Security Pros Get Caught Out By QR Codes

12/16/2012 6:14:27 PM

We explain how even IT security professionals get scammed, and wonders whether Myspace can make a comeback

I recently warned website readers  – about the hidden security threat posed by QR codes, those giant barcodes used for marketing just about everything these days. I’ve seen them in magazines, on posters and even a giant one on the back of a bus, although I’m still unsure how anyone was meant to scan that. Yet scan them people do, sometimes with the promise of a free something-or-other, but more often than not without any promise of anything (and that includes what web page you’ll end up on).

As I warned in that online feature: “QR codes present one of the biggest hidden security threats, precisely because genuine marketing campaigns rely upon the curiosity factor to get consumers to scan them; don’t think for a moment that the bad guys have failed to notice this.” Now you might think that such advice wouldn’t be required for those working within the IT industry, who tend to be a bit more security savvy than your average user, and certainly not for those whose particular niche within the industry is information security itself. Well think again, if the results of a little experiment perpetrated by GreenSQL founder David Maman are anything to go by.

During the course of a three-day security conference in London recently, a poster on the wall of the hall featured the logo of a well-known security vendor, the words “Just scan to win an iPad” and a QR code. That poster had been created and stuck there by David, but neither the organisers of the event, nor the security vendor whose logo was featured, bothered to ask what it was doing there or request that it be taken down. Some 445 people did scan the QR code and browsed the page that it linked to. At this point it’s worth a reminder that this was a conference for IT security professionals. All they actually got when they scanned that QR code was a web page featuring a smiley face, but it could have been a piece of malware, or one of a multitude of poisoned URL attacks.

The scanning was perpetrated via a variety of smartphones and tablets, and as we all know, most people don’t believe that such devices require any kind of antivirus or URL filtering to protect them. Even the usual advice of “don’t scan it unless it comes from a reliable source” wouldn’t help in this case, because it appeared to come from an impeccable source, and bad guys won’t shrink from pretending to be good guys if it will get you to click a link or scan a barcode. Personally, I adopt a simple solution to the QR conundrum by just saying no. After all, they usually just point to more marketing junk that you can do without...

Facebook friends who should know better

Did your mother never tell you that if something seems too good to be true then chances are that it is? Mine did, and it’s held me in good stead for close-on 40 years. Even if social networking had been around back then, I like to think that mum wouldn’t have added “unless it’s on Facebook” to her homily. Yet such suspension of common sense if something happens within the Facebook realm seems to be rife, even among my own circle of friends, whom I consider pretty clued up on technology and IT security.

Don’t let greed cloud your common sense online

Don’t let greed cloud your common sense online

Well you would, wouldn’t you, once you realise that these people are tech magazine editors, journalists and a fair smattering of network engineers and IT consultants. So how come my Facebook feed filled with friends “liking” a so-called voucher offer from Tesco that promised a $262.5 shopping discount if I were to click a link quickly enough and share the scam with all my own friends? That link appeared to land at Tesco, but it’s a simple task to steal the look and feel of a website, and run it on a rogue server. To get your non-existent discount voucher you had to complete a survey, and what could be the harm in that – other than giving the scammers your personal details for whatever purposes they fancy using them at a later date; providing them with referral cash for completing what is often a genuine and innocent third-party survey; and being tempted by adverts or pop-ups that offer to take you to more revenue-earning surveys or a malwareinstalling site or three?

Factory-fitted malware

Almost six years ago, I won a “best security news story of the year” award for a story at DaniWeb that exposed how some TomTom Go 910 satnav units had been shipped from the factory infected with what was, at that time, the first ever trojan to be discovered on such devices. This was a big deal, despite the trojans being unable to do any damage to the satnav itself, because that satnav unit needed to be connected to a PC to update its maps and manage the device, and the trojan could then potentially move across to the PC and wreak havoc there.

 The first ever trojan to be discovered on such devices: TomTom Go 910

The first ever trojan to be discovered on such devices: TomTom Go 910

It seemed likely that the devices were infected, ironically enough, during the quality-control process when they’d have been connected to a PC at the factory. Such instances are still pretty rare, and I can count on one hand the number of times I’ve heard of brand-new hardware being infected by malware of any kind. However, maybe that’s because neither I, nor my circle of business contacts and friends, tend to purchase hardware directly in China. On the other hand, Microsoft’s Digital Crimes Unit did exactly that, as part of an investigation into pirated copies of Windows, and bought a total of 20 laptops and desktops from a number of cities in China. Of these – all factory-sealed items, remember – no less than four were found to be pre-infected with malware.

