Monthly Archives: September 2011
You may now be savvy enough to know that when a friend reaches out on Facebook saying they’ve been mugged in London and are in desperate need of cash, it’s a scam. But social engineers, the criminals who pull off these kinds of ploys by trying to trick you, are one step ahead.
Social engineering attacks are getting more specific because targeted attacks are generating far better results.
What that means is the hackers may need to do more work to find out personal information, and it may take longer, but the payoff is often larger.
Today’s attacks are not just a broad spam effort, sending out a million emails with an offer for Viagra. These are now individual attacks where they are going after people one by one.
Here are five new scams circulating that involve greater individual information gathering tactics.
This is Microsoft support – we want to help
A new kind of attack is hitting many people lately. It starts with a phone call from someone claiming to be from Microsoft support, calling because an abnormal number of errors have been originating from your computer.
The person on the other end says they want to help fix it because there is a bug and they have been making calls to licensed Windows users. All this pretext makes sense; you are a licensed Windows user, you own a machine with Windows on it and the caller wants to help you.
The caller tells the victim to go to the event log and walks them through the steps to get to the system log.
Just about every Windows user will have a multitude of errors in the event log, simply because little things happen: a service crashes, something doesn’t start. There are always errors, but when an inexperienced user opens it up and sees all these so-called “critical errors”, it looks very scary.
At that point, the victim is eagerly ready to do whatever the alleged “support” person wants them to do. The social engineer advises them to go to Teamviewer.com, a remote-access service that will give them control of the machine. Once the social engineer has access to the machine, they then install some type of rootkit or other piece of malware that will allow them to have continual access.
Donate to the hurricane recovery efforts!
Charitable contribution scams have been a problem for years. Any time there is a high-profile incident, such as the devastating earthquake in Haiti or the earthquake and tsunami in Japan, criminals quickly get into the game and launch fake contribution sites. The best way to avoid this is to go to a reputable organization, such as the Red Cross, and initiate the contact yourself if you want to donate. However, a particularly vile social engineering ploy has cropped up recently that specifically targets victims who may have lost loved ones in a disaster.
In this example, about 8-10 hours after the incident occurs, web sites pop up claiming to help find those who may have been lost in the disaster. They claim to have access to government databases and rescue effort information. They typically don’t ask for financial information, but do require names, addresses and contact information, such as email and phone numbers.
While you’re waiting to hear back about the person you are seeking information on, you get a call from a charity. The person from the charity will often strike up a conversation and claim to be collecting contributions because they feel passionate about the cause as they have lost a family member in a disaster. Secretly, they know the victim they’ve contacted has lost someone, too, and this helps build up a camaraderie.
Touched by the caller, the victim then offers up a credit card number over the phone to donate to the alleged charity. Now they have your address, your name, your relative’s name from the web site and also a credit card. It’s basically every piece of information they need to steal one’s identity.
About your job application…
Both job seekers and head-hunting organizations alike are being hit by social engineers who know they are looking for employment or seeking new employees.
In both instances, this is a dangerous scam. Whether you’re the person looking for work or the company posting new jobs, both parties are stating – I’m willing to accept email attachments and information from strangers.
According to a warning from the FBI, more than $150,000 was stolen from a U.S. business via unauthorized wire transfer after the business received an e-mail, sent in response to a job posting, that contained malware.
The malware was embedded in an e-mail response to a job posting the business placed on an employment website and allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company, the FBI alert reads. The malicious actor changed the account settings to allow the sending of wire transfers, one to the Ukraine and two to domestic accounts. The malware was identified as a Bredolab variant, svrwsc.exe. This malware was connected to the ZeuS/Zbot Trojan, which is commonly used by cyber criminals to defraud U.S. businesses.
Malicious attachments have become such a problem that many organizations now require job seekers to fill out an online form, rather than accept resumes and cover letters as an attachment. And the threat for job seekers of receiving a malicious message from a social engineer is high, as well. Many people now use LinkedIn to broadcast that they’re looking for work, a quick way for a social engineer to know who is a potential target.
@Twitterguy, what do you think about what Obama said on #cybersecurity? http://shar.es/HNGAt
Social engineers are taking the time to regularly observe what people tweet about and using that information to launch attacks that seem more believable. One way this is happening is through popular hashtags. In fact, earlier this month, the U.K. debut of the new season of Glee prompted social engineers to hijack the hashtag #gleeonsky for several hours. British Sky Broadcasting paid to use the hashtag to promote the new season, but spammers got ahold of it quickly and began embedding malicious links into tweets with the popular term.
These spammers can redirect you to any webpage they like once you have clicked on the link. It could be a phishing site designed to steal your Twitter credentials, it could be a fake pharmacy, it could be a porn site or it could be a website harboring malware.
Twitter mentions are another way to get someone’s attention. If the social engineer knows enough about what you’re interested in, all they have to do is tweet your handle and add some information that makes the tweet seem legitimate. Say you’re the politically active type who has been tweeting quite a bit about the GOP primary race lately. A tweet that mentions you and points you to a link asking what you think about Mitt Romney’s latest debate statements can appear perfectly legitimate. Once you’ve clicked through – they’ve got you!
Get more Twitter followers!
Be wary of services claiming to get Twitter users more followers. If you spend any time at all on Twitter, you’ll see tweets all over that say something like: “GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME – [LINK]”. Clicking on the link takes the user to a web service that promises to get them many more new followers.
The pages ask you to enter your Twitter username and password. That request alone should instantly have you running for the hills – why should a third-party webpage require your Twitter credentials? What are the owners of these webpages planning to do with your username and password? Can they be trusted? Twitter itself even warns about these services on their help center information page.
“Remember, when you give out your username and password to another site or application, you are giving control of your account to someone else,” the Twitter rules explain. “They may then post duplicated, spam, or malicious updates and links, send unwanted direct messages, aggressively follow, or violate other Twitter rules with your account. Some third-party applications have been implicated in spam behavior, fraud, the selling of usernames and passwords, and phishing. Play it safe – do not give your username and password out to any third-party application that you have not thoroughly researched.”
These are just some common sense rules to follow. For more information visit the Department of Homeland Security Website and blog: http://blog.dhs.gov/2011/07/protect-yourself-against-social.html
The cloud is now your hard drive. And not just a few dozen gigabytes, terabytes or even petabytes, but all of it – infinite storage – for only $10 per month. That’s the incredible promise of the new TechCrunch Disrupt finalist Bitcasa.
The company is launching a new cloud storage, syncing and sharing service that blows away its competitors, including hard drive manufacturers and online services like DropBox and SkyDrive, with ease. In fact, beyond the pricing and limitless storage, the most disruptive thing about the service is its complete integration with your device. You don’t see it, it’s not an icon on your desktop, you don’t drag-and-drop files or folders into it. Instead, you write to the cloud when you save a file on your computer. The cloud is your hard drive, and your actual hard drive is just the cache.
The idea of using the cloud to store files or sync files between devices is not new. Dropbox, SkyDrive, Google Docs, Amazon and countless others have been offering online storage for some time. Plus, companies like Mozy and Carbonite use the cloud to back up your files. Other services, like Megaupload or YouSendIt revolve around sharing files through the cloud.
But Bitcasa is not like any of those services. It doesn’t move files around. It doesn’t sync files. It deals in bits and bytes, the 1s and 0s of digital data.
When you save a file, Bitcasa writes those 1s and 0s to its server-side infrastructure in the cloud. It doesn’t know anything about the file itself, really. It doesn’t see the file’s title or know its contents. It doesn’t know who wrote the file. And because the data is encrypted on the client side, Bitcasa doesn’t even know what it’s storing.
So if you want to cloud-enable your 80 GB collection of MP3s or a terabyte of movies (acquired mainly through torrenting, naughty you!), go ahead. Even if the RIAA and MPAA came knocking on Bitcasa’s doors, subpoenas in hand, all Bitcasa would have is a collection of encrypted bits with no means to decrypt them.
If you’re still having a hard time wrapping your head around this idea, think of it like this: instead of relying on the fallible and limited hard drive in your computer (and soon, your smartphone), your data is stored on an array of thousands of hard drives and streamed to you on demand. And in order to deal with the “offline” problem, the files you use the most are intelligently cached on your computer, allowing you to work when the cloud goes down, which is rare, as well as when you don’t have an Internet connection, which is more common.
Sharing files via Bitcasa is simple too: just copy and paste a file’s or folder’s link (a URL, available on right-click) and send to someone via email, IM or some other service. They click the link to have the file delivered directly to their desktop.
And the pricing! How on earth is it so cheap?
That’s the easy part, actually. Bitcasa CEO Tony Gauda explains that $10/month still gives the company good margins. The fact is, 60% of your data is duplicate. If you have an MP3 file, someone else probably has the same one, for example. Each person only tends to have around 25 GB of unique, personal data, he says. Using patented de-duplication algorithms, compression techniques and encryption, Bitcasa keeps costs down (way, way down, but that’s its secret sauce), which is what makes it so affordable. Bitcasa also explained that a freemium model is on its way with less-than-unlimited storage for free.
This service sounds almost too good to be true, leaving us with questions that still need to be answered. Does it really work? Does it slow down your computer? Can it scale? The company is positive it’s ready, but we need to see it to believe it.
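How client-side encryption and cross-user de-duplication can coexist is worth seeing concretely: with convergent encryption the per-file key is derived from the file’s own contents, so identical files held by different users produce identical ciphertext that the server can store once without being able to read it. The Python below is an added illustration, not Bitcasa’s patented scheme (the post does not describe it); the HMAC-SHA256 toy stream cipher and the `DedupServer` class are constructed for the example, and `confirms_file` shows the privacy trade-off such a design carries.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Added teaching example, not Bitcasa's patented scheme: convergent encryption
# derives each file's key from the file's own contents, so two users holding
# the same bytes upload the same ciphertext and the server stores it once
# without ever learning the key. The stream cipher is a toy (HMAC-SHA256 in
# counter mode) so the example needs no third-party library.


def content_key(plaintext: bytes) -> bytes:
    """Per-file key: a hash of the plaintext (the 'convergent' step)."""
    return hashlib.sha256(b"convergent-key|" + plaintext).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same op."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, len(data))))


def client_upload(plaintext: bytes) -> Tuple[str, bytes, bytes]:
    """What a client sends (id, ciphertext); the key never leaves the client."""
    key = content_key(plaintext)
    ciphertext = xor_stream(plaintext, key)
    storage_id = hashlib.sha256(ciphertext).hexdigest()
    return storage_id, ciphertext, key


class DedupServer:
    """Constructed storage back end: keeps ciphertext by id, sees no keys."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}

    def store(self, storage_id: str, ciphertext: bytes) -> bool:
        """Return True when the blob already existed (de-duplicated upload)."""
        if storage_id in self.blobs:
            return True
        self.blobs[storage_id] = ciphertext
        return False

    def confirms_file(self, guessed_plaintext: bytes) -> bool:
        """The trade-off: identical plaintext always maps to the same id, so
        anyone who can guess a file's exact bytes learns whether some user has
        stored it, even though the contents themselves stay encrypted."""
        guessed_id, _, _ = client_upload(guessed_plaintext)
        return guessed_id in self.blobs
```

The "60% of your data is duplicate" saving comes from `store` returning True for the second user, while `confirms_file` is the reason a provider using this approach cannot claim to know nothing at all about the files it holds.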
Bitcasa currently has 20 patents for its technology and plans to add more in the future. It will also offer mobile applications that run in the background to do on mobile what it does on the desktop today. And it will work on other features, like real-time video transcoding, so your movies can stream to any device, without any manual effort on your part. There are even more things in the works, too, but those are being kept tightly under wraps for now.
The Bitcasa founders include CEO Tony Gauda, Joel Andren and Kevin Blackham, whose combined work experience includes time spent at MasterCard, VeriSign, Classmates.com, Mozy and more. In total, Bitcasa has raised $1.3 million from Andreessen Horowitz, First Round Capital and Pelion Venture Partners.
On Tuesday, September 13, at 9AM Pacific Time, someone from Microsoft will take the stage at Microsoft’s BUILD conference in Anaheim, California to present the opening keynote and offer the first extended public demonstration of Windows 8.
I have no inside knowledge of Windows 8 and haven’t seen it except for video clips and pictures you can find all over the internet, but rest assured, Windows 8 will be another game changer with a long list of “features” we’ll all need to master.
The Windows 7 release accomplished Microsoft’s immediate goal of cleaning up the Windows Vista mess while attempting to establish Microsoft’s reputation for delivering a well-engineered piece of software on a predictable schedule. With the Vista debacle in its rear-view mirror and Windows 7 being more widely adopted every day, Microsoft concentrated on fundamental improvements in performance, reliability, and the ever-important user interface.
Based on current rumors and videos floating around the web, here are a few “sneak peeks” at Windows 8 and some of the changes we can expect:
- The new OS will run on x86 systems as well as new designs based on ARM processors. System requirements will be equal to or lower than those of Windows 7.
- It will have a new Start screen, designed to work equally well with a touch screen or a mouse and based on the same design principles used on Windows 7 Phone devices.
- A new generation of full-screen applications (based on HTML5) will be especially well suited for tablet devices.
- The traditional Windows desktop, with support for all the programs you can use today on Windows 7, will be available as a full-screen app, with the capability to switch from the desktop to a full-screen app with a gesture. If you’ve had an opportunity to play with a new MacBook, you’ll understand just how cool “gesture
- Internet Explorer 10 will be part of Windows 8, and the Trident rendering engine will be at the heart of the new Start screen and application model.
- The ribbon, a feature so many of us didn’t like in MS Office, will be a key part of the interface for Windows Explorer and other utilities that run on a traditional Windows desktop.
- There will be a new, Microsoft-managed App Store.
By the end of the day on Tuesday, after day one of Microsoft’s BUILD conference concludes, we’ll know much more about Windows 8. Hopefully, the conference will answer some of the questions Microsoft watchers have been asking over the past few months, questions like…
How will Microsoft manage the transition to a new interface?
Windows 8 will include two interfaces: the “modern” Metro-style interface and the traditional desktop as embodied in Windows 7. This means that business owners will need to carefully evaluate the “re-training” costs associated with a different “tablet style” interface, and 3rd party application developers will need to decide in which interface to invest their development resources. This question will be on the minds of many BUILD conference attendees.
Where is Microsoft’s cloud strategy?
Microsoft has spent the past few years building up its cloud-based offerings. With a Windows Live ID, you can get 25 GB of online storage for documents and photos. You can sync a separate 5 GB of data to SkyDrive using the Windows Live Mesh utility as well, but that’s about it. Google and Apple have already gone public with their cloud solutions. Will the Microsoft cloud picture get clearer this week? Let’s hope so.
Can a Microsoft Windows powered tablet really wait till mid-2012 or later?
The stunning success of Apple’s iPad means there’s some urgency for Microsoft to respond. But a hasty response can be worse than none at all. Just ask HP, which abruptly canned its TouchPad less than two months after rolling it out to the market. Or ask anyone you know who bought a current-generation Android tablet and is now struggling to make it work.
Based on these competitors’ experiences, Microsoft’s decision to wait until it can release a combination of hardware and software that works well together is the right one. One rumor floating around today is that Windows 8 could be delivered in two releases: one version exclusively for ARM-based tablet devices, early in 2012, followed by the full Windows 8 release for traditional PCs later that year.
How much will it cost?
There’s really no way to answer this question without first defining the list of Windows 8 editions. Windows 8 will be delivered in multiple versions just like Windows 7 – at a bare minimum, there will be one for consumers and another for businesses on enterprise networks.
Most copies of Windows are sold through hardware manufacturers on new PCs, so don’t expect that to change for Windows 8. With Microsoft’s decision to engineer Windows 8 to run on existing hardware, it wouldn’t surprise me to see discounted upgrades for Windows 7 users. Windows XP and Vista users – my bet is that you’re out of luck – no discounts for you.
There are many more questions waiting to be answered at this conference. If you haven’t seen any pictures of Windows 8, take a look at this article from PC MAGAZINE.
You can follow along with the BUILD conference here:
Or just Google “Pictures of Windows 8”. There’s a bunch out there!