THE STRAIGHT TALK EXPRESS - Security Blog
Feed last updated Thu, 10 Mar 2016 17:27:54 -0800

Worm spreading on Skype IM installs ransomware
Posted Tue, 09 Oct 2012 01:37:44 GMT
http://www.thestraighttalkexpress.com/security-blog/worm-spreading-on-skype-im-installs-ransomware

Malware is downloaded onto users' machines after they click on the message "lol is this your new profile pic?"

by Steven Musil

October 8, 2012 4:37 PM PDT

The Skype worm attempts to entice users with this socially-engineered instant message.

(Credit: GFI)

A malicious worm spreading through Skype instant messages threatens to take control of a victim's machine and hold its contents for ransom.

The issue, which was first brought to light Friday by GFI, tricks users into downloading a ZIP file by displaying the socially-engineered message "lol is this your new profile pic?" along with a link that also spreads the message to other Skype users. The ZIP file contains an executable that installs a variant of the Dorkbot worm and creates a backdoor via "Blackhole," an exploit kit used by criminals to infect computers through security holes.

The backdoor allows a remote attacker to take control of the machine and install the ransomware, a malicious application that locks the user out of the computer via password or encryption and demands a payment, or ransom, in exchange for its contents. This particular strain demands a payment of $200 within 48 hours; otherwise the victim risks having their files deleted.

PC users are also presented with a screen (see below) that claims the computer has been used to visit sites of a nefarious nature, including the downloading of MP3s, illegal pornography, gambling, and illegal drugs, and threatens to send that information to the "special Department of US government" via a program called "System Cleaner," which it claims was developed by the U.S. government "to prevent crime and illegal activity on the Internet."


(Credit: GFI)

The malware also employs click fraud, imitating legitimate user behavior by clicking on ads to generate revenue for its authors. And it's not a few clicks; GFI said in a 10-minute span it recorded 2,259 transmissions.

Skype said it is investigating the matter and recommends upgrading Skype versions and making sure the machine's security software is up to date.

"We are aware of this malicious activity and are working quickly to mitigate its impact," the company said in a statement. "We strongly recommend upgrading to the newest Skype version and applying updated security features on your computer. Additionally, following links -- even when from your contacts -- that look strange or are unexpected is not advisable."

How to Setup a Gmail account
Posted Wed, 11 Jul 2012 23:59:16 GMT
http://www.thestraighttalkexpress.com/security-blog/how-to-setup-a-gmail-account

HOW TO SET UP A GMAIL ACCOUNT (Free email account) & Forwarding Instructions

Click below to go to GMail

Click on: Create Account (top right hand corner)

Complete the Info requested on the screen:

You will pick a username and password for your account here (remember these two).
You do NOT have to enter correct information for any of the other fields if you choose not to, and you do NOT have to enter your secondary email address here either.



SKIP THE PROFILE (unless you want to set it up) and Click NEXT

Click on CONTINUE TO GMAIL Your GMail account is now ready to use..

IF YOU WANT TO HAVE YOUR GMAIL FORWARDED TO YOUR REGULAR EMAIL ACCOUNT (so you only have to use your current email account and not log into GMail), FOLLOW THE INSTRUCTIONS BELOW:

On top right of page: Grey box that looks like a wheel (this is the Settings Tab)
Choose SETTINGS from the drop down menu

Click on: Forwarding & POP/IMAP tab

Click on: Add a forwarding address

Click on: Forward a copy of Incoming Mail

Enter the email address you want to receive all gmail emails sent to you
(For example: when I set up my gmail accounts, I forward a copy to my AOL account, so ALL emails that come in to my gmail account are AUTOMATICALLY forwarded to my main email, which means I do NOT have to log into Gmail to get my email.)


A confirmation code email will be sent to the email you entered
Go to your email and click on the link that says ALLOW TO FORWARD

Then go back to your NEW GMail account and Again Click on Forwarding & POP/IMAP

Click on Forward a copy to email


Do you Know what They Know: You and the Web
Posted Wed, 11 Jul 2012 23:50:54 GMT
http://www.thestraighttalkexpress.com/security-blog/do-you-know-what-they-know-you-and-the-web

SPOKEO
Instructions on How to Remove Your Information


Enter Name OR Phone # or email address (don't forget to check your cell, your home, etc)

If it shows up, click on the link address at the top of the page and copy it.

Go to the bottom of the page and Click on Privacy or click here http://www.spokeo.com/privacy

Scroll to the bottom of the page and insert the url you copied

Then enter your email address (make sure it is NOT your main email address or this will just happen again)

Then enter Code

Click on Remove Listing

Go to your email for further instructions. You must click on the link to finish the process.


Spokeo is a leading people search engine. We aggregate vast quantities of public data and organize the information into attractive and easy-to-follow profiles.

You can search for anyone using: Unlike other people search sites, Spokeo merges “real life” information (address, email address, marital status, etc.) with social network data (Facebook profiles, Twitter feeds, etc.) providing you with a profile that is among the most comprehensive profiles available on the Web.

Spokeo was founded in 2006 by Harrison Tang and a couple of his classmates at Stanford University. Working out of their parents’ basement, they developed a technology to better keep up with their friends online. Spokeo has since grown to become a leading solution to America’s connectivity needs. Our mission is to help people find, learn about, and connect with others more easily than ever.

Spokeo Privacy – Get the Scoop from the Source


Cyber bank robbers attempt billion-dollar heist, targeting your money
Posted Wed, 27 Jun 2012 22:03:42 GMT
http://www.thestraighttalkexpress.com/security-blog/cyber-bank-robbers-attempt-billion-dollar-heist-targeting-your-money1

By John R. Quain

Personal Tech
Published June 26, 2012

The next Internet billionaires won’t be pushing social-networking apps. They’ll be breaking into your bank accounts.

An organized global cyber crimewave has been underway for months, according to a report released today from security firms McAfee and Guardian Analytics, attacking banks in Colombia, Germany, Italy, the Netherlands, the United Kingdom and the U.S.

A total of roughly $78 million was successfully siphoned out of bank accounts, according to researchers, with a potential total of $2 billion attempted. (Banks are understandably loath to reveal losses and, due to additional security concerns, have not been identified.)

Analysts at the firms report that these thefts represent a new generation of attacks running off of hijacked servers that can be frequently changed to avoid detection and completely automated so that thousands of customer accounts can be broken into without even raising the owners’ suspicion.

By adapting two types of malware designed to steal passwords — known as Zeus and SpyEye — hackers can now invisibly record login information and add additional requests for information on what appear to be valid online banking pages. They can even intercept secondary, one-time-only passwords, and then put the user on hold while they log in and transfer funds to criminal accounts. After the transfer is complete, the software can even post false balances so that the victim is unaware of the theft until it is too late.

What is different about these new attacks is their high level of automation. It allows organized cyberattacks that can drain just a few dollars from multiple accounts without any intervention by the crooks. Furthermore, according to McAfee, the criminals look for large account balances — hence the researchers dubbed the crime spree “Operation High Roller.” In at least one case, the criminals made off with $130,000 from a single account.

The moral of this latest cyberscare story is that you cannot rely on your bank or financial institution to protect your money. In many cases, the financial institution’s profits are sufficiently high and the investment in additional computer security measures considered too expensive to prevent many of these attacks. As some analysts have told me, it’s considered part of the cost of doing business. Just make sure it isn’t your cost of doing business online.

First, you have to run some sort of anti-virus software. There are free basic versions out there from the likes of Avast, AVG, and BitDefender. Many of these monitor new threats and will warn you about suspicious Web pages.

Second, never, ever, ever open a link in an “official” e-mail message you receive. This is the primary way criminals lead thousands of users astray every day. If you get a message from your bank, open a separate browser and type in the URL that you usually use. It’s the only way to avoid being led astray.

Third, update your software: in particular the Web browser you're using and Sun's Java and Adobe's Reader software (for opening PDFs). These programs are the favorite targets of hackers, and new exploits are uncovered every week. Keeping them updated can often prevent so-called iFrame hacks that may compromise legitimate Web sites and secretly install malware on your computer. So instead of watching that Tree Girl video, check for updates whenever you have a spare moment.

The computer security threats are clearly endemic, prompting the head of Britain's spy agency, Jonathan Evans of MI5, to coincidentally come out this week to warn that the level of cyber attacks is now "astonishing." Evans warned that the scale of such threats has now reached "industrial-scale" proportions.

So it’s no longer a matter of paranoia to check your software and Web surfing habits. It’s a matter of common sense.



Fraud Ring In Hacking Attack On 60 Banks
Posted Wed, 27 Jun 2012 16:02:11 GMT
http://www.thestraighttalkexpress.com/security-blog/-fraud-ring-in-hacking-attack-on-60-banks

Some 60m euro is stolen from bank accounts in a massive cyber raid, after fraudsters raid dozens of banks around the world.

7:16am UK, Wednesday 27 June 2012

Video: McAfee: Biggest Cyber Bank Robbery In History

By Pete Norman, Sky News Online

Sixty million euro has been stolen from bank accounts in a massive cyber bank raid after fraudsters raided dozens of financial institutions around the world.

According to a joint report by software security firm McAfee and Guardian Analytics, more than 60 firms have suffered from what it has called an "insider level of understanding".

"The fraudsters' objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research - Operation High Roller," the report said.

"If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as 2bn euro (£1.6bn)."

The automated malicious software programme was discovered to use servers to process thousands of attempted thefts from both commercial firms and private individuals.

The stolen money was then sent to so-called mule accounts in amounts of between a few hundred and 100,000 euro (£80,000) at a time.

Credit unions, large multinational banks and regional banks have all been attacked.

Sky News defence and security editor Sam Kiley said: "It does include British financial institutions and has jumped over to North America and South America.

"What they have done differently from routine attacks is that they have got into the bank servers and constructed software that is automated.

"It can get around some of the mechanisms that alert the banking system to abnormal activity."

The details of the global fraud come just a day after the MI5 boss warned of the new cyber security threat to UK business.

McAfee researchers have been able to track the global fraud, which still continues, across countries and continents.

"They have identified 60 different servers, many of them in Russia, and they have identified one alone that has been used to steal 60m euro," Kiley said.

"There are dozens of servers still grinding away at this fraud – in effect stealing money."


How many seconds would it take to break your password?
Posted Sat, 09 Jun 2012 12:14:25 GMT
http://www.thestraighttalkexpress.com/security-blog/how-many-seconds-would-it-take-to-break-your-password

'Strong' isn't a detailed password rating; go for quintillions of possible combos, then add a symbol
By Kevin Fogarty

June 07, 2012, 8:00 PM
Security breaches of mind-numbing size like those at LinkedIn and EHarmony.com set crypto- and security geeks to chattering about weak passwords and lazy users and the importance of non-alphanumeric characters to security.

And insisting on a particular number of characters in a password is just pointless security-fetish control freakishness, right?

Nope. The number and type of characters make a big difference.


How big? Adding a symbol eliminates the possibility of a straight dictionary attack (using, literally, words from a dictionary). Adding a symbol, especially an unusual one, makes it much harder to crack even using rainbow tables (collections of alphanumeric combinations, only some of which include symbols).

How big a difference do length and character type make?

Look below and pick which password-cracking jobs you'd want to take on if you were a computer. The examples come from the Interactive Brute Force Password Search Space Calculator at GRC.com, the love child of former InfoWorld columnist and freeware contributor Steve Gibson.

How long would it take to crack my password? (Letters and numbers, no upper-/lower-case distinction, no symbols.)

6 characters: 2.25 billion possible combinations
* Cracking online, using a web app hitting a target site with one thousand guesses per second: 3.7 weeks
* Cracking offline, using high-powered servers or desktops (one hundred billion guesses per second): 0.0224 seconds
* Cracking offline, using massively parallel multiprocessing clusters or a grid (one hundred trillion guesses per second): 0.0000224 seconds

10 characters: 3.76 quadrillion possible combinations
* Cracking online, using a web app hitting a target site with one thousand guesses per second: 3.7 weeks
* Cracking offline, using high-powered servers or desktops (one hundred billion guesses per second): 10.45 hours
* Cracking offline, using massively parallel multiprocessing clusters or a grid (one hundred trillion guesses per second): 37.61 seconds

Add a symbol and the crack becomes several orders of magnitude more difficult:

6 characters: 7.6 trillion possible combinations
* Cracking online, using a web app hitting a target site with one thousand guesses per second: 2.4 centuries
* Cracking offline, using high-powered servers or desktops (one hundred billion guesses per second): 1.26 minutes
* Cracking offline, using massively parallel multiprocessing clusters or a grid (one hundred trillion guesses per second): 0.0756 seconds

10 characters: 171.3 sextillion possible combinations (171,269,557,687,901,638,419; 1.71 x 10^20)
* Cracking online, using a web app hitting a target site with one thousand guesses per second: 54.46 million centuries
* Cracking offline, using high-powered servers or desktops (one hundred billion guesses per second): 54.46 years
* Cracking offline, using massively parallel multiprocessing clusters or a grid (one hundred trillion guesses per second): 2.83 weeks

Take Steve's advice: go for 10 characters, then add a symbol.





LinkedIn users targeted in phishing scam after hack
Posted Thu, 07 Jun 2012 20:00:55 GMT
http://www.thestraighttalkexpress.com/security-blog/linkedin-users-targeted-in-phishing-scam-after-hack

7 June 2012

Convincingly-designed emails like these have been sent to LinkedIn users
LinkedIn users have been targeted by email scams after hackers leaked more than six million user passwords online.

Emails designed to look like they were sent by the social-network website asked users to "confirm" their email address by clicking a link.

However, the link took unsuspecting recipients to a site selling counterfeit drugs.

Dating website e-Harmony has also admitted that a "small fraction" of its users' passwords have been leaked.

Approximately 1.5 million passwords from the US-based relationship site were posted online, reported Ars Technica.

The company said on its blog that it had reset the passwords of the affected users, who would receive an email with instructions on how to set new passwords.

On Wednesday it was revealed that 6.4 million passwords from LinkedIn had been posted on a Russian web forum, along with a message encouraging other hackers to help decrypt the "hashed" data.

Affected LinkedIn users have been told they will receive instructions in an email - but not with a link - on how to change their details.


Security experts have advised users to change their passwords on LinkedIn. Here's how: First, visit www.linkedin.com and log in with your details.

"Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid," said LinkedIn director Vicente Silveira, confirming that a breach had occurred.

He added: "These members will also receive an email from LinkedIn with instructions on how to reset their passwords.

"These affected members will receive a second email from our customer support team providing a bit more context on this situation and why they are being asked to change their passwords."

However, Ant Allen, from analyst firm Gartner, said LinkedIn must do more to inform their members about the situation.

"I'd really like to see a clearer statement from them on their front page," he told the BBC.

"A statement that they were taking steps to minimise the risks of passwords being exposed in the future and the risks to users if passwords were exposed would do a lot to reassure people. Simply saying, 'we need you to reset your password as a security precaution' is not enough."

Final tally 'higher'

Security analyst Imperva said it believed the breach was larger than had been acknowledged, as the list did not duplicate individual passwords, even though many were likely to have been used by more than one user.

"The list doesn't reveal how many times a password was used by the consumers," the company said.

"This means that a single entry in this list can be used by more than one person. For reference, in the [social network] RockYou hack the 5,000 most popular passwords were used by a share of 20% of the users. We believe that to be the case here as well, another indicator that the breach size exceeds 6.5m."

The password breach came just hours after the company admitted it had updated its mobile apps due to a privacy flaw.

In a blog post, Skycure Security said the mobile app was sending unencrypted calendar entries to LinkedIn servers without users' knowledge.

In response LinkedIn said it would "no longer send data from the meeting notes section of your calendar".


Upgrade Your Life: 5 ways to make an easy-to-remember, ultra-secure password
Posted Tue, 22 May 2012 01:05:42 GMT
http://www.thestraighttalkexpress.com/security-blog/upgrade-your-life-5-ways-to-make-an-easy-to-remember-ultra-secure-password
By Taylor Hatmaker, Tecca | Upgrade Your Life – Wed, Aug 24, 2011
Nobody wants to get hacked. But when it comes to choosing a password, there are key steps you can take to reduce your risk of data intrusions from unwanted virtual visitors. This week's edition of Upgrade Your Life will teach you how to make a strong, safe password that's easy to remember — and how to reduce your odds of being an easy target for hackers.

1. Worst Passwords
In 2009, a major hack on social gaming site RockYou revealed some troubling patterns in how we choose our passwords. The Imperva Application Defense Center (ADC), a security research group, examined the passwords of RockYou's clients to see just what went wrong. The study found that more than 29,000 of the compromised accounts were using the password "123456" — the most popular password. The second and third most common passwords were also strings of consecutive numbers. And the fourth most common password? "Password." Other popular passwords from the RockYou case include "iloveyou," "abc123," and a handful of common first names like "Ashley" and "Michael."

How to avoid bad passwords:
* Don't use any part of your name or email address: These two pieces of information are easily obtained about you.
* Avoid any other personal information: Don't use your birthday, family member or pet names, street addresses, or anything else that could be public knowledge for prying eyes.
* Don't use consecutive numbers: These are extremely easy for a cracking program to decode, and as you can see from the ADC study, they're also wildly popular.
* Avoid words in the dictionary: This includes random sequences of words and slang terms too.

2. Best Passwords: Uppercase and lowercase letters, numbers, and symbols
Nowadays, many websites encourage good password practices by forcing you to input a mix of numbers, letters, symbols, and mixed capitalization. This approach is definitely the right idea: mixing it up can pay off, statistically speaking. Why? Most password hacks you'll be warding off use a technique called a "brute force attack." This flavor of hack uses automated computer software to guess every possible combination to crack your personal code.

According to the ADC study, automated hacking software combined with poorly chosen passwords means a hacker can break into 1000 accounts in just 17 minutes. If you introduce more variables into your password — namely numbers, symbols, and a mix of lower and upper case letters — intrusive software will take longer to crack your code.

Make passwords more secure:
* Add letters: Since there are 26 letters in the alphabet, one additional letter can make your password 26 times harder to crack.
* Use a mix of lower and uppercase letters: Mixing up your cases adds complexity and safety to your chosen password.
* Add numbers: Using letters, words, and phrases for your passwords seems both natural and easy to remember, but it's much safer to diversify.
* Add symbols: Symbols are the real secret ingredient to security. Since there are over 1500 symbols a hacking program needs to run through to correctly lock down one character of your password, adding one extra asterisk or exclamation point can make it 1500 times more difficult for intruders to pry open your personal accounts.

3. Password length = Password strength
Most websites prompt you to create a code with a minimum and maximum amount of characters, often between 8 and 14. Since each additional character increases your odds of staying safe, be sure to max out the length of your password. If you can enter 14 characters, don't stop at 10 — those extra 4 characters will work to your statistical advantage.

Here's an example: compare the passwords m00se44 versus m00se44!.!.!.!
Sure m00se44 might be faster to type, but m00se44!.!.!.! is a far safer bet. How much safer? According to a handy online brute force simulator, hackers could crack m00se44 in less than a second. What about m00se44!.!.!.!? Assuming that the hacking software is guessing one hundred billion combinations a second, believe it or not, it could take the same software almost 200,000 centuries to crack it.

4. Password padding: Symbols are your secret weapon
Much of the basis for this article comes from the research of a noted security expert named Steve Gibson. His most recent practical advice involves a simple technique called "password padding." It used to be that a random password like Pr5^w4''t3F was perceived to be the best password. But the reality is that people can't actually remember those totally random passwords, so they don't end up using or sticking with them.

To solve this dilemma, Gibson wanted to create a memorable password strategy that would be equally secure. He stumbled onto the idea that long passwords loaded with symbols can be both ultra-secure and yet also easily memorized. He came up with the following example to prove his point.

Which of these is easier to remember? Which is more secure?

The more memorable password is D0g!(!(!(!(!(! since it looks like the familiar word "dog" and ends with a repeating pattern of symbols. And according to Gibson, D0g!(!(!(!(!(! is also the more secure password because, while it too has numbers, letters (upper and lowercase), and symbols, the first example is one character longer than the random second password — and it has more symbols.

Want to see this effect in action? Play around with Gibson's password security calculator yourself.
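The search-space arithmetic behind the GRC figures in the earlier password-cracking post and behind the m00se44 / D0g!(!(!(!(!(! comparisons above, as an added example (not code from the article, the blog, or GRC's calculator). It assumes GRC-style character-class sizes (10 digits, 26 lowercase, 26 uppercase, 33 symbols) and counts every string from length 1 up to the password's length, since a brute-force search must exhaust the shorter lengths first; with those assumptions it reproduces the 3.76 quadrillion / 10.45 hours figures for a 10-character alphanumeric password, and m00se44!.!.!.! comes out at roughly 178,000 centuries at one hundred billion guesses per second, in line with the article's "almost 200,000 centuries".

```python
"""Brute-force search-space estimator in the style of the GRC calculator cited above.

Added example, not code from the article, the blog, or GRC. Assumptions: the
alphabet is the union of the character classes present in the password, with
GRC-style class sizes, and the search space counts all strings of length
1..N, because an exhaustive attack tries shorter candidates before longer ones.
"""
import string

# Assumed GRC-style character-class sizes
CLASS_SIZES = {"digits": 10, "lower": 26, "upper": 26, "symbols": 33}

# The three guess rates used in the article
RATES = {
    "online (1,000/s)": 1_000,
    "offline (100 billion/s)": 100_000_000_000,
    "cluster (100 trillion/s)": 100_000_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that could contain the password."""
    size = 0
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["digits"]
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["lower"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["upper"]
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += CLASS_SIZES["symbols"]
    return size


def search_space(length: int, alphabet: int) -> int:
    """Number of strings of length 1..length over an alphabet of the given size.

    Geometric series A + A^2 + ... + A^N = (A^(N+1) - A) / (A - 1), kept as an
    exact integer so the 10^20-range values in the article do not lose precision.
    """
    if alphabet < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return (alphabet ** (length + 1) - alphabet) // (alphabet - 1)


def password_search_space(password: str) -> int:
    """Search space an attacker must exhaust, worst case, for this password."""
    return search_space(len(password), alphabet_size(password))


def time_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return space / guesses_per_second


def humanize(seconds: float) -> str:
    """Render a duration the way the article does (seconds up to centuries)."""
    units = [("centuries", 100 * SECONDS_PER_YEAR), ("years", SECONDS_PER_YEAR),
             ("weeks", 7 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.4g} seconds"


def report(password: str) -> dict:
    """Alphabet, search space, and exhaustive-search time at each article rate."""
    space = password_search_space(password)
    return {
        "alphabet": alphabet_size(password),
        "space": space,
        "times": {label: humanize(time_to_exhaust(space, rate))
                  for label, rate in RATES.items()},
    }


if __name__ == "__main__":
    # The passwords discussed on this page: short vs padded, random vs padded
    for pw in ["m00se44", "m00se44!.!.!.!", "Pr5^w4''t3F", "D0g!(!(!(!(!(!"]:
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, search space {r['space']:.3g}")
        for label, t in r["times"].items():
            print(f"    {label}: {t}")
```

Note that padding only helps against an attacker who does not know the pattern; the model above is a pure brute-force count, which is also all that the GRC calculator measures.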

5. Store passwords in one place with a password manager

If you're a little concerned about juggling all of the lengthy, ultra-secure passwords you've dreamed up, you can have a program do the heavy lifting. These programs and apps, known as password wallets or password managers, lock down your cache of codes by encrypting them, so that the stored passwords cannot be read without your master password. If RockYou's data had been encrypted, that security scandal could have been avoided altogether.

While no method is infallible, well-regarded password managers like LastPass and 1Password are great options. With a password manager, you'll use a master password to access the program or app, and it will auto-fill password entry fields for you as you log in around the web.  Both LastPass and 1Password feature mobile and desktop versions, so you can keep both computer and your phone locked down safely.



USING PUBLIC WI-FI TO PAY BILLS AND SHOP CAN BE VERY DANGEROUS
Posted Sun, 20 May 2012 15:46:59 GMT
http://www.thestraighttalkexpress.com/security-blog/using-public-wi-fi-to-pay-bills-and-shop-can-be-very-dangerous

Have you ever gone to the local hotspot at McDonald's to browse the internet, have a cup of coffee and pay bills?
Well, did you know you are at risk of having your password and identity stolen? Surprised?
Most people are. We have a false sense of privacy on the internet today, and it can be damaging to you and your personal information. The nature of public Wi-Fi is that it is open and free. The word "public" should be a clue as to how safe you really are on the network. Public Wi-Fi is an open network, and all your information is open to anyone on the network to see, copy and use.
OK, take a deep breath; now we can continue. Try this one day when you are traveling and connected to the Wi-Fi at the airport: click on your network neighborhood icon and you can see all the information from other people's computers.
If you are paying bills, anyone can glean passwords and logons, and you have given your information to them freely.
So how do you stop this?
First, make sure your computer is up to date, all of the security patches are installed, and you have an antivirus program and a firewall running.
NEXT, MAKE SURE YOU TURN OFF FILE AND PRINTER SHARING, so that others cannot see what you are broadcasting for others to share.
Remember, it is possible to connect to any computer on the network.
Remember, the internet is one big network, and anyone on that network can access your computer if you don't take precautions.

Windows 7 has the most secure features to protect you. When you enter a new network, it pops up a screen asking what type of network you are on: Public, Home or Work. Each network type applies different security policies to protect your computer and disallow things like sharing. The most vulnerable operating system to expose to the network is Windows XP, so make sure at a minimum you are using Windows Firewall to protect your computer from others.

Remember, and let me make it clear: it is never safe to do banking or shopping on a public Wi-Fi network, because your data is never safe there. If you need to do banking on the road, you should remote into your home machine via LogMeIn, TeamViewer, etc. This lets you securely use your home computer to do banking on a safe network.

Straight Talkin Mike

I have included a link and the News Article that will let you explore this further below:

Is It Safe To Bank On Public Wi-Fi? How Not To Get Hacked!

By Becky Worley | Upgrade Your Life – Wed, Feb 8, 2012 


Online banking has grown in huge numbers, and mobile banking is on an even faster rise. But accessing your sensitive financial data via computer can be dangerous. One well-known computer virus that steals banking logons and passwords is thought to have infected over 3 million computers in the US alone, siphoning at least $70 million from consumers. So how can you access your bank account safely?

We've enlisted the help of noted hacking researcher Darren Kitchen to find out:
• Is it safe to bank on a public computer, like at a library or in a school?
• Can you safely check your bank balance in a Wi-Fi café on your own laptop?
• How safe is it to check your bank account from your home computer?
• Is it OK to bank on your phone?

I've known Darren Kitchen for years. He hosts a podcast about hacking called Hak5 and has been interviewed by ABC News, the New York Times and Wired Magazine on various hacking topics. In short, he's the real deal, and he sat down with me to answer the following questions and demo what a hacker could do if you log on to the wrong Wi-Fi.

Is it safe to bank on a public computer?
Answer: No
Public computers in libraries, schools, and hotels are completely unsafe for any sensitive web browsing. You have no idea if they are secure or if a criminal has installed a key-logger that tracks every username and password you enter.

Can you safely bank online at a Wi-Fi café on your own computer
Answer: Probably not
Darren and I set up an experiment.  With my own laptop, I logged onto the free Wi-Fi in a café while Darren sat across from me. I went to my bank site and entered my username and password. In real time, Darren intercepted the logon info. If that had been my real info he could have immediately logged onto my bank account (NOTE: I gave Darren expressed permission to hack my browsing — I need to say this for legal reasons. ALSO - I am a blond, but what you see in the video is not my real banking info.)

How did he hack my connection?
Darren brought his own router into the coffee shop. He can set it up to provide an open connection that is labeled "Internet" or "free Wi-Fi" or even includes the name of the café, something like "Cuppa Joe Wi-Fi."  Simply put, he pretends to be the Internet access provided by the café. The scenario: you turn on your computer and log on to what you think is the Wi-Fi provided by the business. Even more deviously, Darren can create a Wi-Fi signal called Linksys, TMobile, ATT Wireless or GogoInflight. If your computer has ever connected to those legitimate networks in the past, it will be fooled into thinking it already has permission to connect — and does so through Darren's router.

"Once you're on my router, I am the Internet. I'm the man in the middle, so I can see everything," said Darren. "I'm essentially your Internet service provider, and inherently, I can eavesdrop and even change data on the fly. And when I see you're going to a bank, I can serve up my own [site] that looks and feels in every way like the bank's site."

And that's how he got my info. I thought I was going to a legitimate bank, but really it was Darren serving up an easily faked version of the site.  It looked exactly the same as the real bank's site.

Bottom-line: if you must do sensitive web browsing over a Wi-Fi network in a public place you should be very sure you know that the Wi-Fi is actually provided by the business and being passed through their router. It should be encrypted so you need a password to log on. And finally, do you trust the business and its employees? There are enough risks that when I ask Darren if he would log on to his bank this way he says "Absolutely not."

How safe is it to check your bank account from home?
Answer: Safe, but be sure your computer is virus free
If you are connecting to the Internet at home over a Wi-Fi router that's encrypted with WPA2 security, you should be safe to log on to your bank.

BUT… big caveat! Are you sure your computer is virus free? Computer viruses are getting more devious about specifically targeting online banking information. The Zeus botnet has resulted in hundreds of millions of dollars funneled out of consumer bank accounts. If you have any doubt about the security of your home computer, it may be time to get serious about disinfecting it and protecting it with an antivirus program if you want to bank online without anxiety.

Is it okay to bank on your phone?
Answer: Yes, but…
Phones using Wi-Fi to connect to the Internet are susceptible to hacks just like the Wi-Fi café hack Darren demonstrated. But phones using cellular data networks for their connection are MUCH harder to fool. It's not impossible. As Darren points out, he replicated the café's Wi-Fi with off-the-shelf router equipment. It's much harder to replicate a cell phone tower.

The biggest caveat for checking your bank account on your phone is to consider what would happen if the phone fell into the wrong hands. The financial and identity information on your phone has now become more valuable than the hardware itself, so thieves are getting much more sophisticated about mining bank and personal data from mobile devices. So keep a password screen lock on the phone and have a remote wipe program so you can delete all data if your phone is lost or stolen.


8 Privacy Threats Worse Than Google
Sat, 05 May 2012 15:57:25 GMT
http://www.thestraighttalkexpress.com/security-blog/8-privacy-threats-worse-than-google

Google's privacy policy tweaks this week caused a fresh flurry of outrage. But Google should not be your top privacy worry.

Thomas Claburn | March 03, 2012 09:10 AM

Google has taken a lot of heat for combining several dozen privacy policies that few people ever read into a single set of rules that people might actually glance at, even if they don't really want to bother with the specifics.

The outcry is both appropriate and ridiculous.

Worries about online privacy are appropriate because online privacy is terrible. Remember Facebook's Beacon ad targeting system, which caused similar controversy in 2007? Well, read Google's new privacy policy, the part about pixel tags.

Google explains, "A pixel tag is a type of technology placed on a website or within the body of an email for the purpose of tracking activity on websites, or when emails are opened or accessed, and is often used in combination with cookies."

That's basically what Facebook's Beacon system did. But it's not just Google doing this, it's pretty much every online ad company and major Internet service. Get ready for the Soylent Green moment: The information economy runs on your information.
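As an added illustration (not part of the article or of Google's policy text), here is a small detector that flags probable pixel tags in an HTML e-mail body, the kind of tracking image the policy describes. The sample message, the host names and the list of identifier query keys are constructed assumptions, not a standard.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample e-mail body (not from the article); hosts are placeholders.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello Alice, here is this week's newsletter.</p>
<img src="https://cdn.example.com/images/banner.png" width="600" height="120" alt="banner">
<img src="https://track.example.net/open.gif?uid=4f2a9c&amp;msg=1187" width="1" height="1" style="display:none">
<img src="https://track.example.net/o?c=newsletter" width="0" height="0">
</body></html>"""

# Query keys that commonly carry a per-recipient identifier (assumed list, not a standard).
IDENTIFIER_KEYS = ("uid", "rid", "u", "mid", "msg", "eid")

class PixelTagFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels.

    Heuristics: the image is at most 1x1 pixel ("tiny"), is hidden by inline
    style ("hidden"), or its URL carries a recipient identifier ("identifier").
    """
    def __init__(self):
        super().__init__()
        self.pixels = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute names arrive lowercased
        src = a.get("src", "")
        reasons = []
        if a.get("width", "").strip() in ("0", "1") and a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if any(k in parse_qs(urlparse(src).query) for k in IDENTIFIER_KEYS):
            reasons.append("identifier")
        if reasons:
            self.pixels.append((src, reasons))

def find_pixel_tags(html):
    """Return [(src, reasons)] for every image in `html` flagged as a probable pixel tag."""
    finder = PixelTagFinder()
    finder.feed(html)
    finder.close()
    return finder.pixels

if __name__ == "__main__":
    for src, reasons in find_pixel_tags(SAMPLE_EMAIL_HTML):
        print(src, "->", ", ".join(reasons))
```

A mail client that blocks remote images by default defeats the "open" signal entirely; this detector only shows which images would have reported it.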


But worries about online privacy are ridiculous because we don't really want privacy. We want to feel like we're in control, whether or not we are or can be. We want a property right in the information we generate and passively express. You'd better hope that we never get that far because there won't be any information economy after that.

Privacy doesn't sell, at least beyond those in the market for tin foil hats. I've lost track of the number of companies that have tried and failed to sell privacy as a product. It doesn't sell because we'd rather be connected and share, because we'd rather have advertisers subsidize online services, and because it's difficult to place a value on privacy.

Worries about online privacy are ridiculous because much of the hysteria comes from companies using fear mongering to compete, from lawmakers who don't understand technology, and from interest groups with ties to industry. Real cases of privacy-related harm are few and far between. Remember the Borings, the couple in Pennsylvania that sued Google for photographing their property with a Street View car? They settled for $1. Google paid too much.

In a more recent Street View privacy-related lawsuit, a French man is suing Google for capturing an image of him urinating in his yard. Although his face was blurred, locals apparently recognized him. Maybe Google will have to shift to full-body blurring, to protect the privacy necessary to relieve oneself in public.

Worries about online privacy are ridiculous because we're so schizophrenic about privacy. Google has to blur the face of people captured in Street View images, yet these same people are probably present in the backgrounds of tourists' pictures and video posted to countless social-sharing websites. We surrender our privacy to our employers and yet accept that companies have a right to operate without much scrutiny. We submit to invasive body scanning at airports and become indignant at the thought of seeing ads tailored to our interests.

Though Google consolidated its privacy policies to allow it to generate more ad revenue by delivering more relevant ads, it also is offering what it believes is a better experience. So before you take up arms against Google, which is mainly trying to make enough money to pay for all those videos you're uploading and watching on YouTube, here, in no particular order, are a few privacy violators to worry about.

1. Shoulder surfers. Remember, you don't have much privacy and you have even less sitting in a cafe or on a plane where people can see your computer screen.

2. Hackers. No computer user with an Internet connection is immune from hacking, but you can mitigate the risk by choosing strong passwords and using two-factor authentication. Sure, it's a pain, but assuring that your computer is secure will help you maintain your privacy.

3. Other people. When things are going well in a relationship or friendship, it's all about sharing. When things turn to divorce, child-custody battles, or other disputes, you might realize that your enemies don't adhere to privacy policies. And even your friends might cause problems, posting pictures or sharing email messages that don't portray you as you wish to be portrayed.

4. Governments. If you're more concerned about what Google knows than you are about what governments know, consider whether any government is more true to the "Don't Be Evil" motto than Google. Who watches the watchmen?

5. Credit bureaus. Unlike what consumer credit companies know about you, what Google knows about you probably never prevented you from getting a loan.

6. Information vendors. Google might be able to point people to a lot of public information about you, but companies such as Intelius, when presented with an email address, will produce a report that includes a person's name, address, residential and cell phone numbers, and location details.

7. Your employer. Google is reasonably specific about the information it collects and it allows users a fair degree of control over that information. Your employer probably has a record of all the websites you've visited while at work and access to your work-related email. Before you sue for employment discrimination or back pay, be sure your own conduct online at work has been beyond reproach.

8. You. Google can collect only a limited amount of information if you haven't signed in to your Google account. And the company provides plenty of tools for limiting the information it stores. Have you done your part to protect your privacy? Here's a first step in the journey toward privacy awareness: Keep your voice down when talking on your mobile phone.

The list could go on. Insurers, retailers, ISPs, developers, telecom companies, electric utilities, grocery stores, and anyone rifling through your garbage might know more about you than you realize. Frankly, if Google's tracking is your major concern, you probably have very little to worry about.

That doesn't mean privacy isn't worthwhile. It's just complicated. We should expect and demand that companies are straightforward about how they're using information. Here Google and other businesses need to do more, to be more specific about how they leverage data. But we should not expect them to turn a blind eye to the information we don't take the trouble to protect, particularly if they make a good faith effort to be transparent and involve us in the process.

Trust as much as you have to, verify what you care about, block where necessary, and try to find your own personal comfort zone in the information economy.

New privacy rules might sound appealing, but they probably won't be very effective. Advertising has a way of surviving. And in the event it doesn't, guess who'll end up paying?
