Apr 29
Spyware database, education, events, for-some-scams, government, malware, microsoft, open-source, Phishing, privacy, research, security, Spam, Spyware, voip, vulnerabilities, wiki, windows, wireless
I remember several years ago learning about how CAPTCHAs work. Companies were developing exciting, interesting, cute and fuzzy new types of CAPTCHAs using animal faces and other images, in order to outsmart the captcha crackers.
The fact is that many common captchas that show numbers and letters can be hacked by computer programs. And another problem is that the better captchas are often illegible even to humans–mostly because the captcha itself is illegible, not because the humans aren’t up to snuff.
Clearly the CAPTCHA system in place now is a highly flawed system. Not only is it ineffective, but it also blocks people who genuinely are human and want to use a site. I can’t say how many comments I’ve been about to leave on articles or blogs, which I’ve abandoned cuz I didn’t want to jump through the captcha hoop. Ridiculous.
So why haven’t they been replaced by more effective, smarter captcha types, the ones I was studying about years ago? Well, it’s because those really aren’t any better. Many captchas get broken by human scammers as much as super intelligent computer crackers.
There really is a human on the other end breaking the captcha: laborers getting paid a penny or less per captcha they crack, hired by scammers. Even if the job requires robot-like and monotonous tasks, the hired hands are still smarter than the captcha programs.
Once cheap labor with human intelligence starts being employed to overcome the security programs we have in place, the game is pretty much over. We’ll still need captchas and security programs to catch the bulk of the problem, but no computer program for security in the world is going to be able to overcome the real zombie army. The real zombie army isn’t made of computer bot programs secretly infesting unwary grannies’ computers–just the automatons willing to work for next to nothing for scammers.
Why do they do this? Well, the money isn’t very good, but it’s there. Everyone needs a job. So, I would have to conclude the real problem is poverty that would drive people to that kind of work.
We can’t build a security program that will overcome that kind of scam system, or root out the cause of the problem. It’s something we have to do socially, and globally, instead.
Read more:
For Some Scams, Cheap Labor Replaces Technology
Apr 27
Just take a look at this fun little word cloud generated by the scripty toy Wordle.net to find out what we’ve been posting lately–
…you put your right click in and it shakes the words about…

I found this toy through the PCI-focused blog written by Michael Dahn this morning. Dahn uses it to create word clouds for his favorite Ten Greatest Books of All Time. Fun to read!
The toy seems to just take the first page or selected entries from the blog though, rather than its sum entirety. It made me think about spam filters and their level of assessing the text of emails.
Of course, spam filters have various levels of ability to read emails; some can only read the headers and not the content, while the more intelligent filtering programs can read the content and learn what is and is not a risk.
Of course many filters will automatically mark emails that have certain keywords like cialis or viagra as spam, or emails that contain a certain percentage of risky words. I imagine the more advanced also learn by what the user marks as spam, what type of content is unwanted, but can also make distinctions based on headers. For example, I might not really want random people sending me press releases about random computer programs or even security products, but I have spoken with many PR reps and spokespeople from various companies and am more likely to read their releases.
My current spam filter is pretty much crap, but ideally it would send through emails written directly to me from people I’ve spoken with before. Then it would filter all the random press releases into a spam folder and mark all the generic press releases I get from my contacts as potential spam in my inbox.
I think they are more likely to work by whitelisting the people you’ve emailed before, however that doesn’t really protect users from mass emails from their contacts. And those mass emails are often what could be infected with a virus or malware, if your contact’s computer has been compromised.
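The three mechanisms described above (a hard keyword rule, token weights learned from what the user marks, and a sender whitelist that is not trusted for mass mailings) as an added example; this is not code from the original post, and every address, contact and message in it is constructed for the demo.

```python
import math
import re
from collections import Counter

# Constructed sample data (not from the post): a keyword blocklist, the
# addresses I have written to before, and a threshold for "mass mail".
RISKY_KEYWORDS = {"cialis", "viagra", "pharmacy"}
KNOWN_CONTACTS = {"pr.rep@example.com", "cousin@example.net"}
BULK_RECIPIENT_THRESHOLD = 5


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


class SpamFilter:
    """Keyword rule + token weights learned from user marks + contact whitelist."""

    def __init__(self, risky=RISKY_KEYWORDS, contacts=KNOWN_CONTACTS):
        self.risky, self.contacts = risky, contacts
        self.spam_tokens, self.ham_tokens = Counter(), Counter()
        self.spam_msgs = self.ham_msgs = 0

    def learn(self, body, is_spam):
        """Called when the user marks a message; counts token presence per message."""
        present = set(tokenize(body))
        if is_spam:
            self.spam_tokens.update(present); self.spam_msgs += 1
        else:
            self.ham_tokens.update(present); self.ham_msgs += 1

    def learned_score(self, body):
        """Naive-Bayes style log-odds (spam vs ham) with add-one smoothing; > 0 means spam-like."""
        if not self.spam_msgs or not self.ham_msgs:
            return 0.0
        score = 0.0
        for tok in set(tokenize(body)):
            p_spam = (self.spam_tokens[tok] + 1) / (self.spam_msgs + 2)
            p_ham = (self.ham_tokens[tok] + 1) / (self.ham_msgs + 2)
            score += math.log(p_spam / p_ham)
        return score

    def risky_fraction(self, body):
        toks = tokenize(body)
        return sum(t in self.risky for t in toks) / len(toks) if toks else 0.0

    @staticmethod
    def is_bulk(headers):
        """A contact's message is mass mail if it has many recipients or a bulk Precedence header."""
        addrs = [a for f in ("to", "cc") for a in re.split(r"[,;]\s*", headers.get(f, "")) if a]
        return len(addrs) >= BULK_RECIPIENT_THRESHOLD or headers.get("precedence", "").lower() == "bulk"

    def classify(self, headers, body):
        sender = headers.get("from", "").lower()
        if self.risky_fraction(body) >= 0.05:
            return "spam"                # hard keyword rule, whoever sent it
        if sender in self.contacts:
            # Direct mail from a known contact goes straight through; a mass mailing
            # from that same contact (possibly a compromised machine) is only flagged.
            return "potential-spam" if self.is_bulk(headers) else "inbox"
        return "spam" if self.learned_score(body) > 0 else "inbox"


def build_filter():
    """Train on a few constructed marks: generic press releases are spam, conversations are ham."""
    f = SpamFilter()
    for body in ("press release announcing our new product launch today",
                 "press release new security product available now",
                 "free trial offer press release"):
        f.learn(body, is_spam=True)
    for body in ("hi can we talk tomorrow about the interview",
                 "following up on our conversation about the article",
                 "thanks for your reply let us talk next week"):
        f.learn(body, is_spam=False)
    return f
```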
Content analysis is a pretty tricky business, partly because it’s not always clear what is a risk, or even what people want to read. Of course, there’s a fine and vague line sometimes about what is and isn’t spam versus marketing email versus solicited information. My spam (e.g. random press releases) is another journalist’s daily bread. Or my spam is my cousin’s latest attempt at humor (tired forwarded jokes that should have died 10 years ago).
I think to be effective then, email filters need to have more preferences available, and advance to the point where they learn quickly and effectively what the user prefers.
It’s a double-edged sword, however: the better my email filter gets, the better the spammers will get at bypassing it, and the more intelligent bots will get in general. They’ll be more likely to crack captchas, hack accounts, and so on.
Meanwhile I guess I’ll just be marking lots of emails as spam, and playing with word toys online. Not such a hard life, really! Here’s another fun one I made from a poem I recently discovered, “Meditations at Lagunitas,” by Robert Hass:

More here:
What IT Security is All About
Apr 22
My latest hobby for procrastination is browsing Craigslist ads, looking for new furniture and trying to get rid of old stuff. I’ve been doing spring cleaning and trying to sell off an old stereo, VCR, a Dell laptop, and other miscellaneous things. (Let me know if you need anything)
Along the way I’ve also gotten a few odd emails by folks asking to do a wire transfer or Moneygram–a classic Nigerian scam. Usually I either tell them I know it’s a scam, or just delete the emails without thinking much about it. So I was amused to read about another Craigslister actually responding and messing with the scammers.
Todd Lappin of Telstar Logistics–a little bit famous for creating a fake brand in order to avoid parking fees–happened to be selling a loveseat on CL when he received a convoluted, poorly written note asking to use a moneygram and explaining the transaction would be completed with the emailer’s secretary. Another classic Nigerian scam, which he recognized right away.
Todd’s not your ordinary guy, so instead of deleting the email, he responded to the friendly Nigerian scammer, played along, and got the guy to send him the check. Now he’s posted and exposed the scam on the Net for all to see, over at laughingsquid. The scammer will be expecting him to try cashing it and send back the difference between the check amount (nearly $3k) and the price of the loveseat ($200).
If he went along, the check would bounce and the scammers would be making off with the difference. And he might still be stuck with an ugly yellow loveseat. (Okay it’s actually not a bad loveseat, just the same horrible color my childhood bedroom was painted).
Why anyone still falls for these scams on CL is odd, since there are warnings plastered all over the site, and it’s common and easy to recognize. I suppose they wouldn’t still be trying if they didn’t get bites from people ignorant enough to go for it. So it’s good to see people messing with and exposing the tricks.
Interestingly, Todd says the check he received looks entirely authentic and may be from a genuine bank account. So he’s gone to the trouble of blurring the account number in the check image he posted. It’s good to see someone’s looking out for others’ security online.
The rest is here:
Playing Along with Nigerian Scammers
Apr 20
I spent a small chunk of time this morning reading through the slides posted online from a Malware course that was taught at the University of Helsinki earlier this year. The lecture slides are in PDF and available for anyone to browse.
The introduction starts off at a fairly basic level deconstructing many of the terms used to describe different attacks and shows examples of criminals’ posts on bulletin boards and prices for various attacks. Interesting stuff, even for a non-programmer like me. You could use them to educate staff or friends who are not computer professionals.
Then those of you who do security and programming may even find more useful stuff in there to work on… take a look.
Read more:
Malware course online from FSecure/University of Helsinki
Apr 15
Here’s something to think about, next time you read one of those “Green Home Tips” guides that advises you to turn off your lights at night more often. It’s not personal use of electricity that’s eating up the atmosphere—it’s industrial use of lighting, trucking and transit, and all that spam going through the tubes.
I’ve read over the years varying reports that claim spam comprises somewhere between 80-90% of all Internet traffic. The latest stat is from McAfee saying 80%. Consider the number of computers and routers a single email can travel through when it is sent across the world, and then multiply that by billions. McAfee calculates that the amount of energy it takes to send all that spam every year could power 2.4 million U.S. homes. Apparently, it’s just as important to turn on your spam filter as to turn off the lights at night.
According to Treehugger, it takes 3% of U.S. energy consumption to power the Internet. Comparatively, about 20% of the world’s electricity is used for lighting, but only 1/4 of that is for residential use worldwide, making that about 5% of worldwide use.
Treehugger also points out that deleting old archives can also help reduce energy consumption. They’re referring specifically to emails, which are pretty negligible compared with photos, video, or other documents. In business, it’s become commonplace to save as much as possible in order to keep information available in case it is needed, or to meet compliance requirements. But not everything really needs to be stored online at all times: it could be saved away to DVDs, hard drives, or cassettes to save energy and reduce the power bill.
See the original post here:
The Force of Spam Kills Polar Bears
Apr 13
What is the first thing that you think of when you see “Acai Berry”? I think “scam” or “spam” or “hackers.” Same thing with a handful of other products–viagra, cialis, you know them and can name them yourselves. So why are hackers successful with these products?
Cisco sent me a press release today for a scam on Facebook advertising Acai berry drinks. Supposedly it’s a pretty slick scam from a marketing perspective, because scammers are using advanced and genuine marketing tools in their campaign. The list includes a “free” trial that really nets the scammers $30 per transaction, the use of “better than corporate” marketing, and the use of accounts and URLs from legitimate marketing companies Livefaceonweb.com and LivePerson.net. After the person pays for the free trial, the scammers have their credit card data too, and can commit any number of fraudulent transactions.
The mix of scammy and legitimate methods may help lend some authenticity to the transaction. But I’m not convinced the whole thing is so slick after all. Even legitimate marketing campaigns aren’t so successful on Facebook, evidenced by the fact that the site with a 120 million+ user base is still unprofitable after years of relative success. Next, the accounts may be with legitimate marketing companies, but does that actually lend any air of authenticity? I don’t recognize the domain names and probably very few people do. (And if you know online marketing well enough to know the sites, you’re probably savvy to the scams too, right?)
Even all those doubts aside, the fact remains that acai berry drinks should just be a huge tip off. Never mind the message that “you’ll be paying for the free thing, now give us your credit card numbers.” That should also be a tip off. Any web user should recognize those tricks and should know better.
I suppose that’s why Facebook is such a great target. People from all walks of life, and all ages and tech skills, congregate there and share their private thoughts. Even my 68-yr-old dad is on Facebook these days; he has a minimalist profile in order to connect with other family members. People with very little experience or web savvy, who are also feeling safer because they’re on a site they know and trust, are more likely to fall for the tricks. I bet my dad is too smart, though.
Read more:
Why It Should Be Easy to Avoid 3/4 of All Online Scams
Apr 11
A company’s right to privacy about layoffs, insider politics, and the workplace environment just got a little less private. A friend just pointed me to this new web site, in beta–called “telonu”–that invites workers to anonymously post their insider data and horror stories about the latest in layoffs and company scandals, or just vent about their workplace and boss. Telling on your boss is kinda like telling on your little brother, except now more public and maybe a little dirtier.
Of course you can expect this is going to be a gossip site, maybe just as dishonest and suspicious as the reviews you can read on yelp or celebrity gossip sites. Whatever niche thing you can think of, there seems to be a social networking site for it these days.
How critical are the reviews? Well, take this one from some anonymous employee at JP Morgan & Chase:
“They are amateur in the field and don’t know how to run the company. They have laid off large number of people and now want current employees to make up for the work. Is this justice?”
Justice, is that what you’d expect from layoffs? Nah, that sounds pretty typical corporate to me. You mean laying off workers means more work *gasp* for the remaining workers? Yeah, expect a lot of venting but probably not high-caliber analysis, or even reliable reporting, over there at telonu.com.
You can expect that companies will try to post good things about themselves; employees will try to scandalize the companies. And, probably like yelp, the media company will try to make money from ads and maybe from asking people to pay for good reviews. (The ads I saw on the site advertised wrinkle cream and auto insurance. Wrinkle cream, exactly what I’m worried about right now.)
Happy cadbury egg and jelly bean weekend, folks. I hope pink describes the fluffy bunny slippers you have on, and not the piece of paper your boss hands you today.
Continued here:
Telonu.com invites workers to denounce and expose their workplace horrors
Apr 09
I’ve taken only a bare minimum of self-defense and martial arts training in my life, but I know that as a short and petite woman, my best chance in a fight would be to use an assailant’s force against him.
And so it is with computer systems, it seems. The more software capabilities and files we allow on networks, and the more capable computers become, the more that hackers and scammers will have to work with, or to work against us with. Just one more variant of the “build a better mousetrap” adage.
That’s what popped into my head earlier when I read this story about spies hacking into the U.S. electrical grid and leaving behind malware that could disrupt service. That kind of attack could be invaluable in a war or large-scale hack situation, affecting millions of people.
Of course, without networked and computerized utility systems, such an attack wouldn’t even be possible. The same technology that makes industry more effective, efficient, and easier to use, also makes it that much more vulnerable. In the end, I have to wonder if such a system is exchanging one set of problems for another set, which they may be less able to deal with.
An interesting finding in the article is that utilities are constantly under attack, and often vulnerable, but that human resources databases are far more secure. I guess that makes sense in a way, since data loss and ID theft are such common concerns in media overall. Much of the public’s awareness of security is via media targeted to the individual consumer. On the job, it’s possible that tight budgets or a lack of time and expertise contribute to the lack of an effective security system, especially in such a large-scale and specialized operation. Every company needs a Human Resources division…but the infrastructure to operate a smart grid is much more specialized, therefore harder to protect.
Still, there may be good news for cyber security soldiers on the horizon. The Obama administration is taking steps to review and research the national state of cybersecurity and take measures to improve it. It’s no doubt they have a massive job on their hands.
Go here to see the original:
Apr 07
This story from Consumerist today caught my eye, about a man who found a card skimmer attached to his local ATM and pulled it off. He found there was a USB port attached, meaning a hacker could scan people’s cards, then plug the scanner into his computer and steal the card numbers and account information.
There’s an interesting video on YouTube showing a demo of how the scam works. After the hacker retrieves the scanner from the ATM, he gets the scanner plugged into his computer and downloads all the account information. Then, he can reprogram one of the accounts into a new credit card or any card with a magnetic strip, even a phone card. The fake card can be used at another ATM with the stolen PIN to take cash out of someone’s account.
Some card skimmers don’t even need to be retrieved from the ATM. According to one report, some skimmers can do things like text the hacker the information, so they don’t have to risk going back to retrieve the device.
Targets are often gas stations, bank ATMs, convenience stores, or even DVD rental units. Anywhere you can swipe a card could be a risk. There’s even another video showing a waiter who skims a card as he’s walking to the back of a restaurant to swipe it–one of the risks I talked about in my last post! However, that looks like something that would be difficult to do unnoticed in public.
The skimming scam is very similar to a phish attack. The machine looks and acts genuine, but is hacked so that it steals critical information in the process of doing its job.
Interestingly, I don’t think I’ve ever given a second glance to the card readers at my ATM, even though I’m careful about verifying the identity and safety of web sites online. The story made me curious whether young’uns like me (under-30) are more careful online, while older folks might be more wary and savvy about the scams that can take place in the course of daily life. It would make sense. I spend the majority of my time on my computer, but the Internet as it exists now is so very recent. It always surprises me that there is such a generation gap about technology, but it’s also surprising how quickly people have been able to learn the new technology, even when they aren’t trained in it.
View original here:
Skimming, Scamming, and Scoring Credit Cards at Genuine ATMs
Apr 03
A while back, I blogged a story from Ira Winkler at RSA, who wrote about the differences between paying for a restaurant meal here in the U.S. versus abroad.
In the U.S., usually they take your credit card to a machine in the back of the restaurant to swipe it, which means that your credit card goes out of your sight. An unethical waiter could write your numbers down and then use your credit card to buy things later—or leave your card out of his sight, meaning anyone else could get their hands on it.
Winkler’s experience in the UK was that the waiter brought a card reader to the table and asked for a PIN, instead.
Someone in the comments suggested that in Europe they tend to use electronic cash, like a debit card, which makes it easier to implement that type of system. Here in the US we tend to use credit cards and sign our names to verify; although when we do use a debit card, we do use a PIN to verify too.
The story slipped my mind until recently, until I had a similar experience at a restaurant here in Silicon Valley (in Milpitas). My mother took my family out to celebrate my brother’s birthday, and the waiter brought a card reader to the table. Instead of taking the card anywhere, he swiped it right there, she entered a PIN, and the machine printed a transaction. (Thanks for dinner, Mom!)
Of course my whole family was enchanted as if this was shiny new technology we hadn’t ever thought of before. Technologically it doesn’t seem like a giant step forward, but for security reasons, it’s a great idea. We don’t usually think about the security problems with letting cards out of our sight in restaurants, but that doesn’t mean there aren’t any risks involved. When we asked the waiter about the system, he said he wasn’t allowed to take the card away from the table.
That must be a rule confined to the restaurant, though, because I haven’t seen it anywhere else before or since. But it’s a good sign…maybe that system will slowly catch on. I hope to see more restaurants taking up that type of service, and hopefully ID theft will dwindle a little as a result.
Here is the original:
New Restaurant Swipes Your Card At the Table