’t have a link to its source, would be ignored.

I would even change political parties if my most loathed candidate from the other party would grant me the license to deny Internet access to anyone who sent out 3 debunkable hoaxes that could be found in a 4-word Google search where “Snopes” is one of the words, as in “Snopes microsoft cash

But what’s getting my goat is just how gullible most well-meaning folks are and how clueless they are about their habits. Bruce Schneier discusses social phishing, and how it is more who sends you an email than its contents that determine whether you’ll go to where it directs you, no matter how dangerous.

Phishing Studies

Two studies. The first one looks at social phishing:

Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.

The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).

Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity–there were no control victims, but the phish had an 80 percent success rate in the experimental group.

Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.

And we all know that some men are suckers for what women tell them.

Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.

Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.

A virus that compromises my friends’ email address book compromises me. I want to take all email I get from my family and friends seriously, but if they’re sloppy and lax and add me to their To: and cc: lines in their email headers to spread around jokes and stories I last thought were funny in 1998, not only do they put me at risk, but everyone they know now has my legit email address.

Don’t be sloppy with the email addresses of your friends, relatives and business contacts.

Discover and learn to love your email’s BCC.

I really don’t want to have to say these words under oath… “And that’s when I started pummeling them with my cluebat, your honor…”


Linux Lilliputians Team Up with Google’s Brobdingnagians

Posted in Internet, Security on June 28th, 2007 by Aaron

So the executive producer of TechTalk sends me this link from Fox News and asks me what I think.

Oy… more blog fodder. So I emailed him:

Do you want me to take a half hour to write something about this?

That the Linux folk are meeting at Google does not portend well for the consumer. There are fewer and fewer potential competitors for Google, and Google’s dominance combined with their ability to profile users based on click/search activity is an enormous privacy threat.

Ultimately, operating systems and interfaces should become very portable, and almost invisible. In theory, if one had a 5GB thumb drive loaded with browser settings, passwords, etc, someone should be able to “jack in” to a thin client at a Starbucks or library which has a 21″ screen and a USB port and a broadband connection.

No, I do NOT want to use iGoogle or My MSN or other web-based bookmark aggregators designed to enable their owners to send advertising my way and profile my search and click behavior. Nor do I want to keep my addressbooks and business files online so that a disgruntled employee or outsourced foreign programmer too remote for extradition can compromise my privacy.

If you like Vista, fine. If you like OS X, fine. If you like Linux, fine. If you’re still plugging away on an Amiga, more power to you. Just as a vehicle can run on Shell, Exxon or ARCO gas, a thin client terminal will reduce the number of breakable parts to almost none. Let the user be preoccupied with his experience and tweak his thumbdrive from home.

I hate operating systems. I hate the attitudes of OS developers even more. I hate how the press portrays Microsoft as the ultimate technical evil while ignoring Google’s greater dangers to our personal liberties. Yes, Microsoft is evil, but its evils are limited to monopolistic avarice, and that’s hardly the worst evil. Google really wants to control you.

People may portray Microsoft as Gulliver and Linux as poor vulnerable Lilliputians. But most people never read ALL of Jonathan Swift’s Gulliver’s Travels and have never heard of Brobdingnag, which I liken to Google, or at least what Google aspires to be compared to Microsoft (Gulliver) at its greatest.

I think we’ll look back on a day, as we do at the Ma Bell phones, and lament how we bashed Microsoft into history in favor of telling Google our most private thoughts. Yeah, Microsoft is bad, but it’s not the worst bad.

Howard said “post what you just emailed me”.

Howard is kinda sneaky. He gets me to blog stuff even when I don’t want to work and just want to cantankerously vent.


Google is Worst Privacy Offender - Privacy International

Posted in Internet, Security, breaking news on June 12th, 2007 by Aaron


Ars Technica reports:

A new report puts Google in last place when it comes to privacy protection. Despite recent moves to anonymize server logs and other pro-privacy gestures, Privacy International called the company “an endemic threat to privacy.”

Only Google earned the dismal “black” color bar from the group, which has just issued a report on Internet privacy that took six months to assemble (see the rankings [PDF]). The current report is preliminary; final results will be released in September.

See earlier TechTalk report Google, Do No Evil?


Another one bites the dust - top 10 spammer in the slammer

Posted in Internet, Security, Shows, breaking news, spam on May 31st, 2007 by Aaron

If you notice tomorrow that your inbox is a little less crowded, it might be because a Seattle jail cell is a little more full.

Federal authorities today arrested Robert Alan Soloway for mail fraud, wire fraud, e-mail fraud, aggravated identity theft, money laundering, and impersonating the licentious wife of a Nigerian oil minister. (okay, we made that last one up) But they did slam him with a 35 count indictment.

The young internet entrepreneur allegedly crossed over to the dark side when he used hijacking viruses to take over the computers of unsuspecting internet users. Hunting down vulnerable PCs on local cable networks and DSL, he would (allegedly) load a remote email module which could be activated at his discretion. This allowed him to steal bandwidth from various ISPs, cable companies, etc. and use their networks to distribute his marketing materials. In his scheme, he not only stole bandwidth, time, attention and resources of his recipients, but also the network resources of his unconscious slave mailers.

“He’s one of the top 10 spammers in the world,” said Tim Cranton, a Microsoft Corp. lawyer who is senior director of the company’s Worldwide Internet Safety Programs. “He’s a huge problem for our customers. This is a very good day.”

Soloway pleaded not guilty Wednesday afternoon to all charges after a judge determined that — even with four bank accounts seized by the government — he was sufficiently well off to pay for his own lawyer.

He has been living in a ritzy apartment and drives an expensive Mercedes convertible, said prosecutor Kathryn Warma. Prosecutors are seeking to have him forfeit $773,000 they say he made from his business, Newport Internet Marketing Corp.

He continued his activities even after Microsoft won a $7 million civil judgment against him in 2005 and the operator of a small Internet service provider in Oklahoma won a $10 million judgment, prosecutors said.

U.S. Attorney Jeff Sullivan said Wednesday that the case is the first in the country in which federal prosecutors have used identity theft statutes to prosecute a spammer for taking over someone else’s Internet domain name. Soloway could face decades in prison, though prosecutors said they have not calculated what guideline sentencing range he might face.

The investigation began when the authorities began receiving hundreds of complaints about Soloway, who had been featured on a list of known spammers kept by The Spamhaus Project, an international anti-spam organization.

The Spamhaus Project rejoiced at his arrest.

“Soloway has been a long-term nuisance on the Internet — both in terms of the spam he sent, and the people he duped to use his spam service,” organizers wrote on Spamhaus.org.

Our own Aaron G. has volunteered to serve on the jury, but will likely be declined due to his regular calls for the death penalty for spammers.

Tune in for our upcoming broadcast segment on protecting YOUR PC from zombie overlords.


Google, Do No Evil?

Posted in Internet, Security on May 23rd, 2007 by Aaron

I’m No Luddite, but… is this an example of a corporate model of “do no evil”? (see #6)

… ambition to maximise the personal information it holds on users is so great that the search engine envisages a day when it can tell people what jobs to take and how they might spend their days off.

Or is it an example of their doing Jeeves better than Ask did? Or Big Brother?

Do you trust Google with your personal data?


DVD Encryption… Can You Digg It?

Posted in DVD, Internet, Security on May 8th, 2007 by admin

Long before he voiced South Park’s Chef, Isaac Hayes was probably most famous for his theme song to the classic 70’s movie Shaft. Pardon the parody, but the Advanced Access Content System (AACS), the consortium of companies that oversees DVD copy protection, would not like us to sing this tune:

You see this HD DVD encryption shafting is a bad mother–
(Shut your mouth)
But I’m talkin’ about shafting HD DVD encryption
(Then we can digg it)

Go read Social networking gets major challenge at Digg

Oh, and as of today, there are 1.7 million sites that Google sees mentioning 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-+63-56-88-c0



Beware of Fake Internet Hotspots

Posted in Internet, Security on March 20th, 2007 by Aaron

This spin on an old tactic brings me to my college days in the early 1980’s where a common “hack” was to program one of the terminals in the computer room to look like a login screen. One by one, students would walk up, try to log in with their account ID and password and give up after a few tries, going to another open terminal… unaware that they had just entered their account and password into a password stealer.

The Los Angeles Times reports that hackers’ latest tactic to steal information is setting up fake hotspots that users unwittingly use to access the Internet.

March 16, 2007

As Los Angeles and hundreds of other communities push to turn themselves into massive wireless hotspots, unsuspecting Internet users are stumbling onto hacker turf, giving computer thieves nearly effortless access to their laptops and private information, authorities and high-tech security experts say.

It’s an invasion with a twist: People who think they are signing on to the Internet through a wireless hotspot might actually be connecting to a look-alike network, created by a malicious user who can steal sensitive information, said Geoff Bickers, a special agent for the FBI’s Los Angeles cyber squad.

It is not clear how many people have been victimized, and few suspects have been charged with Wi-Fi hacking. But Bickers said that over the last couple of years, these hacking techniques have become increasingly common, and are often undetectable. The risk is especially high at cafes, hotels and airports, busy places with heavy turnover of laptop users, authorities said.

“Wireless is a convenience, that’s why people use it,” Bickers said. “There’s an axiom in the computer world that convenience is the enemy of security. People don’t use wireless because they want to be secure. They use wireless because it’s easy.”

For Mark Loveless, just one letter separated security from scam.

Logging on to his hotel’s free wireless Internet in San Francisco last month, Loveless had two networks to choose between on his laptop screen — same name, one beginning with a lowercase letter, one with a capital. He chose the latter and, as he had done earlier that day, connected. But this time, a screen popped up asking for his log-in and password.

Loveless, a 46-year-old security analyst from Texas, immediately disconnected. A former hacker, he knew an attack when he saw one, he said.

Most Internet users do not.

About 14.3 million American households use wireless Internet, and this figure is projected to grow to nearly 49 million households by 2010, according to JupiterResearch, which specializes in business and technology market research.


“There’s literally probably millions of laptops in the U.S. that are configured to join networks named Linksys or D-Link when they are available,” said Corey O’Donnell, vice president of marketing for Authentium, a company that provides security software. “So if I’m a hacker, it’s as easy as setting up a network with one of those names and waiting for the fish to come.”

Linksys and D-Link are two of the many commercial brands of wireless routers, products that allow a user to connect to the Internet using radio frequency.

As the field of wireless connectivity expands, so too does a hacker’s playground. More than 300 municipalities across the country are planning or already operating Wi-Fi service.

Los Angeles Mayor Antonio Villaraigosa last month announced plans for citywide Wi-Fi in 2009. USC already offers free wireless, and by the end of March, Los Angeles International Airport will officially offer wireless at all its terminals under a new contract with T-Mobile.

Some airlines already offer Wi-Fi at LAX. “There are no signs for any service at all, so if any passenger is accessing a free wireless service … they should be cautious,” said Nancy Castles, an airport spokeswoman.

A survey at Chicago’s O’Hare Airport by Authentium revealed 76 peer-to-peer networks, or access points that are connected to via another user’s computer, with 27 of them advertising access to free Wi-Fi — a trademarked term for the technical specifications of wireless local area network operation. The company also found that three of the networks had fake or misleading addresses, one sign the hotspots could be hackers.

“At a busy place like O’Hare, in one hour a bad guy could get 20 laptops to connect to his network and steal the users’ account information,” said Ray Dickenson, vice president of product management at Authentium, who conducted the survey last September.

Corporate networks are sometimes the most vulnerable, as employers push for a more mobile workforce without always educating its users on the security risks of wireless Internet.

Many workers rely on corporate firewalls in the office and an automatic default network setting that links them to their corporate networks. Outside the office, the firewall is no longer in place. That means the computer is unprotected. Once hackers have “got a toehold in a network, it’s pretty much game over,” Bickers said.

Most laptops are configured to search for open wireless points and common wireless names, whether or not the user is trying to get online. That leaves people open to hacking.

In two new attacks, called “evil twin” and “man in the middle,” hackers create Wi-Fi access points titled whatever they like, such as “Free Airport Wireless” or an established, commercial name.

In the “evil twin” attack, the user turns on a laptop, which may automatically try to connect. When it does, it is connecting to a fake access point, or “evil twin,” and the hacker gets into personal files, steals passwords or plants a virus.

The hacker can become a “man in the middle” when he funnels the user’s Internet connection through this false access point to a true wireless connection. The unsuspecting Wi-Fi surfer may then proceed to enter credit card information, access e-mail or reveal other sensitive data that can be tracked by the hacker. Meanwhile, the session appears ordinary to the user.

Although the FBI has been aware of this kind of attack for about five years, its use has increased in the last couple of years and is being seen as a “huge threat,” Bickers said.

“The actual tools you need, the software, the hardware, etc., to mount this sort of attack has become insanely easy to acquire,” Bickers said. “You need a laptop, wireless radio and the ability to download a free tool and run it. It literally is child’s play.”

The creation of the access point itself is not generally considered criminal; it’s what happens next — tracking people’s Internet use — that can cross the line.

These hacking techniques are considered to be “tantamount to a computer intrusion and illegal interception of wireless communication that can be prosecuted under federal law,” Bickers said.

But computer evidence and statistics are hard to come by, said Arif Alikhan, a former federal prosecutor and former chief of the cyber and intellectual property crimes section for the U.S. attorney’s office in Los Angeles. People can unwittingly compromise their computers in a multitude of ways, and often there’s no trace.

“You can tell how many burglaries occur because you’re victimized, and someone knows they’re victimized,” Alikhan said. “People don’t always know if someone is using their wireless network, and it’s very difficult to tell unless you trace back every single connection…. It happens more than I think we all realize.”

The U.S. attorney’s office will not comment on pending investigations; however, wireless hacking cases are relatively new, and few if any current cases involve “evil twin” or “man in the middle” attacks, law enforcement authorities said.

“This is a classic case of law and law enforcement being a little behind the technological curve,” Bickers said.

Other types of wireless-related Internet hacking cases have recently popped up across the country.

Nicholas Tombros was found guilty in 2004, under the federal Can-Spam Act, of “war-spamming.” He drove around the Venice Beach area with his laptop and used unprotected wireless access points to send spam. He could receive up to three years in federal prison at his sentencing next month.

He is the only defendant who has been charged in a case involving wireless hacking by the Greater Los Angeles section of the U.S. Department of Justice’s cyber and intellectual property crimes division since it was established in October 2001, according to Assistant U.S. Atty. Wesley L. Hsu, deputy chief of the section.

“They are technically difficult cases…. They’re difficult cases to put together, so law enforcement is having to sort of catch up,” Hsu said.

On Sept. 30, Gov. Arnold Schwarzenegger signed into law the Wi-Fi User Protection Bill, which aims to block unauthorized sharing of open Wi-Fi networks and inform users of the dangers of unsecured networks. Starting in October, warnings and tips will be required on all wireless home-networking equipment sold in California.

The law specifically addresses “piggybacking” — or the use of another person’s wireless network to access the Internet — a problem that security experts say has been a concern for years.

Do you have any Hotspot Horror Stories? Tell us in the comments, below.
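A defender-side check for the warning signs the article describes: a look-alike network name that differs only by case, peer-to-peer networks advertising free Wi-Fi, and laptops set to auto-join open networks with factory-default names. This is an added example, not part of the original post or the Los Angeles Times article; the `Network` record, the lure-word list and all sample data are constructed assumptions, and real scan results would come from your operating system's Wi-Fi tooling.

```python
from collections import defaultdict
from typing import NamedTuple


class Network(NamedTuple):
    ssid: str
    bssid: str      # access point MAC address
    security: str   # "open", "wpa2", ...
    mode: str       # "infrastructure" or "adhoc" (peer-to-peer)


# Factory-default names the article says many laptops are configured to join.
DEFAULT_SSIDS = {"linksys", "d-link"}
# Assumed bait wording, modelled on "Free Airport Wireless" and "free Wi-Fi".
LURE_WORDS = ("free", "wi-fi", "wifi", "wireless")


def normalize(ssid: str) -> str:
    """Fold case and collapse whitespace so look-alike names compare equal."""
    return " ".join(ssid.split()).casefold()


def flag_scan(networks):
    """Return {bssid: [reasons]} for networks showing the article's warning signs."""
    spellings = defaultdict(set)
    for n in networks:
        spellings[normalize(n.ssid)].add(n.ssid)

    findings = defaultdict(list)
    for n in networks:
        key = normalize(n.ssid)
        # Two visible spellings of one name: the hotel case from the article.
        if len(spellings[key]) > 1:
            names = " / ".join(sorted(spellings[key]))
            findings[n.bssid].append("look-alike name: " + names)
        # A peer-to-peer network is served from another user's computer.
        if n.mode == "adhoc" and any(word in key for word in LURE_WORDS):
            findings[n.bssid].append("peer-to-peer network advertising free access")
        # Anyone can stand up an open network with a default router name.
        if n.security == "open" and key in DEFAULT_SSIDS:
            findings[n.bssid].append("open network with factory-default name")
    return dict(findings)


def risky_saved_profiles(profiles):
    """profiles: (ssid, security, auto_join) tuples from the laptop's saved list.

    An open profile with auto-join is satisfied by any network that merely
    uses the same name, so these are the entries to delete or set to manual.
    """
    return sorted(ssid for ssid, security, auto_join in profiles
                  if auto_join and security == "open")


# Constructed sample data (locally administered MAC addresses, invented names).
SAMPLE_SCAN = [
    Network("hotelguest", "02:00:00:00:00:01", "open", "infrastructure"),
    Network("Hotelguest", "02:00:00:00:00:02", "open", "infrastructure"),
    Network("Free Airport Wireless", "02:00:00:00:00:03", "open", "adhoc"),
    Network("linksys", "02:00:00:00:00:04", "open", "infrastructure"),
    Network("CorpNet", "02:00:00:00:00:05", "wpa2", "infrastructure"),
]
SAMPLE_PROFILES = [
    ("linksys", "open", True),
    ("CorpNet", "wpa2", True),
    ("CafeNet", "open", False),
]

if __name__ == "__main__":
    for bssid, reasons in flag_scan(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(reasons))
    print("auto-join profiles to remove:", risky_saved_profiles(SAMPLE_PROFILES))
```

A look-alike flag marks both spellings because the scan alone cannot tell which one is the venue's real network; confirm the exact name with staff before connecting.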


The Day the Internet Went Down… And We Didn’t Notice

Posted in Internet, Security on February 8th, 2007 by Howard

You probably didn’t notice, but the Internet suffered a set of attacks on its infrastructure today stronger than anything seen since 2002.

There are 13 primary “Root” servers that serve as the authoritative domain name to IP address naming devices for the whole Internet. All other Domain Name System (DNS) Servers update their mapping tables from these root servers either directly or indirectly through some number of intermediaries. 3 of the 13 root servers were pounded Tuesday and temporarily overwhelmed. The attack was focused on boxes serving public domain spaces like .org and the US Department of Defense (apparently .mil but unclear from the wire reports).

The 12 hour attack was reported as a reasonably straightforward denial of service attack, but was remarkable mostly in scope and volume of data slamming down the pipes into 3 key servers. More on ZD News, the BBC or more interestingly on LittleGreenFootballs where the back and forth comments are much more fun to read.

Here’s the story:

WASHINGTON - Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet’s most vital pipelines.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. “Maybe to show off or just be disruptive; it doesn’t seem to be extortion or anything like that,” Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea.

The attacks appeared to target UltraDNS, the company that operates servers managing traffic for Web sites ending in “org” and some other suffixes, experts said. Officials with NeuStar Inc., which owns UltraDNS, confirmed only that it had observed an unusual increase in traffic.

Among the targeted “root” servers that manage global Internet traffic were ones operated by the Defense Department and the Internet’s primary oversight body.

Check it out, with comments from the forces of truth, goodness and the American way at LittleGreenFootballs.com.

Wikipedia news points to an article DDoSers bombard Military root server (and more) on The Register.


Data and Information Security

Posted in Product Reviews, Security on February 2nd, 2007 by Howard

This week TechTalk is focused on data security and information security, and we couldn’t have picked a better week. Every day you read another piece about a corporate data security breach. As more info moves into digital form and finds its way into databases, the opportunities to use that info as a business tool grow, but the risks of exposing that data to nasties increase.

So who’s hot in info security? Who are the players?


InfoSecurityProductsGuide named its picks for hot players in the security market this week. It includes old standbys like Novell, 3Com, PGP, PortAuthority, but also lots of up and comers like IPlocks.

Selected from an industry analysis of more than 500 prominent information security vendors, winners of this prestigious honor are chosen based upon a stern selection criteria of 4Ps. Nominees are evaluated on Products, People, Performance and Potential.

Check out the list

Here are a few choice picks:

IPLOCKS:

Ncircle:

nCircle is the leading provider of enterprise-class security risk and compliance management solutions. Global enterprises and government agencies rely on nCircle’s proactive security solutions to identify, measure, manage, and reduce security risk and automate compliance on their worldwide networks. nCircle has won numerous industry awards for growth, innovation and technology leadership and has been ranked among the top 100 best places to work in the San Francisco Bay Area. nCircle is headquartered in San Francisco, CA, with regional offices throughout the USA and in London, Toronto and Tokyo. Additional information about nCircle is available at http://www.ncircle.com
