It’s an interesting morning. I received three spam messages in rapid succession, each alleging to come from “NSA online security” and reporting a “critical vulnerability” in “a certain types of our token devices.” While I don’t expect perfect grammar from a government functionary, the mistakes in this email were pretty obvious. The alleged link to “fix” the problem points to “national-security-agency.com” which looks pretty plausible until you remember (or look up) that the real NSA uses the domain nsa.gov.

What’s interesting about this case is that it’s a fairly blatant example of an attempt to turn your computer into a zombie using the ZeuS Command&Control attack. If I had been stupid enough to click the link, I would have launched an executable program that would log every keystroke that I make on the machine and that would grab a copy of every form I fill out online. Since that would include my online banking login page, it would have given the hacker access to all my banking information.

ZeuS is a moderately old Trojan Horse but it is remarkably difficult for anti-virus programs to detect, even when kept completely up-to-date. ZeuS is alleged to be one of the largest botnets in the world, infecting some 3.6 million computers in the US alone.

The continued success of attacks like this shows why you can never rely only on your anti-virus software. Read your email carefully, be suspicious and never click a link if you’re not sure that it’s safe to do so. Remember – it’s not paranoia when they really are out to get you.

I seem to be thinking about privacy as much as security lately. Unfortunately, much of that privacy is from our own government. The Fourth Amendment protects us from unreasonable government searches and seizures but there’s a great deal of confusion about what that means in the context of your computer, cell phone, iPad, thumbdrives, etc.

The Electronic Freedom Foundation published a short quiz (10 questions) to test how much you really know about the Fourth Amendment. I strongly recommend it. Even if you think you will never be pulled over or served with a warrant, you have a responsibility to be an informed citizen.

Facebook’s new tag suggestion feature works by using facial recognition technology to evaluate photos in which you’ve already been tagged and then suggests your name when friends upload a photo that looks like you.

Like most new Facebook features, this is turned on by default, once again proving that Facebook just doesn’t get it about privacy. If you would prefer not to have Facebook store your “photo comparison information”, you need to opt out manually. The Electronic Freedom Foundation published a great video showing three ways to delete your “facial fingerprint” from Facebook.

The short version is:
Account/Privacy Settings/Customize Settings/Suggest photos of me to friends/Disable
followed by
Help Center/Photo tagging/How can I remove the summary information stored about me for tag suggestions? and click “contact us”

It’s a short video but well worth watching.

Here is a collection of articles about applying Bronze and Iron Age concepts to modern security. Some of the ideas seem a bit radical but I think they are worth contemplating.

Yesterday, I had the chance to get a security briefing from the local FBI office. They are reporting a wave of ATM skimmers discovered in the last 30 days in Kent, Stow and Cuyahoga Falls. So far, the financial losses have been low and they are working hard to catch this ring of thieves before they move to some other area.

In the meantime, the FBI recommends that you use the “wiggle test” at ATMs and gas pumps. ATM skimmers are glued onto the front of the existing machine. If something looks even slightly out of place or sticks up from the face of the machine, give it a good yank. If it feels loose (or worse, something comes off), immediately report it to the merchant. And if it just looks suspicious, well, take your business somewhere else.