Wednesday, April 25, 2007

Phone Forwarding Phishing

There's a report in "The Register" (here: http://www.theregister.co.uk/2007/04/25/call_forwarding_phish/ ) about phishing attempts that include instructions to dial a special phone number to verify the email.

The 'special phone number' starts with "*72", which (in the US) forwards all incoming calls to the number dialed after the "*72". So once you fill in their form (with all the usual details) and dial the number, your phone is forwarded and any future calls to you go to the phisher.

Although it would seem that one would be able to trace the forwarding number (perhaps not, with services like Skype), the forward gives the phisher what they need for financial fraud: forward the victim's number, then start applying for credit cards in the victim's name. Any verification calls will be answered by the phisher.

Sort of a 'man in the middle' attack.
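Since the lure in this scam is a dialing instruction rather than a link, the usual URL-based phishing filters won't see it. The following is an added example (not from the Register article or this blog) of a small mail-filter check that flags message bodies containing a call-forwarding activation code followed by a phone number. The "*72" code is the one from the post; the "*21*" / "**21*" GSM forwarding codes are added as the mobile equivalents. The sample message body is constructed for the demo, with a 555 number.

```python
import re

# Vertical service codes that activate unconditional call forwarding.
# *72 is the North American code named in the post; *21* and **21* are
# the GSM-handset equivalents. Whatever follows is the destination number.
FORWARD_CODES = {
    "*72": "North American call-forwarding activation",
    "*21*": "GSM unconditional call forwarding",
    "**21*": "GSM unconditional call forwarding",
}

# A code, then 7 to 15 digits with optional separators, e.g. "*72 555-0100".
# The lookbehind avoids matching the tail of some longer code or number.
_FORWARD_RE = re.compile(
    r"(?<![\d*#])(\*\*?21\*|\*72)[\s\-().]*((?:\d[\s\-().]*){7,15})#?"
)

# Words that usually accompany the lure; used only to raise the score.
_VERIFY_RE = re.compile(r"\b(verify|verification|confirm|activate)\b", re.I)


def find_forwarding_codes(text):
    """Return every forwarding code + destination number found in text."""
    findings = []
    for m in _FORWARD_RE.finditer(text):
        code = m.group(1)
        digits = re.sub(r"\D", "", m.group(2))
        findings.append({"code": code, "number": digits,
                         "meaning": FORWARD_CODES[code]})
    return findings


def score_message(body):
    """Crude risk score: 2 per forwarding instruction, +1 if it also asks
    the reader to 'verify' something. 0 means nothing suspicious found."""
    findings = find_forwarding_codes(body)
    score = 2 * len(findings)
    if findings and _VERIFY_RE.search(body):
        score += 1
    return score, findings


# Constructed sample body for the demo (not a real message).
SAMPLE_BODY = (
    "Please verify your account by dialing *72 555 0100 from your home "
    "phone, then reply with the details below."
)

if __name__ == "__main__":
    s, hits = score_message(SAMPLE_BODY)
    print("score:", s)
    for h in hits:
        print(h)
```

A score above 0 would route the message to quarantine or at least strip the instruction; the regex deliberately does not try to validate the number itself, since the point is the presence of the activation code in an email at all.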

The SecurityDawg's rule: any email asking for personal information gets sent directly to the trash. The Dawg does not give out his credit card number to anyone that asks.

Tuesday, April 24, 2007

Real Time BlackList Checking

One of the things I do in my 'day job' is to monitor the email system. We get a lot of email here at the office.

Our daily 'email load' is about 250K messages/day. Of those, we block about 150K messages using real time blacklists. The other 100K of messages are about 75-80% spam, which is filtered with our email filter program.

You can see that using Realtime Blacklists can really reduce the load on a mail server, blocking a lot of spam.

But there can be 'issues'. If your mail domain name gets on a blacklist, then you'll start having email problems. Sometimes it's random: if your ISP has multiple servers handling the mail, then you might get randomly assigned to a mail server that has problems.

There are ways to check if your domain name (the part after the "@" in your email address) is on a blacklist. One good site I found is here: http://www.robtex.com/rbls.html . Just type in your domain name, and see if you are on any of a number of blacklists.

There's some really technical stuff in their results, and they also have some other great tools to look up information about your domain name.

Recommended.

Friday, April 20, 2007

Backups? I Don't Have No Steenkin' Backups!

How are your backups doing? Have you tested them lately? Do you transfer them to off-site locations? Is the data encrypted (if it contains personal or confidential information)?

What about all those pictures from your camera? On your home computer somewhere? Have you copied them to a CD/DVD and stored that off-site?

Here's how to judge your backup strategy: what if your computer and all its data mysteriously disappeared?

Looks like a good task for this weekend.
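"Have you tested them lately?" is the part most people skip, and the test is not "the backup job finished" but "I restored the files and they are byte-for-byte what I backed up". The following is an added example (mine, not the blog's) of the minimum check I'd script for that: hash every file before the backup, then compare a restored copy against that manifest and report what is missing, changed or extra. The `demo` function builds a constructed photo folder in a temporary directory, makes one good restore and one damaged restore, and verifies both; in real use you would save the manifest alongside the backup and run `verify_restore` after restoring to a scratch directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """SHA-256 of a file, read in 1 MiB chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_restore(source_manifest, restored_root):
    """Compare a restored tree against the manifest taken before backup."""
    restored = build_manifest(restored_root)
    missing = sorted(set(source_manifest) - set(restored))
    changed = sorted(p for p in source_manifest
                     if p in restored and restored[p] != source_manifest[p])
    extra = sorted(set(restored) - set(source_manifest))
    return {"ok": not missing and not changed,
            "missing": missing, "changed": changed, "extra": extra}


def demo():
    """Build a constructed source tree, one good and one damaged restore,
    and return (good_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "photos")
        (src / "2007").mkdir(parents=True)
        # Constructed sample files; contents are arbitrary bytes.
        (src / "2007" / "img001.jpg").write_bytes(b"\xff\xd8 sample jpeg bytes")
        (src / "notes.txt").write_text("constructed sample file\n")

        manifest_path = Path(tmp, "photos.manifest.json")
        save_manifest(build_manifest(src), manifest_path)
        manifest = load_manifest(manifest_path)

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "notes.txt").write_text("bit rot\n")      # silently corrupted
        (bad / "2007" / "img001.jpg").unlink()             # never restored

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good, bad = demo()
    print("good restore ok:", good["ok"])
    print("bad restore:", bad)
```

The manifest is the piece worth keeping off-site with the backup itself: a backup you cannot verify is only a hope, and a CD that has quietly rotted looks exactly like a good one until you hash it.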

Monday, April 16, 2007

All Your Computers Belong to Us?

If you are on a corporate network, does your computer (and the stuff that you have on that computer) belong to you? Or does the company own it?

If the computer is provided by the company, then they own it. And they also own everything you do on that computer, even things that you might think are private.

This is especially true if they have policies in place that define that ownership. For instance, does your login screen say that by signing in, you agree to the company policies regarding computer use? Did you sign a computer use policy?

If your company wants to protect their information, then these things should be in place.

Even if you connect your own personal computer to the company network, you may not be protected. By connecting, you are (if the company has those policies in place) agreeing that the company has the right to monitor your use while on the network.

If you have some personal stuff on your computer, then you had better take precautions. Delete (and even 'wipe') anything that you wouldn't want others to see. Use your work computer for work purposes. Keep that personal stuff private.

Wednesday, April 11, 2007

Checking Your Computer for Malware

I was asked how to ensure that a computer is not infected with evil programs. So this post is sort of a primer in exorcism.

First, I would run a full anti-virus scan on my system (with current anti-virus updates installed). I would also look for the icon in the taskbar associated with the anti-virus program. (Some malware will try to disable or stop your anti-virus program, so the icon may not be visible, or it might have a "slash" across the icon indicating it is disabled.) And I'd use the anti-virus program's "console" to check out the configuration, to ensure that the proper protections are in place. I might also use an on-line virus scanner from McAfee or other mainstream company as a double-check. (I would be very wary about a "virus scanning service" shown via a pop-up advertisement.)

Next, I'd run a spyware detection program, getting rid of all items found except for cookies (which I consider mostly benign). I think that Ad-Aware Personal Edition or Spybot Search & Destroy are good choices that are free for personal use. Watch out for similarly named programs.

Another check is to watch network activity while the computer is idle. I would watch the lights on the modem when the computer is idle. If you see activity via the lights, then it's possible that something is going on in the background.

Then I would run a root-kit detection program. There is one from F-Secure called "Blacklight rootkit eliminator" that is in beta at the moment, and therefore free for personal use. The link is here: http://www.f-secure.com/blacklight/blacklight.html . It is a standalone executable, doesn't install, and has separate Windows and command-line versions. I've heard good things about it. I just tested it on one of my systems, and the scan took under 10 minutes. It is able to find hidden stuff, and also able to remove it (although you should take care to back up your important data first).

If you find some sort of malware or rootkit, eliminating it can be difficult. Depending on your system's use (for instance a corporate server), you might want to entirely rebuild the system by reinstalling (not repairing) the operating system and applications. A backup of your important data to CD/DVD would be a good thing to do first (two separate backups are better).

You might also want to do some physical checks. For instance, there are keystroke loggers that connect directly to your computer's keyboard cable or USB port. One keyboard keystroke logger looks just like the round plug at the end of the keyboard cable. You may want to set up a power-on password (in the BIOS setup) in addition to having a password-protected login. This might be important to do for a laptop. And consider disk encryption if you have confidential information on the hard disk.

Another BIOS configuration change would be to ensure that your 'boot' order is only the hard disk. Don't allow booting up from floppy, CD, or USB drive (which is the default on many systems).

And, there's the "Safe Computing" thing....

Sunday, April 8, 2007

You Can Be Safe on the Interweb

It's possible to be safe on the Interweb. It takes a bit of effort, but it's not that hard. Here's one way:

Make sure that your computer is current with patches and updates, no matter what your operating system. In Windows, enable Automatic Updates.

If you don't know how, start at Microsoft's "Security" page: www.microsoft.com/protect .

There's lots of help on those pages on how to be safe on-line. There's help for parents, kids, business, and more. There are articles and videos.

Got some other tips? Leave a comment.

Monday, April 2, 2007

Thoughts on the Windows Animated Cursor Exploit

The big news in computer security land is the latest animated mouse cursor problem. It's been getting a lot of press in the computer world, and has resulted in the Internet Storm Center ( http://isc.sans.org ) raising their 'threat level' to yellow.

This exploit can be triggered by a link in email, or by going to an infected web page. And it can result in letting the hacker execute programs on your computer.

Now, that's not a good thing. But my current thinking, which I haven't seen disproved, is that the risk from such an exploit can be mitigated by safe computing practices, including current anti-virus protection.

Here are my thoughts.

Assuming that I have current AV running (happens to be McAfee Viruscan), if I visit an ani-evil site, the ani-exploit might work. But wouldn't the subsequent actions of the ani-exploit be sensed and blocked by my AV?

For example, if the ani-evil site attempted to download and run a keystroke logger, wouldn't that action of trying to download (or even load) the keystroke logger program get caught by my current AV?

My point is that the zero-day action may not be caught, but the subsequent actions of downloading/executing malware *would* be caught by a current AV-protected system, with a good firewall.

And in all the hysteria about this exploit, I am not convinced that the exploit, while real, will cause a 'safe computing person' like me any problems.