That lowers the surprise factor a notch or two, because as any fool knows, you shouldn’t touch counterfeit software with a bargepole, and particularly counterfeit OS software. It would be bad enough to discover your cheap computer was running a bootleg version of Windows, since any savings you made may be wiped out by the cost of purchasing a kosher copy – but even worse, if you didn’t also discover it was running malware that connected it to the Nitol botnet used in hacking attacks. Nitol is part of the well-known hosting site that’s been linked to malicious activity for many years now, including the kind of cyberespionage enabled by malware giving access to webcam and microphone hardware on infected PCs.

Now you might think that such problems couldn’t possibly have an impact upon you, but I beg to differ, especially since more and more small businesses and consumers are looking to save money by taking a “buy ‘em cheap on eBay” approach to computer upgrades. I know folk who have, within the past six months, purchased very cheap smartphones of dubious origin, and equally cheap “unknown brand” laptops too. All of these could be traced back to China, and that’s where the real problem lives, because these low-budget/no-budget supply chains appear to be totally unsecured. At this bottom end of the industry, where every single cut that can be made will be made, bothering to secure a supply chain really isn’t an option – and that leaves the door open for malware infection at pretty well any point, whether it be at the factory itself, the wholesaler/distributor or at the final retailer in the supply chain.

As Mark James, technical team leader at security vendor ESET says, the supply chain “seems the logical place to start, if at all possible, from the malware writer’s point of view; a lot of ‘home’ users would just un-box and switch on, with antivirus software typically being one of the later items people consider installing once the machine is up and running, usually expecting it to be preloaded from day one. If the machine is already infected and talking to the outside world, the end user may be unaware and accept any strange occurrences as ‘normal for a new machine’. Often the end user notices when a new machine becomes infected and slow, but in this scenario, they may not notice until a specific problem arises. Apart from installing the OS yourself and installing a good antivirus from day one, there isn’t much users can do to protect against this type of abuse – and to be honest, this is often beyond the ability of the average home user. I’d hope a business environment would have a procedure in place to test new machines for any kind of infection before adding them to the domain or work environment, using a good antivirus program.”

Return of Myspace?

Knock knock. Who’s there? Myspace. Myspace who? Precisely. Long before Facebook, Twitter and LinkedIn conquered the social networking world (sorry Google+, but you really don’t count yet), the undisputed king of the hill was Myspace. This once News Corp-owned social network had all the media mentions, had all the members, had everything – or so it seemed. Launched in 2003 and acquired by News Corp for some $580 million in 2005, the future looked very bright for Myspace. Indeed, in 2006 it was officially the biggest website of them all, getting more visitors than Google and boasting more than 100 million registered members.

Meanwhile, Facebook opened its doors to everyone in 2006 – having previously been restricted to students – and by 2008 it had overtaken Myspace in terms of internet traffic. The reasons why Facebook went on to amass close to a billion members and Myspace ended up being sold to online advertising outfit Specific Media (and investor Justin Timberlake, who is now a part-owner of Myspace) for a reported $35 million last year could be debated until the cows come home.

Can Justin Timberlake’s new Myspace take on Spotify and Facebook?

Can Justin Timberlake’s new Myspace take on Spotify and Facebook?

Personally, I think it was a classic case of old media, in the shape of News Corp, not being able to grasp the social aspects of the new networking media quickly enough, by which I mean that Facebook was spearheading the whole “user-generated everything” approach to content and community building, with third-party developers bringing games and apps to the party, while Myspace remained a communications portal with an emphasis on teenagers, music and proprietary in-house-developed tools such as karaoke machines, video players and instant messaging clients. A three-year advertising deal with Google that brought in close to a billion dollars didn’t help either. Sure Myspace now had plenty of cash, but it also had a surplus of contractually required advertising that made the site slow and sloppy to access.

Fast forward to now and the Timberlake/Specific Media combo are about to relaunch Myspace – which has somehow managed to retain a none-too-shabby 25 million members – with a brand-new Windows Metro-inspired interface. Indeed, according to various reports it seems that this year Myspace has gone from a big fat zero of new member registrations to 40,000 per day, to gain a million new members. To put that into perspective, it was more than Pinterest could manage and more than Google+ as well. Much of this renewed member interest can probably be put down to its new policy of integration with both Facebook and Twitter, both of which remain firmly above Myspace in terms of traffic, along with LinkedIn. Perhaps not surprisingly, given the Justin Timberlake connection, Myspace is basing many of its hopes for social media resurrection on what used to be the not-quite-unique selling point of becoming an online music hub.

If you like the Windows 8 image-centricpanels- and-tiles interface approach, then you’ll probably like the new Myspace.

