Tuesday, June 21, 2011

Social Network Scams: It's a Trust Thing


Illustration by Yevgeniya Mikhailik - www.yevgeniyadraws.com

One of the best things about having a solid network of friends is that you can rely on them for good advice and suggestions. As you may have noticed, this basic tenet of human behavior has been carried over into the online world of social networking, as exemplified by the proliferation of "Like" buttons on almost every website you visit. See that your friend likes a particular vendor you've never heard of? Maybe you'll check them out. This system deftly combines the social aspects of word-of-mouth recommendations with the online reality of modern commerce, and works great for both vendors and customers.

Of course, the key to the entire system is trust; namely, that you trust the advice of your friends. Without that, the recommendations and likes you see would be meaningless. But this raises an interesting point: in real life, a stranger cannot pretend to be someone else you know. What about online? Is it possible somehow that the avatar with your friend's name and face is... not who they appear to be?

Desperate to be Heard

The abuse of online social networks by advertisers, spammers, and hackers is becoming increasingly prevalent, and it's not hard to see why. The internet is a thriving community of individuals and businesses, all with one common goal: to get you to click on their stuff. Whether trying to make a sale, earn advertising revenue, or enlist you into a botnet army run by the Russian mafia, at the end of the day the equation is the same across the board: click = $.

When it comes to advertising, the most effective kind is word of mouth. Recommendations between friends are much more likely to generate clicks (or even sales) than advertisements from unknown sources, plus it doesn't require any direct capital expenditure. As a corollary, though, you can't buy word of mouth advertising. It just has to happen on its own. That's why it works, and why people are much more willing to listen to a friend's recommendation than an advertiser's: the information is coming from a trustworthy source.

Today, social networking websites allow word of mouth recommendations to happen much faster and travel far wider than they can offline, making them a great target for unscrupulous advertisers, spammers, and hackers who want to generate clicks (and revenue) by any means possible.

Likejacking

Have you ever seen a friend on Facebook post a link to a purportedly outrageous video ("LOL This girl gets OWNED after a POLICE OFFICER reads her STATUS MESSAGE," etc.), only to find that the link didn't work? Did the link seem a bit out of character for your friend anyway? They were probably a victim of "likejacking," and so were you if you clicked the link.

Whenever you legitimately "like" something on Facebook, your activity is sent to your friends' News Feeds. Spammers have found that they can embed invisible "like" buttons beneath links and buttons on Facebook, allowing them to trick you into "liking" something without your knowing it. This activity is then sent to your friends, who are then likely to check it out themselves, unwittingly "liking" the page in the process, ad infinitum.

Even worse is when one of these links leads you to a Facebook app page that requests permission to access your information and post content to your wall. If you're desperate enough to see that girl get owned by that police officer, you just might go ahead and click "Allow" (hypothetically, of course). The spammer can then continue to push their links to you and your friends without any further action on your part.

What's the point? Why trick people into virally spreading links on Facebook? It's not always obvious, but the bottom line is clicks: getting people to interact with content they otherwise wouldn't. The clicks themselves may be enough to generate advertising revenue for the person behind it, or the links could redirect users to malicious websites that attempt to download a virus or other malware to users' computers. Either way, by getting you to unwittingly send the link to your friends (who then send it to their friends, etc.), the attacker can guarantee a continued return on their investment.
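For anyone triaging a suspicious page, the invisible-button trick described above leaves a recognizable trace in the markup: a third-party frame that is rendered but fully transparent. The scanner below is an added example, not part of the original article; the sample page, its host names (page.example, social.example, video.example) and the 0.1 opacity threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they are not pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


def parse_style(style):
    """Turn an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            value = value.lower().replace("!important", "")
            props[name.strip().lower()] = value.strip()
    return props


def is_transparent(props, threshold=0.1):
    """True when the element still receives clicks but cannot be seen."""
    try:
        return float(props.get("opacity", "1")) <= threshold
    except ValueError:
        return False


class HiddenFrameFinder(HTMLParser):
    """Flags iframes from another host that are transparent, either through
    their own inline style or through the style of an enclosing element.
    Only inline styles are inspected; external CSS is out of scope here."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.stack = []      # (tag, hidden?) for every element still open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = is_transparent(parse_style(attrs.get("style") or ""))
        inherited = bool(self.stack) and self.stack[-1][1]
        if tag == "iframe" and (own or inherited):
            src = attrs.get("src") or ""
            host = urlparse(src).hostname   # None for relative (same-site) URLs
            if host is not None and host != self.page_host:
                self.findings.append({
                    "line": self.getpos()[0],
                    "src": src,
                    "hidden_by": "self" if own else "ancestor",
                })
        if tag not in VOID:
            self.stack.append((tag, own or inherited))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan(html, page_host):
    """Return one finding per hidden third-party frame in the markup."""
    finder = HiddenFrameFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a visible video embed, a transparent third-party frame
# stacked over a link, and a hidden same-site frame (not flagged).
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example/embed/123" width="560"></iframe>
<div style="position: relative">
  <a href="#">Click to play</a>
  <div style="opacity: 0; position: absolute; top: 0; left: 0">
    <iframe src="https://social.example/plugins/like?href=page.example"></iframe>
  </div>
</div>
<iframe src="/ads/banner.html" style="opacity: 0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE, "page.example"):
        print(finding)
```

Visible embeds and hidden same-site frames are deliberately left alone, since both are common on legitimate pages; it is the combination of "invisible" and "someone else's content" that matches the scam.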

Account Hacking

Even worse is when hackers manage to take complete control of users' accounts. Last year, a Russian hacker tried to sell the login credentials of 1.5 million stolen Facebook accounts. Though he did manage to sell roughly half of them, it's dubious as to whether they were all unique, or merely an amalgamation of repeated information.

Either way, criminals were willing to pay real money for this information, and the reasoning is the same as before: to infiltrate a network of trust. With complete control of users' accounts, the criminals who bought the stolen credentials could have messaged the users' friends with links to malicious websites with viruses, trojans, or other types of malware. By posing as someone trustworthy, they could have easily gotten many, many people to fall victim to the attack.

What to Do

Your first and best line of defense is knowing that things like likejacking and account hacking can even happen. Remember: a scammer might be able to gain some control over a friend's account, but your friend's behavior and personality cannot be so easily mimicked. If a friend posts a link that seems out of character, or writes you a message that seems strange, it might not really be them. Of course, your friend might just be having a weird day. Either way, message them to see if their actions were intentional. Of course, if it's obvious that their account has been hacked, you should let them know as soon as possible. Aside from the danger their compromised account poses to them and others, these kinds of incidents aren't exactly the best for their reputation.

Also, and as a general rule, be wary of installing Facebook apps you don't completely trust. If you click on a link to a video or online quiz that asks to access your account information, post information to your wall, and see your friends list, don't do it. Generally speaking, this is what Facebook quizzes and apps are all after in the first place: access to your account. By giving them permission, you're just enabling them to spam you and your friends with potentially harmful content. When in doubt, just say no.

Even more importantly, you certainly shouldn't download any software, video players, etc. from websites that you are directed to by a Facebook link, especially if you were lured in by promises of a funny video or other 'viral' content. These kinds of things are almost certainly a front for a virus or other malware, the consequences of which will render your compromised Facebook account the least of your worries.

As a precaution against unauthorized use of your account, you can have Facebook notify you when an unrecognized device logs in as you. To enable this feature, go to Account > Account Settings > Settings Tab > Account Security. You can even require a passcode be sent to your phone and entered along with your login information before a new computer can be used to access your account (a nice feature for the paranoid, an inconvenient one for anyone who logs into their Facebook account away from home). Personally, I think these features are a bit excessive, and should only be used by individuals who need to be absolutely sure that no one else is masquerading online as them.

Already a Victim?


If you think you've been a victim of likejacking, check your profile for any recent activity involving suspicious links or posts, as well as unwelcome entries under your likes and interests. If you see anything that shouldn't be there, delete it. Also disable any rogue Facebook apps you may have installed along the way by going to Account > Privacy Settings > Apps and Websites (Edit your settings) > Apps You Use (Edit Settings).

If you think your account has been hacked, change your password immediately. If you use the same login and password for other websites (a bad idea, as to be discussed in my next article), you should change those as well. Fortunately hacked accounts are generally one-off events; once you change your password, you should be safe.

Also, try taking the Facebook Security Quiz. The answers to the questions are pretty obvious, but the tips they offer underneath each question after you answer are pretty good, and are worth reading.

As always, a little knowledge goes a long way toward keeping your online identity secure. Be wary of unusual links and messages from friends, and don't install apps you don't know or trust. Remember, clicks are money, and some people will play the part of a wolf in sheep's clothing just to get them.

--

This week's article features yet another illustration by the oh-so talented Yevgeniya Mikhailik! Check out her work at www.yevgeniyadraws.com, and sample her wares at www.etsy.com/shop/yevgeniya!

Monday, June 13, 2011

Protect Your Data


Illustration by Yevgeniya Mikhailik - www.yevgeniyadraws.com

We all know we should keep a backup copy of our computer files. I'm sure many of you even have an external hard drive tucked away somewhere, purchased long ago with the best of intentions. But somewhere along the line backups became a chore, and as more time passed the thought of sitting down and doing it became increasingly daunting. It kind of makes sense (in a wrong-way-of-thinking-about-it kind of way): the ratio of tangible benefit gained to time spent makes the effort easy to defer. Backing up all of your data seems akin to stocking your garage with two weeks' worth of food and water in case of a natural disaster. I mean, what are the odds?


My data!

Well... they're actually pretty good. I've personally lost three hard drives over the years, and I've helped many others recover data on the brink of digital oblivion. These experiences are all anecdotal, but the statistics of hard drive failure tell the same story: every year, 2-4% of hard drives bite the digital bullet. I mean, imagine (really) what it would be like to lose your computer files. All the work you'd have to re-do (or more importantly, couldn't re-do). All of those photos you'd never get to look at again. We're talking about things of immeasurable value, the kind you can't put in a fireproof safe bolted to the floor. Data is a precious commodity, yet most of us allow a slight modicum of inconvenience to stand between us and keeping it safe.

Of course, a little discipline could go a long way toward resolving this problem, but let's be honest: discipline is for people who already have it. In lieu of that, we're going to set up a backup system that's either completely automatic or so easy it might as well be. Our goal here is to never have to worry about keeping things backed up again.

Our first order of business: deciding what kind of backup system to use.

Local Backup

Backing up your files locally is the more common method of file backup, and is arguably the most reliable. The idea is that you have an external hard drive that stores an extra copy of your files in case you need them. If this is the route you choose, you'll have plenty of options: a trip to your local computer or electronics store will likely present you with more options than you know what to do with. When choosing a drive, you should consider the following:
  • Capacity: At least as big as your computer's hard drive (I prefer twice as big)
  • Software: Make absolutely sure it comes with software that will automate the backup process for you. This is a feature worth advertising; it should mention it on the packaging somewhere.
  • Brand: I prefer Western Digital (WD) or Seagate. They both have a good reputation, and I've never seen a Western Digital drive fail (but that's purely anecdotal).
With regard to the drive coming with backup software, you want something that offers incremental backups. This is a backup method that allows the drive to back up everything on your computer once, and then back up only subsequent changes to your files thereafter. This is an important feature, as it dramatically decreases the amount of time your backups will take. Most products won't explicitly mention "incremental backups" on the box, but all of the software that I've seen packaged with WD and Seagate drives has this feature.

Note that if you have a Mac you can go ahead and buy an external drive that doesn't include backup software; OS X's Time Machine works wonderfully for maintaining automatic backups. You just need to connect your backup drive to your computer, choose it as the destination drive in Time Machine's settings, and you'll automatically have your files backed up whenever your external drive is connected.

(It's true that Windows 7 also comes with built-in backup software, but I've found it to be painfully slow and somewhat unreliable. I wouldn't recommend it.)

Online Backup

The alternative to local backup is online backup. Relatively new to the scene, it's more of a service to subscribe to than a product to purchase. The idea here is that you install backup software similar to what an external drive would come with, but instead of your files being backed up to a locally connected drive, they are copied over the internet to a remote server owned by the company providing the service. Once your files are backed up, you can use your backup software to access them just the same as if they were on a local drive connected to your computer.

The two most popular services that offer completely automated backup are Carbonite and Mozy. Both services have been around since 2005, and the features they offer are almost identical. The main difference is price: for home users, Carbonite offers unlimited storage for $60/year, whereas Mozy only offers 125 GB for $110/year (almost twice as much). However, Mozy does offer the option of paying monthly instead of pre-paying for a full year, and has cheaper plans if you plan on using less than 50 GB. Their software also provides the option of simultaneous online and local backups for the ultimate in data redundancy. Carbonite only offers this feature with their business-class service.

The advantages of online backup over local backup are twofold. First, the backups are completely automatic. No need to plug in an external hard drive: as long as you have an internet connection, your files are being taken care of. Second, and perhaps more importantly, your data is safe from certain catastrophes that a local backup would not protect you from. In the event of a physical disaster (fire, flood, etc.), any physical backup of your files you maintain would likely be lost along with your computer. Or in the event of a theft, there is a chance your external backup drive would be stolen along with your computer. With online backups, no matter how much physical property loss you endure, your data will be safe.

Note also that both Carbonite and Mozy encrypt your data as it is being transferred to their servers, so that ne'er-do-wells on the internet can't get ahold of your files as they are transmitted. Even if hackers were to break into Carbonite's or Mozy's servers (unlikely), they wouldn't be able to read any of your data. The point is, backing up your data online isn't like uploading your files to the internet; it's more like online banking. It's secure, and the benefits and convenience greatly outweigh any hypothetical risks.

Which One?

Deciding between local and online backup is really a matter of personal preference. Both are excellent solutions to keeping your data safe, and one might seem more attractive than the other depending on your priorities. As far as I see it, the advantages and disadvantages of each are as follows:

Local Backup Pros/Cons:
  • It's faster than online backup
  • You have the only copies of your files (complete control of your data)
  • It's a one-time investment
  • Backups only happen when your external drive is plugged into your computer (easy for desktop computers, a little trickier for laptops)
  • No protection against theft or physical damage when the computer and external drive are together

Online Backup Pros/Cons:
  • Super convenient: as long as you have internet access, your files are being backed up
  • Protection against any data loss scenario
  • The initial backup takes a long time (subsequent incremental backups are quicker)
  • Someone else has a copy of your data (a pro or a con, depending on your level of paranoia)
  • There is a monthly/yearly fee

Making it Happen

This is where we make our dreams of automatic file backups come true. We want to set up a system that provides fully or nearly automatic backups, so that the usual excuses for not backing up your data become irrelevant. You won't even need excuses anymore.

If you opt for local backup, run the software that comes with your external hard drive (or set up Time Machine to work with your drive), and let it do its thing. If you have a desktop computer, just leave the drive plugged in all the time. If you have a laptop, remember to plug your external hard drive in every day (or at least once a week). Once your backup software detects the external drive, it should automatically get to work. After the initial backup, each subsequent daily backup should hardly take any time at all (often less than a minute if you back up regularly).

If you decide to subscribe to an online backup service, there's really not much you need to do. Once you install the software it will automatically start working in the background, scanning your system for files and uploading them to the backup server. The initial backup will take a long time (we're talking days here), but again, subsequent backups will go much more quickly.

In either case, there's one final step you need to take before you pat yourself on the back for a job well done and 'forget' about your new backup system: make sure it works! It may faithfully back up your files, but this will only get you halfway through a full-blown data disaster. You also need to be able to retrieve those files should something happen to your originals.

Checking this is pretty straightforward: once your initial backup is completed, open your backup software and find its recovery feature. Begin to initiate the recovery process and follow the prompts you are given up to the point where you are asked to select the backup from which to restore. If you see your local or online backup with the appropriate time/date stamp on it, you can go ahead and cancel the restore process. As long as the software can see the backup, it shouldn't have much trouble using it to restore your files should the need arise.
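The incremental backups described earlier (copy everything once, then only what changed) and the "make sure it works" check above can both be shown in one short script. It is an added example, not the software shipped with any drive or service named in this article; the manifest.json name and the data/ layout are assumptions, and the verification goes further than the visual check above by re-reading every backed-up file and comparing its SHA-256 hash.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name for the backup's index file


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dest):
    p = Path(dest) / MANIFEST
    return json.loads(p.read_text()) if p.exists() else {}


def incremental_backup(source, dest):
    """Copy only new or changed files from source into dest/data.
    Returns the relative paths that were actually copied."""
    source, dest = Path(source), Path(dest)
    manifest = load_manifest(dest)
    copied = []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        st = path.stat()
        old = manifest.get(rel)
        # Cheap test first: same size and timestamp means skip without reading.
        if old and old["size"] == st.st_size and old["mtime_ns"] == st.st_mtime_ns:
            continue
        digest = sha256_of(path)
        if not old or old["sha256"] != digest:
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            copied.append(rel)
        manifest[rel] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                         "sha256": digest}
    # Files deleted from source stay in the backup; that is the point of one.
    dest.mkdir(parents=True, exist_ok=True)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return copied


def verify_backup(dest):
    """Re-read every backed-up file and compare it with the manifest.
    Returns a list of (path, problem) pairs; an empty list means restorable."""
    dest = Path(dest)
    problems = []
    for rel, meta in sorted(load_manifest(dest).items()):
        copy = dest / "data" / rel
        if not copy.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(copy) != meta["sha256"]:
            problems.append((rel, "corrupted"))
    return problems


if __name__ == "__main__":
    # Constructed demo data in a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "documents", Path(tmp) / "external_drive"
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("v1")
        (src / "photos" / "beach.jpg").write_bytes(b"constructed image bytes")
        print("first run :", incremental_backup(src, dst))
        print("second run:", incremental_backup(src, dst))
        (src / "notes.txt").write_text("version 2")
        print("after edit:", incremental_backup(src, dst))
        print("problems  :", verify_backup(dst))
```

The second run copies nothing and the third copies only the edited file, which is why daily backups after the first one finish so quickly.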

And that's it! We've successfully combined the best of both worlds: making your data impervious to theft, deletion, and disaster, all while making the process so easy that it practically takes care of itself. Again, I cannot emphasize enough how important it is to keep an additional copy of your computer files (at least the important ones). Data is a precious commodity, and it needs to be protected. And with an easy setup like what we've described here, you can rest easy knowing that you're ready to thwart any data disaster that comes your way!

High five!


Illustration by Yevgeniya Mikhailik - www.yevgeniyadraws.com

--

This week's illustrations were provided by the amazingly talented Yevgeniya Mikhailik! To see more of her work (and maybe buy a print or two to class up your casa), check out www.yevgeniyadraws.com.

Monday, June 6, 2011

Don't Negotiate with Scareware


Totally legit.

Do you know what your anti-virus software looks like? I'm not just talking about the little icon down in the tray, I'm talking about everything else too: its full name, the user interface, the kinds of messages that pop up when it detects something suspicious... no?

Well, you really, really should.

People trust their antivirus software to protect them from all kinds of threats, be they viruses, adware or anything else malicious. And when something suspicious is detected, people tend to follow whatever directions they're given to remove the threat. Which is usually a good thing.

Unless it's not their actual antivirus software.

The Scam


"Scareware" is any software that tries to frighten you into purchasing it. Most commonly, a website will make false claims regarding the safety or security of your computer (such as claiming your computer is infected by a virus). By putting you in a state of anxiety, the hope is that you will pay to make the threat go away.

And it works. As of last year, roughly 15 percent of all malicious software on the internet was of the "scareware" variety, a trend that continues today. One of the most popular methods is to imitate antivirus software and hope that you won't realize that it's fake. By preying on users' combined trust of and lack of familiarity with their computer's defenses, scammers can often con them into paying for fake antivirus software they don't need. Consider the following dialog box:


I'd rate anything with "monster" in its name as critical, too.

Since most people aren't intimately familiar with their antivirus software, they'll assume that a message like the one above is real. But alas, it isn't. The above image is from an online scam, and all it needs is a single click (and maybe a password) from you to open the floodgates to much worse.

Infiltration


The scammer's ultimate goal is to install malicious software onto your computer. The tricky part, though, is that they generally can't do it without your permission (it is your computer after all). This is where scammers rely on that little thing I mentioned earlier: many people don't know exactly what their antivirus software looks like. The idea is that if you see a message like the one above and think it's coming from your real antivirus software, you'll go ahead and approve whatever actions it suggests to take.

This little bit of participation is crucial: by explicitly giving the program permission to do whatever it wants, you've indeed given it a green light to do whatever it wants. This kind of trickery is called "social engineering," and it's one of the most reliable tools in the hacker arsenal. Rather than force their way onto your computer, if a hacker can convince you to let them on, they can easily proceed with the rest of their insidious plan. And they've found that a great way to do this is by masquerading as your computer's security software.

Below are some of the many different 'brands' that fake antivirus software will represent themselves by, as given by a recent Microsoft Security Intelligence Report.


Better install all of them, just to be safe.

In fact, each of the above is actually a variation of the exact same program. Many of them have a very professional appearance, and to the untrained eye look like they might be a part of the Microsoft Security Essentials package, a legitimate antivirus program. Of course, they're all about as illegitimate as can be, and they're here for your money.

Extortion

Once the fake antivirus software is installed onto your computer, three things will tend to happen: first, you will see the results of a (fake) 'virus scan' that will claim that viruses were found on your computer. Second, the functionality of your computer will be limited so that you are forced to deal with the fake antivirus software and its bogus scan results (the software will often claim that this is for your own protection). Third, you will be prompted to pay for the 'full' version of this worthless program so that it can remove all of the (fake) viruses it detected.

This, of course, is the crux of the scam: to get you to open your wallet. Even if you don't believe the results of the scan, the functionality of your computer is still compromised. Some will even go so far as to hide your files from you until you pay up. The idea is that even if you know it's a con, you might consider paying just so that you can have your computer back again. Software of this kind is often referred to as "ransomware" because it effectively holds your computer hostage until you pay a ransom for its release.

What to Do

Fortunately, a little education goes a long way toward avoiding scareware in the first place. First of all, only trust messages from your real antivirus software. Familiarize yourself with its name, its interface, and its general appearance. If a pop-up claiming to have found a virus on your computer looks nothing like anything you've seen before, don't automatically give it permission to do whatever it asks. Treat it with suspicion, and proceed with caution. Second, realize that you shouldn't have to pay your existing software to remove a virus. If you bought antivirus software, it's already paid for and will do its job without additional surcharge. If the message purports to be from Windows or OS X, you certainly shouldn't have to pay. Be suspicious of anything that combines an immediate threat with an immediate need for your credit card information.

If you're browsing the web and suddenly receive a pop-up message decrying the state of your computer's security, again, take caution. If you think it might be a scam, close your browser window immediately. If the window won't close, use Ctrl+Shift+Esc (Windows) or Cmd+Opt+Esc (Mac) to select your browser application and force it to quit.

Most importantly, do not pay the ransom! This is crucial, not just because you don't want to be the victim of a scam, but also because you're just asking for your credit card and other personal information to be misused. Even if you are only charged for the fake antivirus software, a scammer is not the kind of person to entrust your credit card information with. You're better off seeking professional help and paying someone trustworthy to remove the rogue software for you.

Of course, this isn't to say that you should automatically treat every security alert as a scam. The point is that you should be aware that these kinds of scams exist, and know that they're fairly common. Knowledge is power, and by becoming familiar with the legitimate security software on your computer, you can easily avoid being tricked into installing bogus scareware in the first place.


Duct tape: the original hack.

Monday, May 30, 2011

Updates: Who Needs 'Em?


I'd check the expiration on that can of Java.

Don't you just love updating Javascript Runtime Environment? Or better yet, have you ever not seen that little yellow shield icon down in the system tray?

The programs on your computer are always asking to be updated, and it can quickly go from annoying to borderline intrusive. Why do these programs need so many updates?

Generally, these updates fall under one of three categories: functionality updates, bug fixes, and the ever-pervasive "security update." I find that home and small business users tend to ignore the last kind, probably because a) they're the most common and, thus, the most annoying, and b) many users don't really understand what a "security update" is.

Well, if you learn only one thing today, it's that you shouldn't ignore them.

Risk

Online criminals have a myriad of reasons to try to gain access to your computer, whether it's to steal your personal information or to turn your computer into a remotely-controlled zombie. This is most commonly achieved through computer viruses and other malicious code, but that's why you have antivirus software, right?

Well, yes, but online criminals do everything they can to try and 'hide' their bad code from your virus scanner. It doesn't always work, but they generally try to accomplish this by tricking another program on your computer into letting the bad code in (unbeknownst to your antivirus software). To this end, and in an effort to infect as many computers as possible, they focus on finding 'holes' in software that many people have installed already: Windows, Internet Explorer, Adobe Reader, Flash, Java, etc.

Of course, companies like Microsoft and Adobe are aware that their software is being leveraged to deliver malicious code, so they develop patches to fix known vulnerabilities and send them out to their users as security updates. Unfortunately, these are the same users for whom closing a dialog box asking to install updates is like a reflex. These updates are stopped dead in their tracks, leaving their associated security vulnerabilities unpatched.

Facts

Inconvenient or not, this kind of behavior is a mistake. Online criminals all but rely on the fact that users never install security updates, and design their attacks accordingly. That's right: computer viruses generally take advantage of security holes for which patches already exist. According to Orange, CA-based M86 Security, this is a trend that turns up consistently in their research. In the second half of 2010, the 15 most commonly exploited vulnerabilities had already been patched, meaning that basic software updates could have stopped all of them. Their most recent Internet security report concludes:

We continue to see the most popular exploits targeting older vulnerabilities that have already been patched, with Adobe Reader/Acrobat and Internet Explorer remaining a consistent choice for attackers. Our research suggested that Java-based vulnerabilities would increase significantly, and they did. We continue to caution users that the best way to avoid becoming a victim is to ensure that all of their applications are updated to the most recent versions.

Following up on this recommendation, they go on to say:

Stay up to date. Keep Web browsers, add-ons/extensions, and desktop applications up to date with their latest versions. We have seen time and again that [internet] attacks target vulnerabilities found in old versions of Web browsers or applications. Organizations are not blocking the latest spam and Web threats simply because their products are not up to date.

What to Do

I'll admit that keeping so many programs up to date can be daunting, and to many it will seem like a significant drain on (waste of) their time. Fortunately, the most vulnerable programs all have automatic update features (automatic inasmuch as you will be notified whenever updates are available). Of the programs that ask, you absolutely should oblige the following:
  • Windows (via Windows Update), OS X (via Software Update)
  • Internet Explorer, Firefox, Chrome, Safari (any web browser, really)
  • Browser Plugins (especially for Firefox)
  • Microsoft Office
  • Adobe Reader
  • Adobe Flash
  • Java

It's hard to narrow down the list any more than that. Hackers are always on the move, and constantly target different platforms to keep computer users guessing. Early last summer, nearly 50% of all web-based attacks targeted Adobe Reader (via malicious PDFs), yet by October the Java platform had grown to become the most-exploited. The lesson here? Hackers target all common software packages, and your best bet is to keep all of them, not just some of them, up to date.

To find out which of your applications need to be updated, check out Secunia Online Software Inspector (Windows users only). Once you run the scan, you'll get a list of which programs are out of date, along with links to download the latest versions. The links you get, though, are to the software vendor's individual websites, which will generally require a complete (re)install of each program. I'd recommend using the update features of the individual programs instead, as they'll do a better job of getting you exactly what you need.

You know, those update prompts you've been ignoring?

;-)


011110010111010101101101

Monday, May 23, 2011

Untangling Your Computer


Illustration by Yevgeniya Mikhailik - www.yevgeniyadraws.com

Believe it or not, computers always do exactly what they're told.

You may not ever see the faulty piece of code that brings your productivity to a grinding halt, but this doesn't herald a breakdown of the laws of cause-and-effect. If something goes wrong, the computer was probably just following orders, whether from you or some unknown program running in the background.

This idea is helpful, even in the abstract, because it illustrates the fact that computers, as complex as they are, can actually make sense too. You really don't need to know much to solve basic problems on your own, because once you learn a few things, even the things you don't fully understand will begin to make more sense.

My plan is to empower you with the basic knowledge that every computer user should have so that the most common problems you face will leave you with a sense of empowerment rather than a sense of helplessness. With the right mindset, you can use your computer as the productivity tool it is, rather than some unruly machine to be coaxed into behaving desirably.

Computers were designed by people to be used by people. They shouldn't be alienating. My goal is to break down these barriers, not with the intent of making you into a computer expert, but simply to bring you and your computer closer together.

<3