We explain how even IT security
professionals get scammed, and wonders whether Myspace can make a comeback
I recently warned website readers – about
the hidden security threat posed by QR codes, those giant barcodes used for
marketing just about everything these days. I’ve seen them in magazines, on
posters and even a giant one on the back of a bus, although I’m still unsure
how anyone was meant to scan that. Yet scan them people do, sometimes with the
promise of a free something-or-other, but more often than not without any
promise of anything (and that includes what web page you’ll end up on).
As I warned in that online feature: “QR
codes present one of the biggest hidden security threats, precisely because
genuine marketing campaigns rely upon the curiosity factor to get consumers to
scan them; don’t think for a moment that the bad guys have failed to notice
this.” Now you might think that such advice wouldn’t be required for those
working within the IT industry, who tend to be a bit more security savvy than
your average user, and certainly not for those whose particular niche within
the industry is information security itself. Well think again, if the results
of a little experiment perpetrated by GreenSQL founder David Maman are anything
to go by.
During the course of a three-day security
conference in London recently, a poster on the wall of the hall featured the
logo of a well-known security vendor, the words “Just scan to win an iPad” and
a QR code. That poster had been created and stuck there by David, but neither the
organisers of the event, nor the security vendor whose logo was featured,
bothered to ask what it was doing there or request that it be taken down. Some
445 people did scan the QR code and browsed the page that it linked to. At this
point it’s worth a reminder that this was a conference for IT security
professionals. All they actually got when they scanned that QR code was a web
page featuring a smiley face, but it could have been a piece of malware, or one
of a multitude of poisoned URL attacks.
The scanning was perpetrated via a variety
of smartphones and tablets, and as we all know, most people don’t believe that
such devices require any kind of antivirus or URL filtering to protect them.
Even the usual advice of “don’t scan it unless it comes from a reliable source”
wouldn’t help in this case, because it appeared to come from an impeccable
source, and bad guys won’t shrink from pretending to be good guys if it will
get you to click a link or scan a barcode. Personally, I adopt a simple
solution to the QR conundrum by just saying no. After all, they usually just
point to more marketing junk that you can do without...
Facebook friends who should know better
Did your mother never tell you that if
something seems too good to be true then chances are that it is? Mine did, and
it’s held me in good stead for close-on 40 years. Even if social networking had
been around back then, I like to think that mum wouldn’t have added “unless
it’s on Facebook” to her homily. Yet such suspension of common sense if
something happens within the Facebook realm seems to be rife, even among my own
circle of friends, whom I consider pretty clued up on technology and IT
security.
Don’t
let greed cloud your common sense online
Well you would, wouldn’t you, once you
realise that these people are tech magazine editors, journalists and a fair
smattering of network engineers and IT consultants. So how come my Facebook
feed filled with friends “liking” a so-called voucher offer from Tesco that
promised a $262.5 shopping discount if I were to click a link quickly enough
and share the scam with all my own friends? That link appeared to land at
Tesco, but it’s a simple task to steal the look and feel of a website, and run
it on a rogue server. To get your non-existent discount voucher you had to
complete a survey, and what could be the harm in that – other than giving the
scammers your personal details for whatever purposes they fancy using them at a
later date; providing them with referral cash for completing what is often a
genuine and innocent third-party survey; and being tempted by adverts or
pop-ups that offer to take you to more revenue-earning surveys or a
malwareinstalling site or three?
Factory-fitted malware
Almost six years ago, I won a “best
security news story of the year” award for a story at DaniWeb that exposed how
some TomTom Go 910 satnav units had been shipped from the factory infected with
what was, at that time, the first ever trojan to be discovered on such devices.
This was a big deal, despite the trojans being unable to do any damage to the
satnav itself, because that satnav unit needed to be connected to a PC to
update its maps and manage the device, and the trojan could then potentially move
across to the PC and wreak havoc there.
