Boiling Like Frogs

Since completing my recent whirl-wind conference schedule, I have been battling a severe throat infection that just won’t go away.  I could count on one hand the number of times I’ve been actually SICK in the past ten years, but this has been one of them!  Started today on a more potent antibiotic… so hopefully this will be short-lived now.

 

Wanted to (last week) send you this article… but just didn’t have the fortitude to type it all out… (still don’t to be perfectly honest)… but here goes anyway….  I will post a follow up to this article tomorrow… so please take the time to read both… as both go hand in hand for what I am recommending everyone take action on at this time.

 

You must have heard the story about the frog that sits in a pot of water that is gradually heated. The process is slow and the frog doesn’t notice as the temperature inches up, even when it gets quite hot. Finally, it is too late and the frog is boiled.  Well, we are all frogs in the computer security pot and it is getting awfully hot.

 

The manufacture and application of malware is no longer the province of script kiddies, thrill-seeking hackers, and occasional malcontents. It has passed into the hands of professionals who are in it for the same reason as bank robbers- money. These people are in the full-time business of removing your wallet. They are located all over the world and are almost impossible to prosecute (if they are ever caught). Not only do they use sophisticated programming but like other types of con men they are masters of psychology and social engineering.

 

It isn’t just individuals who seem to be ignoring the rising heat. Institutions like banks have been shameful in their neglect of basic security practices. It’s the old story of human behavior when faced with an unpleasant prospect. They hope it’ll go away and they won’t have to actually confront the situation. Security is too much work. Security is inconvenient. Security is unpleasant. Security costs too much.

 

Well, the problem is not going away. It’s only going to get worse; there are too many easy pickings for the international gangs.  The statistics that get reported are very discouraging. There’s no way of knowing the true numbers but various studies show that maybe 10 to 20 percent of PCs (or more) contain malware. Much of this is some form of Trojan horse that makes the unwitting owners of the infected zombie computer part of “botnet” rings. Even a small number of infected machines is a problem. The Internet is like a giant organism with low resistance and a few infected machines rapidly multiply their numbers.

 

In my opinion, this is a situation that is rapidly getting out-of-hand. It’s a mess that gets more complicated by the day. You are supposed to have a vast collection of software to guard you. You need a firewall. You need anti-virus, anti-Trojan, anti-spam, anti-phishing, anti-spyware. And of course, all of these programs don’t always play well together. Yes, you can get suites but so far there is no suite without at least one or more inferior components. All these things running in the background result in a big hit to system performance. Next, you need constant security updates for all of this. And you also need security fixes for all kinds of other applications. You need to update Windows. You need to update your browser. You need to update Microsoft Office. You need to update Flash, You need to update Java. And so on. Then there is the problem that not everybody bothers to update. The software companies are trying to make the updating as automatic as they can but the statistics on the results are not good.

 

Everyone gets “patch fatigue”. We’re numbed by the constant drumbeat about new malware. Even businesses with full-time IT staff have a hard time keeping up. The fact is, even with constant updating, systems are still vulnerable to so-called “zero-day” and undocumented exploits.

 

Moreover, it’s not just the PC that is a problem. People are becoming more and more connected. Cell phones, iPods, Blackberrys, and other similar instruments are ubiquitous. The criminals are not neglecting these fresh pastures.

 

I could go on and on with the lamentations and hand-wringing but all that becomes a bit boring.  Let’s look at possible answers.  We have to begin with the sad fact that our fellow human beings are not to be trusted. Most of us are basically decent and responsible people who do not steal or enjoy vandalizing other people’s computers. We would prefer to be able to use the Internet in a spirit of community and trust. Unfortunately, there are always hoodlums, charlatans and sociopaths waiting to take advantage of our trust. So we have to stop believing everything we read on the Internet. We have to treat all emails as possibly suspicious and never click on any links they contain. We have to regard unfamiliar Websites as potentially dangerous. We must test anything we download before we install it to see if it is malware. We have to trust less and verify more!

 

Also, there is no getting around the fact we must give up a lot of convenience. There is a clear trade-off between ease-of-use and security. Locked doors are less convenient to use than open doors. For example, online operations like banking will have to involve longer procedures. Security can be tedious but we must learn to live with computers that are harder to use. Reports on the Web about the annoyances of the new security features in Windows upcoming release of Vista illustrate that point.

 

Some people (usually officials who want headlines) suggest that more laws are the answer to the security problem so they urge or pass laws against Internet fraud. These efforts are so pathetic that I have to wonder how seriously the law-makers really take them. There are plenty of laws against fraud already. Does anyone really believe they are going to deter the gangs in places like Uzbekistan, and Iran, and Russia? However, if the legislators want to pass laws, there is a very important way they could help. Let them make fiduciary institutions like banks more responsible for security breaches. At present these institutions are woefully inadequate in guarding your personal data or in guarding against phishing. (There are some exceptions like Bank of America and Vanguard.)

 

If your identity is stolen, the burden is on you, not the bank. Let the legislators pass laws making the banks, stock brokers, etc. responsible for losses due to identity theft. Make them responsible for safeguarding your personal information. Make the institutions liable and then you’ll see a lot more security. Of course, this will cost money and make things like online banking less convenient but it has to be done. As long as it is really easy to steal somebody’s account information, thieves will thrive. As of now, institutions haven’t the incentive to do much about it.

