Friday, December 29, 2006

Strange E-mails Without Attachments Are Not Necessarily Harmless

By Coenraad De Beer

A couple of years ago it was safe to assume that e-mails without attachments were completely harmless, whether from a trusted source or not. Computer criminals have become more advanced over the years, making this simple rule less applicable to e-mail security. Spam is more than just senseless e-mails cluttering your Inbox, whether they have attachments or not.

Even e-mails from trusted sources cannot be trusted these days. What we never know is whether the PC of the trusted source is infected with e-mail worms and spam bots sending out these e-mails without the consent of the PC owner. So your e-mail may come from a trusted source but is the source still trustworthy? By that I do not imply that your best friend turned against you and is sending you harmful and indecent e-mails. Your best friend may be totally innocent and unaware of the fact that a virus turned his/her computer into a spamming zombie. The problem we are facing here is to determine whether a human or an infected PC sent the e-mail. A spam bot normally sends e-mails that are totally out of character, e-mails that no decent human will send, especially not your best friend.

But you need to open the e-mail to determine its contents. The perception still exists that e-mails without attachments are harmless and that it is safe to open them. But it is much safer to view the source of the e-mail in order to view its contents without opening it. This is not always possible with web-based e-mail services, but it is possible with e-mail clients like Outlook, Outlook Express and Mozilla Thunderbird. Viewing the source of an e-mail enables you to read the body of the e-mail without any trouble, just as if you had actually opened it. The biggest advantage of this method is that any harmful scripts or attachments embedded in the e-mail cannot be run or executed while you are viewing the source of the e-mail. Some e-mails may appear scrambled when you view their source; this happens when the e-mail consists only of an embedded image, and most e-mails compiled this way are normally spam. Disabling JavaScript in your e-mail client will also make it safer to open e-mails. In fact, very few people use JavaScript in their e-mails, so I do not see any sense in enabling something that is never really used.
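The same idea can be automated. The following is an added example, not part of the original article: it reads the raw source of a message and reports its parts, readable text, scripts, event handlers and remote content without rendering or executing anything. The sample message, its addresses and the tracker URL are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not a real e-mail), as a client's "view source" would show it.
# The base64 payload is placeholder bytes, not a real image.
RAW = """\
From: friend@example.com
To: you@example.com
Subject: look at this
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body onload="go()">
<script>function go(){}</script>
<p>Hi, look at this!</p>
<img src="cid:pic1"><img src="http://tracker.example.net/p.gif?id=42">
</body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <pic1>

Y29uc3RydWN0ZWQ=
--b1--
"""

# Same message with the visible text removed: the "scrambled", image-only case.
IMAGE_ONLY = RAW.replace("<p>Hi, look at this!</p>", "")


class StaticHtmlAudit(HTMLParser):
    """Collects readable text and risky constructs from HTML without running it."""

    def __init__(self):
        super().__init__()
        self.text, self.findings, self.images = [], [], 0
        self._skip = 0  # depth inside <script>/<style>, whose content is not body text

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag in ("script", "iframe", "object", "embed", "form"):
            self.findings.append(f"<{tag}> element")
        if tag == "img":
            self.images += 1
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ("src", "href", "action") and \
                    value.lower().startswith(("http://", "https://")):
                self.findings.append(f"remote {name}: {value}")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def inspect_source(raw):
    """Return a report on a raw message: MIME parts, readable text, findings."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"from": str(msg["From"]), "subject": str(msg["Subject"]),
              "parts": [], "findings": [], "text": ""}
    images = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        report["parts"].append(ctype)
        if part.get_filename():
            report["findings"].append(f"attachment: {part.get_filename()} ({ctype})")
        if ctype == "text/plain":
            report["text"] += part.get_content()
        elif ctype == "text/html":
            audit = StaticHtmlAudit()
            audit.feed(part.get_content())
            report["findings"] += audit.findings
            report["text"] += " ".join(audit.text)
            images += audit.images
    if images and not report["text"].strip():
        report["findings"].append("image-only body (no readable text)")
    return report


if __name__ == "__main__":
    for label, raw in (("sample", RAW), ("image-only", IMAGE_ONLY)):
        result = inspect_source(raw)
        print(label, result["parts"], repr(result["text"]))
        for finding in result["findings"]:
            print("  -", finding)
```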

Many people may argue that they open hundreds of spam e-mails, without attachments, on a daily basis without any harm done to their PC. This is true, but it is not only about the harm it can do to your PC, some of these e-mails contain content that is offensive to sensitive people and harmful to minors. Other e-mails may not contain offensive content, but they can easily make you a victim of advance fee fraud and phishing scams if you are not familiar with the characteristics of these scams. They play with your mind, abuse your feelings, it is a case of psychological warfare, brainwashing. They want you to step into their trap, but they need to deceive you first, gain control over your mind in order to achieve it.

It is not hard to identify spam these days, but people still go through the trouble of opening them while knowing that they are spam. Why open something if you know for a fact that it contains useless information? Have you ever thought of it as the spammer exercising control over your actions? Why do you think they send you so many senseless e-mails every day, e-mails that seem to be completely harmless? The only way of making you comfortable with something is to bombard you with thousands of the same kind of e-mail over and over again until you are so conditioned that you can no longer distinguish legitimate e-mails from fraudulent ones.

Spam is no longer aimed at damaging your computer; no, those days are long gone. On the contrary, spammers need your PC to help them distribute their unwanted e-mails, so they will not harm it; they will rather infiltrate it. They infiltrate your PC to steal your information, invade your privacy and involve you in their devious crimes. Next time you receive a strange-looking e-mail, think twice before opening it, whether it has attachments or not.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.

Saturday, December 23, 2006

The Perfect Password Practice

By Coenraad De Beer

Our lives are filled with passwords, security questions, personal identification numbers (PINs) and security codes. Almost every digital device and software package has some security feature involving a password. We have hundreds of shopping accounts, email accounts, banking accounts, you name it, and each and every one of these accounts has a user name and a password associated with it. Sometimes you feel you are losing your mind keeping the security of all your accounts and devices together. Here are a few tips to make the job a bit easier and your accounts more secure.

With all the accounts we own and all of the places where we need to use user names and passwords, it becomes a full-time job keeping it all together. The easiest way for most people is to use the same user name and password for all their accounts when possible. Most of the time it is only the user name that differs, but the password often stays the same for every new account they open or device they use. This is extremely dangerous and I will explain why.

There are several ways of leaking out your password. You may just, accidentally, say the password out loud while entering it. If someone was standing nearby, he/she could have easily picked it up and may use it later to gain access to the restricted area protected by the password. Key-loggers installed on your computer can log your password and send it to their owners, and spyware programs can extract saved passwords from your cookies or from the saved password list stored in your browser settings. People sometimes write their passwords on a piece of paper and do not keep it in a safe place. What is the use of a key if you leave it in the door? The same principle applies to passwords. A password is the key to a restricted area; you should not let that key lie around for anyone to use. Sending passwords via e-mail is not so wise either, and 99% of the time it is a sign of fraudulent activity. You should be careful when people request your password to be sent over the Internet via e-mail. Companies often send your login details via e-mail. You should print out the details, store the printed copy in a safe place and delete the e-mail. E-mail worms and viruses can easily scan your e-mails for passwords. The ways of losing your passwords are endless.

Now what happens when someone steals your password? Chances are good that the perpetrator will break into the account guarded by the password, cause damage and maybe change the password so that you cannot gain access to the account in the future. If you use the same password for all your accounts, you should regard all your other accounts as compromised. The only missing piece of the puzzle for the password thief is to obtain the user name of your other accounts, and the chances are good that most of them will also accept the same user name as the breached one. The only comforting thing is to know that the thief has to figure out what other accounts you own. One cannot break into something one does not know the existence of. It is not always possible to change your user name, but it is always possible to change your password. When a widely used password is compromised, you should change the passwords of all your other accounts as quickly as possible to avoid further security breaches. You should also try to regain control of your breached account as soon as possible, by contacting the service provider of the account and explaining the situation to them. This is most important for bank and online shopping accounts.

How should I prevent my password from being stolen?
  • Memorise it. A password or PIN is useless if you need to carry it around with you on a piece of paper, or written on the back of your debit or credit card. Do not share it with anyone, not even your loved ones. Not out of lack of trust, but to limit the number of people knowing your password to one. When there is only one person who knows the password, there can be only one source of leaking it out. More people knowing your password, means more possible sources of leaking.

  • Choose an arbitrary password, a combination of uppercase and lowercase letters combined with numbers and special characters. For instance the password "aS33@bH1" is a good example of one that cannot be guessed easily. You can quickly memorise it by repeating the password over and over in your head. Refrain from saying it out loud, because you can easily compromise it if someone else overhears you saying it. If your name is Ashley, for instance, you can use the password "@$l3y". Although it is more secure than "Ashley", someone can still guess it if the person is familiar with your first name. Your password should not be connected to something like your birthday, social security number or anything that will make it easier for a hacker to guess it.

  • Change your password every now and then. It is not as important for individuals to change their password as it is for large organisations with hundreds of passwords and security codes protecting sensitive data and restricted areas, but it remains a good practice to change your password once in a while. After all, it can do no harm (unless you forget your password or the fact that you changed it).

  • Get yourself a small data organiser (not a PDA or your mobile phone) with a password feature. Store all your account information and passwords under the secure area of this little organiser and put it in a safe place. I also recommend that you write down all the information stored on this organiser on a piece of paper and put it in a steel safe, just in case you lose your data due to battery or device failure. These little data organisers are very suitable for this task because they cannot be connected to the Internet and you cannot load any software on the device to bypass the password. Unfortunately these devices rarely, if ever, encrypt the information stored behind the password, so a clever hacker can easily read the data from the memory chip if he/she has the necessary equipment.

  • Scan your computer regularly for spyware and viruses, preferably on a weekly basis. This will ensure that your computer is free from malicious software stealing your sensitive information or monitoring your activity while using the computer. If your anti-virus or anti-spyware software detects malicious software on your computer, do not enter any password on that specific computer until you are certain that all the threats are completely removed and destroyed.

  • Never store your passwords in a text file, Word document or PDF file. Rather use a password manager if you need to store it on a computer. If possible store it on a computer that is never connected to a network or the Internet. As a rule of thumb, never store your passwords on any computer.

  • Make sure that you enter your password on secure pages with a valid SSL (Secure Sockets Layer) certificate. Entering your password on insecure pages could easily compromise the safety of your account.

  • Try not to enter your password while someone is standing nearby. Even if the password is masked on your screen, some people have the ability to memorise the keyboard buttons you press, while watching as you enter it, no matter how fast you type.

Passwords are the security systems protecting our digital assets. You will normally maintain the effectiveness of your security system at home or at the office and you will ensure that it provides adequate protection preventing intruders from trespassing on your property. You should do the same with your passwords to keep those filthy hackers out of your accounts.
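The tip on choosing an arbitrary password can be turned into a check. The following is an added example, not part of the original article: it generates a random password from the four character classes the tip names and rejects any candidate that is only a disguised form of a personal detail, as "@$l3y" is of "Ashley". The substitution table, the 0.8 similarity threshold and the sample birthday are assumptions made for illustration.

```python
import secrets
import string
from difflib import SequenceMatcher

# Assumed table of common look-alike substitutions (not taken from the article):
# @->a, 4->a, $->s, 5->s, 3->e, !->i, 1->l, 0->o
LEET = str.maketrans("@4$53!10", "aasseilo")
SPECIALS = "!@#$%&*?-_+="


def normalise(text):
    """Lower-case, undo look-alike substitutions, keep letters and digits only."""
    return "".join(c for c in text.lower().translate(LEET) if c.isalnum())


def derived_from(password, details, threshold=0.8):
    """Return the personal detail the password resembles, or None.

    Both sides are normalised the same way, so a birthday written in digits
    still matches a password that contains those digits.
    """
    candidate = normalise(password)
    for detail in details:
        known = normalise(detail)
        if len(known) < 3:          # too short to compare meaningfully
            continue
        if known in candidate:      # detail embedded in the password
            return detail
        if SequenceMatcher(None, candidate, known).ratio() >= threshold:
            return detail           # near match, e.g. one letter dropped
    return None


def has_all_classes(password):
    """True if the password mixes lowercase, uppercase, digits and specials."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def generate(length=12, details=()):
    """Draw random passwords until one has every class and no personal link."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(password) and derived_from(password, details) is None:
            return password


if __name__ == "__main__":
    # Constructed personal details for the demonstration.
    personal = ["Ashley", "1985-03-14"]
    for pw in ("@$l3y", "Summer19850314", "aS33@bH1"):
        print(pw, "->", derived_from(pw, personal))
    print("generated:", generate(12, personal))
```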


Wednesday, December 20, 2006

Safe Online Shopping Tips For Late Christmas Shoppers

By Coenraad De Beer

Because you are desperate for a gift you will not mind paying a little extra, but the price can be an expensive one to pay if you are not cautious when shopping online. Swindlers always count on the mistakes of their victims when they are under pressure. They want to strike when you are not paying attention to the finer details you normally pay attention to when you are not under pressure. The false sense of urgency in phishing attacks and advance fee fraud are examples of swindlers trying to force a victim to make a mistake while he/she is under pressure. With online shopping they count on you not realising that their online shop is a fraud, that their products are fake or that they do not even possess these items. There are a couple of things to look out for when you do your shopping online, not only during the festive seasons, but each time you transact online.

The very first thing you should do is to verify the legitimacy of the online shop. Make sure that their telephone number, physical address and postal address are valid. Make a phone call to the company and ask about their products. If you are shopping from a local online shop, get into your car and visit their premises if possible, or ask a trustworthy person to verify their physical address for you. Write them a letter and request a product brochure. If the telephone number is valid, if you confirmed the physical address of their offices and if they reply to your letter, you will know how to get in touch with them should you have any queries after you made the purchase. If their web site does not supply a valid telephone number, postal and physical address, do not buy from them. If they want to sell products online they should make it easy for consumers to get in touch with them.

Make sure you read their privacy policy and terms of agreement. Read all the instructions and fine print carefully before clicking on the order and pay buttons. You want to make sure that you are familiar with all the procedures of the online shop before you bind yourself legally to a purchase contract. Make sure that you understand the way they calculate shipping and delivery costs, or any extra fees. If in doubt, request a quotation from their sales department. You do not want to get a surprise after you finalised the purchase. Find out if they have a refund policy. If they mess up your order or if you are not satisfied with their products, you want to be certain that you can get your money back.

Before you enter any personal and sensitive information, make sure that you enter this information on a secure web page with a valid SSL (Secure Sockets Layer) certificate. You can verify this by looking for a little yellow padlock at the bottom of your browser window. If you double click on this padlock, you can see who issued the certificate and you can verify if the certificate is still valid. Ensure that the address in the address bar starts with the letters "https". If they do not provide SSL protection, find another online shop. Any serious and professional online shop will give their customers peace of mind by providing a safe and secure environment where they can collect all the information they need about their customers, without compromising the safety of this information. Never reply to any e-mail requesting financial information. E-mail is very insecure and is not suitable for sending sensitive information over the Internet. A legitimate online shop will have a web site with safety mechanisms in place, protecting your personal and financial information from hackers and swindlers.

Maintain a thorough paper trail. Print every confirmation page, quotation, receipt, order summary and e-mail you receive from the company and remember to set your browser to include the date and time on the printouts to make it easier to see when you printed these documents. Always pay by credit card or a system like PayPal. You should never send the seller any cash. If you pay by cash you leave no paper trail and that makes it impossible to trace the payment or to prove that you already paid for the products. Leaving a proper paper trail makes it possible to trace the transaction back to the seller of the product.

There are many other things you can do to stay safe while doing your shopping online. One of the safest ways to follow is to stick with well-known online shops like Amazon. Unfortunately Amazon does not cater for the needs of everyone and you may often find it necessary to buy from other online shops when you are looking for something specific. This is when tips like these come in very handy.


Monday, November 27, 2006

Why EV SSL And The New Breed Of Anti-phishing Filters Won't Work

By Coenraad De Beer

Microsoft is planning to implement a feature in Internet Explorer 7, which will make the address bar turn green when the user visits a legitimate web site. Sounds good doesn't it? But there is a catch, to make the address bar turn green when people visit your site, you will need to have an EV SSL certificate. The new EV SSL certificate technology will have a negative impact on the small Internet business that cannot always afford such a luxury. Once again it is a case of everyone getting hit over the fingers because Internet authorities can't control the waves of computerised crime raging on the Web.

What is EV SSL? EV SSL stands for Extended Validation Secure Sockets Layer. EV SSL certificates act exactly the same as your conventional SSL certificates; the only difference is the fact that the identity of each certificate holder will be verified and each one will be subject to a very strict, ongoing screening process. But this is nothing new; was that not the purpose of normal SSL certificates? Yes it was, but SSL issuers have become lazy and are not always adhering to the best security standards when they issue certificates for web sites. The problem does not lie with the initial issuing of the certificate, but with the lack of control and supervision over the web site thereafter. What certificate issuers are trying to achieve by creating a new type of certificate is not clear to me. It is not going to solve the problem if you cannot improve your own security standards. In fact, why issue a new type of certificate when you only need to improve your standards and supervising methods? It is hard to believe that this is not only about money.

Developers of browsers like Opera and Konqueror are supporting the idea, while Mozilla, the makers of the very popular Firefox, is evaluating various solutions and looking for one that will suit everyone, not just high profile corporations. Supporters of the new technology use the ever-increasing threat of phishing scams as a reason to justify the importance of EV SSL. They are concealing their intentions with the smokescreen of “protecting” users against phishing attacks. But once again corporations are looking for ways to make money out of a corrupt system. They are not seeking a cure, but a way of making money by only treating the symptoms of the problem. The correct approach is to treat the root of the problem, namely ignorance. Swindlers will always find a way to circumvent anti-phishing filters and EV SSL protection, but it is hard to bypass common sense once the user has grasped the essence of phishing scams. Companies do not make money out of the common sense of witty users; they actually lose money because of them. The vigilance of informed users empowers them to identify phishing scams more easily without using advanced software or EV SSL protection.

The EV SSL approach is insulting the ethics of the honest small business owner running a decent web site. Law abiding web site owners are treated like criminals and criminals have the chance to break through the new technology to create an opportunity for another set of new SSL certificates, which means more money for certificate issuers. But in the end you are nowhere near the real solution. EV SSL is like having the burglar alarm of your retail shop activated during the day while consumers visit your shop. What is the use of EV SSL when people only browse your site for information? What is the use of encryption if there is no sensitive information to be transferred between the browser and the web site? What is the use of a green address bar if your site never engages in confidential transactions? I do not think software companies will like it when anti-virus companies start to demand that they buy a special signature to sign all their files with, only to have these files classified as safe by the anti-virus scanner. So what is the use of heuristic detection methods if everyone needs a certificate to comply with the safety criteria of an anti-phishing filter? How many people really know how to verify the validity of an SSL certificate?

The main reason why people fall victim to phishing scams is because of ignorance, curiosity, greed and lack of common sense. People blindly believe everything the computer tells them to do. You can make users click where you want them to, you can make users respond to e-mails in the way you want them to, you can make them visit web sites without letting them know what type of web site they will be visiting, you can even make them pay for things they do not really need. You see, people are computer slaves, they simply obey and believe without questioning the purpose of their actions. If the address bar does not turn green, users will simply believe that the site is not safe, or even worse, fraudulent, whether it is true or not. On the other hand, they will put their trust in a system that can always be bypassed, maybe not easily but there is always a possibility. Is a site really safe if the address bar turns green? How sure are you that a site with an EV SSL certificate was not maybe hacked? What if a malicious add-on hijacks your browser, making the address bar turn green for dangerous web sites without you even knowing it? You cannot put your trust in software that is constantly a target for hackers and hijackers. You cannot use artificial solutions for today's breed of computer criminals. Internet users need to stand on their own two feet, they need to be able to identify these threats on their own without counting on vulnerable software and security systems. You do not need to be a rocket scientist to identify a fraudulent site, but large corporations want you to believe that only they can tell you which site is safe and which site is not through their “wonderful” software. What happened to your freedom of choice, do you want a computer to make all the decisions for you?

Most of your common phishing scams start with an e-mail as the bait. No one will visit a phishing site at random; you need something or someone to take the user to that site. Taking this into account you soon realise that it is not the anti-phishing filter of the browser or an EV SSL certificate that is going to solve this problem. For instance, 419 scams can be done completely through e-mail without having the victim visit a single web site, so no EV SSL certificate or anti-phishing filter is going to prevent a Nigerian 419 scam from succeeding. Spam is the vehicle of all types of scams on the Internet, but at the same time the least controlled problem in the online world. Authorities are aiming at the wrong target. The main purpose of EV SSL certificates is to reward ethical, trustworthy web sites with a status symbol of being safe and secure. But is it ethical to base your reasons for using this technology on the ignorance of people without combating the true root of the problem?


Monday, November 13, 2006

Why Distinguish Between Spyware And Adware?

By Coenraad De Beer

The difference between spyware and adware has been a heavily debated subject and has been the focus point of many laws and court cases. But it is more important to keep in mind that there should not be a distinction between the two. The whole idea behind the term adware was to confuse the general public and create loopholes in laws, conditioning the Internet user to care less about it.

Advertising companies using spyware to market their products came with the idea to create a term for the software they use to infiltrate the systems of Internet users without breaking any laws. But there is more to the name adware than just a clever legal move. Over time the term adware created confusion among Internet users and made it harder to differentiate between spyware and adware. It did not take the Internet community long to adapt to this new term and all over the Web you see people referring to adware instead of spyware. Making people adapt to the term adware was done in a very subtle manner and its main goal was to make people more sympathetic towards the usage of adware. The term spyware is in essence a “bad” word and creates a more vigilant approach among users, an approach these advertising companies do not want. Nobody wants to be spied on, so you will automatically get a negative response from people if you approach them with the term spyware.

The consumer wants advertisements to stay up to date with the latest trends and specials. Many people support advertising and acknowledge its importance to any marketing campaign. When you call it adware, you are giving the consumer what they want, you use this positive psychological state of mind to your advantage and easily infiltrate computers of consumers without offending them or scaring them off. This is in essence misleading advertising, but adware is in the field of computers and you can’t prosecute it through conventional marketing laws alone. Even from the angle of computer laws, you can’t do much about it either, when the law speaks of spyware you can’t prosecute someone using adware.

Developers of adware always use the excuse that they only deliver ads and never spy on people; they only collect information about their online behaviour in order to deliver them targeted ads. Again they conceal their intention through clever word choice. What else do you call it when you collect information about someone’s online behaviour without his/her consent? You spy on people and that makes it spyware; the fact that the collected information is used to deliver targeted ads is beside the point. Sometimes people use the argument that adware is not bad when it discloses these information collection activities to the user. Is it disclosure when you hide it in a huge Terms of Use document? All of us know that the Terms of Use is never read and most users simply scroll to the end and click on the proceed button. Creators of adware rely on this behaviour. And when the program explicitly discloses program activity through a compulsory window that can’t be bypassed, is it still bad? Most novice users don’t understand this disclosure and don’t realise the implications of information collection and targeted ads. In the end they are annoyed by the endless advertisements populating their screen and can’t understand where they come from. If they are annoyed by these ads, it is clear that they would not have allowed the software to be installed if they understood the disclosure made by the program. You can’t justify your acts if you rely on the ignorance of users.

It is spyware when the “adware” invades programs like your web browser, e-mail reader or any other program on your system through the use of some kind of memory consuming toolbar, add-on or modification, whether you know about it or not. If they want to deliver ads, they should do it through their own program, within a single window, without collecting information about the user, without throwing ads in your face every five minutes or adding useless memory hogs in your Windows Startup. They can base their ads on the software the consumer is using, but only software developed by their organisation.

Lavasoft made a clever choice for the name of their anti-spyware software. The name Ad-Aware removes any confusion there may be. Be aware of ads, they are not as harmless as they seem. The software is developed to remove spyware, whether you call it spyware or not. If a hawker wakes you up every morning before sunrise to offer you his products, but a hawker must be called a consumer agent, does that make it less annoying or justify the invasion of your privacy?


Saturday, November 04, 2006

The Dangers Of Chain Letters And Petition Lists

By Coenraad De Beer

Have you ever thought about the purpose of chain letters? Do you think petition lists ever promote the specific cause they were created for? Very few people ask themselves these questions when they receive chain letters and petition list spam, simply because they act like mindless zombies when it comes to responding to these e-mails. Instead of ignoring them, they follow each instruction within these e-mails down to the very last bit of detail. Have people forgot to question the purpose of their actions or are they deliberately exposing themselves to the dangers of these unsolicited e-mails?

I think chain letters and petition lists are nothing new to the e-mail user of today. At some stage in your computerised life you will run across an e-mail requesting you to either support some cause or to mindlessly forward it to all your contacts. People have become slaves of spam and spammers are enjoying it every step of the way. Very few understand the dangers of chain letters and petition lists. They are the fuel for spam, scams, identity theft and online fraud. They are the mechanisms that cause your inbox to be polluted with buckets of unsolicited bulk e-mails and attempts to rob you from all your hard earned cash. The ever-increasing problem of spam is our own fault, because we continue to support useless, unwanted e-mails that simply eat up bandwidth and delay servers everywhere.

But how exactly can a harmless e-mail pose any dangers to my online security? It is ignorant questions like these that help spam achieve their goals. What people don’t realise is the fact that every time you take part in a chain letter you supply your e-mail address to hundreds of other e-mail users out there. Chances are good that this chain letter will land in the mailbox of a greedy spammer. The tragedy of chain letters is the fact that e-mail addresses of innocent people are sent all over the globe. This is the case when someone sends an e-mail for instance to six people, the first three recipients ignore it and the other three forward it to all their contacts. The e-mail addresses of the first three recipients are distributed along the chain without their consent, permission or even having a say against their inclusion in the mailing list. Your e-mail address becomes yet another dumping zone for endless junk e-mails. But it doesn’t stop at simple advertising e-mails for fake Rolex watches and stock market quotes. You get bombarded with continuous ‘phishing’ scams, viruses and hoaxes. Petition lists normally require the user to supply a name followed by an e-mail address and sometimes a telephone number and the city you live in. A petition list is a handy tool in the hands of a spamming swindler. You can supply more targeted and credible scam e-mails by addressing the e-mail to a specific person. This can create a false sense of security among the recipient of the e-mail and the chances of walking into a trap is much greater than in the case of your conventional impersonal scam e-mails.

I can hear thousands of people screaming that petition lists are for good causes, causes that really exist. Do all of them really exist? So many people respond to petition lists because they appear to be for valid causes. What do you know about the person you need to reply to for every 150th or 300th entry on the list? How sure are you that this person is not simply harvesting e-mail addresses for spamming purposes? And even if it is for a good cause that really exists, how do you know whether this person is not exploiting the circumstances? I have seen e-mails (even faxes and normal letters) circulating in South Africa where people send their names and banking details all over the world in search of riches. I have seen people blindly respond to lottery scams with the hopes that they will win something. How can you win a lottery if you never entered one, how can you receive e-mails from Barclays bank if you are not a client of theirs, how can you receive an order confirmation from Amazon if you never ordered from them and how can you be alerted about suspicious activity on eBay if you are not even a member? If it is not mindless ignorance it is greediness that causes people to step with open eyes into a trap, ignoring every warning light flashing in their faces.

The more information you supply when taking part in petition lists or chain letter scams, the easier you make it for swindlers to steal your identity, hack your accounts or turn your computer into a spamming zombie. Next time you receive a chain letter or petition list, think about the consequences before taking part in the chain.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against malicious software. For examples of chain letters and scams visit our Hoaxes and Scams section.

Wednesday, October 04, 2006

Internet Explorer 7 RC1 Flagging Sites Wrongfully As Phishing Sites

By Coenraad De Beer

It all started with a web site owner receiving an e-mail from an unhappy client informing him that the anti-phishing scanner of Internet Explorer RC1 detected his site as a possible fraudulent web site. When Internet Explorer detects a possible fraudulent site, it warns the user not to enter any personal or sensitive information on the specific site in question. This means that if your site gets detected as a phishing site, you will most certainly lose clients because no one will want to buy from you (to sell products online you require information like e-mail addresses, shipping addresses and credit card information).

What bothers me the most is the fact that web site owners discovered this and will possibly encourage their visitors to turn off the anti-phishing feature. This defeats the whole idea of having the scanner there in the first place. Internet Explorer is causing a loss of confidence in two directions, the one being the web site and the other being the anti-phishing scanner. People will start to doubt respectable web sites and at the same time question the accuracy of the anti-phishing protection of Internet Explorer. The anti-phishing scanner is a great idea and an innovative way of battling the ever-increasing threat of online fraud. But when things go horribly wrong like this, you do more harm than good.

You have to take into consideration that it is still a release candidate and not the final version and bugs will most certainly be present. But you have to make sure that things like this won’t happen before you release it into the open. I can only imagine how much money has been lost because of this flaw and you might even see some lawsuits in the near future if the matter is not resolved in a timely manner.

The developers of Firefox are also implementing an anti-phishing feature for Firefox 2. This anti-phishing feature handles possible fraudulent sites in much the same way as the Google Safe Browsing feature of the Google Toolbar. This brings an idea to mind. If you really feel you need anti-phishing protection then get Firefox with Google Toolbar; it is far better and safer to use a stable browser than a pre-release version of a browser with multitudes of security issues and flaws. To be honest, you should seriously consider an alternative browser to Internet Explorer, because it will be compulsory for all Internet Explorer 6 users to upgrade to Internet Explorer 7 once the final version gets released. Ask yourself the question, are you going to be bullied into using an unreliable product or are you going to decide for yourself what is the best for your online safety?



Wednesday, September 20, 2006

Is My Anti-virus Software Bogus?

By Coenraad De Beer

A golden rule in life is to stick with the proven and trusted. The same rule applies when choosing security software for your computer. There are many well-known names in the industry that have been securing computers for years and have built up trust with consumers over the years. But in the ever-changing world of computers you have to stay ahead of competition and keep improving and enhancing your products. Unfortunately this has caused some companies to lose the focus they had and the quality of their software suffered because of this; they were constantly trying to tamper with a formula that has been working for millions of users. You can’t fix something that has not been broken.

New, intuitive and creative companies were needed to provide the same quality of no-nonsense security software we were used to. Luckily we have seen a few of them rise to the occasion but unfortunately this created an opportunity for unethical and criminal practices that have taken the world by storm. So-called security software companies have come to the foreground with “incredible” solutions to the security issues of your computer. They provide you with a demo of what their software can do and if it finds problems on your computer you can buy it at a ridiculously low price. This sounds more like marketing hype than anything else. You even get some companies that offer you software you can test for “free” for a specified period (normally 14 to 30 days). But there is no such thing as a free lunch. You have to buy the software first and then you can return it for a full refund within this specified period if you are not completely satisfied with it. What part of free do these companies not understand? If you have to pay for something it’s not free anymore. This is unethical, misleading marketing and people should not support companies like this. We live in a world of free trial versions and demos (the try before you buy policy) that expire after a specified number of days. If they can’t even develop a self-expiring demo, how can you expect that their software will provide adequate security for your computer?

But even a free trial version can be a dangerous piece of software. Spyware (adware) is normally hard to get rid of and once you install it you have to go to great lengths to get it removed from your computer. Many of these companies develop trial versions (they are actually spyware programs) that block other security software from getting installed on your computer and make you believe that your computer is infected with malicious software and the only way of removing it is by buying the full version. And even after buying the software you still receive constant pop-up ads and annoying windows throwing all the other junk developed by these companies in your face. Other trial versions do report on low priority threats that are really on your computer but overinflate their security risk. A cookie is much less dangerous than an executable file.

So how exactly do you distinguish between the legitimate and illegal software on the Internet? This is no easy task, but there are a few things you can do to verify if the company has honest intentions with their software.

  1. If there is no trial version to download, look the other way. If you can’t try the software before you buy, don’t waste your time with it.

  2. If you get buttons and links telling you to download the software and once you click on them you are taken to an order form, get out of there. Legitimate companies make it clear when you are taken to a download page and when you will be taken to an order form. There is a huge difference between “Download Now!” and “Purchase Now!” the first one creates the impression of a free download, while people will only click on the latter if they are willing to buy. Unethical companies don’t want to miss out on the chance of a click and they put the visitors under the false impression that they can download the software for free.

  3. Contact details are very important. Large organisations have telephone numbers, a physical address, postal address and e-mail addresses on their contact page, not just an e-mail form with no other way of contacting the organisation. Be wary of companies with only a single contact form and no direct way of communication.

  4. Verify the statements they make. They normally claim that their software has been acknowledged as the best security software by some other well-known organisation. If the well-known organisation exists, verify it on their web site or contact them, if they do not exist, how can you trust the software of a company who lies to their customers? Legitimate acknowledgements are normally backed up by a logo of the company who did the acknowledgement with a link to their web site. If this is absent you can’t add any credibility to this statement.

  5. Do some research with your favourite search engine and visit forums asking for the opinion of other people about the software. But be very careful here, the people providing an opinion may be affiliates of the company and will not tell you the truth about the software. You have to get an honest opinion so ask for several opinions, don’t base your decision on one person’s opinion. If you can’t find anything about the software on the Internet, rather stay away from it.

There are many trustworthy, effective and well-known brands of security software available today, many of them are free for home users. It is good to see that there are companies providing free effective security software to the individual. This clearly shows that these companies are not just out there to make money but they are making a valuable contribution to the battle against malicious software and protecting the consumer against fraudulent and cheap imitations of security software. I’d rather stick with the proven and trusted.


Cyber Crime Made Easier Through Impersonality

By Coenraad De Beer

What makes you suspicious when someone from your bank comes to see you to update your personal details? The most obvious answer is the fact that the bank never does this. Why can’t they call you and ask you to come to the bank, why do they need to send someone in person to come and see you, in fact why do they need to update your details in the first place? This seems rather obvious to many people but once they get an e-mail asking for the very same thing, they seem to lose their reasoning ability. The main reason for this is the fact that the e-mail is impersonal and your normal instinctive reactions that kick into place when someone personally asks you for this information do not necessarily do their job when you are confronted in an impersonal way.

The impersonal nature of e-mail makes it an easy way of asking for things that would have been hard to ask for when facing the person face to face. Unfortunately fraudsters discovered this and are using it to steal critical and personal information from people with a technique called phishing. They disguise their request for information with the logo, letterhead and e-mail address of a well-known and trusted company and create a false sense of security among the recipients of the e-mail and lure them into a trap. Anyone can create a web site that looks like a corporate site, so you can’t trust any site just because it looks like a corporate one. If you look more closely at the content of these sites (and e-mails) you soon discover certain inconsistencies, some are small and some are more obvious. But little things like spelling errors and bad grammar should start flashing warning lights right away.

People should realise that real organisations never ask for critical and important information through e-mail, nor the telephone or any other means of communication. You have to supply these details in person to an official of the company at one of their offices. E-mail is very insecure and can be intercepted in many different ways. And by the way, why would banks want to confirm your credit card information or pin numbers? They have it on record and they were the ones who issued you the credit card number, so why would they want to confirm or update it? What is there to update when it comes to a credit card number, pin or password?

It seems like people have a different set of rules for reasoning in the real world and on the Internet. People are more suspicious on the street than on the Internet. One of the main reasons for this may be a lack of knowledge of how things on the Internet work. Everyone knows you can’t trust a hawker on the sidewalk but many people trust almost any web site because they can’t see what’s going on behind the scenes. For all you know a bum can run a corporate looking web site from an Internet cafe. It is general knowledge that you can’t trust the hawker on the street, but several decades ago people did not know it. Once it becomes general knowledge how fraudulent web sites look and how they operate, you will see a decline in phishing scams of this nature. Unfortunately, fraudsters always find a new way of tricking people and the educational process of identifying scams and fraud will start all over again.


Firefox 1.5 vs. Internet Explorer 7 - It Is A Matter Of Trust

By Coenraad De Beer

Firefox has been around for a much shorter time than Internet Explorer and still it is much more secure and reliable. Microsoft has released the newest version of their web browser, Internet Explorer 7 Release Candidate 1. Already you can see complaints everywhere about bugs and problems experienced by people who upgraded to the newest version. Internet Explorer 7 boasts an array of new features, but almost all of them have been around in Mozilla Firefox for quite some time.

I guess the one feature Microsoft is bragging about the most is the new tabbed browsing interface. This is nothing new to Firefox users and I would rather trust a browser that has been using this feature for a couple of years because it had enough time to straighten out all the bugs and problems associated with it. Internet Explorer 7 is new to the world of tabbed browsing and one wonders how many problems one will experience with this feature before Microsoft gets it right. I’m not saying that there are any problems with its tabbed browsing feature, but if they could not even get the basics right in the past one does not have much trust when they come up with a brand new feature.

Later versions of Internet Explorer 6 introduced a built-in pop-up blocker. Users of Mozilla Firefox have been enjoying pop-up blocking long before Microsoft decided to add it to their browser. With its pop-up blocking feature and enhanced security, Firefox has been much less vulnerable to virus and spyware attacks than Internet Explorer. Firefox may not be 100% secure but security issues get fixed in a much more timely fashion than the ones in Internet Explorer. The main reason for this effective attention to bug fixes is the fact that Firefox is Open Source software. Many people argue that it poses a great security threat having your source code available to the public, because it is easier to discover and exploit vulnerabilities when you have access to the code. This may be true, but the fact that the source code is available to anyone creates a bigger pool of software developers contributing to the development and enhancement of the software, which results in faster and more effective releases for bug fixes and security issues. You are left at the mercy of Microsoft to get the problems in Internet Explorer fixed and all of us know how slow their response sometimes is when it comes to resolving security issues.

Another feature of Internet Explorer 7 is the new anti-phishing scanner. It scans the pages you visit for the possibility of phishing scams. This is a welcome feature for any browser because there has been an increase in phishing scams over the years and action has to be taken against them. Now, many people may take the opportunity and throw some stones at Firefox saying that it does not have a built-in phishing scam scanner, but Internet Explorer does. I’m sorry to burst your bubble, but you can add the same feature to Firefox with the Google Toolbar extension. The newest version of Google Toolbar has a feature called Google Safe Browsing that stops the user from visiting a possible phishing site. The fact that you can enhance Firefox with extensions makes it a very versatile browser.

Web developers are jumping for joy with the introduction of the Developer Toolbar in Internet Explorer 7. The toolbar includes tools that assist web developers in troubleshooting and manipulating web pages. Again you can add the same (if not better) functionality to Firefox with the Web Developer Toolbar Extension. This extension for Firefox is packed with so many features that you will ask yourself: “What can this toolbar not do?” There is also better CSS (Cascading Style Sheet) support in the newest edition of Internet Explorer compared to previous versions, but any web developer knows that Firefox has always handled CSS much better than Internet Explorer.

RSS (Really Simple Syndication) feeds are starting to become a web standard and providing support for it is becoming inevitable. Firefox caters for RSS feeds through its Live Bookmarks and the Google Toolbar also supplies its own way of subscribing to RSS feeds through Google Fusion. Windows Vista will be geared towards RSS feeds and that is why Microsoft decided to incorporate support for RSS feeds in Internet Explorer. So once again, Firefox has been supporting this feature long before Microsoft decided to add support for it in their browser.

It took 7 versions of Internet Explorer to get it up to similar standards as Mozilla Firefox that is only at version 1.5 at the moment. Users upgrading from Internet Explorer 6 to version 7 will be introduced to new features, some may be confusing for people not used to things like tabbed browsing and RSS feeds. So if you are willing to learn new ways of browsing the Web, why not switch to Mozilla Firefox, the trustworthy browser that has been doing things right from the beginning.


For fast, safe and secure browsing, download Mozilla Firefox with Google Toolbar.

Sunday, August 20, 2006

Mars Coming To Large View – Is This Hoax Amnesia Or Ignorance

It is unbelievable how many people believe all the nonsense that is circulating the Internet these days. Last year, 30 October 2005, we had the occurrence of Mars being close enough to Earth that you could spot it with the naked eye. But many people complained the next day that they saw nothing. The reason was that they had been hoaxed into believing that Mars would be as big as the moon, while it was in fact a bright star in the sky. This year we again have an e-mail circulating the Net, propagating the same lies again and the best of all, the e-mail states that this will only happen again in the year 2287, but according to NASA, this happens every two years.

This phenomenon occurred last year (and in 2003), so this means that the next occurrence is in 2007, not this year. This e-mail is such a classic example of a hoax that it is totally unbelievable that people still fall for this and distribute these lies to everyone they know. The e-mail states “This month and next, Earth is catching up with Mars”. It takes Earth 365 days to complete an orbit around the sun. Earth’s orbital track is smaller than the orbital track of Mars, therefore it takes Mars longer to complete an orbit around the sun. Now explain to me how does Mars orbit around the sun twice in a matter of two months?

“Mars has not come this close to Earth in the Last 5,000 years, but it may be as long as 60,000 years before it happens again.” It looks like the creators of this e-mail could not make up their minds about how long it will take for the next occurrence. The year 2287 is 281 years from now, almost 3 centuries, now they suddenly speak of 60 millennia. There are references to several scientific words and phrases in this e-mail that only a NASA scientist will understand, so how is it possible that they can’t do simple maths while they possess the knowledge of an astrologist? NASA states that Earth has not been this close to Mars for the last 60,000 years, I guess that is what got them mixed up.

“The encounter will culminate on August 27th when Mars comes to within 34,649,589 miles of Earth”. Notice how they don’t reference the year. This makes it extremely easy to use the same message next year and the years thereafter. It will be really silly if people forward this e-mail in September, but it is not impossible, people tend to miss little details like this because they read their mail like zombies, they don’t always think about what they read. This is maybe the biggest reason why we get so much spam and so many chain letters forwarded to our inboxes these days.

“Mars will look as large as the full moon to the naked eye.”

I guess once Mars looks as large as the full moon we should start worrying seriously.

Coenraad de Beer - Platinum Author

Cyber Top Cops - The Cyber Security Specialists Platinum Author

Thursday, August 10, 2006

Don't Become A Victim Of Identity Theft

Identity theft can happen in many different ways. Some are out of your hands and you can do nothing about them, for instance when your information is leaked by institutions due to negligence. But your identity can get stolen in several other ways, ways that can be prevented.

A week ago I received an auto-responder from a U.S. university informing me that the person I contacted was on leave at that moment and would get back to me as soon as he was at the office again. What made my eyes pop out of their sockets was the subject of the e-mail they were referring to. Someone sent this person an e-mail about something I don’t even want to mention here, an e-mail, according to them, that was sent from my e-mail address associated with my cyber-security web site. This has been a clear case of identity theft. I guess the spammer who sent the original message did not think I would get an auto-responder informing me about it. I was lucky in this specific case because you never know how many people send e-mails under your own e-mail address.

Some advice to webmasters. Never use “mailto” links on your web pages. Spam spiders crawl your website looking for e-mail addresses and specifically for “mailto” links. You make it too easy for spammers to get your e-mail address when you use “mailto” links. Rather embed your e-mail address in an image with a font that is readable to your visitors and at the same time hard for spam spiders to convert to text. This will decrease the chances of having your e-mail address spoofed in some kind of spam e-mail and you will also have a smaller chance of receiving spam. This is not foolproof, but will certainly fool less advanced spam spiders.
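As an added illustration (not part of the original article), the Python sketch below audits a page you publish for addresses that are still machine-readable, including the case where an address image carries the address in its alt text. The sample page, its addresses and the `audit` helper are constructed for this example.

```python
"""Added example: audit your own page for addresses a spam spider can read as text."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Deliberately simple address pattern; good enough for an audit of your own pages.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class AddressAudit(HTMLParser):
    """Collects (location, address) pairs for every machine-readable address."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if tag == "a" and name == "href" and value.lower().startswith("mailto:"):
                # Drop "?subject=..." parameters, then undo any %-encoding.
                target = unquote(value[len("mailto:"):].split("?", 1)[0])
                for addr in ADDRESS.findall(target):
                    self.findings.append(("mailto link", addr))
            elif name in ("alt", "title"):
                # An address image is pointless if its alt text repeats the address.
                for addr in ADDRESS.findall(value):
                    self.findings.append((f"{tag} {name} attribute", addr))

    def handle_data(self, data):
        for addr in ADDRESS.findall(data):
            self.findings.append(("page text", addr))


def audit(html):
    """Return the list of exposed addresses found in one HTML document."""
    parser = AddressAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: three exposed addresses and one properly hidden one.
SAMPLE_PAGE = """
<html><body>
<p>Sales: <a href="mailto:sales@example.com?subject=Quote">e-mail us</a></p>
<p>Support: support@example.com</p>
<p>Webmaster: <img src="/img/webmaster-address.png" alt="webmaster@example.com"></p>
<p>Billing: <img src="/img/billing-address.png" alt="Billing e-mail address"></p>
</body></html>
"""

if __name__ == "__main__":
    for location, address in audit(SAMPLE_PAGE):
        print(f"{location:22} {address}")
```

Only the billing address in the sample is hidden the way the article recommends; the other three remain readable without any image recognition.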

Never reply to spam e-mails. Many spam e-mails contain a spoofed e-mail address. You will only supply your e-mail to somebody you don’t know a thing about and the best of all, the person may not even be associated with the e-mail in the first place. Other spammers count on the possibility that you reply to their message in order to confirm that your e-mail address is active. If you ignore their e-mail you will have a better chance of not receiving an e-mail from them in the future. The vast majority of spam e-mails do not even contain a valid e-mail address you can reply to. Your reply will most of the time bounce back. It is also dangerous to click on the links in spam e-mails. They sometimes link to web sites that contain malicious software that will turn your innocent computer into a spamming device to do their dishonest promotion work for them.

National lottery e-mails are nothing other than information harvesters. You normally have to supply your social security number or some kind of identification number, telephone numbers, postal addresses, fax numbers, e-mail addresses, even physical addresses. You can’t win a lottery if you haven’t entered one and even if you entered one you should have lottery numbers that correspond with the ones in the e-mail. Lottery competitions normally work on a basis of collecting your prize with a valid lottery ticket. You never receive a notification via e-mail that you have won, you have to watch television or read the newspaper to see if you have the winning numbers. Never reply to these e-mails or phone the numbers supplied in them, these people are only harvesting your personal information, nothing else.

Chain letters are another way of getting your identity stolen. Ever noticed the large number of e-mail addresses contained within chain letters, especially if they have come a long way? By forwarding chain letters to all your contacts, you not only make yourself guilty of spamming, you also run the risk of supplying your e-mail address to other spammers.

Petition lists are a very clever way of harvesting personal information. These lists are normally about sensitive matters that stir up emotion in the readers in order to move them to forward the list with their name and contact details to everyone they know. Petition lists normally have a statement that if you are, let’s say number 100, on the list you have to send the list back to the person listed at the top. Now think clearly about this. Let’s say you are number 50 on the list and you forward this to 5 other people and each of them forwards the list to 5 persons each. You end up with multitudes of the same list, where the first 50 people on the list are the same every time. Do you really think the creator of this list is going to filter through all these lists and remove all the duplicate entries? No, petition lists are only a way of creating a never-ending source of personal information for spamming and illegal activities.

The FBI is stepping up its fight against online fraud with a new initiative called Operation Identity Shield. It is nice to see the authorities doing something about this, but the root of the problem still lies with the uninformed Internet users. If you don’t have the knowledge to identify these threats, you will take part in identity theft practices without even knowing the dangers they pose.

Coenraad de Beer - Platinum Author

Cyber Top Cops - The Cyber Security Specialists Platinum Author

Protocol Against Spam

There has been heavy debate over the effectiveness of the SMTP protocol in a world polluted with spam. There is an urgent need for a new protocol to replace this age-old technology to help battle the ever-increasing problem of spam. But is it really necessary to replace this trusted protocol? Is e-mail protocol not the solution to spam that we are looking for?

I guess I have you a bit confused now. The e-mail protocol I’m referring to is not the technology protocol, no, I’m speaking of a set of rules that has to be applied to make sure your e-mail reaches its destination. This set of rules will make it easier to define the behavior of spam when developing anti-spam controls. Web developers who want their web sites to reach high rankings in search engines have to keep within the rules of the search engines, if they don’t, they won’t reach their targeted audience. Moderators of Internet Relay Chat rooms do not tolerate any behavior that does not comply with the set of rules of the chat room. Crossing the line in a chat room will get you kicked from the room. The same rules apply for discussion forums. Some members like to spam forums with affiliate links and scams. Some forums allow you to place a link to your web site in your signature where other forums disallow the use of HTML altogether. It is very simple, if you don’t stick to the rules you don’t get to use the service.

But applying this to e-mail is not that simple. It is very difficult to deny people the use of e-mail if they don’t stick to the rules. Yes, we read that Internet Service Providers ban their members if they get caught using spamming techniques to deliver their message. But do we ever see these measures enforced on someone? Be honest, you would rather have the client use spamming techniques than lose out on the money the customer is paying. The solution to this problem is to penalise spammers without banning them from using e-mail. Search engines have given us the guidelines to do this. I agree that search engine algorithms are not perfect mechanisms and people familiar with Search Engine Optimisation know that search engines constantly change their algorithms to stay ahead of people exploiting their vulnerabilities. Applying these algorithms to the SMTP protocol is yet another problem. Many ISPs have spam filters installed on their servers to help filter out spam for their clients, so if you can apply the rules of search engines to these spam filters you will be closer to the solution.

Search engines scan pages for consistency in their content. If the header of a page does not conform to the body of the page you won’t get a good ranking on the Search Engine Result Pages. Applying the same consistency check to e-mail will filter out a huge chunk of the spam circulating the Internet. Companies who send e-mails with a single image embedded in the e-mail also make it hard for current spam filters to determine if it is spam or not. You need Optical Character Recognition software to scan the contents of the image and convert it to text. This will make anti-spam software very expensive and even the best OCR scanning software still makes errors when converting images to text. What about pornography? You will also need a special scanner to detect pornographic images. The only solution to this is to make a general rule that it is not proper e-mail protocol to embed only images into an e-mail without proper content. I don’t understand why companies still use this method of marketing. Dial-up users normally download e-mail and disconnect from the Internet to read their messages offline. There is nothing more frustrating than opening a message with only images embedded into it and there is no way you can see what the sender is trying to offer you without reconnecting to the Internet again. People advertising like that never reach me because I simply delete messages like this. If everyone starts to do this it will automatically create a protocol and companies will stop sending e-mails like this. E-mail clients like Thunderbird allow you to hide images embedded into e-mail messages and an e-mail that consists only of images is therefore totally useless if it reaches the inbox of people using this feature. The only ones who will continue using this practice will be spammers.

Search engines detect when you simply place hundreds of keywords on a page that makes no sense at all. Pages like this never rank well and sites using this practice even get banned from most search engines. Have you ever received an e-mail with strange sentences or tons of words at the bottom of the e-mail? These words and phrases are used to confuse spam filters and to make it harder for the software to decide whether it is spam or not. Applying the technology of search engine algorithms here will get rid of yet another chunk of spam.
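The checks argued for above (a subject that matches the body, no image-only messages, no block of unrelated words at the bottom of the message) can be sketched in a few lines. This is an added example, not part of the original article; the function names, thresholds, stop-word list and sample messages are assumptions constructed for illustration.

```python
"""Content checks for e-mail modelled on the search-engine ideas above.
All thresholds and sample messages are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

WORD = re.compile(r"[A-Za-z']+")
STOPWORDS = frozenset(
    "a about an and any are as at be but by for from have if in is it of on "
    "or our that the this to us was we with you your".split())
MIN_WORDS = 5          # fewer readable words than this is "no proper content"
TAIL = 15              # trailing words inspected for word salad
MIN_STOP_RATIO = 0.15  # prose is rich in function words, keyword dumps are not


class _Visible(HTMLParser):
    """Collect visible text and count <img> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.images, self._hidden = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text.append(data)


def _words(text):
    return [w.lower() for w in WORD.findall(text)]


def analyse(raw):
    """Return the three content signals for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain, html, images = [], [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1                       # attached or inline image part
        elif ctype == "text/plain":
            plain += _words(part.get_content())
        elif ctype == "text/html":
            parser = _Visible()
            parser.feed(part.get_content())
            html += _words(" ".join(parser.text))
            images += parser.images
    body = plain or html                      # what a reader can actually read
    tail = body[-TAIL:]
    stop_ratio = sum(w in STOPWORDS for w in tail) / len(tail) if tail else 0.0
    subject = [w for w in _words(str(msg.get("Subject", "")))
               if w not in STOPWORDS]
    known = set(body)
    overlap = sum(w in known for w in subject) / len(subject) if subject else 0.0
    return {
        "image_only": images > 0 and len(body) < MIN_WORDS,
        "word_salad": len(body) >= TAIL and stop_ratio < MIN_STOP_RATIO,
        "subject_overlap": round(overlap, 2),  # share of subject words in body
    }


def _build(subject, plain=None, html=None):
    """Build a constructed sample message and return it as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", subject
    if plain is not None:
        m.set_content(plain)
        if html is not None:
            m.add_alternative(html, subtype="html")
    else:
        m.set_content(html, subtype="html")
    return m.as_string()


_NOTE = ("Hello, the invoice for December is available on your account page. "
         "Please contact us if you have any questions about it.")
SAMPLES = {  # constructed messages, not real mail
    "image_only": _build("Great prices", html='<html><body><a href="http://'
                         'example.com/"><img src="http://example.com/offer.gif">'
                         "</a></body></html>"),
    "word_salad": _build("Cheap watches today", plain="Buy the best replica "
                         "watches at our store today.\n\nharbour violet engine "
                         "marble sixteen lantern quiet ribbon velvet orchard "
                         "copper window thunder meadow pencil\n"),
    "newsletter": _build("Your invoice for December", plain=_NOTE + "\n",
                         html='<html><body><img src="logo.png"><p>' + _NOTE +
                         "</p></body></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

The newsletter sample carries a logo image and still passes, because it also has readable text that matches its subject; only the message with nothing but an image is flagged.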

A protocol that is starting to become a common practice is the usage of text only e-mail messages. Many servers reject e-mails with HTML code embedded into them and only allow text messages to pass through. But this is the common example where little Johnny did something wrong and now the whole class gets punished. Respectable companies use images in their e-mails to complement the content of their messages. If you can’t use HTML, you can’t format the message to have the look and feel of your company. If you can’t use HTML, you can’t make use of your company logo or include illustrative images of your products in your messages. Why should everyone get punished for people who abuse the same mechanism that respectable and honest organisations use to promote their products? This is why you have to design an e-mail message in such a way that it still delivers the marketing message clearly without the images and HTML.

I have even seen people suggesting that closed circle e-mail protocols replace SMTP. These protocols are used in companies for internal communication. Servers only allow e-mails to pass through if they have your e-mail address on their safe-list. If you are not on their safe-list you won’t get through. But this is a very impractical method of filtering out spam. What if a customer wants to contact the sales department, or anyone wants to contact any department for that matter? Another similar method is one that was introduced by Hotmail. Only e-mails from your contact list land in your inbox; every other e-mail is filtered to your Junk Mail folder. You will have to indicate which e-mails to allow in the future. The rest are deleted automatically after a specified number of days. This method has some merit but can be a daunting task if you want to implement it in a commercial environment. You will have to employ a full-time e-mail administrator to select which e-mails should go through. Both these protocols are very counterproductive measures.

Let’s be honest, getting rid of spam is not an easy task. But if everyone starts to ignore spam or messages with the characteristics of spam you should see a decline in the spam circulating the Internet. Spammers will soon realize they are only wasting bandwidth with their useless e-mails and no one is falling for their moneymaking schemes anymore.

Coenraad de Beer - Platinum Author

Cyber Top Cops - The Cyber Security Specialists

Monday, July 31, 2006

Freedom Of Speech Is Not Exercised When You Mislead People

The Adam Walsh Child Protection and Safety Act of 2006 was passed into law this week by the US Congress. The law is aimed at protecting children from online predators and specifies how hyperlinks and domain names leading to sexual content should be presented. It prohibits "misleading" domain names and links. But so many people are complaining that this is taking away their freedom of speech? Since when is misleading people freedom of speech?

I have the right and the freedom to choose what I want to be associated with and what not. If you mislead me to view pictures I don’t want to be associated with, then you are taking away that freedom. If you are using freedom of speech to take away that freedom, how can you still call it freedom of speech? One right to freedom should not take away another. But this is exactly the problem we have with all these freedom rights. Criminals and predators are thriving on these rights and law-abiding citizens have to suffer because of them. Freedom and human rights only seem to be applicable to those people against whom we were supposed to be protected in the first place by these exact same rights.

People are more concerned about the fact that they no longer can use prank links, than the safety of our children on the web. I don’t think prank links to obscene and offensive content are funny at all. You are forcing junk down everybody’s throats. It is not only children who are at stake here, but adults who are sensitive to this material are also affected. This debate is heating up all over the world on blogs and forums. But the debates are doing the goal of this law no good. These discussions are filled with links to prank and indecent sites, with the excuse that they are used for illustrative purposes. I don’t understand why the owners of these blogs don’t moderate these comments, because they are only promoting these indecent websites by including their links in the posts.

If this law is enforced and applied correctly, the Internet will not only be a safer place for our children, but it will become a safer environment for every Internet user. We should also see a decline in spyware and spam related problems, because most pornographic websites install spyware on your computer and steal your e-mail address to spam you with junk e-mails. Just download a program like Spybot and have a look at the number of adult related sites that are blocked by this program. The worst-case scenario is where your children click on these misleading links, get exposed to the harmful content on the site and have spyware installed on your home computer. These malicious programs periodically redirect users to indecent sites, so your children get exposed over and over again, your computer becomes a host for several spyware programs and indirectly helps with the promotion of these sites. In the end you run the risk of becoming an accomplice in child pornography, unknowingly, and all this because of a misleading link. This is not freedom of speech at all, it is an infringement of so many rights that it is impossible to list them all here. You will never like it when a stranger walks up to your children in the park and shows them pornographic pictures and plants a spying device on them, so why don’t you mind strangers on the Internet misleading not only your children but also everybody else?

Coenraad de Beer - Platinum Author

Cyber Top Cops - The Cyber Security Specialists

Wednesday, July 26, 2006

Making The Move From Microsoft Internet Explorer To Mozilla Firefox

Internet Explorer is the preferred choice for 97% of my web site visitors. It was quite a surprise for me because since moving over to Mozilla Firefox a couple of years ago, I haven’t used any other browser for any of my browser needs, including the testing of my website. Was this maybe a costly mistake?

Mozilla Firefox was the solution to so many problems I encountered with Microsoft Internet Explorer. I had an effective browser that dealt with annoying pop-ups and spyware. Best of all, it performed much better than its counterpart. On the security side you had a better solution than Internet Explorer. Firefox is the result of an open source project and as all of you know, the open source community provides solutions to the vulnerabilities of its software much faster than Microsoft does for Internet Explorer.

Firefox has dealt with various security issues long before Microsoft even discovered similar issues in their browser. There has also been a joke circulating among Firefox fans that there is only one thing that is more secure in Internet Explorer than in Firefox and that is a feature that has not been implemented yet in Internet Explorer. I’m not sure what the specific issue was that this joke referred to, but it is ironic that Firefox is still more secure while providing much more functionality than Internet Explorer and therefore has more possible areas for security holes.

After discovering that so many visitors to my site were Internet Explorer users, I immediately browsed my site with Internet Explorer to see if there were any critical issues I had to deal with. To my surprise I only found that certain images were not aligned in exactly the same positions as they appeared in Firefox, but not so much that they looked out of place. To be honest, if you never saw the site with Firefox you would not have even known that the images were out of place. The reason for this misplacement was Internet Explorer’s lack of solid support for CSS (Cascading Style Sheets).

Another problem was my toolbar. All the buttons were glued together, while they are spaced apart from each other when you view the site with Mozilla Firefox. This was easily fixed, ironically with a specific CSS statement that Internet Explorer does not have support for. The last problem was the appearance of a button when you hover with your mouse over it. The last button of every toolbar was broken so that the hovering effect did not display correctly in Internet Explorer. Internet Explorer is so bug ridden that you simply can’t have a work-around for every issue. The point I’m trying to make is that the site did not look too bad after all, if you keep in mind that it was only designed and tested with Mozilla Firefox.

Another interesting thing I discovered from my visitor statistics was that 95% used a screen resolution of 1024x768. I’m still designing on a 14” screen with an 800x600 resolution but always make sure that my site displays correctly on a 1024x768 resolution. I have made the mistake in the past of designing sites for an 800x600 resolution only, because I simply did not think about a higher resolution at that time. This was a very stupid mistake to make. I was chasing visitors away, unknowingly, because I was too reluctant to get myself a bigger screen that could handle a higher screen resolution.

This is maybe the most ironic part of my discoveries. People don’t mind spending money upgrading their screen in order to comply with the newest trend of screen resolutions, something that does nothing to enhance the security of your online activities, but when they get the opportunity to obtain a free browser that provides better security than their current browser, they simply refuse to make the move. I have seen Internet Explorer fix common HTML errors, like using two double quotes next to each other while there should have been only one. Firefox did not display the image referenced after these two double quotes and pointed this error out when you viewed the page source.

Internet Explorer ignored the second double quote and displayed the image as if there was no error at all. It did the cover-up work for the coding error, while Mozilla Firefox exposed it. Internet Explorer is therefore not the type of browser a web designer would use to validate his or her HTML code. You would rather prefer an alternative like Firefox, which tells you when you are making coding errors. But this even holds a threat for the normal user. Would you continue to trust a browser that attempts to correct a designer’s mistakes, or would you rather trust a browser that does not allow the faulty code to execute at all? Hackers are always on the lookout for common mistakes to exploit. You have a bigger chance to exploit faulty code than code that never got executed in the first place. After all, how confident are you that Internet Explorer will make the right choice when correcting HTML errors?

Mozilla Firefox has a much better track record, not only with security issues, but also various other features, many features that the current version of Internet Explorer does not provide for. Why should web developers waste hours of their precious time to make up for the shortcomings of a browser while they could have spent their lost time making their websites more solid, better and more entertaining to explore with a browser that really works? So next time when you get the opportunity to switch over to Mozilla Firefox, be clever, don’t hesitate, you will be making the right move if you decide to make the switch.

Coenraad de Beer - Platinum Author

Cyber Top Cops - The Cyber Security Specialists

Friday, July 21, 2006

Smelling A Hoax A Mile Away By Using A Little Common Sense

It seems like people in general have a problem identifying hoaxes, because our mailboxes are littered with e-mail hoaxes and scams. Most of the time these e-mails come from friends, colleagues and family. But isn’t there a general rule of thumb that will help people to identify these e-mails? To be honest, no! But it may help if people start to use a little common sense.

It is amazing how quickly the world knew in September 2001 that America was under attack, but years after discovering that a specific e-mail is a hoax, people still don’t know about it. The main reason for this is that people don’t really take the time and effort to inform others about the hoax and, like I said, most of these e-mails come from friends and family, and it is not always that easy telling these people that it is a hoax. Some may feel embarrassed and react negatively to your information, others will simply not believe you. And it is because of these stumbling blocks that these e-mails make an appearance every now and then.

I will demonstrate how to identify a hoax by using a very common example, the Zero Sector Virus-hoax. This e-mail appeared years ago (it dates back to 2001) and is still in circulation, but only as new variants of the original one. The text printed in italics is an extract from the e-mail. Below each extract is an explanation of the common signs of a hoax that appear in the extract.

For a copy of the complete e-mail visit the following link:


This e-mail is intended to inform the receiver about a virus, but the main focus of this e-mail is the spreading of it. Normally the subject of an important e-mail tells you a little bit about the contents of the e-mail, but the writer of this e-mail was more concerned about the distribution of this e-mail than the information contained within. So this heading should already flash some warning lights.

“Be alert during the next few days: Don't open any message with an attached file called "Invitation", regardless of who sent it.”

The first sentence says it all. “The next few days” is a bit vague. No specific dates are given, so the next few days can be any “next few days”. Hoaxes always have generalization in mind, so that the e-mail appears applicable at the time when you read it.

“It's a virus that opens an Olympic Torch that "burns" the whole hard disk of your computer.”

There is only one strange thing about this sentence. Notice the two spaces between the words ‘whole’ and ‘hard’. It is common among creators of hoaxes that they never give attention to style, grammar or punctuation when compiling e-mails like this. So when you get an e-mail like this with lots of grammatical errors and typos, you can be certain that it is some kind of hoax or scam.

“This virus will come from someone who has your e-mail address; that's why you should send this e-mail to all your contacts. It's better to receive this message 25 times than to receive the virus”

The first sentence is total rubbish. Of course an e-mail virus comes from someone who has your e-mail address, but it does not mean that you have the e-mail address of everyone who has yours. Hoaxes and scams thrive on circulation. If there is no circulation, there is no possibility of spreading. The fact that it is better to receive the message 25 times than to receive the virus holds some truth. Hoaxes are like chain letters, they keep coming back to you and never stop until everyone decides to break the chain. Again you will notice that the sentence does not end with a full stop.

“DON'T open it and shut down your computer immediately .. This is the worst virus announced by CNN, it's been classified by Microsoft as the most destructive virus ever.”

This paragraph can easily be identified as a hoax by just confirming this on the websites of CNN and Microsoft. You will be surprised to find that there is no record of this on either site. McAfee mentions this e-mail, but they also classify it as a hoax. It is strange that no virus name is mentioned in this e-mail. All viruses get a descriptive name to help people identify them, so what does it matter what Microsoft says if you don’t even know what virus they are talking about? Shut down your computer. Why? It won’t even help to shut it down even if it was infected with a virus. Shutting down your computer does not make the virus go away. An e-mail and its contents are completely harmless as long as you don’t open it, so there is no need to shut down your computer when you see this e-mail, simply delete it. E-mails can do harm if you use a preview pane, but if you never use a preview pane, it is totally harmless until you open it.

“The virus was discovered by McAfee yesterday, and there's no repair yet for this particular virus. It simply destroys the Zero Sector of the Hard Disk, where vital information is kept.”

No company in this world will ever confess that they can’t fix a problem that is related to their field of expertise. What confidence will you have in an anti-virus company if it only tells you about viruses but never fixes them? Again notice the use of time. Yesterday can be any day. Anti-virus companies normally give a specific date when they announce new viruses.

“Also:- Emails with pictures of Osama Bin-Laden hanged are being sent and the moment you open these emails your computer will crash and you will not be able to fix it! This e-mail is being distributed through countries around the globe, but mainly in the US and Israel. Don't be inconsiderate; send this warning to whomever you know. If you get an email along the lines of "Osama Bin Laden Captured" or "Osama Hanged" don't open the attachment.”


There is not much to say about this paragraph. It is added only to make the e-mail look legitimate, by giving the reader more information to consume. The original virus destroys sector zero of your hard disk and now they mention your computer will crash. There are no details about what happens when your computer crashes and there is no consistency about the symptoms of the virus, so you can only assume that they are referring to another virus in this paragraph. Again no virus name is mentioned and the tone of this paragraph is almost like “Oh and by the way…” or “I almost forgot…”, which shows you that the writer of this e-mail only had distribution of the e-mail in mind and mumbled a bunch of nonsense just to make it look interesting and have you send it to all your contacts. The first and last sentences of the e-mail are proof of this.

One last thing to mention is the fact that you can’t find the name of the party who created this e-mail. It is anonymous, but may fool the reader into believing that it comes from CNN, Microsoft or McAfee. Microsoft and CNN never announce security threats by e-mail and anti-virus companies only provide virus information to users who signed up for periodic e-mail announcements. These e-mails normally have the letterhead and logo of the specific anti-virus company.

People should be on the lookout for e-mails like this one and inform others about them, but most importantly, you need to break the chain! Keeping your silence about this will cause the problem of spam, hoaxes and scams to grow bigger and bigger. People may feel that some of these signs may not look that easy to identify, which is true, because you sometimes need some background information to be able to identify e-mails like this, but you should be able to identify other signs like the lack of specific dates and typos easily. You only need to use a little common sense.

Coenraad de Beer - Platinum Author

Thursday, July 13, 2006

Security Flaws, Hanging Them Against The Big Clock

Buffer overflows, insecure browsers, remote code execution, all common terms in the world of software security. We are surrounded by insecure applications and the big guns are not doing a thing about it. It seems like they are more profitable with insecure software applications than reliable and secure software. Everyone is fed up with the ignorance of giant software companies, but is that enough reason to go public with every security flaw you find in their software?

It won’t hurt when you go public with security flaws of a certain piece of software, if there are only three or four users of the software worldwide. But it becomes a problem if billions of people use the software.

Flashing a security flaw around for everyone to see puts more people at risk than would have been the case had you kept it quiet. Who are you actually doing a favour? The users? Prospective users? The software company? No, not one of them. You are making the job of hackers and people exploiting the flaws that much easier. In fact, you are doing their homework for them and you are feeding their sinister thoughts with sensitive information.

Many people feel they are giving software companies a blow by announcing flaws out in the open. You get the chance of getting even with the companies you hate the most. But does this really have a negative impact on the really big companies? Yes, I agree smaller companies will feel the blow much harder than the larger ones, but the big guns thrive on controversy because publicity is a free way of marketing your product. You may not impress everyone, but when the word gets out, your product’s name will be mentioned, that’s for sure. Just make sure you take some kind of action, just to make it look like you really care.

Companies like Microsoft and Google make huge mistakes with their products, but almost everyone seems to support them. It will take some huge flops to make people lose confidence in companies like these. This article is a good example. I’m not a huge supporter of Microsoft products. I prefer Open Source products because they are most of the time more secure and effective. But still Microsoft’s name gets mentioned. Google kept doing things right until all their fame and success went to their heads. Today they are disappointing thousands of search engine users, webmasters and advertisers, but people still use their products.

You may give companies a temporary blow by following the public route, but in the end you create new opportunities for them to make something good from something bad. Your efforts will be futile and you end up creating more problems for the software community than helping them.

Why do people think it is a good thing to go public with security flaws? It is because they think in terms of the open source community. The only way of getting an open source application fixed is by going public with the flaw. The open source community comes up with fixes to their applications in next to no time because there is such a huge pool of contributors to the community. Unfortunately you can’t follow this route with closed source applications. You are at the mercy of the software company to get the problem fixed. But you are not making things easier for them by starting a fire in the woods. They end up putting out fires instead of focusing on the root of the problem. This leads to patching the software until a new flaw appears. More patching is done until the next flaw and the process repeats itself over and over until you are stuck with a patched up application, which still can’t battle the posing threat of security flaws. You can keep patching the software but below the patches lies the real nightmare.

Patches are the result of bad development in the first place and impatient users in the second place. I agree it is not the responsibility of the user to debug the software. You pay for the software so that the software company can pay their testers to do their job properly. So what is the bottom line here? Are the intentions of closed source users the same as open source users when they go public with security flaws? Undoubtedly no. Closed source users do it out of frustration with the software companies while open source users seek a solution to a posing threat.

What do I suggest you do next time you stumble across a security flaw? Keep it quiet for as long as possible and report it to the responsible software company. By doing this you will prevent an uncontrollable spread of exploits for this specific flaw. If the company is dedicated to fixing their software you will allow them more time to focus on the core of the problem. This will be beneficial for the end-user as well as the software company. It will make their software more secure, which will lead to greater support and consumer confidence in their product. Better consumer confidence leads to bigger profits and a responsible company uses these profits to make their product even better.

I agree that the picture I’m painting is one from a perfect unselfish world, but it will do no good to do the opposite either. Encourage people to switch to more secure applications and stop revealing each and every exploit of the less secure application.

Spend your time and energy to promote and enhance promising software instead of bad mouthing software that does not deserve the attention at all.

Coenraad de Beer - Platinum Author


Thursday, June 01, 2006

Malicious Software, a Problem at a Deeper Level

How do you get a cold? You get exposed to a germ, right? This may be a very simplified explanation of getting a cold, but the basic principle is the same when it comes to malicious software. We all know what malicious software is, it is a program that does unwanted and in many cases destructive things on your computer. Typical examples of malicious software are viruses, spyware and ad-ware. You have to expose your computer to a malicious program to get infected by it. This can happen in many ways, by using an infected Floppy Disk, CD, DVD, hard-drive or flash drive. You may get infected when opening an attachment of an infected e-mail message. But if you use common sense you have a smaller chance of getting infected. Only use disks from trusted sources, don’t open strange e-mails and even if you use material from a trusted source, ensure that it is scanned by a respectable Anti-virus scanner.

There is one method of infection I did not mention and that is through the use of the Internet, by browsing from web site to web site. Common sense also plays a role here. If a link looks strange, don’t click on it. If you are required to enter sensitive information that is not relevant to your visit, don’t do it. Using a browser with good security measures will make you less vulnerable. But one problem that can’t be fixed with security software is people’s moral values. Ignorance plays a significant role in infections but I don’t believe that it plays such a big role as people’s intentions when using the Internet.

Many infections occur when the user was doing something either illegal or immoral. The evidence is clear when you try to fix an infected PC. The Internet History and the Temporary Internet Files folder are most of the time cluttered with cookies and cache of pornographic and piracy sites. Piracy sites range from pirate music to pirate software. Many of the cracks downloaded from the Internet are actual Trojan Horses (a host program that gives malicious software access to your computer), although they usually claim to bypass the anti-piracy sections of a program to allow the user to use a full licensed version of the software. Sometimes they even do actually crack the software but install a malicious program in the background without the knowledge of the user. Some sites require users to install specific software in order to gain access to their pirate or pornographic content. These programs are nothing other than spyware, which monitors activities like keystrokes from your keyboard to record passwords. They also spy on your online activity and store this information on their servers in order to send you relevant marketing material and spin you deeper into their web. What users often don’t realize is that their PC becomes a source of malicious activity. Many of these companies will load your computer with malicious software and try to infect everyone you communicate with, either through your local network or the Internet. Your PC may become a spamming engine, sending spam to all your contacts. Your PC will in the end earn revenue for these dishonest organizations and you may become an accomplice in illegal activities without even knowing it.

All these are consequences of the immoral and dishonest actions of the user in the first place. If people stay away from piracy and pornography sites we will deal with fewer malicious software threats. If fewer people use these websites, these organizations will make less money from these sites and will in the end be forced to shut them down. This will be to the benefit of the whole online community, but also the music, television and software industry, due to smaller volumes of piracy. In the end it will put money back into the pocket of the end-user and keep our children safe from the filthy material on the Web.

It is a simple rule: if you keep your online intentions clean, you will have a clean conscience and a clean conscience will go hand-in-hand with a clean computer.
Coenraad De Beer - EzineArticles Expert Author


Saturday, May 27, 2006

Fighting or Financing Malicious Software?

Come on. Be realistic. How should I approach security for my computer in the same way as I would approach security for my car or home? The answer is simple, just apply the same principles, not the same mechanisms. Why do I want to protect my car and my home? It prevents people from invading my privacy. What else is it when someone breaks into your car? A thief has no respect for the private assets of someone else, he takes what he wants, and an arsonist has no respect for the private assets of someone, he burns what he wants. Squatters have no respect for any private property, they occupy whatever piece of land they want. That is why we have alarms, security systems and security guards to protect our assets and most important of all our privacy. We don't like strangers strolling round on our premises, we take the necessary precautions to keep them off our property by putting fences and walls around our houses.

Your computer is nothing other than your private electronic property. Why would you go to all the trouble to keep unwanted people away from your home if you don't mind it when unwanted software crawls through your PC? You make online purchases, do online banking transactions, log into your e-mail, and enter several passwords to keep people from gaining unauthorised access to your private and critical information. Sure, so why would you want a key-logger or password-grabber to infiltrate your computer and steal all your important and private information? You need an anti-virus program, a spyware and ad-ware scanner and some kind of resident shield to prevent all these malicious programs from accessing your PC. We are talking about millions of home users who don’t have the kind of budget to afford all these programs. That is why so many people ignore the threats of malicious software: battling them is just too expensive and, to them, not that important. It does not help to educate users against these threats if you can't empower them.

Many of the big anti-virus companies refuse to distribute free-ware versions of their software to help home users battle these threats. After all, it is home users that are the easiest targets for infections and they are the pawns for Denial Of Service attacks. This is where smaller anti-virus and -spyware companies made the difference when they introduced free, fully functional programs for home users. They even maintain these versions by updating them as new threats make an appearance. It clearly indicates that their main goal is to fight malicious software and not only profit. Companies like these make a positive contribution to the online community by empowering home users to battle the villains of the online world.

Home users no longer have an excuse for not protecting their computers. Not only companies, but also individuals have developed some useful tools to help their fellow man. The biggest problem users may face now is to make the right choice between all the free security software available today. That is why informed members of the online community have to share their knowledge with the uninformed to help them make the right choices and stay clear of fraudulent and malicious software.
Coenraad De Beer - EzineArticles Expert Author