The
first ever trojan to be discovered on such devices: TomTom Go 910
It seemed likely that the devices were
infected, ironically enough, during the quality-control process when they’d
have been connected to a PC at the factory. Such instances are still pretty
rare, and I can count on one hand the number of times I’ve heard of brand-new
hardware being infected by malware of any kind. However, maybe that’s because
neither I, nor my circle of business contacts and friends, tend to purchase
hardware directly in China. On the other hand, Microsoft’s Digital Crimes Unit
did exactly that, as part of an investigation into pirated copies of Windows,
and bought a total of 20 laptops and desktops from a number of cities in China.
Of these – all factory-sealed items, remember – no less than four were found to
be pre-infected with malware.
That lowers the surprise factor a notch or
two, because as any fool knows, you shouldn’t touch counterfeit software with a
bargepole, and particularly counterfeit OS software. It would be bad enough to
discover your cheap computer was running a bootleg version of Windows, since
any savings you made may be wiped out by the cost of purchasing a kosher copy –
but even worse, if you didn’t also discover it was running malware that
connected it to the Nitol botnet used in hacking attacks. Nitol is part of the
well-known 3322.org hosting site that’s been linked to malicious activity for
many years now, including the kind of cyberespionage enabled by malware giving
access to webcam and microphone hardware on infected PCs.
Now you might think that such problems
couldn’t possibly have an impact upon you, but I beg to differ, especially
since more and more small businesses and consumers are looking to save money by
taking a “buy ‘em cheap on eBay” approach to computer upgrades. I know folk who
have, within the past six months, purchased very cheap smartphones of dubious
origin, and equally cheap “unknown brand” laptops too. All of these could be
traced back to China, and that’s where the real problem lives, because these
low-budget/no-budget supply chains appear to be totally unsecured. At this
bottom end of the industry, where every single cut that can be made will be
made, bothering to secure a supply chain really isn’t an option – and that
leaves the door open for malware infection at pretty well any point, whether it
be at the factory itself, the wholesaler/distributor or at the final retailer
in the supply chain.
As Mark James, technical team leader at
security vendor ESET says, the supply chain “seems the logical place to start,
if at all possible, from the malware writer’s point of view; a lot of ‘home’
users would just un-box and switch on, with antivirus software typically being
one of the later items people consider installing once the machine is up and
running, usually expecting it to be preloaded from day one. If the machine is
already infected and talking to the outside world, the end user may be unaware
and accept any strange occurrences as ‘normal for a new machine’. Often the end
user notices when a new machine becomes infected and slow, but in this
scenario, they may not notice until a specific problem arises. Apart from
installing the OS yourself and installing a good antivirus from day one, there
isn’t much users can do to protect against this type of abuse – and to be
honest, this is often beyond the ability of the average home user. I’d hope a
business environment would have a procedure in place to test new machines for
any kind of infection before adding them to the domain or work environment,
using a good antivirus program.”
Return of Myspace?
Knock knock. Who’s there? Myspace. Myspace
who? Precisely. Long before Facebook, Twitter and LinkedIn conquered the social
networking world (sorry Google+, but you really don’t count yet), the
undisputed king of the hill was Myspace. This once News Corp-owned social
network had all the media mentions, had all the members, had everything – or so
it seemed. Launched in 2003 and acquired by News Corp for some $580 million in
2005, the future looked very bright for Myspace. Indeed, in 2006 it was
officially the biggest website of them all, getting more visitors than Google
and boasting more than 100 million registered members.
Meanwhile, Facebook opened its doors to
everyone in 2006 – having previously been restricted to students – and by 2008
it had overtaken Myspace in terms of internet traffic. The reasons why Facebook
went on to amass close to a billion members and Myspace ended up being sold to
online advertising outfit Specific Media (and investor Justin Timberlake, who
is now a part-owner of Myspace) for a reported $35 million last year could be
debated until the cows come home.
Can
Justin Timberlake’s new Myspace take on Spotify and Facebook?
Personally, I think it was a classic case
of old media, in the shape of News Corp, not being able to grasp the social
aspects of the new networking media quickly enough, by which I mean that
Facebook was spearheading the whole “user-generated everything” approach to
content and community building, with third-party developers bringing games and
apps to the party, while Myspace remained a communications portal with an emphasis
on teenagers, music and proprietary in-house-developed tools such as karaoke
machines, video players and instant messaging clients. A three-year advertising
deal with Google that brought in close to a billion dollars didn’t help either.