 

I also believe the current notion that the PC should be an all-purpose machine with the same basic type being used by everybody from grannies doing email to big businesses with large applications is fatally flawed. Microsoft, Intel and Dell have a big investment in this model so we are probably stuck with it for a while but it makes no sense. A whole lot of the people who use computers at home simply don’t need the power and flexibility of the current PC and they are completely unprepared to do many of the security measures that these systems require. I deal with a lot of ordinary people who have little understanding of Windows and no interest in learning details about how a PC operates. They want something that works like their other appliances. They want to turn the PC on, do some email, surf a little and that’s it. The needs of this large section of the PC users could easily be met with a machine that is a lot safer and easier to use than the present PC type. It would also be cheaper and that’s the rub; there’s no money in selling a box with limited functions. Unfortunately, these average users are the very people who are the biggest security problem.

 

What about the defenses right there on our own PC? Can we improve them? Previously, I’ve written about “Do We Need a Paradigm Shift in Anti-Virus and Anti-Spyware Protection?”, where I suggested that the reactive approach with anti-everything software was clearly not working. The solutions mentioned in the previous article included using virtual machines and I think that may be the best practical solution.

 

There are various ways to configure your Internet browser to make your computer safer but that’s a subject that involves technical details and will have to wait for another time. Meanwhile, don’t let the scalawags out there ruin your enjoyment of the wonderful world of the Internet.

 

Tomorrow… I will continue this thread with a suggestive measure you can take now to help with your spam dilemma, which in turn will solve many other dilemmas for you as well.

 

Until then….

 

Ed

 

Care to comment on this article?  Your comments are welcomed below….

 

 

Watch Out for Phishing Scams

This is just a reminder to be on your guard at all times for Phishing Scams that try to bait you in to giving information about yourself or your security.

 

One that seems to never stop is the Pay Pal scam.  (No wonder.. look how many Pay Pal accounts there are worldwide!)  It looks something like this:

 

Your Billing Information! 

    

Dear PayPal Member,
It has come to our attention that your PayPal Billing Information records are out of date. That requires you to update the Billing Information.
Failure to update your records will result in account termination. Please update your records within 24 hours. Once you have updated your account records, your PayPal session will not be interrupted and will continue as normal. Failure to update will result in cancellation of service, Terms of Service (TOS) violations or future billing problems.
You must click the link below and enter your login information on the following page to confirm your Billing Information records.
You can also confirm your Billing Information by logging into your PayPal account at http://Don’tClickTheseLinks!
  

Thank you for using PayPal!
The PayPal Team

 

Just use common sense folks, and remember, Pay Pal, eBaby, nor any bank, will EVER ask you to update your account via email.
Ed

 

Pay Pal (and other) Spoofs

The SPOOFS continue making the rounds.  If you have not received a notice from what APPEARS to be “Pay Pal”, or “Amazon Books”, or “EBay” (or one of a dozen others) saying something like:

Unauthorized access to your PayPal account!
We recently noticed more attempts to log in to your PayPal account from a foreign IP address.

We recently noticed more attempts to log in to your from a foreign IP address.If you accessed your account while traveling, the unusual log in attempts may have been initiated by you. However, if you are the rightfull holder of the account, please visit Paypal as soon as possible to verify your identity…

…followed by a bogus URL… then you probably will. 

If you’ve already gotten one (or like me, a dozen or more) of these… then HOPEFULLY you have ignored or deleted them and NOT clicked on any of the links in one of these bogus emails.

 

My advice.. when you get one of these… either delete it and just move on… or do as I do and forward them to the respective site’s tech crew for investigation.  I send every one of these I get on to the following addresses for them to investigate (and hopefully, eventually shut these jerks down!)

Spoof@PayPal.com

Spoof@EBay.com

Spoof@Amazon.com

Open the FULL header before you forward the entire email to the company in question, and remember… these guys… NONE OF THEM, will EVER ask you to access your account with a direct link in the email…  nor will they EVER ask you for your account information via email.

When you get one of these… KNOW without question, that it is a spammer trying to sucker you in.

Be smart.  Don’t fall prey to these tricks!

Have a good week!

 

Ed

 

 

If You’re Getting These – Beware!

I received another one the other day (one of three or four I’ve gotten now).  An email with the subject: “Please update your contact information.” Apparently this is some type of service being used (in this case) by a client.

I’ve received other requests from other “services.” I continue to trash them all. I don’t care if I do recognize the person using the service. Here’s why …

The email states:

————
I am using Zoovy, Inc.’s contact management system to update my contacts.

Please take a few moments to verify your personal information. If something is not listed or is incorrect, please click on the URL below to update your information.
————

It then shows a little box with personal and business addresses, personal and business telephone numbers, including cell, a fax number and three email addresses.

On mine, only one of the email addresses is filled in. A link is included where I should go to fill in the rest of the information.

Okay – who the hell is Zoovey, Inc.? I went to the link to see.

At the indicated link, I found nothing but a form for you to fill in all that information. PLUS more that wasn’t in the email, such as company name, job title, mobile phone number, web address and IM address.

Nothing too sinister about any of that except there was nothing else! Nothing! Nada! Just the bloody form!

I removed everything but the domain name from the link and went to the home page. There, I found nothing but a login form and the word “Webmail.”

So, detective that I am, I checked the domain name in the whois database. Found it registered at GoDaddy and the only registrant information showing is FuseMail, LLC – NOT Zoovey, Inc.

So, who the hell is FuseMail, LLC?

Now we have two company names requesting contact information through a web site that hides all its own contact information! I’m sure in a big hurry to give them mine. (Not on your life!!)

For all I know, this could be a real service. But, how would I know? And, even if all the company information was available to me, why would I give mine to them?

I’m certainly not going to hand it over to some anonymous company that may be, for all I know, be gathering large lists and selling them to spammers, telemarketers, or any other pond scum.

Anyone who wants my contact information can find it on my web site.

Have you gotten any of these?  If so, BEWARE!  DO NOT fill these things out.  You are opening yourself up to nothing but T-R-O-U-B-L-E!

Comments?

Ed