Kane’s Computing World

The first step: be aware of what it is.  See my last post for more details.

Defending against social engineering means awareness and vigilance:

Traditional security measures remain important. Antivirus, antispam, antimalware, URL filtering, and other tools – installed and regularly updated at endpoints, the Internet gateway, and “in the cloud” – provide essential protection. Security policies, including formal ones tailored to the individual needs of enterprises, and informal ones implemented at home via a family discussion, must also be established, periodically discussed, and enforced. Finally, large and small enterprises must continually educate and train their employees while consumers need to do their due diligence to keep abreast of social engineering techniques. The bottom line: be skeptical, but not paranoid.

Trend Micro: First Line of Defense

One of the most commonly used tools in the arsenal of the bad guys: social engineering.  It’s effective because it uses the victim’s own good guy instincts against him.

A good overview of social engineering published by Trend Micro:

Cyber criminals have used social engineering since the dawn of the virus. As cyber threats have evolved, one constant has remained – the effectiveness of social engineering. The success of social engineering is due to its exploitation of the inherent emotions of humans, including empathy, sympathy, curiosity, and fear. People marvel at the achievements of athletes, cower in fear of illness or disease, and sympathize with the plights of those affected by a natural disaster. Social engineering plays on these emotions to entice humans to take actions that suit the nefarious purposes of cyber criminals.

Social engineering is particularly effective because it manipulates the natural human tendency to trust. Our natural willingness to trust leaves many of us vulnerable to attack. Hardware and software are quite effective at protecting against a range of cyber threats. However, the weakest link in the chain of protection is the most likely to be exploited. In this case, the weakest link is the human PC user. As Trend Micro Threat Research Project Manager Jamz Yaneza puts it, “Many of your connections may be secure, but it’s that connection between the chair and the keyboard that may cause a problem.”

Trend Micro: First Line of Defense

Read the whole article for a better understanding of the concept. 

To know how to defend, one must know how one can be exploited.

Some useful tips to help identify phishing scams, but beware, the criminals are getting smarter.  Some scams may not trigger the alerts listed in this article from Trend Micro: 

What Does Phishing Look Like?
People are still falling prey to phishing scams, so what can be done? “The first step is helping people realize what phishing looks like,” says Jamz Yaneza, Threat Research Project Manager for Trend Micro. “If people recognize email or phone calls as suspicious, they are less likely to bite.” The following are some common characteristics that may help identify phishing scams, as well as some advice to avoid being scammed:

Misspellings and Poor Grammar
Phishing often starts with email. Although most such email remains targeted toward U.S. users, non-native English speakers are often the authors. For this reason, some emails appear to be written in broken English, with misspellings and poor grammar. “Take this observation with a grain of salt,” warns Yaneza. “Cyber criminals are now outsourcing these communications to professional writers and designers. Only 70 percent of what I see looks unprofessional, and that number is dropping rapidly. It is becoming increasingly difficult to distinguish legitimate email from spam.”

Never Send Information Via Internet
Many consumers remain unaware that banks and other companies never request sensitive, personal information over the Internet. Also, banks never call and ask for bank account information or Social Security numbers over the telephone. It’s best to personally vow to never disclose sensitive information when receiving an email or telephone call. Only provide private information when first initiating a phone call to verify the identity of the person at the other end. If requested to provide a Social Security number, ask to provide the last four digits only. For example, phone companies request a Social Security to verify account information but will accept the last four digits alone if callers provide additional proof of identity.

Beware of Clicking
Spam itself is not dangerous—it’s what users do after receiving the spam that creates phishing problems. For example, suppose that a user receives a spam email requesting the user to click on an additional link to learn more or provide more information. This is where the trouble begins. Refusing to click on embedded links can circumvent a phishing attack. “Banks and other organizations never ask users to download software,” says Yaneza. “Occasionally a bank will request users to download a browser helper toolbar but that is becoming rare as phishing attacks increase.”

Avoid Ploys for Help
Although many volunteer organizations now use email to solicit donations, it is best to verify a request for a contribution by calling the organization directly. Many phishing attempts, such as the 419 scams described in the first article, are disguised as solicitations for helping someone in need.

Stop Forwarding e-Petitions
Email chains and online petitions are almost never legitimate. Instead, they are initiated by scammers searching for quick and easy ways to collect a mass email list. Unfortunately, people who forward these emails to friends and family are playing right into criminals’ hands. Some petitions feature names, addresses and email addresses. An e-petition is unlikely to actually find its way to the White House, for example. Upon closer inspection, most emails fail to request that a certain action be performed to resolve a problem. For example, a popular e-petition supposedly originating from Mothers Against Drunk Driving (M.A.D.D.) contains no call to action or instructions once the list reaches its stated 5,000 person signature goal. [1] Spammers use these lists to perpetrate phishing and other Internet crimes.