Sure Myspace now had plenty of cash, but it also had a surplus of contractually
required advertising that made the site slow and sloppy to access.
Fast forward to now and the
Timberlake/Specific Media combo are about to relaunch Myspace – which has
somehow managed to retain a none-too-shabby 25 million members – with a
brand-new Windows Metro-inspired interface. Indeed, according to various
reports it seems that this year Myspace has gone from a big fat zero of new
member registrations to 40,000 per day, to gain a million new members. To put
that into perspective, it was more than Pinterest could manage and more than
Google+ as well. Much of this renewed member interest can probably be put down
to its new policy of integration with both Facebook and Twitter, both of which
remain firmly above Myspace in terms of traffic, along with LinkedIn. Perhaps
not surprisingly, given the Justin Timberlake connection, Myspace is basing
many of its hopes for social media resurrection on what used to be the
not-quite-unique selling point of becoming an online music hub.
If
you like the Windows 8 image-centricpanels- and-tiles interface approach, then
you’ll probably like the new Myspace.
If you like the Windows 8
image-centricpanels- and-tiles interface approach, then you’ll probably like
the new Myspace. But if you like music then the chances are that you’re already
using another social media service to discover and listen to new music –
namely, Spotify. Whether or not Myspace can succeed remains to be seen, but it
can already claim to provide access to more than twice as much free music as
Spotify, with more than 40 million tracks. Myspace also seems determined to
remain the free music choice, while Spotify seems to be moving more towards the
paid-for subscriber model. The thing is that, despite the allure of the free
and despite the jazzy new look (which you can preview at (https://new.myspace.com/play), I’m not
convinced that Myspace has what it takes to succeed – namely, the momentum of
the moment. By which I mean that all the free music in the world is of no
consequence if the music player itself is below par, and no amount of design
revamping and hyperbole will make any difference if your target audience is
talking about someone else. The combination of yesterday’s pop star with
yesterday’s social network has a rather ominous ring of doom about it, don’t
you think?
Mobile malware marches ever onwards
The latest McAfee Threats Report makes for
slightly uneasy reading, not least because it shows the largest rise in malware
that the firm has reported for four years now. In fact, McAfee reveals that
there were 1.5 million more malware samples detected in the second three months
of 2012 than the first three. The sample discovery rate has risen to around
100,000 per day, with malware variants jumping from traditional desktop targets
to tablets and smartphones. Pretty well all the new mobile malware detected was
directed firmly at Android, and included SMS senders, mobile botnets, spyware
and data destroying ransomware trojans.
USB
Immunizer protects against the rising threat from thumbdrive malware
USB thumbdrives also proved a big target,
with 1.2 million new samples of the Autorun worm discovered. This is
distributed by way of a removable USB drive and executes malicious code as soon
as that drive is inserted into a host machine. New thumbdrives attached to an
infected machine also become infected, and so it goes on. I must apologise to
McAfee for hijacking its research findings to plug a rival security vendor’s
solution, but the Bitdefender USB Immunizer, codename “Peeved Panda” (don’t
ask!) will disable Autorun-related threats by monitoring all newly inserted USB
storage devices and immunising them on the fly. If an infected device is
inserted, then the malware contained in it will not be auto-executed. It works
well, and it’s free to download.
And finally, stating stating the bleedin’ obvious
The Information Commissioner’s Office (ICO)
has finally got around to clarifying the data protection responsibilities of a
business when using cloud services. It’s the usual fairly long-winded document,
but free to take a look at the PDF. Alternatively, I can sum it up for you:
you’re solely responsible for the protection of your own data. Just because you
outsource to a third party in the cloud, doesn’t relieve you of that basic
responsibility. This just goes to confirm what I’ve been saying for yonks now,
that you need to know where your data is stored and who can access it. Think
ownership and think sovereignty of data when thinking cloud and you’ll be in
the right ballpark.
