Alerts


Someone somewhere has their identity stolen every two seconds. Now that’s scary. Go here to learn more about ID theft:
http://www.identitytheftfixes.com/how_much_do_you_really_know_about_identity_theft.html

You do not have to sign up for a paid service to protect yourself. You do need to follow good, safe practices, both online and off, to safeguard your sensitive information and your bank account.

Read my recent article here:
http://mypcsecurityblog.com/featured/id-theft-checklist-%e2%80%93-please-print-keep

It is a 10-point checklist you can print out and keep handy.

While we are on the subject of ID theft, here are the three critical pieces of your information that you should never reveal to anyone except your employer, bank, government agency or the like. They are your Social Insurance/Security Number, your date of birth and your mother’s maiden name.

This key information is used to organize and collate information about you. Guard it well.

Security company Sophos warned recently that hackers were making posts to Facebook’s Wall feature that linked to malicious Web sites. Facebook has now blocked the links from anywhere on its site, and told users how to remove the malware. The company says only a tiny fraction of its users were affected.

The posts impersonated friends, and asked you to click on a link to see a video supposedly hosted by . Clicking the link took you to a malicious Web site, where you were told to download the latest version of Flash Player in order to see the video.

If you did so, a Trojan would be installed on your computer. Then other malware would be downloaded and your PC taken over by the hacker.

There are some 80 million active users. If you are one of them, be cautious about clicking on links you see. Never ever share your password with anyone, especially not someone claiming to be a representative of the company. To begin your session, click your Desktop icon or Favorites link, or manually type www.facebook.com into your browser.

Do not connect via links in emails or on Web sites. It could be a phishing scam. Be on guard for similar attacks at other sites.

As expected, hundreds of people around the world have been scammed out of a lot of cash using fake Olympic ticket-selling Web sites. This sort of thing happens at every major news event, and will no doubt continue.

Two of the Web sites were www.beijing-tickets2008.com and www.beijingticketing.com. They have been shut down by the International Olympic Committee, but look for them to pop up again elsewhere.

Purchasers gave their and passport information while buying the non-existent tickets. The fake sites were very slick and convincing.

As I have said many times before, when buying anything online or giving sensitive info, make sure you are on a site that begins with https://… Look in your browser address bar. Look also for that little gold padlock in the upper or lower part of your screen.

These two indicators mean you are on a secure site, although it is not foolproof. Use care and common sense as well, when making purchases online. Try to buy from well-known merchants.

The Beijing opens tomorrow, and runs for about two weeks.

Next week, there will be a Black Hat computer security conference in Las Vegas. Researchers will talk about and demonstrate all sorts of evil, unethical or borderline software and techniques.

One such new program is a GIFAR, or hybrid file. It is a combination of a GIF (graphics interchange format) and a JAR (Java Archive).

When you open such a file, it will allow the attacker to run code in your , and therefore steal your login credentials from any account you log in to. The attack would work on any site that allows you to upload files.

Java is a programming language made by Sun Microsystems. is expected to issue a patch for shortly after the conference, to prevent this attack. In fact, it would be a good idea to check if you have the latest version now.

Go to http://java.com and click on “Do I have Java?” Follow the instructions.

The researchers claim that there may be many ways to mount this attack, and other types of attacks are possible. They say browser security needs to be much improved.

They may well be right, but here’s my question: Why do legitimate researchers spend their time thinking up attacks like this? Don’t they have anything better to do? Like thinking up new applications and improvements??

Here’s one more in a seemingly endless supply of IRS phishing scams. You get an email, supposedly from the Internal Revenue Service. It asks you to click on a link to an IRS site so you can fill out a form to get a tax refund. Of course it is a scam, designed to steal your personal information.

But watch out for unexpected twists and unusual variations. One such email had a link promising you a downloadable report on your employer. If you click on it, you will sure enough download something. But it will be malware, not a report.

Remember, the IRS does not send out emails advising people of tax refunds.

Meanwhile, in Quebec, Canada, the Government is warning people to avoid those online offers for foreign exchange trading. The emails, blogs, Web sites, etc. offer to teach you how to make big profits from trading. You can even sign up others under you and earn a commission, in an apparent pyramid scheme.

Foreign exchange trading is very risky. Big companies have lost millions, sometimes even billions, dabbling in this area. Since it appears to be a pyramid scheme, which is illegal in most places, you could be breaking the law if you sign up or sponsor someone else. Steer very clear of these schemes.

Syd Tash is a noted computer security consultant and author of How to Protect Your Computer Online. He has been keeping Internet surfers safe and secure since the last century. Find out how he does it; protect your own computer with five layers of protection right here:
=> http://MyPCSecuritySite.com

You may include these Tips in your Web sites and publications provided they remain unchanged and include the above paragraph, with the author’s name and Web site. You can also get a direct URL to this post. Click the title, then copy the URL in the browser address bar.

Hackers have recently released software code that could be used to exploit that serious flaw in the Domain Name System (DNS). The DNS is used to route traffic on the Internet, making sure it gets to the right computer.

Using this bug, a hacker could launch a phishing attack that is nearly impossible to detect. The only way to prevent such attacks is for your ISP to install the latest DNS server updates. This takes time.

The bug was accidentally disclosed earlier this month. But it had been known for months, as the big DNS software houses worked to fix it. These include Microsoft, Cisco and the Internet Systems Consortium (ISC).

There is not much you can do to protect yourself against this type of attack, except to be vigilant. Examine a site closely before giving sensitive info, and make sure it is secure. Minimize your use of online banking, for now. I’ll keep you posted.

You have no doubt heard of those Nigerian email scams promising you millions in commissions. All you have to do is open a bank account, and help with the transfer of the cash. And pay some fees and taxes. And bribes. And more fees… etc. etc.

I’m sure you have gotten plenty of these emails yourself. Well, MSNBC decided to try and find the people behind this fraud. Watch this fascinating video: http://youtube.com/watch?v=2-wFhy0ouzI

After watching the clip, you will see links to other, followup videos. Watch them too, if you like, and send the above link to your friends. It could save you a lot of money and grief.

Way back in 2006, the University of Michigan conducted a study of 214 banking sites. A few details of the study have just been released, with the full findings to come on Friday, July 25.

The study found that more than 75% of the sites had design flaws that could allow login credentials or other confidential data to be stolen. These are vulnerabilities that cannot be fixed with a software patch.

For example, nearly half the sites didn’t use SSL (secure sockets layer) to encrypt login pages. This makes it easier for a hacker to steal your login info, without you even knowing it. Another problem was putting sensitive or confidential information on insecure pages.

In some cases, users were allowed to choose weak IDs and passwords. Some banks emailed and statements, which is risky since email is not secure.

Although the study was done in 2006, many of the problems are believed to still affect banking sites. If you do your banking online, at least make sure that every page you enter data on is secure. It must begin with https://… and you must see that little gold padlock in the upper or lower part of your screen.
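One way a site owner could test for the login-page flaw the study describes, as an added example (not from the original post or the study): it flags any password form that is served over plain HTTP or that submits to a plain-HTTP address. The domain bank.example, the sample pages and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormScan(HTMLParser):
    """Collect each <form>, its resolved action URL, and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._open = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self._open = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_login_page(page_url, html):
    """Return findings for password forms that are served or submitted without HTTPS."""
    scan = LoginFormScan(page_url)
    scan.feed(html)
    findings = []
    for form in (f for f in scan.forms if f["password"]):
        if urlsplit(page_url).scheme != "https":
            findings.append("login form served over plain HTTP: " + page_url)
        if urlsplit(form["action"]).scheme != "https":
            findings.append("credentials posted over plain HTTP: " + form["action"])
    return findings


# Constructed sample pages on a placeholder domain (not real bank markup).
FORM = '<form action="{}"><input name="id"><input type="password" name="pw"></form>'
SAMPLES = {
    "http://bank.example/login": FORM.format("https://bank.example/auth"),
    "https://bank.example/login": FORM.format("/auth"),
    "https://bank.example/old": FORM.format("http://bank.example/auth"),
}

if __name__ == "__main__":
    for url, page in SAMPLES.items():
        print(url, "->", audit_login_page(url, page) or "ok")
```

The first sample is flagged even though its form posts to an https address: a page delivered over plain HTTP can be altered in transit before the visitor ever types a password.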

For more on Internet banking, read this post from last January:
http://mypcsecurityblog.com/alerts/do-you-do-your-banking-online-read-this

I have written before about the dangers of free music on the Web. Downloading music from those peer-to-peer networks exposes your computer to possible attack and infection.

We have two in my family, and we get our music from the Apple iTunes Store. (Yes, I pay $1 per song.)

The other day, yet another such danger surfaced. Windows users are vulnerable to malware that can insert links to malicious Web pages within audio or video content. When you play the music file, Internet Explorer launches and loads a dangerous site.

The site then asks you to download something, which of course is malware that infects your computer. The download could be a , for example, which hijacks your PC. This allows the hackers to take control of your machine and possibly use it to send out a flood of spam, or attack other computers.

Be especially wary if you get a pop-up upon playing audio or video content.

Say you get a call supposedly from the security department of your credit card company. They want to confirm a purchase made on your card. You inform them that you didn’t make the purchase.

The caller seems to have all your details, including card number, name and address. It sounds convincing and authentic. He even gives you a reference number and the toll-free number on the back of your card. He assures you the purchase will be cancelled.

Oh, and just before terminating the call, he asks you for those three security digits on the back of the card, to prove you do indeed have it in your possession.

Wham-O! That is the point of the whole exercise. With those three numbers, the crook can max out your credit card in minutes. Never give those numbers or any other information to anyone unless YOU initiate the call or contact.

In a case like this, ask the caller for his phone number, and say you will call him right back after verifying the number. That will usually send him scurrying back to the rathole he crawled out of.
