Antivirus and Security Software from Sophos

Congressman Twitters secret trip to Iraq

Was a US delegation's security threatened by careless use of Twitter?

All computer users need to be aware of the far-reaching consequences associated with the irresponsible use of social networking sites like Twitter, following news that a high ranking member of the US House Intelligence Committee tweeted details of a secret congressional visit to Iraq.

According to reports, Representative Peter Hoekstra tweeted his arrival in Baghdad via his BlackBerry with the following post: "Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11th trip here."

Twitter message posted by Peter Hoekstra

Hoekstra had announced the trip in advance via his Twitter page and continued to post details about the party's itinerary every few hours, until the morning of Friday 6th February. His last post read: "Moved into green zone by helicopter Iraqi flag now over palace. Headed to new US embassy Appears calmer less chaotic than previous here [sic]."

It seems to me that this was a serious security blunder by the US government - the Republican congressman is not only putting himself at risk with his careless Twittering, but also the people tasked with protecting him.

Although sites like Twitter are evolving into great networking tools, security and common sense are crucial: even more so when you are a high ranking government official. In Hoekstra's case, a foolish security breach like this had the potential to be a deadly gift for criminals.

Users must be more savvy about the content of their posts and the way in which they use these social networking sites - with sensitive information like this in the public domain, who knows what could have happened.

Although it's unclear whether Hoekstra broke any laws by revealing the information, the fact remains that the congressional delegation's visit to the war zone last week should probably have been kept secret for obvious security reasons. Even US media outlets, like the Congressional Quarterly, that knew of the trip agreed to keep information under wraps until the party left Iraq.


Hacked road sign warns of British invasion

Hacked road sign warning that the British are coming
First there was a warning that there were zombies on the road ahead, now another hacked road sign is spreading news that the British are invading America.

According to media reports, an electronic road sign being used by construction workers in Lubbock, northern Texas, was hacked on Friday to display the message: "OMG THE BRITISH R COMING. THEY R WATCHING YOU."

My guess is that this is a copycat attack, inspired by the high amount of media coverage received by the hack of another road sign in Austin, Texas, in late January, which warned "Caution! Zombies Ahead!" and "Nazi Zombies! Run!!!"

Hacks like this might seem like harmless fun and I don't want to sound like a killjoy, but you can imagine how messing around with road signs could actually lead to a dangerous accident - either for the people doing the roadside hacking or for innocent motorists.

The companies putting these signs by the roadside need to take better care to secure them (both physically and with hard-to-guess software passwords) before the craze of road sign hacking becomes an epidemic.


Have you patched your printer?

printer
HP has issued a security bulletin urging owners of certain LaserJet printers to apply a firmware update.

According to the company, the security vulnerability potentially allows hackers to gain unauthorised access to files stored on the printer via its web administration console.

This probably isn't the most serious vulnerability that the world has ever seen, but you can imagine that many IT departments will treat patching a printer as a very low priority compared to desktop computers and servers. The danger is that some companies will never find the resources to tackle the lower priority security issues, potentially leaving them in a risky state for the future.

This security bulletin also underlines how important it is for every department responsible for securing a company against threats to keep an eye on bulletins not just from operating system vendors like Microsoft and Apple and software companies like Adobe and Mozilla. A much broader view must be taken of where vulnerabilities may be present, and of which security hole might bring your firm into difficult waters.

The affected printers are said to be the HP LaserJet 4345mfp, HP Color LaserJet 4730mfp, HP LaserJet 9040mfp, HP LaserJet 9050mfp, HP 9200C Digital Sender, HP Color LaserJet 9500mfp, HP LaserJet 2410, HP LaserJet 2420, HP LaserJet 2430, HP LaserJet 4250, HP LaserJet 4350, HP LaserJet 9040 and HP LaserJet 9050.


Guest blog: Security has to strike a balance

"Rich Baldry, a product manager based in our Vancouver offices, has put his pen to paper (actually that's a lie, he's used his fingers and a keyboard) and written the following guest blog post. Over to you Rich.."

Rich Baldry
IBM's X-Force recently revealed that 55% of all vulnerabilities discovered in software last year were in web applications.

Not a big surprise - web apps are complex, tying together a smorgasbord of software components with an all-you-can-eat buffet of different programming languages.

Web apps are also by definition public-facing. They are open to anyone with a sense of curiosity, or perhaps more malicious motives, to prod, probe and poke.

More worryingly, IBM also revealed that 74% of those vulnerabilities have still not been fixed. Many of these can be abused by hackers to penetrate web sites and either extract confidential information, or leave behind malware or links to virus distribution sites.

The failure of websites to keep their own house in order leaves us all vulnerable. The unpredictability of vulnerability discovery and exploitation means that we can never really be sure which sites to trust.

So how can we protect ourselves?

Airport security

Events at Google last weekend exposed an unusual problem where programmer error caused an excess of security. It is a standing joke that if you want a really secure computer system, just don't connect it to the internet, but I never expected Google to be a proponent of this.

Security has to strike a balance. Take cross-site scripting (XSS) attacks, for example. They are a really nasty way that the bad guys are abusing our trust in known web sites to do bad things.

The popular 'NoScript' plugin for Firefox takes a very aggressive approach to this, which provides great protection. Unfortunately it also prevented me from winning $43 million in the provincial lottery last weekend, because it blocked the link from the web site's payment page to my bank's 'Verified by Visa' site.

Microsoft's Internet Explorer 8 also provides XSS prevention which uses more complex rules to avoid overblocking, but reports suggest it errs on the side of allowing potentially suspicious requests.

Which is the correct approach? I suspect your answer would vary depending on whether you've just been the victim of an identity theft or you're just trying to buy a last-minute lottery ticket online.
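As an added illustration of the overblock/underblock trade-off described above (this is example code, not NoScript's or Internet Explorer 8's actual filtering logic, both of which are far more elaborate), the Python below runs two constructed request filters over three constructed samples. The host names shop.example and forum.example, the sample URLs and the response bodies are all made up for the demonstration. The context-free rule blocks anything that looks script-like in the request; the reflection-aware rule blocks only when such a value comes back unencoded in the response.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Tokens that a simple reflected-XSS heuristic treats as "script-like".
# Deliberately crude, to show how such rules misfire in both directions.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)


def aggressive_filter(url: str) -> bool:
    """Context-free rule (in the spirit of a NoScript-style blocker): refuse
    any request whose decoded query string contains a script-like token.
    Catches every raw reflection in this family, but also blocks legitimate
    requests that merely mention such a token (overblocking)."""
    query = unquote_plus(urlsplit(url).query)
    return SCRIPT_MARKERS.search(query) is not None


def reflection_filter(url: str, response_body: str) -> bool:
    """Reflection-aware rule (in the spirit of an IE8-style filter): block only
    when a script-like parameter value comes back verbatim in the response,
    i.e. the site failed to encode it. Lets correctly encoded echoes through,
    but cannot see script the site served from its own storage (underblocking)."""
    for _name, value in parse_qsl(urlsplit(url).query):
        if SCRIPT_MARKERS.search(value) and value in response_body:
            return True
    return False


# Constructed sample traffic (hypothetical hosts, not real sites).
SAMPLES = {
    # A user searching for an HTML tutorial; the site encodes the echo correctly.
    "encoded_search": (
        "https://shop.example/search?q=%3Cscript%3E+tag+tutorial",
        "<p>Results for &lt;script&gt; tag tutorial</p>",
    ),
    # Same query against a page that echoes it raw: a genuine reflected XSS sink.
    "raw_reflection": (
        "https://shop.example/search?q=%3Cscript%3E+tag+tutorial",
        "<p>Results for <script> tag tutorial</p>",
    ),
    # Nothing suspicious in the request; the script came from stored content.
    "stored_content": (
        "https://forum.example/thread?id=7",
        "<div class='post'><script>/* placed earlier by another user */</script></div>",
    ),
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (aggressive_blocked, reflection_blocked)} for each sample."""
    return {
        name: (aggressive_filter(url), reflection_filter(url, body))
        for name, (url, body) in samples.items()
    }


if __name__ == "__main__":
    for name, (agg, refl) in evaluate().items():
        verdict = lambda blocked: "BLOCK" if blocked else "allow"
        print(f"{name:16} aggressive={verdict(agg)}  reflection={verdict(refl)}")
```

Run stand-alone, the table shows the trade-off in miniature: the aggressive rule blocks the harmless, correctly encoded search (overblock), while the reflection-aware rule lets it through and only blocks the raw echo; neither rule catches the stored script, which never appeared in the request at all (underblock). That is the gap the guest post argues has to be closed by combining several layers rather than relying on one.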

The boundaries of trust and mistrust, good and bad, real and fake are severely blurred by the internet and the way we experience it. The increasing complexity of web applications and the vulnerabilities in them means that very few sites can be really trusted. Databases of good and bad web sites just can't keep up with the changes. Simple content rules or signatures will either overblock or underblock.

Web security needs to combine URL filtering with content analysis, behavioural prediction (reactive and proactive) and control of unnecessary content to even begin to be effective. Combining gateway and endpoint security is also vital to get a full picture of the threat.

Any one of those techniques alone will always fail us in one way or another.

* Image source: Stephen Witherden's Flickr photostream (Creative Commons 2.0)


Facebook femme fatale: Youth accused of sex blackmail plot

Anthony Stancl

Police have charged a teenager with sexual assault after he allegedly posed as a girl on Facebook, encouraged 31 classmates to send him naked photos, and blackmailed them into performing sexual acts.

18-year-old Anthony Stancl of New Berlin, Wisconsin, has been charged with five counts of child enticement, two counts of second-degree sexual assault of a child, two counts of third-degree sexual assault, possession of child pornography, repeated sexual assault of the same child, and making a bomb threat.

All 31 boys attend New Berlin Eisenhower Middle/High School, according to Waukesha County District Attorney Brad Schimel.

There's much more detail about this horrific case in a report by the Milwaukee-Wisconsin Journal Sentinel newspaper, but I think for the purposes of this blog the most relevant element to focus on is the issue of people disguising their true identity on Facebook.

We should all know by now that it's trivial to create a fake profile on Facebook.

Sophos itself registered a bogus Facebook user (using the image of a small plastic frog called Freddi Staur) when it conducted an investigation into identity theft on Facebook.

So, there's no doubt that there are plenty of "female" profiles online that are in reality men (and probably vice versa) using photographs that they have stolen or downloaded off the internet.

Even if you recognise the name and picture of someone you know on Facebook, you can't necessarily be certain that it is the person you think it is, unless they have confirmed it to you face-to-face. This has been brought to more people's attention recently with the rising number of reports of accounts on Facebook and other social-networking sites being stolen by scammers, phishers and malware authors.

And there is an issue for parents here too. Can you be confident that your children are behaving safely on the internet and not getting themselves into hot water?

Young people need to learn how to use the internet sensibly and be made aware of the risks that are present when they log in. The alternative is that we are bringing up a generation of youngsters who are not just comfortable using the internet, they're too comfortable.

If convicted, Stancl faces a maximum sentence of 293 years in jail.


$9 million stolen in co-ordinated global cash machine heist

ATM cash machine
Hackers who stole information from RBS WorldPay distributed cloned debit cards around the world and used them to take $9 million from 130 ATMs in 49 cities in just 10 hours. Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong were amongst the locations where the criminals fleeced money from cash machines using counterfeit cards.

That is the astonishing claim being made by the FBI, who say that the highly-organised sting occurred shortly after 8pm on November 8, 2008.

Electronic payment service RBS WorldPay admitted on December 23 that personal information on up to 1.5 million people had been stolen, causing some to speculate that they had tried to hide the bad news by releasing information on the eve of the holiday season.

The Chicago branch of the FBI has released pictures of a man and a woman making withdrawals from ATMs at a bank branch in Matteson and a Walgreens in Calumet City. It's worth noting that the people in these photographs are unlikely to be the ringleaders of the plot - but instead low-level operatives sent to withdraw cash from the machines.

More images of suspects can be found in this report from Fox News.

It's getting more and more common to hear stories of companies losing data about their customers, but this case sends an additional chill down the spine because of the sheer audacity of the scheme to steal an extraordinary amount of money in such a short time.


The Sophos snowball fight

Following the deluge of snow overnight which covered Sophos's offices in Abingdon, Oxfordshire, we decided to have a snowball fight.


Snowball fight at Sophos from SophosLabs on Vimeo.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

We challenged the guys at rival anti-virus firm Kaspersky to join us in the battle, but they showed up about 90 minutes late (one of our web developers did still manage to hit them in the back with a snowball though as they were walking away..).

If there is more snow tonight we'll probably organise another snowball fight, Clash of the Titans-style, to see who is the stronger security company.


Come on Kaspersky, if you think you're hard enough..

Enough snow fell in the UK on Monday for everybody to make 251,800 snowballs.. each.

That's the calculation of maths wizard and national sweetheart Carol Vorderman, who reckons that Britain saw a mind-boggling 3,840 billion kilograms of snow on 2 February.

Sophos's HQ in Abingdon, near Oxford, escaped most of the snow that day, but last night it fell in droves covering our rather swanky offices.


Snow at Sophos from SophosLabs on Vimeo.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

And that's why Gareth in our virus analysis labs (you'll see him hard at work in the video above) has organised a company-wide snowball fight on the grassy knoll outside Sophos. The snowball fight starts at 1pm - please be sure not to cross over into the roads (it's a bit hard to tell where the once-grassy knoll ends and the roads begin).

And if anyone from Kaspersky's UK offices (which aren't based that far away from us, and should be no strangers to snow given their Russian heritage) wants to join us in the snowball fight to find out who is the toughest anti-virus company... BRING. IT. ON.


FBI warns of money mule scams

Donkey

The FBI has published a warning on its Internet Crime Complaint Center (IC3) website about the danger of fake job adverts and "work at home" scams.

The scams normally involve a criminal gang hiring an often innocent third party (known as a "money mule") to transfer stolen money deposited in their account. The mule, who is usually recruited via spam email with promises of how they can make fortunes by working from home for a financial institution, usually takes a percentage of the money transferred for their efforts.

Of course, there is not only the risk that the money mule will hand over personal information to the criminal gang (including their bank account details) in the belief that they are dealing with a legitimate employer, but also that the police will not look kindly on their involvement in the criminal activity.

According to APACS, the UK's Association for Payment Clearing Services, this sort of fake job advertisement has risen 345% in prevalence in the last three years.

Don't be an ass, be more sceptical about job offers you receive in your email, and avoid getting yourself involved in a money mule scheme.

* Image source: The Untrained Eye's Flickr photostream (Creative Commons 2.0)


Government security workers warned of identity theft risk

No company likes to admit that it has had a security breach. But things must feel even more awkward when the victim company is a computer security contractor working for the US federal government.

SRA International, a government contractor that provides cybersecurity services, has admitted that computer malware found on its computer network may have stolen personal information about its employees.

The unnamed malware was found on a network server also used for storing employees' names, addresses, dates of birth, health information and social security numbers. The firm has informed its staff by letter of the security breach, and advised that they are offering credit monitoring services to employees concerned that they may become victims of identity theft.

SRA letter

I guess the big unanswered question is this: Why wasn't this sensitive data encrypted? If it had been securely encrypted then even if malware and hackers had gained access to the same drive as the confidential information, they wouldn't be able to do anything with it.
