Saturday, March 21, 2009

Does that email pass the smell test?

We get lots of email messages every day. How do you tell what's a fake (and likely to try to hurt you) and what's not? Carnegie Mellon's Software Engineering Institute produced a set of checks that are still valid. It's the KREVS "test".
  • The Know test. Do you already know the sender?
  • The Received test. Have you received safe emails from the sender before?
  • The Expect test. If the email has an attachment, were you expecting to get it?
  • The Virus test. Does the message pass a virus-check? (Make sure your Antivirus program also checks your email messages).
  • The Sense test. Does it look right? Are there unexpected misspellings? Does it "smell" in any way?

If an email message fails any of the above tests, delete it. Even if an email message passes all 5 tests above, it still might be malicious. Be paranoid; the "bad guys" really are out to get you. Criminal attack attempts using email are increasing rapidly.

If the email is from a person you already know, still be careful. Call them and see if they really sent any unexpected attachment.

Wednesday, February 04, 2009

Malware worms its way into social networking

Social network site users tend to be more trusting than they should be about emails from "friends". They seem to assume that since they have to log in to the account, messages from others are "safe". Criminals know that.

So with increasingly sophisticated social engineering, criminals are successfully attacking social networking services. Angry Facebook members created a special Facebook page for victims of the Koobface worm.

Malicious software "scrapes" Facebook for all the user data it can find. People who give out real names, addresses, email addresses, and other information may find it cropping up in the hands of criminals. We teach kids to be wary of strangers, but then we turn around and are much too trusting in our online behavior ourselves. Parents, schools, and churches all need to start educating kids and even other adults about being wary of online personas and being careful not to release personal information. Criminals now "mine" data from multiple sites to "fill in the picture" about victims' identities and personal information.

Government agencies normally let their employees do personal surfing, yet they are starting to block access from government offices to social networking sites. Why? It's just too unsafe, at least for now.

Part of the challenge is that in order for social networking sites to be "fun", they have to encourage their members to share information. The default for most social networking sites is to be "open" rather than to have tight security. And most people are much more gullible online than in the "real world". So social networking sites like Facebook and MySpace may continue to be a rich feeding ground for criminals.

If you insist on risking use of a social networking site, it might be a good idea to subscribe to a service that tracks your credit card actions as well as actions taken that relate to your credit rating. For example, you'd get an alert if someone was applying for a loan or credit card and using your credit record. And make sure to keep your Antivirus, AntiSpyware, and Firewall software up to date. You might also want to add prayer to the list. You may need it.

Wednesday, January 28, 2009

Be paranoid!

Be very wary of emails you did not expect to get and of any web pages they may link to. Just because an email or web page looks nice or is interesting or you are just plain curious is no reason to start clicking away.

A case in point is the recent malware that pretends to be about President Obama (or for you Irish folks, O'Bama). The Microsoft Malware Protection Center (MMPC) blog has more about this Waledac Trojan, including pictures of an email and the malicious web page.

Remember, it's perfectly OK to be paranoid -- the bad guys really are out to get you!

Saturday, December 20, 2008

Infected web pages increase

During 2008, the rate at which web pages became infected with malicious software (malware) rose from one every 14 seconds to one every 4.5 seconds. [See "Forecast: Security Threats for 2009"]

So what can you do?

  • Don't "assume" a web site is safe to visit.
  • Don't "assume" a link in an email is safe to click on.
  • Don't "assume" an email from a friend was really sent by them.
  • Use anti-phishing software, antivirus software, and anti-spam software.
  • Keep all your computer programs updated. If there is a security patch available for any of your programs, install the patch.
  • Use a program like Secunia's free Personal Software Inspector to check for program updates.
  • Use a program like Driver Detective to check for updates to program driver files.

Firefox less secure?

Firefox has often been touted as fundamentally "more secure" than Internet Explorer. If you have been led to believe that, you need to look at some cold, hard facts:
  • From March to September 2005 (yes, even as early as 2005), Firefox had 40 vulnerabilities to IE's 10. [ZDNet article]
  • From April through September 2005, the number of published Firefox exploits was 11 compared to IE's 6.
  • The most recent Firefox-related security problem is that some Russian criminals are using it to add malicious software as a "Plug-In". The malware detects when you connect to any of over 100 banks and then steals your account name and password, sending them to the criminals. [read the SC Magazine article]
  • In terms of vulnerability numbers reported in March 2008, Opera had the most, followed by Safari, Firefox, then Internet Explorer.

The biggest problem with malware is not the browser, it's the person using the browser. People are either too trusting of links and unknown sites or just think they will never get attacked.

Friday, December 12, 2008

Computing to help others

A recent New York Times story highlighted a couple of Computer Science students at Georgia Tech who show us all some of the exciting possibilities of helping others through computing.

The project students started out small -- based on some blood supply spreadsheets at the CDC in Atlanta. As they delved into the real issue and talked with real users in Africa, the project blossomed into a web-enabled application using Ajax.

In January, 14 African nations will start using this program. It must be impressive -- the United Nations Worldwide Health Organization (WHO) is discussing making this a program for reporting on blood supplies worldwide.

