Tag Archive: advice


Targeted Trojans


A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred from who the recipients are.

LSE uses MessageLabs to protect our inbound email, primarily to reduce the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is something called skeptic, that tries to identify previously unseen malicious software and to block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts on the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.


This week, LSE received a couple of calls from “Microsoft”, stating that they had detected a virus on the PC that the user was using and could they install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts, and informing staff. We have had reports that Skype users are also being targeted.


While I am not a lawyer and others have said this before, notably Rob Carolina in his talk “The Cyberspace Frontier has Closed”, I thought it worth reviewing some recent developments that demonstrate the fact that the Internet is not lawless and behaviour online may well result in liabilities “in the real world”.

There still seems to be this perception that laws don’t apply to online activity. Take Joanne Fraill, the juror who was jailed for eight months for contempt of court by contacting one of the defendants in the trial she was on. She had received clear guidance from the Judge on the case, as had all of the other jurors, not to research the case online and definitely not to contact anyone related to the trial. I had exactly the same advice when I was a juror at the Old Bailey a couple of years ago.

And, yet, she still did it, no doubt believing that:

  1. It wasn’t so bad, and;
  2. She wouldn’t get caught anyway.

She was wrong. The trial collapsed.

This sort of thinking is rife online, and it is exacerbated by the fact that any search will bring back results that confirm every point of view on every subject, so searching is not really much help.

Other areas of the Internet where people should consider the consequences of their actions include:

  • Copyright infringements
  • Data protection issues
  • Harassment
  • Money laundering
  • Tax evasion
  • Libel

Some of these apply to corporate organisations in a different way to individuals. For example, a data protection breach has the potential to seriously damage an organisation’s reputation. Libel may get you a hefty fine.

Just because people have a romantic notion of the Internet where normal laws don’t apply doesn’t make it reality.


News reaches us of the latest, unannounced Facebook feature: facial recognition. What this implies is that Facebook will trawl through all the photos on the site, automatically “tagging” you in pictures that the system thinks you’re in.

Great time saver, you might think, but there are several things to think about:

  1. It was enabled, quietly, without user consent and requires users to actively disable the feature
  2. No technology of this sort is 100% accurate, so if you don’t disable it, you may find yourself tagged in embarrassing pictures that aren’t of you
  3. This is an indication of the power of data mining. What’s to stop Facebook mining Google or Bing, looking for pictures on other sites?

With thanks to the Sophos blog on this topic, here’s how you disable it:

Go to Account -> Privacy Settings -> Customise Settings (near the bottom) and go to the “Things others share” section.

Then go down to “Suggest photos of me to friends” and click the edit button.


Then select “Disable”.

If Facebook want to be seen to be taking privacy seriously, they should start by adopting a policy of opt-in for new features.


Interesting news about Gawker and passwords. For those that don’t know, Gawker is a news aggregation site that appears to have been subject to some sort of attack recently, in which its entire password database was compromised. The impact of this is that lots of Twitter accounts have been hacked.

Two things are of interest here:

  1. The types of user on the site are quite technically savvy, and yet still have very poor passwords
  2. People are still using the same password on different sites

If you take anything away from this, please seriously consider using different passwords on different sites, because if one site gets hacked, your accounts on the others become vulnerable. Password vaults such as LastPass or 1Password are a potential solution to this problem (recommendations from Graham Cluley of Sophos).


The majority of people I talk to want to do the right things online to protect themselves but don’t know what to do. That said, most people won’t go hunting for information to help themselves because they have to wade through great mountains of jargon and impenetrable comments from all quarters. If they do go looking for stuff, many give up.

So, I have been organising a series of three evenings at LSE, in the Old Theatre, with eminent speakers to explain what’s going on in the information security world, and how you can protect yourselves.

These will take place on the 19th, 20th and 21st of October from 6.30pm and are open to the general public.

#ssol on Twitter


This case just goes to show that you really should never post anything online you don’t want the world to see.