Be Vigilant
Consumers are the first line of defense in protecting against phishing attacks. The best advice is to open attachments from known or expected sources only and to delete all unwanted and suspicious messages. If email arrives from a known company or Web site, only click on links that are hosted on the same site. Redirections to another site are a sure sign the email may not be legitimate.

Technology Solutions
For maximum protection against phishing, implement a comprehensive anti-phishing solution, comprising protection at all possible entry-points—including the Internet gateway, messaging gateway, endpoint clients, endpoint servers, and the network. Trend Micro offers a variety of anti-phishing solutions to suit both consumer, small to medium-sized business and enterprise needs. In addition, keep all operating system, browser, desktop applications, and instant messaging (IM) security patches up to date to guard against the newest phishing scams.

Nope, not a rerun of “Deadliest Catch”, it’s the lingo of the underside of the Internet.

Phishing attacks are attempts to trick users into giving up confidential information usually through a fraudulent email.  However, phishing attacks are on the rise and using new techniques, like the telephone:

Although more commonly associated with email, phishing also uses other communication techniques. As Internet users have become more savvy, phishing technology continue to grow more sophisticated, and new scams are continually occurring. For example, creative thieves are now using “vishing,” which uses Voice over Internet Protocol (VoIP) phones instead of a misdirected Web link to steal user information. Rather than using an email campaign, thieves use a VoIP system to cover a particular area. A recorded message tells the person receiving the call, for example, that their credit card has been breached and to “call the following (regional) phone number immediately to resolve the matter.” Of course the phone number does not belong to a credit card company, but rather to the criminals behind the scheme.

Trend Micro First Line of Defense Newsletter

Read the rest of the newsletter to learn more.

From Windows Server newsletter:

Microsoft Delays Release Of XP SP3

The saga continues. No, you can’t have XP SP3. Nothing to see here. Move along folks. They pulled SP3 and blame a “compatibility issue” with their Microsoft Dynamics RMS (a SMB retail-chain-management application). SP3 seems to cause data corruption. And they are also “Temporarily holding any additional automatic distribution of Windows Vista SP1,” said a spokeswoman for Microsoft. And oh, they only had a few -years- to check for these things before SP3’s release. The conspiracy theorists are going to have a field day with this one. I can already hear them muttering, “nobody knows anybody who uses RMS, fishy”. I’ll be sure to update you when Microsoft gets that update updated with a new update. *g*

From Cnet News:

Microsoft says it has stopped automatically updating machines to Vista Service Pack 1 after discovering a bug that can cause problems between the OS and another of the company’s products.

View Original Article

Apparently, there’s a last minute fix for the long awaited service pack for the venerable Windows XP:

An anonymous reader sends word that Microsoft Windows XP SP3, which had been scheduled to hit the Web today, was pulled back at the last minute. SP3 apparently broke a Microsoft application, Microsoft Dynamics Retail Management System. Their solution is to set up a filter to make sure that no system running the affected software will get automatically updated; once the filter is in place, SP3 will be released to the Web. A fix for the incompatibility will follow.

Read more of this story at Slashdot.

View Original Article

The newest and probably last Service Pack for Windows XP is scheduled for release on April 29^th.  The folks at Cnet have a hands-on preview:

Microsoft says the service pack includes functionality previously released as updates. Perhaps that’s why the download and installation for SP3 was effortless on our test system. XP SP3 took only 30 minutes to download, and 10 minutes to install.

• Some updates relevant to the home user include:
  Support for WPA2, the latest standards-based wireless security solution derived from the IEEE 802.11i standard.
• Improvements to black-hole router detection (detecting routers that are silently discarding packets). Windows XP SP3 turns this protection on by default.
• BITS 2.5, which is required by Microsoft System Center Configuration Manager 2007 and Windows Live OneCare.
• Peer Name Resolution Protocol (PNRP), which allows Windows XP applications to communicate with Windows Vista programs that use PNRP.
• Windows Installer 3.1, which contains new and enhanced functionality and addresses some issues that Microsoft found in Windows Installer 3.0.
• Digital Identity Management Service (DIMS), which allows users who log on to any domain-joined computer to silently access all of their certificates and private keys for applications and services.

However, the balance of these improvements are not necessarily relevant to the home user. For example:

MMC 3.0, which is a framework that provides common navigation, menus, toolbars, and workflow across diverse tools.

MSXML6, which provides better reliability, security, and conformance with the XML 1.0 and XML Schema 1.0 W3C Recommendations as well as System.Xml 2.0.

