Archive for the ‘Phishing’ Category

As the holidays get closer, many of us will turn to online shopping. Done right, online shopping is about as safe as catalog shopping – and much more convenient. If you don’t take basic precautions, though, you could lose your shirt. Take the time to learn about the kinds of scams and cons that are used online.

The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams. If you haven’t already been out to visit www.onguardonline.gov, I strongly recommend the site. It has some excellent overview material on security at the personal and small business level. The site also has a set of games covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam. Test your knowledge of internet security and safe shopping. It’s well worth the time to visit the site.

The site’s material comes from a number of public and private sources but is all released for public use. If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word. (Instructions are here.)

Addendum:
This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I’ve run across. I’ll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.

For several years now, we’ve been telling everyone that email is a postcard – everything in the message is exposed to anyone who wants to read the message as it flashes by. A couple of companies have figured out how to solve this problem and their solutions are finally hitting critical mass. If you have a secure mail solution, you can finally put your message in an ‘envelope’ and keep outsiders from reading it.

The problem is that we’ve also told you as a reader to delete any message that appears suspicious or that asks you to click through some “convenient” link. The ‘envelope’ around a secured message looks a lot like a phish. (See “How it works” below.)

Here are some tips on telling the difference between a secure mail message and a spam or phish.

  • In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.
  • Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.
  • A legitimate message will take you to the sender’s own website to sign in. A phish will try to take you someplace else to steal your password. If the message claims to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious. Judge the address the link actually goes to (hover over it, or read the address bar once the page opens), not the text of the link, since the two need not match.
    Reminder: The only part of a web address that identifies its owner is the name immediately before the top-level domain (.com, .org, etc). Everything further to the left is a subdomain that the owner’s IT department sets up to point to specific places within the company’s site, and everything after the first slash is just a page within that site. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only ‘westfieldgrp.com’ matters for verifying the legitimacy of the message. Two cautions: some countries use two-part endings (example.co.uk belongs to ‘example’, not to ‘co’), and a familiar name placed ahead of an @ sign (redcross.org@yahoo.com) is not the destination at all; the browser goes to yahoo.com.
  • Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like “URGENT” and “log in now or your account will be closed”. If the language seems inflammatory, be suspicious.

If you are suspicious, call the sender and confirm the message. Please do not just delete these messages, though. There’s a fair chance they are legitimate and you wouldn’t want to lose good messages.
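Here is the domain check from the reminder above written out as a script. It is an added example for this tip, not code from the original post or from any secure-mail vendor. The sample notification, the domain names (westfieldgrp.com is the one quoted above; the others are made up) and the short list of two-part country endings are constructed for illustration. The script pulls every link out of a message, reduces each link’s host to the registered name, and compares that with the sender’s domain, catching the two tricks the reminder warns about: a real-looking name buried inside a longer host, and a name placed ahead of an @ sign.

```python
"""Check the links in a 'secure mail' notification against the claimed sender.

Added example for this tip; not code from the original post or from any
secure-mail vendor. The sample message, the domain names other than
westfieldgrp.com, and the tiny public-suffix list are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Minimal stand-in for the public suffix list (publicsuffix.org); assumed,
# and only long enough to cover the example domains.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Constructed notification in the style of a pull-type secure-mail 'envelope'.
SAMPLE_MESSAGE = """\
From: "Westfield Group" <securemail@westfieldgrp.com>
To: reader@example.com
Subject: You have a secure message waiting
Content-Type: text/plain

You have a secure message from Westfield Group.
Sign in to read it: https://voltage-pp-0000.westfieldgrp.com/mail/32/
Help: http://westfieldgrp.com.account-verify.example/login
Trouble? http://westfieldgrp.com@198.51.100.7/mail/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the organisation actually registered:
    'westfieldgrp.com' for 'voltage-pp-0000.westfieldgrp.com'. Everything to
    the left of that is chosen by the owner's IT department."""
    host = host.lower().rstrip(".")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return host  # bare IP address: nothing here was registered at all
    labels = host.split(".")
    # Two-part endings such as co.uk take the third label from the right.
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def link_host(url: str) -> str:
    """Host a link really points to. urlsplit drops any 'user@' prefix, so
    'http://westfieldgrp.com@198.51.100.7/' resolves to the IP address."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.hostname or ""


def check_message(raw: str) -> dict:
    """Compare every link in a plain-text message with the From domain."""
    msg = message_from_string(raw)
    _, sender_addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender_addr.rpartition("@")[2])
    body = msg.get_payload()  # plain-text body assumed for this example
    findings = []
    for url in URL_RE.findall(body):
        target = registrable_domain(link_host(url))
        findings.append((url, target, target == sender_domain))
    return {
        "sender_domain": sender_domain,
        "subject_present": bool(msg.get("Subject", "").strip()),
        "links": findings,
        "suspicious": any(not ok for _, _, ok in findings),
    }


if __name__ == "__main__":
    result = check_message(SAMPLE_MESSAGE)
    for url, target, ok in result["links"]:
        print(("ok      " if ok else "SUSPECT ") + f"{target:<28} {url}")
    print("suspicious:", result["suspicious"])
```

Run as-is, the first link passes and the other two are flagged: one because the registered name is account-verify.example, the other because the destination is an IP address and the westfieldgrp.com in front of the @ is decoration. A production check would use the full public suffix list rather than three entries, and would read the href of HTML links rather than only the URLs visible in a plain-text body.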

How it works
There are several ways to put your message in the secure ‘envelope’.
One technique doesn’t actually put the content in email at all. What you really send is a placeholder saying “You have a message waiting. Please sign in at my website to read it.” The message content stays on the sender’s webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.
The other way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email but can’t be read except by someone who knows the password. (If you don’t already have a password set up, you will be asked to verify your identity and create one.)

A third technique is Transport Layer Security (TLS), which encrypts the message while it travels from one email server to the next. It protects only that hop: the message sits unencrypted on each server and on the reader’s machine, so it is no help if either end is compromised. Enforcing it requires some setup between the two companies but it is otherwise invisible to both the sender and the reader. These messages look like any other email and can’t be mistaken for a phish, so we won’t discuss them in this tip.
An example of that second kind of ‘envelope’ – the encrypted attachment solution – is shown below.

PC World magazine put together a short tutorial on recognizing eleven common email scams. Each page includes an actual example, most culled from recent messages being sent out by the notorious Storm Worm gang, a group of hackers based out of Germany who not only run the scams themselves, but also sell their hacker toolkits to others.

Some of the scams seem pretty obvious (like number 10, the IRS scam) but others are very sophisticated in their tactics such as number 9 where the hacker is impersonating an indignant eBay customer accusing you of not responding to his question or number 11 where the hacker took the time to personalize the attack based on the victim’s alumni listing.

Number 5, the NFL stat-tracking software, is particularly effective because the webpage is so professionally done. And there really are some good free software programs out there. (Well, not completely free since they’re ad-supported but for an avid fan a few ads might not be too much to pay.) The problem is that there are a few very dangerous landmines hidden among the legitimate tools. Short of reviewing the code yourself, there is no reliable way to tell the safe ones from the scams by looking at the website.

Never download "free" software unless you are completely sure of the reliability of the source and never load any software onto your work computer yourself. Always call your IT department.

I normally tell people to avoid ecards like the plague. Once upon a time, they were fun and cute. Now, they are too often loaded with phishes and viruses. Very few ecard announcements are legitimate anymore.

That said, here is a Fathers Day ecard from the Federal Trade Commission on phishing and other information security tips. This is a great card. (And, yes, I will certify that it’s legitimate. The music’s a little hokey, though so you might want to turn down the volume before you play it.)

Take a few minutes to check it out and maybe forward the link on to someone who taught you how to stay safe.

www.ftc.gov/dad

Phishers and hackers continue to get more creative and more sophisticated in their attacks. A recent trend is to write very specialized attack messages targeting rank-and-file employees (often called spear phishing). One example is a personal email that appeared to come from the company’s HR manager. The message used the HR manager’s real name (it was posted on the company’s website) and asked the employee to review a .pdf attachment to confirm vacation accruals. The attachment carried a trojan.

Luckily, many of these attacks are blocked by our anti-virus software but some will always get through. Be on the lookout for these kinds of scams. If you see a message that looks suspicious, do not open it or its attachments, even if it appears to come from someone you know. If you’re unsure about the message, call the alleged sender and just ask if he/she really sent it.

If you run a business, make sure that your staff know about these scams, too. Make sure you set a culture of security where it’s safe for the employee to call you and confirm a message’s legitimacy. (If you’re the one writing the messages and you’re getting a lot of calls, check out "How not to look like a phish".)
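One way a mail gateway or a reviewer could flag the HR-manager style of message described above, as an added example that is not part of the original post or of any vendor’s product. The company domain example-insurance.com, the two-name staff directory and both sample messages are constructed. The check assumes the gateway already rejects forged mail claiming to be from the company’s own domain (SPF, DKIM and DMARC), so an address in that domain can be trusted as internal; without that, the From line proves nothing.

```python
"""Flag mail that borrows an employee's name but arrives from outside.

Added example for this tip, not code from the original post or from any mail
gateway. The company domain, staff directory and sample messages are
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-insurance.com"            # assumed internal domain
# An attacker harvests names from the public 'our team' page, so the directory
# only needs the names that page exposes (assumed entries).
STAFF_DIRECTORY = {"Pat Morgan": "HR Manager", "Sam Lee": "Payroll"}
RISKY_EXTENSIONS = (".pdf", ".doc", ".docm", ".xls", ".zip", ".exe", ".scr")

# Constructed spear-phish: real HR manager's name, outside domain, PDF lure.
SPOOFED = """\
From: "Pat Morgan" <pat.morgan@hr-mail-services.example>
To: employee@example-insurance.com
Subject: Please confirm your vacation accruals
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please review the attached summary and confirm your balance by Friday.
--sep
Content-Type: application/pdf; name="vacation_accruals.pdf"
Content-Disposition: attachment; filename="vacation_accruals.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--sep--
"""

# Constructed genuine message: same name, same attachment, internal domain.
GENUINE = SPOOFED.replace("pat.morgan@hr-mail-services.example",
                          "pat.morgan@example-insurance.com")


def sender_parts(msg):
    """Display name, address and domain taken from the From header."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip(), addr.lower(), addr.rpartition("@")[2].lower()


def attachment_names(msg):
    """Filenames of every attached part (the multipart container has none)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def assess(raw: str) -> dict:
    """Return the reasons a message looks like a targeted phish, if any.

    Assumes the gateway already enforces SPF/DKIM/DMARC for COMPANY_DOMAIN,
    so a From address in that domain is genuinely internal.
    """
    msg = message_from_string(raw)
    name, addr, domain = sender_parts(msg)
    internal = domain == COMPANY_DOMAIN
    reasons = []
    # A known employee's name on an address outside the company is the
    # signature of the HR-manager lure.
    if name in STAFF_DIRECTORY and not internal:
        reasons.append(f"uses the name of {name} ({STAFF_DIRECTORY[name]}) "
                       f"but was sent from outside: {domain}")
    risky = [f for f in attachment_names(msg)
             if f.lower().endswith(RISKY_EXTENSIONS)]
    if risky and not internal:
        reasons.append("external sender with document attachment: "
                       + ", ".join(risky))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"replies would go to {reply_to}, not the sender")
    return {"sender": addr, "internal": internal,
            "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        verdict = assess(raw)
        print(f"{label}: {'SUSPICIOUS' if verdict['suspicious'] else 'ok'}")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

The spoofed message trips two rules (borrowed name, external document) while the genuine one, identical apart from the sending domain, passes. The rules deliberately stop short of blocking: the point of the tip is that the employee still picks up the phone, and a gateway that quarantines every external PDF would train people to work around it.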