You are currently browsing the monthly archive for March, 2007.

A Canadian company came up with the idea of using a desktop webcam as an authentication device. The camera, essentially a biometric device, uses 40,000 identification points. Apparently, even if you had a beard and then shaved, the system will still recognize your face ( . . . your wife may not). I love this statement:

“The 3D DeskCam can remove the need for passwords, tokens or smart cards to log on to a computer or online services”

Yeah, right, we’ll be much happier to use a $350 desktop camera for authentication, rather than a ~$10 token, or ~$1 mutual authentication systems. And if you are reading this blog, chances are, you have more than one computer in your household.

Read the full article

Here is a different type of phishing scam, one that gets people to visit a website: “an attacker sends e-mails to managers seeking job applicants, asking them in a cover letter to visit a website to view a resume provided via a link. If a manager clicks on the link, the website then tries to execute a backdoor Trojan to compromise the machine”. The full article can be accessed here.

A little girl managed to enter the House of Commons at the British Parliament and attach a keylogging device to a Member of Parliament’s computer. It took only 15 seconds to do this and no one noticed. In a world where everyone is focused on screening for guns and explosives, a small $100 device could have created a security breach of astronomical proportions. Read the full article here.

Here is an article that provides some interesting data on phishing activity by day of the week and around major events. It’s great to know that phishers take time off during weekends, but they probably don’t like soccer. I wonder if it is possible to correlate the days when phishing activity is low with the countries that have national holidays on those days. That could be a pretty good indicator of where exactly the phishers “live, work and play”.

“During the second half of 2006, spam made up 59 percent of all monitored e-mail traffic. Thirty percent of all spam related to the financial services industry — for example, so-called pump-and-dump scams.

Over the last six months of 2006, Symantec tracked a total of 166,248 unique phishing messages — an average of 904 per day. That figure reflects a 6 percent increase over the first six months of 2006.

For the first time, Symantec tracked the impact a phishing attack had when it was sent on a certain day or around a certain event.

An average of 27 percent fewer unique phishing messages were sent on weekends than on weekdays, when 961 were sent on average. This trend indicates that phishing activity mirrors the business week, with attackers attempting to mimic a legitimate company’s e-mail practices, Symantec said.

Phishing activity increased during major holidays and other high-profile events, Symantec observed, such as the FIFA World Cup, with attackers crafting theme-specific social engineering ruses.”

During a phishing attack on MySpace.com, about 34,000 usernames and passwords were exposed. The most popular password . . . “password1”.

Yesterday, a man in Australia was caught hijacking email accounts and 90 eBay seller accounts by guessing the passwords, then selling imaginary iPods to buyers who trusted the positive rankings on those hijacked profiles. The article goes on to suggest that eBay and PayPal should use tokens to raise the security of the login process, as if it were possible to manage the logistical nightmare of giving out 100+ million tokens.

Dilbert - Phishing

Identity thieves make a living by knowing personal (and confidential) information about their victims so that they may profit by misusing it. However, that makes them the least identifiable people in the world, always hiding behind other people’s identities. The bigger the operation, the higher the risk, and it comes not only from the authorities: other hacker gangs want to know who their rivals are, in order to “police” the unpoliced territory.

This article on BBC talks about the rise in hijacked PC networks (botnets). “Alfred Huger, vice president of Symantec Security Response, said online criminals appeared to be adopting more sophisticated means of “self-policing”. He added: “They’re launching denial-of-service attacks on rivals’ servers and posting pictures online of competitors’ faces. . . . It’s ruthless, highly organised and highly evolved.”

Here is a bit of humor at the expense of usability.

Cartoon - Forgot Password

Definition: SMiShing is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. SMiShing is short for “SMS phishing.” David Rayhawk, senior researcher at McAfee Avert Labs, explains how SMiShing works in a blog post entitled ‘SMiShing – an emerging threat vector:’
“Some cell phone users have started receiving SMS messages along these lines: ‘We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order: www.smishinglink.com.’ (This is an example and was not a real url at the time of writing) This phenomena, which we at McAfee Avert Labs are dubbing “SMiShing” (phishing via SMS), is yet another indicator that cell phones and mobile devices are becoming increasingly used by perpetrators of malware, viruses and scams.

While some might recognize this as a scam, many unsuspecting users would not. Fearful of incurring premium rates on their cell phone bill, they visit the Web site highlighted in the message. Once they arrive at the URL, they are prompted to download a program which is actually a Trojan horse that turns the computer into a zombie, allowing it to be controlled by hackers. The computer then becomes part of a bot network, which can then be used to launch denial of service attacks, install keylogging software and steal personal account information and other malicious activities. Because monitoring botnet activity is complex, it is challenging to know the current scope of the problem.”

Mobile phones and devices and the wireless networks they connect to often lack effective security mechanisms. As a result, mobile devices are becoming an increasingly frequent target of attack. Rayhawk predicts that threats to cell phones and other mobile devices will become as common as those targeting the PC and that SMiShing attempts could eventually outnumber malware-laden e-mail messages. Furthermore, because users often forward messages to their personal computers, they may put their PCs and networks at risk as well.

According to Daniel Taylor, managing director of the Mobile Enterprise Alliance, best practices for mobile device security management should include:

  • Policies that help to address phishing.
  • Security software to address viruses and other malware.
  • A way to use over-the-air updates to re-image devices and recover data.

Users are advised to be as vigilant about security for their mobile devices as they are for desktop computers.

(Original Link)

I recently heard of a new phishing scam, where people (presumably browsing porn sites) will get to a page which will say:

“If you do not wish to see child pornography, click “No” and enter your password”.