IPsec filter creation and maintenance. XP SP3 reduces the number of filters that are required for a server and domain isolation deployment. Also, the Simple Policy Update removes the requirement for explicit network infrastructure permit filters and introduces enhanced fallback to clear behavior.

The Security Options control panel includes more descriptive text to explain settings and prevent incorrect settings configuration.

Network Access Protection (NAP), which is a policy enforcement platform built into Windows Vista, Windows Server 2008, and Windows XP SP3 to better protect network assets by enforcing compliance with system health requirements.

Starting April 29, all Windows XP SP2 users should upgrade to SP3, if only to get a complete set of Windows XP patches installed.

A slideshow of Service Pack 3 is available from PC Magazine here.

Alex Eckelberry at Sunbelt Software just heard a rumour

We just got this in from a credible source:

I have just been advised by my Dell representative that Dell will be offering XP on Optiplex and Latitude computers through 2011 at no extra cost. Vista media will be available for those who think they might want to install it later on. Vostro computer orders will have the same option at a $50.00 premium.

Note: this means that there will be an extended period of review available for Windows 7 before we have to commit to it.

She told me that the reps are thrilled to be able to respond to the increasing expressions of concern from customers regarding the June 30 cut-off XP date publicized by Microsoft. She also told me that, of the more than 100 customers she has, only one is ordering Vista computers…

Anyone have any confirmation on this rumor? If it’s true, it’s really good news…

Alex Eckelberry

View Original Article

Tags: WindowsXP

The end is in sight for Windows XP, and what a great run it’s been!

From Mary Jo Foley’s All About Microsoft blog:

Microsoft made it official on April 3: There will be no new reprieves for Windows XP (other than on Ultra Low-Cost PCs).

Some customers and partners had been hoping the company might extend again the deadline for all PC makers to be allowed to preload Windows XP, rather than Windows Vista, on new PCs. But today, Microsoft officials said the current June 30, 2008 cut-off date would remain in place for the vast majority of machines.

[…]

For plain-vanilla PCs, Microsoft is holding fast to its June 30 preload cut-off for XP. (In September, Microsoft granted PC makers a five-month extension, allowing them to continue preloading and selling at retail Windows XP until June 30 of this year. ) As Microsoft noted previously, users still will be able to get XP preloaded on new machines from white-box vendors/system builders through January 31, 2009. And Vista Business and Ultimate customers with volume-license contracts can still get XP via their “downgrade” rights.

Microsoft will still provide mainstream (free) support for XP until April 2009. Extended support (free for security fixes and paid for other help) ends in 2014.

[…]

One person’s experience with Geek Squad/Best Buy, also from The Consumerist:

Still think using Geek Squad to repair your computer isn’t such a bad idea? That’s what reader Nicole thought when she took her laptop in for a warranty covered repair. The laptop was sent off to a service center, “repaired”, then sent back. She immediately noticed it had the same exact problem and sent it back 48 hours later. This time, she was told the warranty wouldn’t cover it, as the Blue Screen of Death was now being caused by water damage. Nicole pointed out that there wasn’t water damage the first time it was repaired for the exact same problem two days ago. Geek Squad responded by quoting her $775 for the repair. The details, below.

Complaints: Geek Squad Soaks Your Computer, Blames You

Ouch!  Maybe she should have read this post.

Tags: customerservice

We all hate calling technical support or dealing with customer service representatives on the phone.  An interesting article lays out some practical tips to get through the process and increase the odds of getting a satisfactory result.  So read the article, print it out and keep it by the phone next time you have to call HP, Dell or any other large faceless corporation.

From the Consumerist.com

Reader Lona says that people in her family have called her a consumer advocate since she was sixteen, and now she is going to share with us 2,177 words on the customer service tactics and techniques she uses to get satisfaction. She writes, “in 99% of situations, it allows you to reach an agreeable solution to almost any problem. It is something I do for family and friends, and for myself.” Some of her methods have been mentioned in various ways on the site before but others are completely unique. And by the time you read her true success story at the end, you’ll swear she has Jedi mind-control over customer service reps. It boils down to, without raising your voice, asserting control over the conversation from the beginning and then never relinquishing that power.

Hardballs: How To Mind Control Customer Service Reps

The whole article has 13 easy to implement and common-sense suggestion for dealing with customer service reps.  It ends with the author relating a real world application of her principles and techniques to reach a happy conclusion. 

Read the whole thing here.

Tags: customerservice, phone

An excellent article at esecurityplanet.com shows why the choice of your wireless password is so important. 

