The Privacy Blog
Thoughts on privacy, security, and other stuff.

Category: Phishing/Pharming

In a new attack, some websites have been set up to show visitors a splash page that says the victim’s computer has been blocked because it has been used to access illegal pornographic content. The user is then presented with a link to pay an instant “fine” of $300 to the scammers.

This is a new variant of “ransomware”, the most common form of which is “fake AV”: a fake anti-virus website or program will claim to scan your computer for free, then charge you to remove malware that it has “detected”.

Details and screenshots here.


Welcome to The Privacy Blog Podcast for May 2013.

In this month’s episode, I’ll discuss how shared hosting is increasingly becoming a target and platform for mass phishing attacks. Also, I’ll speak about the growing threat of Chinese hackers and some of the reasons behind the increase in online criminal activity.

Towards the end of the episode, we’ll address the hot topic of Google Glass and why there’s so much chatter regarding the privacy and security implications of this technology. In related Google news, I’ll provide my take on the recent announcement that Google is upgrading the security of their public keys and certificates.

Leave any comments or questions below. Thanks for listening!


The BBC has an article that powerfully reinforces what I have been saying for years about spear phishing. It is worth a read if just for the specific examples.

The short version is, if an attacker is going for you specifically, they can do enough research to craft an email and attachment that you are almost certain to open. The success rate against even very paranoid and sophisticated users is shockingly high.

In Bruce Schneier’s blog post about this he quotes Brian Snow, former NSA Information Assurance Director. “Your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents.”

Sobering…

Germany wants to spy on suspects via Web

Germany is proposing to use trojan horse software to enable surveillance of target computers. I have to wonder how effective this will actually be. They are talking about distributing it in an apparently official email from a government email address.

  1. Now that the bad guys know this, it seems likely that they will take more care with attachments from the government.
  2. Anti-virus / anti-malware programs should be able to identify and block this software.
  3. If the anti-virus software makers are convinced to leave a hole for this software, it will be a huge back door for other hackers to use to deploy their own trojan horse software.

In general this seems like a high-risk operation for the Germans. I suspect that it will be used rarely and very selectively.

The Motley Fool has a nice blog post on issues involved in electronic filing of tax returns.

There are a couple of important points to be made here. First of all…

  • The IRS has all your information and it will be in digital format (accessible by computer);
  • You are exposed to some points of vulnerability when filing electronically, rather than on paper;
  • The information on your PC is vulnerable to theft (whether you send it electronically or just use tax software);
  • Your information is vulnerable on the Internet-accessible servers to which you upload your data; but
  • On the flip side of the coin, paper returns are subject to loss, theft and mishandling as well, both in transit and within the IRS.

It is somewhat similar to using a credit card. You can risk online theft when conducting an e-commerce transaction, or real-world theft when handing over your card to a minimum wage worker over a store counter. Risks exist both ways.

At this time I think the jury is out on which is safer, but, for the record, I file electronically.