Friday, November 28, 2008

Beware nasty Mebroot trojan

Beware of malware called Sinowal (also known as Mebroot), which captures bank and similar data. A gang of Internet criminals has been using this and even morphing the malware to temporarily fool antivirus software.

Windows Secrets contributing editor Woody Leonhard likens Mebroot to "a parasitic operating system that runs inside Windows". [Disclaimer: I subscribe to the paid version of the "Windows Secrets" newsletter. Prior to that, I subscribed for years to the paid version of Fred Langa's "LangaList" newsletter, which is now integrated into Brian Livingston's "Windows Secrets" newsletter. I highly recommend Windows Secrets to anyone concerned about or interested in PCs.]

Leonhard says that, in his experience, a lot of systems get infected with Mebroot (Sinowal) because the owners did not keep up with Adobe Reader, Adobe Flash, or Apple QuickTime security patches. You can manually check for such patches, set the apps to automatically check for updates, or (even better) install the free Secunia Personal Software Inspector (PSI) and scan for programs that need updating.

In October 2008, Brian Krebs of the Washington Post alerted readers to the "virtual heist" going on. Mebroot infects the Master Boot Record (MBR) of your PC and sends personal data to its "owners". Krebs says that the criminals have stolen over half a million credit and debit card accounts in the past few years.

While Symantec lists the malware's risk as low, if your data gets stolen, it won't be a little thing to you. Here are some actions Symantec and I recommend to reduce your risk of malware infections:

  • Use a firewall
  • Enforce complex passwords for all users of your computer
  • Use the lowest level access privileges.
  • Never use an Administrator-level login account as your normal one. Always log in with a lower-level account and then "Runas" or log in at the Administrator level only as needed. Vista security is a big advance in making this type of security easier. Yes, you get pop-ups to log in as Administrator, but that's much better than manually running a "runas" command, and you don't need to know the runas command line syntax.
  • Disable Auto-play
  • Turn off "File Sharing"
  • Turn off and remove unnecessary system services
  • Always keep your programs patched (You can use the free Secunia PSI to monitor patch status)
  • Don't open email attachments unless you were expecting them. Contact the sender separately (not by a "Reply") and see if they really did send you that email and attachment.
  • Turn off Bluetooth via Windows Control Panel if you are not using it.
  • If you really need to use Bluetooth, make sure every Bluetooth device's visibility is set to "Hidden".

Wednesday, November 26, 2008

Secunia PSI now in final form

Secunia Personal Software Inspector (PSI) is now officially out of beta and at version 1.0 (well, OK ... version 1.0.0.1). I have used versions prior to 1.0 and found them excellent. I'll be downloading, installing, and running PSI 1.0 today. I encourage you to do the same. This free software checks your programs for any updates.

While Microsoft Update (or the lesser Windows Update) does a great job, they naturally only deal with Microsoft products. Your computer has tons more programs, each of which may need a security patch, bug fix, or enhancement. Why check them all manually? Let PSI check for you. Try it; you'll like it.

To really stay on top of patches, I also use Driver Detective (not free, but very worth having).

Tuesday, November 11, 2008

Patch Adobe Reader, Acrobat!

If you use Adobe Reader 8.12 or earlier or Adobe Acrobat 8.12 or earlier, update them now! Adobe has released security updates for critical vulnerabilities.

Better yet, for Adobe Reader, upgrade to version 9 -- it's free.

Both programs come configured to automatically check for updates, but some people turn that off. Leave the auto-check on -- protect yourself.

Monday, June 16, 2008

Firefox 3 leaps ahead

While not revolutionary or even truly evolutionary, version 3 of the Mozilla Firefox web browser looks very good. Some of its new features may even get me to use it as my default, which is now Microsoft Internet Explorer 7. Some of the new features I look forward to most relate to security and ease of use:

  • Site ownership. The "Passport Officer" lets you know who really owns a web site. This helps reduce accidental visiting of malicious sites.
  • Malware protection. A "Reported attack site!" message box with a red background pops up when the site you asked to visit is on a list of malware sites. Firefox blocks access and you must select the "Ignore" link if you really want to visit that URL. I also like that the link is small, in the lower right corner, and not a normal button. The two buttons are "Get me out of here" and "Why was this site blocked". This is a good security precaution.
  • Page zoom now zooms both text and images.
  • Multiple text select. You can now use the Control key to select and copy multiple blocks of text on a web page.

Features I am unsure about until I try them extensively include the new "keyhole" shaped navigation control. IE7 font rendering is better than FF2, so I am also curious about how well the font rendering in FF3 will work.

Features I already like in Firefox 2 include spell-checking in Web text areas, including Blogger, and the wide range of add-ons for blogging, editing, and web development.

I do wish Firefox would support the "standard" MSIE hot keys for such things as create a hyperlink (Ctrl+K), as using Firefox in Blogger is less useful than IE at this point (except for Spell-check).

It would help if at least Firefox and Mozilla had consistent hot keys. For example, Thunderbird uses Ctrl+L to insert a hyperlink. It doesn't match MSIE, but the Ctrl+L is easy to remember (L for "link"). But Ctrl+L in Firefox accesses its "Location Bar" (what IE calls the address bar). Bummer.