WPA Security Tips

[…]

With access to your wireless network, a hacker could intercept sensitive information, such as e-mail messages or even access-shared files. More commonly, a hacker might not want your personal data, but to abuse your network access. She or he could use your Internet service to engage in criminal activities, such as sharing illegal content or sending spam.

The original WEP protocol designed to protect 802.11b/g networks did not remain secure for very long. Flaws in its design allowed snoopers to extract the keys needed to unlock it from the airborne packet stream. In 2005, some 200 million credit card numbers were stolen from TJX, parent company of clothing store Marshalls, by compromising their WEP-encrypted wireless network using Wi-Fi gear sniffing packets from outside a store location. WEP hacking tools have matured to the point where even novice hackers can compromise WEP networks in a few clicks and a few minutes. It is no surprise that WEP is no longer recommended for securing wireless networks.

Replacing WEP in 802.11b/g/n networks is WPA, or Wi-Fi Protected Access The conventional wisdom about WPA is that, unlike WEP, it is not vulnerable to hackers. But this is only partially true. Under certain, often common, conditions, it is, in fact, possible to compromise WPA- or WPA2-encrypted wireless networks. Simply choosing WPA instead of WEP and assuming that all is well is not enough, and could give you a dangerously false sense of confidence. Armed with the right knowledge, though, you can defend yourself against WPA hacks.

[…]

WPA security all boils down to the complexity of your passphrase [my emphasis-DK]. For a hacker to unlock the WPA passphrase, that passphrase needs to be contained in whichever dictionary he or she is using. Obviously, a hacker’s chance of success improves the larger and more thorough the dictionary.

Because hackers’ dictionaries are composed mostly of words and simple combinations, the chances that your WPA PSK can be hacked increase depending on how likely it is to be found in a dictionary, even a very large one.

Tempting though it is to choose a passphrase you can easily remember, like the name of your pet or street, doing so is likely to produce a PSK found in a good dictionary. Your two best defenses against a WPA attack are randomness and length [my emphasis-DK]. 

The article goes on to give examples of good and bad WPA passwords: read the whole thing here.

There are some excellent online tools to help you generate complex, random passwords that you can use in your home wireless network.

Happy networking!

The TidBITS article is here and is well worth a read.

adamengst tips an article up on TidBITS that explores the persistent reluctance of many nerds to embrace fully new communications media such as IM and Twitter. In this thoughtful article Joe Kissell explores, from the inside, the mind of the introvert and how this personality style often struggles with new “always-on” media. The result is a sometimes exasperated incomprehension on the part of the more extroverted. Well worth a read.

Read more of this story at Slashdot.

View Original Article

I know this flies in face of all the people who are convinced that video games lead to an increase in violent behaviour, but this study accord with my own experience.  I come home at the end of a hard day; a beer and some Call of Duty 4 relaxes me and then I’m ready to get on with an evening with my family.

Stony Stevenson writes “A new study of computer gamers has found that a session in front of World of Warcraft can make players less stressed and more calm. The study questioned 292 male and female online gamers aged between 12 and 83 about anger and stress. They then played the game for two hours and were retested. “There were actually higher levels of relaxation before and after playing the game as opposed to experiencing anger, but this very much depended on personality type,” said team leader Jane Barnett from Middlesex University.”

Read more of this story at Slashdot.

View Original Article

Tags: violence, video games

Sad but true!  Damn, but XP had a good run!

An anonymous reader writes “Though the Redmond software giant may be extending the lifetime of XP on low-end laptops, the end is nigh for the aging OS. That extension makes perfect sense, as recent studies have shown XP is far faster than Vista across a number of platforms. Still, Microsoft is ’sticking to its guns’ when it comes to drop-dates for most other uses of the XP operating system. ‘There are several dates that apply, but the one you’re probably thinking of is the June 30 deadline that Dix referred to. That’s the last day when large computer makers — the Dells, HPs and Lenovos of the world — will be allowed to preinstall Windows XP on new PCs. It also marks the official end of XP as a retail product.’”

Read more of this story at Slashdot.

View Original Article

Tags: malware, IRS, scam, phishing

This is a disturbing story.  The full Washington Post article is here.

dstates writes “The Washington Post is reporting that some Internet Service Providers (ISP) have been using deep-packet inspection to spy on the communications of more than 100,000 US customers. Deep packet inspection allows the ISP to read the content of communications including every Web page visited, every e-mail sent and every search entered, in short every click and keystroke that comes down the line. The companies involved assert that customers’ privacy is protected because no personally identifying details are released, but they make money from advertisers who use the information to target their online pitches. Deep packet inspection is a significant expansion over tools like cookie in the ability to track a user. Critics liken it to a phone company listening in on conversations.”

Read more of this story at Slashdot.

View Original Article