Your Daily Computer Security Tips

A new type of vulnerability has emerged, that could affect all major browsers. It is being called clickjacking. In essence, your clicks are being hijacked. The researchers who found it just recently are not releasing much information, while the browser publishers work on a fix.

The exploit appears to work as follows. A button linking to a malicious site, or set to perform an unwanted action, can be made to hover invisibly under your mouse pointer. When you click on something you actually see on the Web page, you are also clicking on that invisible button.

The researchers have contacted Microsoft, Mozilla and Apple, makers of the Internet Explorer, Firefox and Safari browsers respectively. These three account for 98% of all browsers. The companies are working on a fix to this problem.

Flash Player from Adobe also appears to be indirectly affected, and they, too, are working on a patch. Flash is a multimedia content player that most of us have installed on our PCs.

Stay tuned for more details.

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

The ingenuity and brazenness of hackers never ceases to amaze me. Here’s the latest. A Trojan called Limbo is circulating on the Web. A Trojan is a program that you think does a particular task or operation, but in fact does something else entirely, usually malicious. Remember your Greek mythology.

Limbo integrates itself into your browser using HTML injection, also known as cross-site scripting (XSS). This usually involves a maliciously crafted link. When clicked, it creates new content for you, the user. So then you visit your bank site, which is of course supposedly secure. But you may notice that you are being asked for additional information.

You see new data fields that were never there before. That’s Limbo, hard at work trying to steal your bank card number or login credentials. At the moment, the only way to detect this type of malware is for you to be vigilant!

If you see extra data entry fields on a secure site, or if it looks different in any way, do not sign in. Take a screenshot by pressing Print Screen on the upper right of your keyboard. The page is now in your Clipboard. Or save the Web page. Call or email the company.

How did this malicious code get onto your PC? In the usual way. You downloaded something from an unknown or untrustworthy source. Or perhaps you responded to a pop-up, a phishing scam or a spam email. In any case, you must be prudent, especially with online banking.

These sites use SSL encryption, which has never been broken. But this is not the first time the scammers have made an end run around that encryption, to relieve you of your personal info and then your cash.

Ever wonder what happens to stolen credit card numbers, or bank login or your other sensitive info? How and where is it bought and sold? For how much?

Watch this video. It is a real eye opener. I hope it makes everyone take better care of their personal data. Go here.

Sara Palin, the Governor of all the Alaskans and VP candidate, had her Yahoo email account broken into just the other day. The contents were put on the Web for all to see.

So it seems like a good time to review a few points for good email practices and security. There is nothing wrong with the free, Web-based email services like Yahoo, Hotmail and Gmail. Using the email services of your ISP or your company will not automatically keep you safe.

Follow these few guidelines in any case:

1. Use a password of at least eight characters, including special characters such as ?, *, !, $, # if possible. Avoid actual words. Words can be guessed, especially by someone who knows your likes, dislikes and habits.

Do not use words like your favorite restaurant, college, your dog’s or kid’s name, nearby landmark, etc.

2. For your password reset question, use something obscure and unusual. If you use your mother’s maiden name, for example, change the spelling.

3. Make sure you are on a secure page when you sign in to your email account. Yahoo and Gmail provide a secure page by default. But with Hotmail, you have to click the link, “Sign in using enhanced security”.

4. Change your passwords every few months.

Wanna find some information or a picture of your favorite Hollywood star on the Web? Or maybe their bio? Be careful, and make very sure all your security programs are running and are up to date. Why?

Because security company McAfee says the hackers and scammers are using popular stars such as Brad Pitt to draw victims to their Web site. Once at a malicious site, your PC will be infected with malware. Or you will start to receive phishing scams and adware.

For example, McAfee says if you search for pictures, wallpaper and screensavers of Brad Pitt, you have an 18% chance of landing at a hacker’s Web site, where bad things are bound to happen to your computer.

Other celebrities for whom it is dangerous to search include Beyoncé, Justin Timberlake, George Clooney and Mariah Carey. Surprisingly, Paris Hilton did not make the list, after ranking as the #1 most hijacked celeb last year.

This is just one more reason to always follow safer surfing practices without exception. So if you want celebrity news and gossip, stick to well-known, reputable sites.

