
Today, we’re going to play “What’s Wrong with This Picture.” First of all, take a look at the following screen capture. (You can view it full-sized by clicking on it.)

Example of Phishing Email

Now let’s see if you can list all the things that are wrong with this email. Here’s what I came up with:

  • There is no such thing as “Microsoft ServicePack update v6.7.8.”
  • The Microsoft Windows Update Center will never, ever send you a direct email message like this.
  • Spelling errors in the body of the email: “This update is avelable…” “…new futures were added…” (instead of “features”) and “Microsoft Udates” (OK, that last one is not visible in my screen cap, so it doesn’t count).
  • Problems with the hyperlink. Take a look at the little window that popped up when I hovered my mouse over the link: The actual link is to an IP address (85.214.70.156), not to microsoft.com, as the anchor text would have you believe. Furthermore, the directory path that finally takes you to the executable (“bilder/detail/windowsupdate…”) is not what I would expect to see in the structure of a Microsoft Web site.

If you want to know what sp-update.v678.exe would do if you downloaded and executed it, take a look at the description on the McAfee Web site (click on the “Virus Characteristics” tab). Suffice it to say that this is not something you want on your PC.

Sad to say, I suspect that thousands of people have clicked through on it because it has the Windows logo at the top with a cute little “Windows Update Center” graphic.

Would you have spotted it as a phishing attempt? Did you spot other giveaways in addition to the ones I listed above? Let us know in the comments.

Volume 9 of the Microsoft Security Intelligence Report is out, and it makes for some pretty interesting reading. Among other things, it talks extensively about botnets – the various “families” of botnets, how they are used, how they work, and how access to them is sold and traded on the black market. Why? Because (quoting from the report), “When we look at that intelligence as a whole, it’s clear that botnets pose one of the most significant threats to system, organizational, and personal security.”

One of the things you’ll find in the report is a discussion of the infection rates of different versions of the Windows Operating System. You may have noticed that every now and then, as part of the critical patches and updates that Microsoft pushes to your PC, there’s something included called the “Malicious Software Removal Tool,” or “MSRT.” Microsoft keeps track of how often the MSRT actually finds malicious software when it runs, and that information is presented here as the number of computers cleaned of bot-related malware per 1,000 executions of the MSRT. Take a look at the following graph, which covers just Q2 of 2010 (click to view larger image):

Infection rate found per 1,000 executions of MSRT

I would like to particularly direct your attention to the fact that the infection rate for Windows XP SP3 is four times the infection rate for Windows 7, and the rate for Windows XP SP2 is five times the Win7 rate.

I understand that, for some people, the issue of upgrading from Windows XP to something else borders on being a religious discussion. But, honestly, if Windows 7 is that much more secure – which it clearly is – isn’t it getting a bit difficult to justify the “you can have my Windows XP when you pry it from my cold, dead fingers” position?

Of course, larger enterprises have some challenges to overcome. As we discussed in our September post about the cost of a Windows 7 migration, Gartner recently reported that, since most organizations weren’t planning to begin their Win7 migrations until 4Q2010, and with PC hardware replacement cycles typically running at four to five years at present, most organizations simply will not be able to complete a Windows 7 migration through the normal PC replacement cycle before Microsoft ends support for XP SP3. There just isn’t enough time left.

But even if there were enough time – why would you not want to move to an Operating System that’s four times more secure as quickly as you possibly can?

As Gartner pointed out, one alternative is to move some users to a “hosted virtual desktop” instead of a new PC. Translation: Making VDI part of your migration strategy can help get you out from behind the eight ball. It can also boost the overall security of your organization. Doesn’t that make it a conversation worth having?

At the recent Synergy Berlin conference, Citrix announced Access Gateway 5.0. We have confirmed that, as of now, 5.0 is available for download from the Citrix download site – both as an update for the CAG 2010 hardware appliance, and in Access Gateway VPX (virtual appliance) format. (Note: you will need a “mycitrix” account to download the software.)

One of the things I really like about 5.0 is that it now supports running two 2010 appliances in an active/passive HA configuration with automatic failover. This was a serious shortcoming of the original CAG appliance.

In earlier versions, if you were using the Access Gateway as a general-purpose SSL VPN, you could configure HA of a sort within the Access Gateway client plug-in, by defining primary and secondary Access Gateways for the client to connect to. However, if you were simply running the Access Gateway in “CSG replacement” mode to connect to a XenApp farm without requiring your users to first establish an SSL VPN connection, you had no ability to provide automatic failover unless you had some kind of network load balancing device in front of multiple Access Gateway appliances. That meant, of course, that to avoid having the load balancing device become a single point of failure, you had to have some kind of HA functionality there as well. By the time you were done, the price tag had climbed to a level that just didn’t make sense for some smaller deployments.

NOTE: This specifically applies to the 2010 appliance. The CAG Enterprise models, because they are built on the NetScaler hardware platform, have always supported operation as HA pairs with automatic failover. Of course, a CAG MPX 5500 also carries a $9,000 list price, compared to $3,500 for a CAG 2010.

Now, with the release of 5.0, you can purchase two 2010 appliances (which will cost you less than a single MPX 5500), and run them as an active/passive HA pair. Thank you very much, Citrix CAG team!

Here are a couple of videos from Citrix TV. The first deals with how to upgrade an existing CAG 2010 to the 5.0 software using a USB flash drive, and then set up the basic system parameters:

The second video shows how to configure a pair of appliances for active/passive failover:

You can access several other “how-to” videos by going to http://www.citrix.com/tv, and searching on “Access Gateway 5.0.”

WatchGuard LiveSecurity has released an urgent security alert for an email worm. It generally arrives with one of the following subject lines:

  • “Here you have”
  • “Just for you”
  • “This is the Free Dowload Sex Movies, you can find it Here”

The email contains a link to what appears to be a PDF document or WMV video, but is actually a link to a malicious Windows screen saver (.SCR) file. If you run the malicious .SCR file, it…

  • Copies itself to your Windows directory as CSRSS.EXE (the legitimate CSRSS.EXE lives in your Windows\System32 directory, so a copy sitting in the Windows directory itself is a giveaway), and modifies the Windows registry so it can restart after a system reboot
  • Sends itself to your email and IM contacts
  • Copies itself to mapped drives and removable USB media
  • Tries to disable popular security applications
  • Downloads and installs various other pieces of malware
  • Steals sensitive information (including passwords cached in your Web browser)

This worm does not appear to use any new techniques, and should be detected by most major antivirus vendors, so it is not cause for panic. You should, however, make sure you have the latest AV signature updates installed on your systems. Also, remind your users never to open unexpected attachments or click on unexpected Web links, even if they appear to come from friends, co-workers, or other trusted parties. The bad guys appear to be spamming this very aggressively, and it only takes one user to cause you a lot of headaches.

Yesterday (August 25), Citrix formally announced XenDesktop 4 Feature Pack 2. It’s expected to be available by the end of September, and, of course, will be available at no charge to existing XenDesktop customers whose Subscription Advantage is current. The big news in this Feature Pack is the incorporation of XenClient and XenVault.

We’ve talked a lot about XenClient here, but haven’t said much about XenVault. It’s high time we did, because it’s a pretty cool piece of technology in its own right.

If you’ve used Citrix products in the past, you know that we have administrative control over whether, for example, users who are running applications on a XenApp server are able to save data back to a disk drive on their client device. With the advent of Smart Access (enabled by Access Gateway Enterprise policies), we can get even more granular: we might allow a user to save data to a client drive if they’re connecting from within the protected network, or connecting from a corporate-owned laptop, but deny that same user the ability to do so if they’re connecting from a personal device or public location like a hotel business center.

Unfortunately, once the data is on a client device, you now have a security risk. It could potentially be copied to a USB drive. The corporate laptop could be lost or stolen. (For some of the more high-profile examples, check out the “laptop losers hall of shame.”) Nevertheless, it’s often viewed as a risk we have to take so that our mobile users can be productive.

XenVault, which was first previewed at the Synergy event last May, is designed to address this risk. XenVault is a new plug-in for the Citrix Receiver. As such, its deployment and configuration are controlled through the Citrix Merchandising Server. To quickly review, Merchandising Server is the preferred tool Citrix has provided for installing and configuring client software. The first time a user authenticates to the Merchandising Server (through a simple browser interface), the Citrix Receiver will be pushed down and installed on the client device, together with whatever plug-ins and configuration details the administrator has defined for that user. Subsequently, the Citrix Receiver will check back with the Merchandising Server behind the scenes, and receive any configuration updates that may be available.

The XenVault plug-in creates a secure, encrypted (256-bit AES) storage area on the client hard disk. Typically, any application that is running remotely on a XenApp server or XenDesktop virtual PC will only be able to store data in the secure, encrypted location, if it is allowed to store data on the client drive at all. Same for an application that has been streamed via XenApp for local execution on the client (regardless of whether it was packaged with the Citrix streaming tools or with App-V). While the user will be able to use Windows Explorer to look at the secure location and see what files are there, the user will not be able to copy files from the secure location to a non-secured area of the hard disk, nor open the files with applications other than those specified by the administrator. For a deeper explanation of how this works, see Joe Nord’s blog post on the subject.

If the laptop is lost or stolen, the administrator can issue a “kill pill” that will cause the secure, encrypted area to be locked or deleted the next time the Receiver checks in with the Merchandising Server. Pretty cool.

If you can’t wait until the end of September to try it out, and you have a mycitrix login, you can download the XenVault technology preview now. And keep watching this space, because I’ve got a feeling that this will be a good subject for a future video blog.

And Just to Prove the Point…

August 5th, 2010 | Posted by Sid Herron in General | Security - (0 Comments)

Monday, I wrote a post about some of the latest trends in cyber crime.

Tuesday afternoon, our Web site was hacked.

We didn’t realize it until we landed on the Google blacklist this morning, although I should have suspected something when I noticed, on Tuesday afternoon, that both of our two instances of WordPress – the one that powers this blog, and the one that powers our “News” page – had stopped working. But, since I knew that I was a couple of revisions behind, I elected to upgrade my WordPress instances to the latest release. When they came back up working again, I didn’t probe any deeper. I should have known better.

Log analysis indicates that our FTP account was compromised. Beginning at about 3:18 pm PDT on Tuesday afternoon, a series of files were uploaded to our server from an IP address that appears to be located somewhere in the UK (in the London area, to be more precise). The file transfers were done using the FTP account for our domain. They went through our site and changed every index.* page. Specifically, they placed a “hidden iframe” immediately following the <body> tag.

For those who aren’t conversant with HTML, you can think of an “iframe” as a window on a Web page that displays content from another Web page. Except that, in this case, the height, width, and border width of that window were set to “0.” The point being that when your browser loaded the page from our site, it would also load the content from the other site, but it wouldn’t be visible on the page. That content was almost certainly an attack page that tries to exploit vulnerabilities in the visitor’s browser or its plug-ins in order to install malware. The hidden iframe is one of the most common attack techniques out there, and is typically used for some kind of “drive by” malware distribution campaign where the bad guys try to place their hidden iframe on as many legitimate sites as possible. When you visit the site, your browser fetches the code, and now it’s a matter of how good the defenses are on your PC.
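Here is a small scanner that looks for exactly the kind of injection described above: an iframe whose width or height is zero, or that is hidden with CSS, with a flag for the “first thing after the &lt;body&gt; tag” placement. This is an added example, not code from the original post or from any cleanup tool we used. The two sample pages are constructed, and the injected iframe points at the documentation address 192.0.2.55 rather than at any real host.

```python
"""Find hidden iframes of the kind injected into index.* pages.

Added example, not the post's own code. The two pages below are constructed;
the injected src uses the documentation address 192.0.2.55.
"""
import os
import re
from html.parser import HTMLParser

# Constructed samples: one page carrying a zero-size iframe right after <body>,
# one clean page with a normal, visible embed.
INFECTED_PAGE = (
    '<html><body>'
    '<iframe src="http://192.0.2.55/in.php" width="0" height="0" frameborder="0"></iframe>'
    '<h1>Welcome</h1></body></html>'
)
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="https://www.example.com/embed/abc" width="560" height="315"></iframe>'
    '</body></html>'
)


def _is_zero(value):
    """True for '0', '0px', '0%' and similar; False for None or any other size."""
    return re.fullmatch(r"\s*0+(\.0+)?\s*(px|%)?\s*", value or "") is not None


class _IframeFinder(HTMLParser):
    """Record every iframe that is sized or styled so the user cannot see it."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_body = False
        self._tags_after_body = 0  # start tags seen since <body>

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_body = True
            self._tags_after_body = 0
            return
        if self._in_body:
            self._tags_after_body += 1
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_zero(a.get("width")):
            reasons.append("width 0")
        if _is_zero(a.get("height")):
            reasons.append("height 0")
        style = a.get("style", "").lower().replace(" ", "")
        if re.search(r"display:none|visibility:hidden|(width|height):0(px|%)?(;|$)", style):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({
                "src": a.get("src", ""),
                "reasons": reasons,
                # The injection described in the post sat immediately after <body>.
                "first_after_body": self._in_body and self._tags_after_body == 1,
            })


def find_hidden_iframes(html):
    """Return a list of dicts (src, reasons, first_after_body) for invisible iframes."""
    parser = _IframeFinder()
    parser.feed(html)
    return parser.findings


def scan_site(root):
    """Walk a document root and report hidden iframes in every index.* file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("index."):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_hidden_iframes(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    print("infected:", find_hidden_iframes(INFECTED_PAGE))
    print("clean:   ", find_hidden_iframes(CLEAN_PAGE))
```

Point `scan_site()` at the document root of a site you suspect has been tampered with and it returns a dictionary of offending files. It is deliberately narrow: it catches zero-size and CSS-hidden frames, which is what was planted here, and will not catch injected JavaScript that builds the iframe at run time. Comparing the files against a known-good copy, or against your FTP log of what was uploaded, remains the reliable way to be sure a site is clean.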

Obviously, we’ve changed the FTP account credentials. But, frankly, we’re still not sure how the account was compromised in the first place. It was a pretty strong password, and not one that you’d expect to fall victim to a dictionary attack. We’ve been running malware scans on the machines that we normally use when we work on the Web site, and have yet to come up with a “smoking gun” that would explain how the credentials were compromised.

So…what to take away from this? First of all, it’s no fun to become a statistic. Second, nobody is immune to this sort of thing. Even the CBS News Web site was hit by an iframe attack not that long ago. Nobody is too big or too small to be targeted. Third, change your passwords regularly, even if you think you have strong ones. Fourth, be suspicious when something unusual happens. I should have dug deeper Tuesday afternoon, but it was late in the day when it happened, and I settled for what looked like an easy fix. Finally, it’s a pain in the you-know-what to go through and clean up the aftermath of something like this. It’s cost me most of today, plus we’ve been on the Google blacklist all day and probably won’t come off of it until sometime tomorrow when they’ve had time to re-scan our site.

The bad guys are out there, and they do want your stuff. Be careful.

Causes and Costs of Cyber Crime

August 2nd, 2010 | Posted by Sid Herron in Security - (0 Comments)

I read a couple of items today about security and cyber crime that I found rather interesting. One was an article that came out a week ago on infoworld.com about the “First Annual Cost of Cyber Crime Study,” conducted by Ponemon Institute. The study involved 45 midsize and large organizations, ranging in size from 500 to more than 105,000 employees. They represented a mixture of industries and government agencies. The study revealed that cyber crime cost these organizations an average of $3.8 million per year…each. The reported costs ranged from a low of $1 million to a high of $52 million per year.

The reported costs represent the direct cost of coping with attacks, including such things as, for example, the amortized annual cost of a Web application firewall purchased to respond to an attack on a Web application. They also included the time spent responding to attacks, the cost of disruption of business operations, lost revenue, and the destruction of assets. They found that it took an average of 14 days to respond to a successful cyber attack, at an average cost of over $17,000 per day.

Admittedly, a sample size of 45 companies is relatively small. But still – $3.8 million per year, average? Holy smoke!

The other piece of light reading will help to flesh out the picture and add some perspective. It’s the 2010 Data Breach Investigations Report conducted by the Verizon RISK team, in cooperation with the U.S. Secret Service. It combines data from Verizon’s 2009 case load with additional data contributed by the USSS to form a data set that spans six years and over 900 security breaches, representing over 900 million compromised records. About two-thirds of the breaches covered in the report have either not yet been disclosed, or never will be.

While the cases worked by the USSS more frequently involved insiders, in Verizon’s own cases, almost all data stolen in 2009 – 98% – was the work of criminals outside the victim organization. 85% of that data was stolen by “organized criminal groups.” For a definition of “organized criminal groups,” see Appendix A of the report…it’s pretty interesting reading in and of itself.

Not surprisingly, financial services organizations were most frequently targeted (33% of cases), for the same reason Willie Sutton robbed banks: that’s where the money is. But you may be surprised to learn that the hospitality industry wasn’t that far behind (23% of cases), followed by retail (15% of cases). And here are some other things that might surprise you (note that the following percentages add up to more than 100%, meaning that some cases involved more than one factor):

  • 48% of breaches involved “privilege misuse” (that’s up 26% from the year before). The report defines this as any use of resources or privileges in a manner contrary to that which was intended, whether malicious or non-malicious. This category includes obvious actions such as embezzlement or deliberate theft of information by an insider, but also losses that resulted from abuse of system access, use of unapproved devices, violations of an organization’s Web or Internet use policy, abuse of private knowledge, use of unapproved software or services, unapproved changes and workarounds, and violations of an organization’s asset / data disposal policy.
  • 40% resulted from hacking (down 24%) – the majority of which involved either the use of stolen login credentials, or SQL Injection attacks. A fair number also involved exploitation of default or guessable credentials (or cases where no credentials were required), and brute force and dictionary attacks.
  • 38% utilized malware (unchanged)
  • 28% employed “social tactics” (up 16%) – using deception (spoofing, phishing, forgery), manipulation, intimidation, bribery, extortion, etc., as a means of breaching an organization’s security. Social tactics are often combined with other categories, for example, malware designed to look like antivirus software.
  • 15% were physical attacks such as theft, tampering, and surveillance (up 6%)
  • And what may be the most astounding finding of all: “…there wasn’t a single confirmed intrusion that exploited a patchable vulnerability.” Does that mean you don’t have to pay attention to patching your systems? No, of course not. But what it means is that just because you are current on all of your patches it doesn’t mean you’re safe!

Here are some more commonalities in the attacks:

  • 98% of all data breached came from servers.
  • 85% of attacks “were not considered highly difficult.”
  • 61% were discovered by a third party(!)
  • 86% of victims had evidence of the breach in their log files(!!)
  • 96% of breaches were avoidable through simple or intermediate controls.
  • 79% of the victims that were subject to PCI DSS regulations had not achieved compliance with the regulations. Admittedly, that means that 21% had achieved compliance, and were breached anyway, but why stack the deck against yourself? If you’re subject to the regulations, make sure you’re in compliance.

So what are the takeaways from all of this data? Although I would encourage you to download and read all 66 pages of the Verizon report, here are a few points to consider:

  • 86% of victims had evidence of the breach in their log files, yet 61% of the breaches were discovered by a third party. That suggests that, just maybe, we should be paying more attention to our log files. Now, I understand that there aren’t many cures for insomnia that are better than trying to parse through several servers worth of log files looking for anomalies. But that’s why there are automated tools these days that will do that for you.
  • SQL injection has been around for over ten years, and still causes a large number of data breaches. Here’s a high-level example: you have a form on your Web site that is intended to capture user input and stuff it into a SQL database. Maybe it’s the billing information for your on-line shopping cart. But instead of entering the data you’re expecting, an attacker enters a SQL language statement that’s intended to either extract data from the database, modify data in the database, or deliver malware to the system.

    You can’t fix this by applying a patch, modifying a setting, or changing a Web page. It’s a flaw in the application code: the form input is being pasted into the text of a SQL statement, so whatever the attacker types becomes part of the query. The durable fix is to change the code to use parameterized queries (prepared statements), so that user input is only ever passed as data and can never alter the statement itself. Validating that what’s typed into a field really is the kind of information you expected is a worthwhile second layer, but on its own it is not enough. It isn’t necessarily easy, and it isn’t necessarily inexpensive. But data loss isn’t cheap, either.

  • The use of stolen credentials was the top hacking method used. Two-factor authentication (e.g., RSA’s SecurID), which can largely render stolen credentials useless, has been around for years. Apparently not enough organizations are using it.
  • One of the more interesting (to me, anyway) recommendations in the Verizon report is to filter outbound traffic. That way, even if malware does get in the door, you have some measure of control over what information leaves your network. This is sometimes referred to as “Data Loss Prevention,” or “Content Security.” Here’s what they had to say about it:

    Most organizations at least make a reasonable effort to filter incoming traffic from the Internet. This probably stems from a (correct) view that there’s a lot out there that we don’t want in here. What many organizations forget is that there is a lot in here that we don’t want out there. Thus, egress filtering doesn’t receive nearly the attention of its alter ego. Our investigations suggest that perhaps it should. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out that, if prevented, could break the chain and stop the breach. By monitoring, understanding, and controlling outbound traffic, an organization will greatly increase its chances of mitigating malicious activity.

    By a happy coincidence, one of our primary vendor partners, WatchGuard, recently introduced a line of appliances that are specifically designed for precisely this task. I’ll be writing more about that in a future post.

  • Don’t assume that you’re too small to interest the criminals. 9% of the breaches were in companies with ten or fewer employees. Another 18% in companies with 11 to 100 employees. 23% in companies with 101 to 1,000 employees.
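To make the SQL injection point above concrete, here is the billing-form lookup written the broken way and the fixed way, side by side. This is an added example, not code from the post or from the Verizon report. It uses an in-memory SQLite table with two constructed rows; the payloads are the textbook ones and work the same way against any database driver that lets you build statements by string concatenation.

```python
"""SQL injection as described above, and the fix that actually works.

Added example, not code from the post or the Verizon report. Uses an
in-memory SQLite table with constructed rows standing in for a billing form.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data: two customers with the last four card digits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The bug: form input is spliced into the statement text, so the
    attacker's quotes and keywords become part of the SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a placeholder and a bound parameter. The value is sent to the
    engine separately and can never change the shape of the query."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Second layer: reject input that does not look like an e-mail address at all.
# Allow-list validation like this narrows the attack surface; it is not the fix.
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_email(value):
    return _EMAIL.match(value) is not None


if __name__ == "__main__":
    db = make_db()
    payloads = (
        "alice@example.com",                                    # what the form expects
        "x' OR '1'='1",                                         # dumps every row
        "x' UNION SELECT name, sql FROM sqlite_master --",      # reads the schema
    )
    for payload in payloads:
        print(repr(payload), "passes validation:", looks_like_email(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  safe      :", lookup_safe(db, payload))
```

Run it and you will see the vulnerable version hand back both customers for the `OR '1'='1` payload and the table definition for the `UNION` payload, while the parameterized version returns nothing for either, because it is looking for a customer whose e-mail address literally is that string. That is the whole fix: the database never gets a chance to interpret user input as SQL.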

And, finally, don’t assume that the situation is hopeless. Remember that only 4% of breaches were judged to have required difficult and expensive measures to avoid. To quote from the conclusions of the Verizon report, “Configuration changes and altering existing practices fix the problem(s) much more often than major redeployments and new purchases.” We do have the tools to get the job done. We just have to make up our minds to do it.

I just read an interesting blog post over on ZDnet, entitled The Changing Face of IT: Five Trends to Watch. As I read through the article, I was struck by how Citrix solutions can enable IT organizations to deal with these trends. Consider:

  1. The consumerization of IT – “Workers are bringing their own laptops and smartphones into the office and connecting them to corporate systems. More people than ever are telecommuting or working from home for a day or two a week. And, the number of Web-based tools has increased dramatically…”

    Yep. In fact many companies are instituting “BYOPC” (Bring Your Own PC) policies, because in the long run it can be less expensive to give employees a fixed allowance and allow them to buy whatever they want than it is to issue – and maintain – a company-owned laptop. Citrix themselves instituted this policy a few years ago.

    If you’re using XenApp or XenDesktop to provide access to your key line-of-business applications, you don’t care what the endpoint is. If your employee prefers a MacBook, fine. Want to use an iPad? No problem. Connecting in from your home PC because your kids are sick? We’ve got that covered, too. Just install the Citrix Receiver and you’re good to go.

  2. The borderless network – “…today’s IT security model is more about risk management than network protection. Companies have to identify their most important data and then make sure it’s protected no matter who’s accessing it and from wherever and whatever device they’re accessing it from.”

    Citrix likes to say that their products are “Secure by Design,” meaning that security is built into them from the ground up. First of all, when you’re accessing your virtual desktop remotely, or running a published application from a XenApp server, the data never leaves the data center. The remote endpoint (whatever it is) is just sending keystrokes and mouse movements to the data center and getting back pixel updates. On top of that, we can encrypt that data connection using the Citrix Access Gateway.

    Citrix also gives you very granular control over whether files can be copied between client and server, and/or whether print jobs can be directed to a client-attached printer. In fact, using Advanced Access Control policies, those controls can be context-sensitive, i.e., you might allow files to be copied to the client device if the client device is a company-owned laptop, but not if it is a home PC; or you might allow client-attached printing if the client is connecting from a branch office, but not if the same user, using the same client device, is connecting from home, or from a hotel.

  3. The cloudy data center – Let me go on record as saying that the most cloudy thing about the cloud is trying to understand what someone means when they say the word. Not unlike the word “portal” a few years ago, the first question that usually needs to be asked in any discussion about cloud computing is: “When you say ‘cloud,’ what exactly do you mean?”

    But the point to remember is that when you’re delivering applications via Citrix, users don’t know and don’t care where the data center is or where the applications are being executed. It doesn’t matter. Want to move your entire infrastructure to a co-lo? Fine. Want to have multiple data centers with automatic failover from one to the other? We can do that, too. By some definitions of the term, we’ve been building “private clouds” since the release of WinFrame back in the mid-90s.

  4. The state of outsourcing – “Outsourcing is thriving in many different forms, and it’s reasonable to expect that it will accelerate.”

    We made the point above that users don’t know and don’t care where the data center is. The fact is, for about 90% of what they need to do, neither do the administrators. Virtualization in general, and Citrix products in particular, make it very easy to administer, troubleshoot, and repair issues remotely. We built the entire Evans Fruit Company infrastructure without ever having our engineer set foot on site. In fact, actually dispatching an engineer to a customer location is now the exception rather than the rule.

  5. The mobilization paradigm – “While PCs still make sense on the desks of knowledge workers, for all of these other workers who regularly move around as part of their daily job, the stationary PC often changes the natural flow of their routine because they have to stop at a system to enter data or complete a task. That’s about to change. Mobile computers in the form of smartphones and touchscreen tablets (like the iPad) have taken a big leap forward in the past four years. They are instant-on, easy to learn because of the touchscreen, and they have a whole new ecosystem of applications designed for the touch experience…”

    Very true…but these same users are going to still need to access your traditional line-of-business applications, which will not be transformed overnight into touchscreen enabled apps. It is axiomatic that, in IT, nothing ever actually goes away – instead, new technology just gets layered over the top of old technology…which is why you’ll still find applications running on big mainframes in a lot of enterprises. So how do you manage that transition?

    Once again, Citrix comes through. There’s a Citrix Receiver for the iPhone, one for the iPad, one for Windows Mobile phones, one for the Android, and just a couple of months ago, Citrix released a version of the Receiver for BlackBerry devices. And, of course, Receivers for Windows, Mac, and Linux PCs have long been available. I don’t know of any other product or technology that offers this kind of flexibility in delivering applications to users regardless of location, connection, or endpoint device.

So a big “Thank you!” to Jason Hiner for an excellent post. You’ve just described, in a nutshell, why Moose Logic is still excited to be a Citrix partner after all these years. Just remember, as you work to adapt to all of these trends that are indeed changing the IT landscape, we’ve got your back.

We’ve talked before about how the Internet threat landscape has changed over the past few years. Increasingly, malware is being distributed, not by sending you an infected email attachment, but by trying to entice you to visit a Web site that will drop the malware onto your computer. It should be no surprise to anyone that, given the explosive growth of Facebook, and given the fact that the fastest growing segments of Facebook users are people who are not “power users,” and who probably don’t know a lot about Internet security, these people are obvious targets for the bad guys.

Here’s a classic “phishing” example – one that recently showed up in my email. Let’s break it down and look at the things that are not quite right about it, and perhaps it will help you spot similar attempts in the future. As you read through this post, you may want to open the images in separate windows, so you can easily see what we’ll be discussing here.

If you’ve got a presence on Facebook, you’ve no doubt received one or more email messages that look like this (I’ve blanked out stuff that might identify the specific Facebook friend who sent me the message):

Legitimate Facebook Notification

There are some things that are consistent across all of the legitimate notification messages that I’ve received:

  • The subject line contains the name of the person who sent me the message (“so-and-so sent you a message on Facebook”).
  • The first line in the message itself also contains the name (“so-and-so sent you a message”).
  • The name is repeated yet a third time next to the sender’s profile pic, along with the time stamp of when the message was sent.
  • The text of the message is included in the email.
  • The hyperlink that’s provided (“To reply to this message, follow the link below”) contains the email address that’s associated with my Facebook account.
  • The footer repeats my email address (“This message was intended for…”), and the big, long, cryptic number that’s provided in the unsubscribe link is the same big, long, cryptic number that was in the reply link.

Now, let’s look at the phishing message:

Phishing Message

First of all, although this isn’t obvious by looking at the message, this email was sent to my personal email address, which is not the address that’s associated with my Facebook account. That was my first clue that something wasn’t right. But let’s look at all the other discrepancies:

  • The subject line just says “You have 1 unread message(s)…” with no indication of who may have sent the message to me.
  • In the body of the message, instead of the sender’s name, it just says “Facebook” sent you a message.
  • There is no time stamp provided.
  • The text of the message itself is not included – because, of course, the sender wants me to click on the link provided to see what it is.
  • The hyperlink provided does not include my email address.
  • The hyperlink is “cloaked,” that is, it doesn’t go to the location it claims to go to. As you can see, when I hovered my mouse over the link, the pop-up window showed that the hyperlink actually went to a totally different destination that had nothing to do with Facebook.
  • The footer does not contain the “This message was intended for” text with my email address.
  • The unsubscribe link simply says “click here” rather than being specifically associated with the message ID.
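As an added example (not part of the original post), here are the comparisons above turned into a small set of Python checks run over two constructed sample notifications; the account address, the sender name, the URLs and the 198.51.100.7 destination are all made up.

```python
"""Heuristic checks for a Facebook-style notification email, modelled on the
discrepancies listed in the post. Addresses, names and URLs are constructed."""
import re
from urllib.parse import unquote, urlparse

ACCOUNT_EMAIL = "me@example.com"  # assumption: address tied to the Facebook account
URL_RE = r"(https?://)?[\w.-]+\.\w+(/\S*)?"  # anchor text that itself looks like a URL

def host(url):
    """Hostname of a URL; bare 'www.example.com/x' text gets a scheme first."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_flags(msg, account_email=ACCOUNT_EMAIL):
    """Return the red flags found; [] means every check from the post passed."""
    flags, email = [], account_email.lower()
    reply_text, reply_href = msg["reply_link"]
    unsub_text, unsub_href = msg["unsubscribe_link"]
    m = re.match(r"(.+?) sent you a message", msg["subject"])
    if not m or m.group(1).strip().lower() == "facebook":
        flags.append("subject does not name the sender")
    if msg["to"].lower() != email:
        flags.append("delivered to an address not tied to the account")
    if not re.search(r"\b\d{1,2}:\d{2} ?[ap]m\b", msg["body"], re.I):
        flags.append("no time stamp in body")
    if email not in unquote(reply_href).lower():
        flags.append("reply link does not carry the account email")
    if f"this message was intended for {email}" not in msg["body"].lower():
        flags.append("footer lacks 'This message was intended for <address>'")
    for text, href in (msg["reply_link"], msg["unsubscribe_link"]):
        if re.fullmatch(URL_RE, text) and host(text) != host(href):  # cloaked link
            flags.append(f"cloaked link: shows {host(text)}, goes to {host(href)}")
    ids = set(re.findall(r"\d{8,}", reply_href))  # the 'big, long, cryptic number'
    if unsub_text.lower() == "click here" or not ids & set(re.findall(r"\d{8,}", unsub_href)):
        flags.append("unsubscribe link is not tied to the message id")
    return flags

# Constructed samples: a legitimate notification and the phishing look-alike
REPLY = "http://www.facebook.com/n/?inbox/readmessage.php&t=1234567890&n_m=me%40example.com"
UNSUB = "http://www.facebook.com/o.php?k=9f8e7d&u=1234567890"
LEGIT = {"to": "me@example.com", "subject": "Jane Doe sent you a message on Facebook...",
         "body": "Jane Doe sent you a message.\nJane Doe  April 30 at 9:12am\nSaturday?\n"
                 f"To reply to this message, follow the link below:\n{REPLY}\n"
                 "This message was intended for me@example.com. To unsubscribe: " + UNSUB,
         "reply_link": (REPLY, REPLY), "unsubscribe_link": (UNSUB, UNSUB)}
PHISH = {"to": "personal@example.org", "subject": "You have 1 unread message(s)...",
         "body": "Facebook sent you a message.\nTo see the message, follow the link below.\n"
                 "To unsubscribe, click here.",
         "reply_link": ("http://www.facebook.com/n/?inbox", "http://198.51.100.7/fb/inbox.php"),
         "unsubscribe_link": ("click here", "http://198.51.100.7/fb/unsub.php")}
```

Calling `phishing_flags(PHISH)` lists every discrepancy from the post, while `phishing_flags(LEGIT)` returns an empty list; an empty result only means the known tells are absent, not that the message is genuine.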

Now that I’ve pointed out all of the differences, it’s probably pretty obvious that this isn’t a legitimate message – but taken one by one, the differences are all pretty subtle. Would you have spotted them if I hadn’t pointed them out? All in all, this is a relatively well-crafted phishing email, and I have no doubt that lots of recipients would click on the link provided without even thinking about it. And here’s what would have happened:

Malware Site

According to Google’s “Safe Browsing” diagnostics, 10 different pages within this domain were designed to drop malware on the visitor’s PC without their knowledge or consent: five scripting exploits, two other exploits, and one trojan.

The moral of the story is that you should always be suspicious of links that are sent to you by email. I used to own a motorcycle, and I always tried to drum into my kids the concept that, in order to survive as a biker, you have to ride with a certain amount of paranoia: you must assume that you’re invisible, and the other motorists can’t see you…and those who can see you are out to get you. Unfortunately, we’re at the point where the same kind of paranoia is required to stay safe on the Internet. Yes, in most cases, there are subtle clues that you can spot if you know what to look for. But you’re probably better off to simply assume that any message you receive is a phishing attempt unless/until you can determine otherwise.

And if there’s ever any question in your mind, don’t click on the link. You can always open a browser, type in Facebook’s URL manually, and check to see if you actually do have any messages instead of clicking on a link in an email. Same with email messages that purport to come from your bank.

Remember: just because you’re paranoid doesn’t mean that they aren’t out to get you!

Copy Machine Security Risk

May 6th, 2010 | Posted by Sid Herron in General | Security

Here’s a 5-minute video you really need to watch. It’s a report by CBS News on what could be a huge security risk that most companies probably haven’t even considered: the office copy machine. And I’m not talking about the risk of someone copying sensitive information that they shouldn’t be copying – I’m talking about what happens when the copy machine is retired.

Most modern copy machines contain a hard disk drive. That’s why you can feed a stack of originals into them and walk away while the machine prints and collates multiple copies of your stack. But what you may not know is that most copy machines do not automatically delete those page images from the internal hard drive when they’re done printing. So when you turn that copy machine in at the end of your lease, you’re also handing over thousands of images of documents that you’ve copied on that machine.

Those copy machines are typically re-sold, with the hard drives still intact. Many are shipped overseas. And your documents are shipped right along with them, easily readable by anyone with commercially available hard disk forensic software.

Depending on the nature of your business, that may or may not be a big deal. But think about this:

  • Have you ever made photocopies of a new employee’s driver’s license or social security card for your files?
  • Have you ever photocopied an order form that contained a customer’s credit card information?
  • Have you ever photocopied your company tax returns, forecasts, budgetary information, or financial planning documents?
  • Have any of your employees used it to make copies of their own tax returns?
  • What about proprietary information or trade secrets?

And, of course, if you’re a business that deals with sensitive documents – such as a law firm, an insurance company, or a business that handles medical records – you (and your clients or patients) may have even more at stake.

So, please, spend five minutes and watch this video. Then, the next time you’re ready to retire a copy machine, find a way to get the hard drive out of it and destroy it yourself before it goes beyond your reach.