No wonder people are confused by security…

Wednesday, November 2nd, 2011

The Met Police can feel justifiably proud of themselves, with an investigation leading to the jailing for many years of a pair of criminals who attacked computers with malware to steal £3 million from UK bank accounts.

Excellent news; high-fives to everyone involved. However, the force’s communications team slightly tarnished the win with some rather confusing advice on internet security.

(more…)

Are security breaches really bad PR?

Monday, June 20th, 2011

There’s a general belief in the security industry that being hacked is bad for business: it makes your firm look careless and will cost you customers.

I’ve always wondered if that’s true. Will Sony lose gamers’ hearts because it lost their password details? Will Citi Group, Sega, or any other recent target go out of business over a hack? Or is the PR fallout from a breach not actually as bad as the security industry says?

(more…)

What LulzSec logins reveal about bookworms

Thursday, June 16th, 2011

Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. But don’t panic: I’ve been through the list and I can confirm that none of my details have been compromised. So far.

Not everyone has been so lucky, though. As I write this, unscrupulous voyeurs around the globe are sifting through these compromised email accounts looking for… well, whatever they can find. We’ve heard of people finding login details for social-networking sites, online-dating services and even porn sites.

Here at PC Pro we can’t condone such behaviour, fascinating though it would doubtless be to gain such an insight into a stranger’s private life. Happily, the email addresses and passwords themselves are quite revealing.

(more…)

Microsoft wakes up to cold-caller scam – what took it so long?

Thursday, June 16th, 2011

A Microsoft press release that landed in my inbox this morning has left me fuming. “Microsoft Survey Warns of Emerging Internet Phone Scam” reads the headline.

The “emerging” phone scam it’s referring to? The swindle that sees conmen cold-calling computer owners, telling them they’ve got a virus on their PC, fleecing them for hundreds of pounds to remotely “repair” non-existent problems and installing God knows what on their PC in the process. The very same phone scam that PC Pro was the first publication to uncover in March 2010.

Why it has taken Microsoft 16 months to wake up to this problem is bewildering. Especially as we alerted Microsoft’s press office to the fact that these con artists were often pretending to be Microsoft and splashing Windows-style logos all over their websites when we broke the story last March.

(more…)

How a cheap graphics card could crack your password in under a second

Wednesday, June 1st, 2011

I was pointed in the direction of a blog posting talking about the use of GPU processors to launch brute-force attacks on passwords. GPUs are extremely good at this sort of workload, and the price/performance ratio has changed dramatically over the past few years. What might have seemed impossible even 36 months ago is now perfectly do-able on your desktop computer.

In this report, the author takes a fairly standard Radeon 5770 graphics card (you’ll find it on our A-List under Value Graphics Card), and uses a free tool called ighashgpu to run the brute-force password cracking tools on the GPU. To provide a comparison point with the capabilities of a standard desktop CPU, he uses a tool called “Cain & Abel”.

The results are startling. Working against NTLM login passwords, a password of “fjR8n” can be broken on the CPU in 24 seconds, at a rate of 9.8 million password guesses per second. On the GPU, it takes less than a second at a rate of 3.3 billion passwords per second.

(more…)

Why Android owners shouldn’t worry about Metro’s front page splash

Wednesday, May 18th, 2011

Today’s Metro has a spectacularly sensationalist headline (that’s now been changed on the website) screaming from its front page: “Android phones ‘all leak secrets’”. That’s potentially worrying if, like me, you’re an avid Android user – after all, if I wanted my phone to be less private than Jordan’s holiday, I would have bought an iPhone (only joking Apple lawyers).

According to Metro, “almost all” Android phones are vulnerable to a problem that allows “criminals to steal users’ personal information”. That’s done, theoretically, by hackers using unsecured Wi-Fi networks to gain access to the data contained within your phone’s Calendar and Contacts applications, according to researchers at Ulm University, in Germany. (more…)

Where hacked Sony went wrong, and Lastpass got it right

Friday, May 6th, 2011

Unless you have been living in Osama Bin Laden’s old cave, you can’t have failed to notice that Sony is having a bad time of it right now.

First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been plenty written, including some excellent editorial here at PC Pro, covering the what and why of the breach, so there is little point me going over that again.

I’m more interested in how Sony responded after discovering the breach. Did the gaming giant get it right regarding disclosure in this case? Is the Pope a belly dancer?

(more…)

The nightmare of Patch Tuesday for small businesses

Thursday, April 21st, 2011

More and more businesses are dreading that Tuesday every month when Microsoft release a bunch of security patches and updates.

Patch Tuesday should be a thing to look forward to, of course, seeing as it’s when the latest round of application and operating system vulnerabilities get a nice big sticking plaster to protect your systems and data from exploit. The trouble is that when, as with the latest Patch Tuesday, there are no fewer than 17 security bulletins (nine rated as critical) covering a whopping 64 vulnerabilities –  many of the patches requiring a full system restart – it all starts to become something of an IT management nightmare. Especially for the smaller business where there isn’t an IT manager or even an IT department to handle such things.

The vast majority of smaller businesses that I talk to are not IT savvy, they get by and rely upon the systems and software they are supplied to do their job. They don’t switch browser to Firefox or Chrome, they run Internet Explorer because that’s what everyone else uses and it came with the box. What’s more, they often run an older version of Internet Explorer as they apply the “if it ain’t broke” rule. Wrongly in the case of older versions of IE, of course, which are broken from a security perspective.

(more…)

Waiting for the Epsilon email attacks to start

Thursday, April 14th, 2011

You’ve already doubtless noticed that email marketing outfit Epsilon had fallen victim to a data security breach. US-based Epsilon, a third-party marketing company that sends out emails to customer addresses supplied by well known businesses all over the world, admitted on 30 March that its email database had been hacked.

While only customer names and email addresses were compromised, and then only concerning around 2% (or 50 companies in total) of Epsilon’s client base, the ‘your email address has been compromised’ warnings have been rolling in thick and fast: Hilton Worldwide, Mothercare, Capital One, Barclaycard and Marks and Spencer to name but a few.

But while the security breach itself is serious, it’s tempting to think that the fallout won’t be. After all, what can someone do with your email address and name? The truth is that I expect the Epsilon email attacks to start coming thick and fast, just as soon as lists of names and email addresses tied to specific retailers and businesses have been compiled and sold on the underground criminal market.

(more…)

Eclipse Antivirus: one product we definitely do not recommend

Monday, April 11th, 2011

To judge by its website, Eclipse Antivirus must be an astonishing piece of security software. Not only has it won awards from most of the British tech press, it’s won three from PC Pro alone – including a slot on our A List. The feat is even more impressive given we’ve never heard of it.

This is, it seems, yet another attempt to con people into using fake antivirus software. Last year, we were the first to report on a scam that saw conmen ring unwitting victims, telling them they have a virus on their PC and then convincing them to part with their credit-card details to  install remote access software to “remove” it.

(more…)