How PayPal is perpetuating the phishing problem

Friday, February 15th, 2013

Phishing has been a problem for years, with ne’er-do-wells sending emails stuffed with links to lure you into typing passwords into their mocked-up sites resembling your bank or some other service.

With the criminals making fewer stupid grammatical errors and getting better at designing mocked-up sites, the one rule of thumb recommended by banks and security experts is to not click through links in emails from companies without checking they’re safe — and if in doubt, to head to the site directly to log in.

(more…)

How much does cybercrime cost the UK? Not £27bn

Tuesday, February 12th, 2013

Judging the success of the UK’s online security strategy is difficult, a government agency has reported – and it’s no surprise given it’s using debunked statistics.

The National Audit Office (NAO) has today released a report examining the government’s£650m cybersecurity strategy, looking to judge whether or not it’s working and offers good value for money.

(more…)

The world’s worst phishing attack

Tuesday, January 8th, 2013

It’s not often I get actual, handwritten mail sent to me at the office, let alone from South Africa. So I was intrigued when the envelope above landed on my desk yesterday. Was it an invite to come and meet Nelson Mandela? Fan mail from afar? No, it was the worst phishing attempt in the history of mankind.

(more…)

The USB stick that turns into a keyboard

Tuesday, December 4th, 2012

To Covent Garden, where James Lyne – director of technology strategy at Sophos – has been presenting a review of the security landscape during 2012, and a look forward to next year’s threats. The review is an annual event, and always entertaining thanks to Lyne’s bona fide geek credentials: this year’s talk included references to Anonymous masks, the obligatory Gangnam Style allusion and several exhortations to “[verb] all the things”.

Predictions for 2013 include increasingly sophisticated and targeted attacks, on mobile platforms as well as PCs. No surprises there. More interestingly, Lyne also expects to see a rise in ransomware, which locks away your files and provides the decryption key only on payment of a fee. So far, malware ransoms have typically been around the £200 mark, but Lyne reckons criminals will soon start to recognise high value targets (such as company CEOs) and demand much higher fees for the return of sensitive documents. He describes this type of attack as “irreversible”, as there’s nothing third-party software can do to recover your files if they’ve been strongly encrypted: the only defence is to keep backups. You’ve been warned.

The part of the talk that particularly struck me, however, relates to the little device pictured above, which Lyne demonstrated with glee. Fully assembled, it looks just like a regular USB flash drive. Or, from the internal microSD slot, you might assume it was some sort of card reader. In fact – believe it or not – it’s a keyboard. (more…)

How to compromise your web security in one stupid step

Tuesday, September 11th, 2012

Opinion is divided amongst the security experts about whether you should write down passwords or not — security guru Bruce Schneier is among the write-them-down advocates.

(more…)

DNSChanger a “damp squib”? That’s a good thing

Tuesday, July 10th, 2012

The DNSChanger server shutdown has come and gone, and it was nothing but a “damp squib”, a doomsday that “fizzled”, and not worth the headlines comparing it to the frenzied build-up around Y2K. The Daily Mail’s talented subs managed to shove most of that sentiment into a single headline: “Malware internet meltdown a bust as feared DNS Changer virus fizzles on ‘doomsday’.”

Uh, guys? It’s good when the internet doesn’t meltdown. Doomsdays, as should be clear from the name, are bad — when they “fizzle”, we should crack open champagne, not whine.

(more…)

How EKMPowershop leaks personal data

Thursday, July 5th, 2012

Online service providers have a duty of trust to protect the data we give them – but it appears that some take this more seriously than others. EKMPowershop.com is a long established, UK-based provider of ecommerce software and, just last week, I was signing up for trial accounts with all the major players, including EKM, as part of a forthcoming Real World column.

Imagine my surprise, then, at seeing the contact details of a complete stranger in my trial shop. At first, I thought this might be dummy data but, on emailing the person concerned (I could, alternatively, have rung her using the details EKM kindly provided) I discovered someone as shocked as me that her information was not as private or secure as she imagined.

Naturally, I contacted EKM’s support team but it’s now ten days later and the problem persists. I shan’t describe how to access these private details for obvious reasons but suffice it to say the only sensible response by EKM would have been to remove the trial functionality until the hole was patched.

(more…)

No wonder people are confused by security…

Wednesday, November 2nd, 2011

The Met Police can feel justifiably proud of themselves, with an investigation leading to the jailing for many years of a pair of criminals who attacked computers with malware to steal £3 million from UK bank accounts.

Excellent news; high-fives to everyone involved. However, the force’s communications team slightly tarnished the win with some rather confusing advice on internet security.

(more…)

Are security breaches really bad PR?

Monday, June 20th, 2011

There’s a general belief in the security industry that being hacked is bad for business: it makes your firm look careless and will cost you customers.

I’ve always wondered if that’s true. Will Sony lose gamers’ hearts because it lost their password details? Will Citi Group, Sega, or any other recent target go out of business over a hack? Or is the PR fallout from a breach not actually as bad as the security industry says?

(more…)

What LulzSec logins reveal about bookworms

Thursday, June 16th, 2011

Today the hacking group LulzSec posted 62,000 hacked email usernames and passwords online. But don’t panic: I’ve been through the list and I can confirm that none of my details have been compromised. So far.

Not everyone has been so lucky, though. As I write this, unscrupulous voyeurs around the globe are sifting through these compromised email accounts looking for… well, whatever they can find. We’ve heard of people finding login details for social-networking sites, online-dating services and even porn sites.

Here at PC Pro we can’t condone such behaviour, fascinating though it would doubtless be to gain such an insight into a stranger’s private life. Happily, the email addresses and passwords themselves are quite revealing.

(more…)