
Ask the IT Guy! - Internet Safety, Part 2

This is part 2 in a series on Internet Safety.

How You Get Owned, Part 2

In Part 1 of this series, I told you that the Internet, for all its glory and cat photos, is a very creepy place full of creeps.  I also told you that if you don't want to get "owned", meaning, if you don't want someone taking control of your stuff, you should use strong passwords.  That's among the very least you can do to protect yourself.  But having a strong password sometimes isn't enough - sometimes you just need to be aware of your surroundings.

Phishing has been a media buzzword for quite some time now.  Phishing doesn't refer to the Birkenstock-wearing jam band; rather, it refers to an attempt by an attacker to steal your information by pretending that they're a trustworthy source.

 

Example:  Your "Bank"

The most common example is when someone claiming to be your bank, your credit card company, or anyone else who says they want your money sends you something like this:

Dear Valued Member of BigBancorp,

We received word that your account might be hacked.

To resolve this, please log into http://bigbancorp-owned.com/v/verify/login.shtml

Thank you kindly,

Sincerely -

BigBancorp Security Department

 

What's wrong with that?

Right away I can tell a few things wrong with this.  For one, I don't bank with BigBancorp - but maybe millions of people do.  If the attacker sends this out to a million people and just .01% are suckered into giving their info, now this attacker has 100 accounts to work with.

 

  • None of my personal info is in that e-mail.

Check any legitimate e-mail you've gotten and you'll notice that most financial institutions will at least say, "ACCOUNT ENDING IN XXXX".

Here, there is no specific account information about me from "BigBancorp".  That's because attackers don't have that info about me at this stage, but they will try to make it look as believable as possible to dupe me into giving them the keys to the castle.

  • The link to their login page is using HTTP instead of HTTPS.

This is one that still slips in unnoticed.

'https' creates an encrypted connection between you and the server that you're performing a transaction with, so your passwords and your information are generally pretty safe while going over that type of connection.

When a site uses the standard "http" prefix in its URL, every bit of information flowing from your computer over the wire to its destination travels in open plaintext for the world to see.

"What does that mean," you might ask? It means if I were capturing traffic on your network while you put your password in on a site that used 'http' instead of 'https', I could then analyze your traffic afterwards and read your password in plaintext from one of the packets that got sent.  

Scary, right?  That complex password we talked about last time won't mean jack if you're just willing to give it up to me that easily.

For giggles, check your bank's website.  If their login page is not using https, consider banking elsewhere.

 

Today's Takeaways:

  • Phishing is when an attacker sends you something to make you think they're really your bank, Chase, Amazon.com, or any other retailer, credit card organization, etc.
  • Phishing can lead to an attacker getting your username and password combinations for whatever site they're pretending to be
  • Phishing can also send you to a site where malware will be installed on your computer without you knowing anything about it
  • People get owned by phishing scams EVERY DAY.

 

The good news?  In many cases your web browser knows what a phishing site looks like, so it will try to save you from yourself.  But your browser can't do all of your thinking for you -- you need to be smart, and be aware of what you're doing online.

Links can very easily be forged.  Just because it LOOKS legit, doesn't necessarily mean it IS legit.  Hover your mouse over the link and check out the bottom left of your browser.  It should give you the TRUE link location.

 

What can I do about it?

Yes folks, you too can avoid being a statistic for phishing scams! 

  • Don't click on links from people you don't know, especially shortened links from places like 'bit.ly' or 'tinyurl'.
  • If you think an e-mail from your bank/merchant is fishy - well, it probably is.  Check with them directly - never be afraid to ask.
  • Always check for https when you're sending passwords, credit card info, financial info, or anything else that's sensitive.
  • Keep your browser, and your operating system up-to-date with security patches.
  • BE SMART.  Use your best judgment, and common sense.

Stay tuned for Part 3 of "How You Get Owned" - as always, questions, comments and suggestions are welcome!  Thanks for reading.

david mokal

4:11 pm on Friday, June 29, 2012

Very good info. When TJ Maxx and Marshalls got hacked they used Keylogging. I read that they actually use a plastic pipe hooked to an amplifier microphone and another device to the computer. They could hear each click of the key at the register through the plastic pipe. You can buy a code breaker at any short wave radio store. We used them to translate Morse Code dits n dots into letters. I was shocked how easy this was. Thank you for your important info Michael.


Mike G.

1:20 am on Saturday, June 30, 2012

You're close - what the attackers did for the TJ Maxx breach was they sat outside a TJ Maxx store in the parking lot, and using a laptop with a wireless card, they were able to intercept the wireless signals from TJ Maxx's registers, and then steal the credit card records from there. The reason the attackers were able to get onto the wireless network is because the TJ Maxx wireless network was using WEP encryption instead of the sturdier and stronger WPA/AES.

In 2007, researchers at a German security company were able to crack WEP in THREE SECONDS with a computer that by today's standards would be pretty slow: http://news.techworld.com/security/8456/researchers-crack-wep-wifi-security-in-record-time/

An important lesson that most everyone learned after this was that WEP was a horrifically insecure encryption method, and that it was no longer enterprise-grade security.

Claire Murray

7:38 am on Saturday, June 30, 2012

This is a good blog column for the public Michael. Too many people are unaware of how to surf safely and why they should do the things that we now say are SOP. Keep blogging!


Mike G.

3:04 pm on Saturday, June 30, 2012

Thanks! And thanks for reading!

david mokal

10:58 am on Saturday, June 30, 2012

I read somewhere just recently in the news that you should never purchase a gift card that is on a display outside the counter. Just like a credit card, they can swipe the gift card and retrieve the info.


Mike G.

2:57 pm on Saturday, June 30, 2012

That's actually a pretty clever scam that people run on those 'pre-loaded' gift cards. What they do is they scan the barcodes of the first few gift cards on display. Then, a few days later (presumably after they've been bought), they call the customer service number to check if the gift card they've targeted has been activated. Then, they use those gift cards online where you don't need to present the card to the cashier.

Stores have widely taken measures to defeat this little trick by having the customer scratch off a PIN to collect the value of the card. So if you see a gift card at the register with a little scratch area to scratch off a PIN, you're using a good card. If you see a card at the register with the PIN scratched off, let the manager know.

Thanks for bringing that up, David, and for reading!