If you like the Windows 8 image-centricpanels- and-tiles interface approach, then you’ll probably like the new Myspace.

If you like the Windows 8 image-centricpanels- and-tiles interface approach, then you’ll probably like the new Myspace. But if you like music then the chances are that you’re already using another social media service to discover and listen to new music – namely, Spotify. Whether or not Myspace can succeed remains to be seen, but it can already claim to provide access to more than twice as much free music as Spotify, with more than 40 million tracks. Myspace also seems determined to remain the free music choice, while Spotify seems to be moving more towards the paid-for subscriber model. The thing is that, despite the allure of the free and despite the jazzy new look (which you can preview at (, I’m not convinced that Myspace has what it takes to succeed – namely, the momentum of the moment. By which I mean that all the free music in the world is of no consequence if the music player itself is below par, and no amount of design revamping and hyperbole will make any difference if your target audience is talking about someone else. The combination of yesterday’s pop star with yesterday’s social network has a rather ominous ring of doom about it, don’t you think?

Mobile malware marches ever onwards

The latest McAfee Threats Report makes for slightly uneasy reading, not least because it shows the largest rise in malware that the firm has reported for four years now. In fact, McAfee reveals that there were 1.5 million more malware samples detected in the second three months of 2012 than the first three. The sample discovery rate has risen to around 100,000 per day, with malware variants jumping from traditional desktop targets to tablets and smartphones. Pretty well all the new mobile malware detected was directed firmly at Android, and included SMS senders, mobile botnets, spyware and data destroying ransomware trojans.

USB Immunizer protects against the rising threat from thumbdrive malware

USB Immunizer protects against the rising threat from thumbdrive malware

USB thumbdrives also proved a big target, with 1.2 million new samples of the Autorun worm discovered. This is distributed by way of a removable USB drive and executes malicious code as soon as that drive is inserted into a host machine. New thumbdrives attached to an infected machine also become infected, and so it goes on. I must apologise to McAfee for hijacking its research findings to plug a rival security vendor’s solution, but the Bitdefender USB Immunizer, codename “Peeved Panda” (don’t ask!) will disable Autorun-related threats by monitoring all newly inserted USB storage devices and immunising them on the fly. If an infected device is inserted, then the malware contained in it will not be auto-executed. It works well, and it’s free to download.

And finally, stating stating the bleedin’ obvious

The Information Commissioner’s Office (ICO) has finally got around to clarifying the data protection responsibilities of a business when using cloud services. It’s the usual fairly long-winded document, but free to take a look at the PDF. Alternatively, I can sum it up for you: you’re solely responsible for the protection of your own data. Just because you outsource to  a third party in the cloud, doesn’t relieve you of that basic responsibility. This just goes to confirm what I’ve been saying for yonks now, that you need to know where your data is stored and who can access it. Think ownership and think sovereignty of data when thinking cloud and you’ll be in the right ballpark.

Most View
Spring Is Here (Part 2)
Is 802.11ac Worth Adopting?
BlackBerry Z10 - A Touchscreen-Based Smartphone (Part 1)
LG Intuition Review - Skirts The Line Between Smartphone And Tablet (Part 5)
Fujifilm X-E1 - A Retro Camera That Inspires (Part 4)
My SQL : Replication for High Availability - Procedures (part 6) - Slave Promotion - A revised method for promoting a slave
10 Contenders For The 'Ultimate Protector' Crown (Part 3) : Eset Smart Security 6, Kaspersky Internet Security 2013, Zonealarm Internet Security 2013
HTC Desire C - Does It Have Anything Good?
Windows Phone 7 : Understanding Matrix Transformations (part 2) - Applying Multiple Transformations
How To Lock Windows By Image Password
- First look: Apple Watch

- 10 Amazing Tools You Should Be Using with Dropbox
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Top 10
OPEL MERIVA : Making a grand entrance
FORD MONDEO 2.0 ECOBOOST : Modern Mondeo
BMW 650i COUPE : Sexy retooling of BMW's 6-series
BMW 120d; M135i - Finely tuned
PHP Tutorials : Storing Images in MySQL with PHP (part 2) - Creating the HTML, Inserting the Image into MySQL
PHP Tutorials : Storing Images in MySQL with PHP (part 1) - Why store binary files in MySQL using PHP?
Java Tutorials : Nested For Loop (part 2) - Program to create a Two-Dimensional Array
Java Tutorials : Nested For Loop (part 1)
C# Tutorial: Reading and Writing XML Files (part 2) - Reading XML Files
C# Tutorial: Reading and Writing XML Files (part 1) - Writing XML Files