In summary, a woman in the US has been claiming that she is largely bed-ridden. The company that she works for disputes this, citing pictures of her being active on her Facebook account, and they have applied to a judge to gain access to her Facebook and MySpace postings, including those that she has deleted.

It’s not overly clear from the article whether deleted posts were actually recovered, but Facebook’s privacy policy implies that at least some deleted content can be recovered.

More analysis can be found from The Register.

iTunes Account Hijacking


There have been a number of stories in the news lately that highlight the growing problem of people gaining unauthorised access to iTunes accounts and siphoning off money from people’s bank accounts in clever ways. These highlight the evolution of crime in an increasingly service-orientated world and people’s individual responsibility to keep their accounts safe.

Consider this scenario: either a genuine-looking website or an application installed on a smartphone asks you for your email address and password in order to access some specific content, like some music you’re looking for online or an app that you want to install. You happily give your details to this site, and you may or may not get what you were requesting. A couple of weeks later, you get your bank statement saying that you have spent £1000 in iTunes. You had no idea that this had taken place, so you contact your bank, who say that they can’t do anything about it because the purchases were authorised: they were all for gift cards.

What has happened here is that someone has tricked you into giving your account credentials to them, they’ve logged in as you, bought a whole load of very re-saleable items (especially at less than face value) using your bank details (which they don’t even need to know) and got off scot-free.

This is already happening. And it is resulting in arrests. However, the victims are finding it very hard to claim the money back, as the banks are taking no responsibility for it.

Things you can do:

  • Be very wary of giving your username and password to anyone unless you are very sure that the site requesting them is genuine.
  • Use a different password for different websites
  • If possible, disable the ability to purchase high-value items to limit the impact of a successful hijacking
  • Change your passwords regularly

Hoax Malware


If you’ve had an email account for any length of time, you will have received an email that probably starts along the lines of:

URGENT! VIRUS!

This information arrived this morning, from Microsoft and Norton. Please send it to everybody you know who accesses the Internet.

You may receive an apparently harmless email with a PowerPoint presentation called “Life is beautiful.pps.”

If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it immediately.

If you open this file, a message will appear on your screen saying: “It is too late now, your life is no longer beautiful”, subsequently you will LOSE EVERYTHING IN YOUR PC and the person who sent it to you will gain access to your name, email and password.

There are lots of these hoaxes floating around on the Internet; you just need to search for “hoax” at Symantec’s Security Center to see that there are hundreds. What people don’t appreciate is that the hoaxes also cause damage. People can panic when not fully aware of the facts, and Chinese whispers can distort a fairly benign situation into something seemingly far worse.

An example of this is today’s announcement by Facebook Security that rumours have started about a virus, called the “knob face virus”, that was supposedly affecting user profiles (full article is here). The full text states:

Virus spreading like wildfire on FaceBook!! It is a trojan worm called “knob face”. It will steal your info, invade your system and shut it down! Do NOT open the link “Barack Obama Clinton Scandal”! If “SmartGirl15” adds you, don’t accept it; it is a virus. If somebody on your list adds her, ……then……. you get the …………virus too!! Copy and paste to your wall

So, the advice? Don’t forward or post anything like this without checking it out. All it does is create fear and clog up inboxes.


I’m in the process of creating some “Top Ten Tip” flyers for work to try to distil some best practice into bite-sized chunks.

Here are my Top Ten Social Networking Tips:

  1. Never post anything you don’t want made public
  2. Check your privacy settings often
  3. Don’t use the same password as for your email account
  4. If one of your friends starts chatting and asking for money, phone them up!
  5. Don’t install apps you don’t know the provenance of
  6. Remember: everyone can read your tweets!
  7. Be careful about tagging other people in posts
  8. Don’t show your date of birth to anyone
  9. Be careful who you friend
  10. Consider the future implications of posts and pictures: nothing ever gets deleted

Are there any more important ones? What would you suggest?