Craigslist is the most popular classified ad board on the Internet. It is also being flooded with fake ads by the crooks. So say the police and a woman in Vancouver, Canada named Meg. Meg says she has been watching Craigslist for years.

One popular fraud is the rental scam. Criminals posing as landlords collect deposits on apartments in buildings they do not own. Meg claims that 20 – 40% of all rental ads in the city of Vancouver are fake.

Stolen goods being offered for sale are another big problem. Police in the west coast city say they receive complaints daily about these two Craigslist frauds.

Craigslist itself said the number of illegal ads is very low, when you remember there are some 30 million ads a month posted on the ad board. The spokesman noted that it is Buyer Beware.

Another recent unsavory incident happened to a father of four in Maine. He advertised his handyman services, saying he needed the money to feed his children. Someone emailed him, offering cash to have sex with one of his kids.

If you buy or sell on Craigslist or in any other online venue, be careful. Read the safety and good practices tips these sites usually provide.

Late last week, Trend Micro released an update to its antivirus program, that mistakenly identified up to eight Windows files as Trojans. The files were then quarantined. This prevented some computers from booting up.

Both Vista and XP were affected. Some users reportedly still have not regained control of their PCs. The programs in question are Trend Micro AntiVirus, AntiSpyware 2008, Internet Security 2008 and Internet Security Pro 2008.

Trend Micro quickly issued a replacement definitions update, as well as a recovery document for those still in trouble. The document contains step-by-step instructions on how to boot into Safe Mode and download and run a utility that moves the quarantined files back to their proper location.

Back in 2005, Trend Micro experienced a similar foul-up with another bad signature file. More recently, Symantec caused many Chinese computers to freeze last year, as its antivirus program mistook two Windows .dll files for malware. Dll files are files that are available to and shared by several programs.

Google’s new browser, called Chrome, has only been out for a few days, but already researchers are reporting vulnerabilities in it. One flaw would enable a hacker to construct a malicious link. If you click on it, the browser crashes.

Another more serious bug could allow you to download and execute dangerous code. This is partly due to the fact that Google built Chrome with older Webkit technology that permits the vulnerability.

One researcher said that Chrome uses technology from several different browsers, putting users at risk “for a long time”.

The browser’s licensing agreement has raised hackles across the Internet. You must agree to give Google a perpetual, free license to any content you post or display in, on or through Chrome. Among other things, this outrageous clause raises problems if you do not own the copyright to the material you are looking at, and therefore cannot, of course, grant it to a third party. Google says it will amend the offending language.

Early reviews of the browser have been mostly positive otherwise. It has already grabbed 1% of the browser market.

Yesterday I mentioned that a second Beta version of Internet Explorer (IE) 8 is out. I don’t usually suggest you mess with Beta (test) versions of anything. But if you are an advanced user and want to go ahead, there is something you should know.

IE 8 has a feature called InPrivate which is supposed to delete your browsing history and other personal data. And it does. Sort of. But do not depend on it to hide your tracks, because forensic experts can very easily reestablish where you have been on the Web.

The InPrivate Browsing feature prevents the browser from storing any cookies. But it does not disable the cache, where your recently visited sites are stored for quick retrieval. The funny part is, privacy is supposed to be a top priority for IE 8.

Microsoft said the InPrivate feature is designed to keep the average user out of another user’s browsing history, not to protect the data from security experts. Firefox 2 and 3 work in a similar way, but at least they have extensions available that make it a little harder to snoop on you.

You can get Internet Explorer 8 (Beta) free here.

Do you use OE? Your messages automatically open in the preview pane when you open OE. This could be dangerous. We all get many HTML email messages these days, right? An HTML email can be just as risky as a Web site. It can contain all sorts of malware, which can execute when opened.

You should turn off this preview feature, so you can inspect the email before you open it. If it seems to be spam, you will delete it without opening it, won’t you? You betcha. Here is how to turn it off:

Click View, Layout and clear the check mark beside “Show preview pane”. Click Apply, OK. While we’re at it, here are two more steps to take, to keep yourself safe. Click Tools, Options, and click the Read tab. Check the box, “Read all messages in plain text”. Click Apply.

Now click the Security tab. Under download Images, click the box that says, “Block images and other external content in HTML e-mail”. Click Apply, OK. Now to view an email, click on it.

There you go. You are now a bit safer on the Internet. In other email clients, look for similar settings, and do the same thing.