Friday, December 29, 2006

Strange E-mails Without Attachments Are Not Necessarily Harmless

By Coenraad De Beer

A couple of years ago it was safe to assume that an e-mail without attachments was harmless, whether it came from a trusted source or not. Computer criminals have become more advanced over the years, and this simple rule no longer holds for e-mail security. Spam is more than senseless e-mail cluttering your Inbox, with or without attachments.

Even e-mails from trusted sources cannot be trusted these days. What we never know is whether the PC of the trusted source is infected with an e-mail worm or spam bot that sends out these e-mails without the owner's consent. So your e-mail may come from a trusted source, but is the source still trustworthy? By that I do not imply that your best friend has turned against you and is sending you harmful and indecent e-mails. Your best friend may be totally innocent and unaware that a virus has turned his or her computer into a spamming zombie. The problem we face is to determine whether a human or an infected PC sent the e-mail. A spam bot normally sends e-mails that are totally out of character, e-mails that no decent human would send, least of all your best friend. Keep in mind, too, that the sender address of an e-mail is not authenticated at all: a worm on some third party's PC that harvested both your address and your friend's from its address book can send you mail that appears to come from your friend, without your friend's machine being infected.

But you need to open the e-mail to determine its contents. The perception persists that e-mails without attachments are harmless and safe to open. It is much safer to view the source of the e-mail, which shows you its contents without rendering it. This is not always possible with web-based e-mail services, but it is possible with e-mail clients like Outlook, Outlook Express and Mozilla Thunderbird. Viewing the source lets you read the body of the e-mail much as if you had opened it, with one big advantage: the client does not render the HTML, so embedded scripts are not executed, remote images (which also tell the spammer that your address is live) are not fetched, and attachments are not opened. Some e-mails appear scrambled in source view; that is usually an e-mail whose body consists of nothing but a base64-encoded image, and most e-mails compiled this way are spam. Disabling JavaScript and remote content in your e-mail client also makes it safer to open e-mails; very few legitimate e-mails use JavaScript, so there is no sense in enabling something that is never really used. Bear in mind that any links in the source are still live if you paste them into a browser: source view protects you from the e-mail itself, not from the web site it points to.

Many people may argue that they open hundreds of spam e-mails without attachments every day without any harm done to their PC. This is true, but it is not only about the harm to your PC; some of these e-mails contain content that is offensive to sensitive people and harmful to minors. Others contain nothing offensive but can easily make you a victim of advance fee fraud or phishing if you are not familiar with the characteristics of these scams. They play with your mind and abuse your feelings; it is psychological warfare, brainwashing. They want you to step into their trap, but first they need to deceive you and gain control of your mind.

It is not hard to identify spam these days, but people still go to the trouble of opening it while knowing that it is spam. Why open something if you know for a fact that it contains useless information? Have you ever thought of it as the spammer exercising control over your actions? Why do you think they send you so many senseless e-mails every day, e-mails that seem completely harmless? The only way to make you comfortable with something is to bombard you with thousands of the same kind of e-mail over and over until you are so conditioned that you can no longer distinguish legitimate e-mails from fraudulent ones.

Spam is no longer aimed at damaging your computer; those days are long gone. On the contrary, spammers need your PC to help distribute their unwanted e-mails, so they will not harm it; they would rather infiltrate it. They infiltrate your PC to steal your information, invade your privacy and involve you in their crimes. Next time you receive a strange-looking e-mail, think twice before opening it, whether it has attachments or not.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.

Saturday, December 23, 2006

The Perfect Password Practice

By Coenraad De Beer

Our lives are filled with passwords, security questions, personal identification numbers (PINs) and security codes. Almost every digital device and software package has some security feature involving a password. We have hundreds of shopping accounts, e-mail accounts, banking accounts, you name it, and each and every one of these accounts has a user name and a password associated with it. Sometimes you feel you are losing your mind keeping the security of all your accounts and devices together. Here are a few tips to make the job a bit easier and your accounts more secure.

With all the accounts we own and all the places where we need user names and passwords, it becomes a full-time job keeping it all together. The easiest way out for most people is to use the same user name and password for all their accounts wherever possible. Most of the time only the user name differs, while the password stays the same for every new account they open or device they use. This is extremely dangerous, and I will explain why.

There are several ways for your password to leak out. You may, accidentally, say the password out loud while entering it; someone standing nearby could easily pick it up and use it later to gain access to whatever the password protects. Key-loggers installed on your computer can log your password and send it to their owners, and spyware can extract saved passwords from your browser's saved password list or steal the session cookies that keep you logged in. People sometimes write their passwords on a piece of paper and do not keep it in a safe place. What is the use of a key if you leave it in the door? The same principle applies to passwords: a password is the key to a restricted area, and you should not let that key lie around for anyone to use. Sending passwords via e-mail is not wise either, and a request to do so is almost always a sign of fraud. Be careful when people ask you to send your password over the Internet via e-mail. Companies often send your login details via e-mail; print out the details, store the printed copy in a safe place and delete the e-mail, because e-mail worms and viruses can easily scan your mailbox for passwords. The ways of losing a password are endless.

Now what happens when someone steals your password? Chances are good that the perpetrator will break into the account guarded by the password, cause damage and perhaps change the password so that you cannot get back into the account. If you use the same password for all your accounts, you should regard all your other accounts as compromised. The only missing piece of the puzzle for the password thief is the user name of your other accounts, and chances are good that most of them accept the same user name as the breached one. The only comfort is that the thief still has to figure out what other accounts you own; one cannot break into something one does not know exists. It is not always possible to change your user name, but it is always possible to change your password. When a widely reused password is compromised, change the passwords of all your other accounts as quickly as possible to avoid further breaches. You should also try to regain control of the breached account as soon as possible by contacting the service provider and explaining the situation. This is most important for bank and online shopping accounts.

How should I prevent my password from being stolen?
  • Memorise it. A password or PIN is useless if you need to carry it around with you on a piece of paper, or written on the back of your debit or credit card. Do not share it with anyone, not even your loved ones. Not out of lack of trust, but to limit the number of people knowing your password to one. When there is only one person who knows the password, there can be only one source of leaking it out. More people knowing your password, means more possible sources of leaking.

  • Choose a random password, a combination of uppercase and lowercase letters combined with numbers and special characters. The password "aS33@bH1" is an example of one that cannot be guessed easily. You can memorise it by repeating it over and over in your head. Refrain from saying it out loud, because someone overhearing you compromises it. If your name is Ashley, for instance, you could use the password "@$l3y". Although it is more secure than "Ashley", someone familiar with your first name can still guess it, and password-cracking tools try exactly these letter-for-symbol substitutions. Your password should not be connected to your birthday, social security number or anything else that makes it easier for a hacker to guess. Length matters as much as variety: an eight-character password like the one above is within reach of an offline guessing attack on modern hardware, so prefer twelve characters or more wherever the system allows it.

  • Change your password every now and then, and immediately whenever you suspect it has leaked. Periodic changes are not as important for individuals as for large organisations with hundreds of passwords and security codes protecting sensitive data and restricted areas, but it remains good practice to change a password once in a while. After all, it can do no harm (unless you forget the new password, or forget that you changed it).

  • Get yourself a small data organiser (not a PDA or your mobile phone) with a password feature. Store all your account information and passwords in the secure area of this little organiser and keep it in a safe place. I also recommend that you write down all the information stored on the organiser on a piece of paper and put it in a steel safe, in case you lose the data to battery or device failure. These little organisers are suited to the task because they cannot be connected to the Internet and you cannot load software onto them to bypass the password. Unfortunately these devices rarely, if ever, encrypt the information stored behind the password, so a clever hacker with the necessary equipment can read the data straight from the memory chip.

  • Scan your computer regularly for spyware and viruses, preferably on a weekly basis. This will ensure that your computer is free from malicious software stealing your sensitive information or monitoring your activity while using the computer. If your anti-virus or anti-spyware software detects malicious software on your computer, do not enter any password on that specific computer until you are certain that all the threats are completely removed and destroyed.

  • Never store your passwords in a plain text file, Word document or PDF file. If you must keep them on a computer, use a password manager, which stores them encrypted under a single master password, and if possible keep that computer off any network or the Internet. As a rule of thumb, never store a password unencrypted on any computer.

  • Make sure that you enter your password only on secure pages (https) with a valid SSL (Secure Sockets Layer) certificate. Entering your password on an insecure page can easily compromise the safety of your account. Note that a valid certificate only proves that the connection is encrypted to whoever holds the certificate for that host name; a phishing site can have a perfectly valid certificate of its own, so check that the host name is the one you expect.

  • Try not to enter your password while someone is standing nearby. Even if the password is masked on your screen, some people can memorise the keys you press while watching you enter it, no matter how fast you type.
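The two password-strength points above (the random "aS33@bH1" style of password and the warning that "@$l3y" is still guessable) can be made concrete. The following is an added example written for this page, not the author's code: it generates a password from the operating system's random source and estimates guessing entropy on the assumption that the attacker knows which character classes are in play. The cracking rate of ten billion guesses per second is an assumed round figure for a GPU rig against a fast, unsalted hash, not a measurement.

```python
"""Generate a random password and estimate how hard it is to guess.

Added example, not from the original article. Standard library only;
`secrets` draws from the OS CSPRNG, which is what a password needs.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())


def classes_used(password: str) -> set:
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def generate_password(length: int = 16) -> str:
    """Uniformly random password that contains every class at least once.

    Forcing a class into a fixed position (e.g. "first char is a letter")
    shrinks the search space, so we simply draw and reject until all four
    classes are present.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_used(candidate) == set(CLASSES):
            return candidate


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(pool size), where the
    pool is the union of classes present. A brute-force attacker who knows
    the policy faces at most this; passwords built from names or words
    ("@$l3y") are far weaker than this number suggests."""
    pool = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(pool) if pool else 0.0


def time_to_crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the space at the given rate.

    1e10 guesses/s is an assumed round figure for a GPU rig against a fast
    hash such as unsalted MD5; slow hashes (bcrypt, scrypt) are far lower.
    """
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("Ashley", "@$l3y", "aS33@bH1", generate_password(16)):
        bits = entropy_bits(pw)
        print(f"{pw!r:22} {bits:6.1f} bits  ~{time_to_crack_years(bits):.3g} years")
```

Running it shows the point the article is making by example: "aS33@bH1" draws on all four classes but, at eight characters, sits at roughly 51 bits, which at the assumed rate falls in days, while a sixteen-character password over the same alphabet exceeds 100 bits and is out of reach.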

Passwords are the security systems protecting our digital assets. You will normally maintain the effectiveness of your security system at home or at the office and you will ensure that it provides adequate protection preventing intruders from trespassing on your property. You should do the same with your passwords to keep those filthy hackers out of your accounts.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.

Wednesday, December 20, 2006

Safe Online Shopping Tips For Late Christmas Shoppers

By Coenraad De Beer

Because you are desperate for a gift you will not mind paying a little extra, but the price can be an expensive one if you are not cautious when shopping online. Swindlers always count on the mistakes their victims make under pressure. They want to strike when you are not paying attention to the finer details you would normally check when you are not under pressure. The false sense of urgency in phishing attacks and advance fee fraud is an example of swindlers trying to force a victim into a mistake while he or she is under pressure. With online shopping they count on you not realising that their online shop is a fraud, that their products are fake or that they do not even possess the items. There are a couple of things to look out for when you shop online, not only during the festive season, but every time you transact online.

The very first thing you should do is verify the legitimacy of the online shop. Make sure that their telephone number, physical address and postal address are valid. Phone the company and ask about their products. If you are shopping from a local online shop, get into your car and visit their premises if possible, or ask a trustworthy person to verify the physical address for you. Write them a letter and request a product brochure. If the telephone number is valid, if you have confirmed the physical address of their offices and if they reply to your letter, you know how to get in touch with them should you have any queries after the purchase. If their web site does not supply a valid telephone number, postal address and physical address, do not buy from them. If they want to sell products online they should make it easy for consumers to get in touch with them.

Make sure you read their privacy policy and terms of agreement. Read all the instructions and fine print carefully before clicking the order and pay buttons. You want to be familiar with all the procedures of the online shop before you bind yourself legally to a purchase contract. Make sure you understand how they calculate shipping and delivery costs or any extra fees; if in doubt, request a quotation from their sales department. You do not want a surprise after you have finalised the purchase. Find out whether they have a refund policy. If they mess up your order or you are not satisfied with their products, you want to be certain that you can get your money back.

Before you enter any personal and sensitive information, make sure that you enter it on a secure web page with a valid SSL (Secure Sockets Layer) certificate. You can verify this by looking for a small padlock icon in your browser, shown in the status bar at the bottom of the window or in the address bar depending on the browser. Clicking (or double-clicking) the padlock shows who issued the certificate, which host name it was issued for and whether it is still valid. Ensure that the address in the address bar starts with "https://". If they do not provide SSL protection, find another online shop. Remember, though, that a valid certificate only proves that your connection is encrypted to whoever holds the certificate for that host name; it says nothing about the honesty of the shop, and a fraudulent site can hold a valid certificate for its own name, so check that the host name is the one you meant to visit. Any serious and professional online shop will give its customers peace of mind by providing a safe and secure environment in which to collect the information it needs about them, without compromising the safety of that information. Never reply to any e-mail requesting financial information. E-mail is very insecure and is not suitable for sending sensitive information over the Internet. A legitimate online shop will have a web site with safety mechanisms in place, protecting your personal and financial information from hackers and swindlers.
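What the padlock check actually verifies, as set out in the paragraph above and in the password tip about SSL certificates earlier on this page, can be spelled out in code. The following is an added example written for this page, not the author's code: it checks that a URL really is https and reports the host the browser will connect to (a URL such as https://www.shop.example@evil.example/ goes to evil.example, not the shop), then validates a certificate's dates and host names the way a browser does before it draws the padlock. The certificate is a constructed dictionary in the shape that Python's `ssl.getpeercert()` returns, with fictitious host names; `fetch_cert` is the live equivalent and needs network access, so the offline part does not call it.

```python
"""What a browser checks before it shows the padlock.

Added example, not from the original article. SAMPLE_CERT is constructed
in the format returned by ssl.SSLSocket.getpeercert(); all names are made up.
"""
import socket
import ssl
import time
from typing import Optional
from urllib.parse import urlsplit

# Constructed certificate summary (the shape ssl.getpeercert() returns).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
    "notBefore": "Dec 1 00:00:00 2006 GMT",
    "notAfter": "Dec 1 00:00:00 2007 GMT",
}


def is_https_url(url: str) -> bool:
    """True only if the scheme is https and a host name is present."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "https" and bool(parts.hostname)


def true_hostname(url: str) -> Optional[str]:
    """The host the browser will really connect to. Anything before an '@'
    in the authority is user info, not the host, which is how
    https://www.shop.example@evil.example/ lands on evil.example."""
    return urlsplit(url).hostname


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard label ("*.shop.example").
    Simplified: it does not consult the public-suffix list, so it would
    accept a wildcard like *.co.uk that a real browser rejects."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_problems(cert: dict, host: str, now: Optional[float] = None) -> list:
    """Return the reasons this certificate should not earn a padlock for host.

    Chain verification (is the issuer trusted?) is done by the TLS library
    in fetch_cert below; here we check dates and the host name binding.
    """
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired on " + cert["notAfter"])
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certificates without SAN: fall back to CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    if not any(_dns_name_matches(n, host) for n in names):
        problems.append(f"certificate is for {names}, not {host}")
    return problems


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live version (needs network). The default context verifies the chain
    against the system trust store and checks the host name; a failure
    raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for url in ("https://www.shop.example/checkout",
                "http://www.shop.example/checkout",
                "https://www.shop.example@evil.example/login"):
        print(url, "https" if is_https_url(url) else "NOT https",
              "-> host", true_hostname(url))
    mid_2007 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2007 GMT")
    print(cert_problems(SAMPLE_CERT, "www.shop.example", mid_2007) or "padlock OK")
    print(cert_problems(SAMPLE_CERT, "www.evil.example", mid_2007))
```

The `now` parameter exists so the dates can be checked against a fixed point in time; in real use leave it out and the current clock is used, which is also why an expired certificate suddenly turns the padlock into a warning one day.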

Maintain a thorough paper trail. Print every confirmation page, quotation, receipt, order summary and e-mail you receive from the company, and set your browser to include the date and time on printouts so that it is easy to see when each document was printed. Always pay by credit card or a payment service like PayPal; both leave a record of the payment and give you a dispute process if the goods never arrive. Never send the seller cash. If you pay by cash you leave no paper trail, which makes it impossible to trace the payment or to prove that you already paid for the products. A proper paper trail makes it possible to trace the transaction back to the seller.

There are many other things you can do to stay safe while shopping online. One of the safest is to stick with well-known online shops like Amazon. Unfortunately Amazon does not cater for everyone's needs, and you may often find it necessary to buy from other online shops when you are looking for something specific. This is when tips like these come in very handy.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.