Do You Want Big Brother Spying on You?

Back in 2006, the U.S. Attorney General, Alberto Gonzales, under the Bush Administration, called for new rules that would require ISPs and cell phone companies to collect more data (spy) on all of their users. It’s called Mandatory Data Retention. At the time, there was enough opposition to the idea that it never got far.

Recently, the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security held a hearing to promote this controversial idea once more. Several members of Congress have already proposed legislation on data retention, and support for it is coming from both Democrats and Republicans. The Obama administration’s Department of Justice is also expected to support forced data retention.

Currently, ISPs and phone services already keep transaction records for 90 days, in accordance with the 1996 Electronic Communication Transactional Records Act. After 90 days, the records are deleted, and some law enforcement agencies would like to see these records kept much longer.

Since it’s obvious to many that this is another case of Big Brother watching, how can these politicians justify their call for more intrusion into businesses’ and customers’ internet and phone traffic?

Most of this call to action is the result of law enforcement and defense agencies wanting longer retention periods, and of politicians who want to look tough on internet crime, such as child pornography. However, privacy advocates such as the Electronic Frontier Foundation (EFF) and the Center for Democracy & Technology (CDT) see it as having harmful unintended consequences for user privacy and First Amendment anonymous speech, along with ballooning costs for retaining the information.

In my opinion, new laws requiring data retention are going to cause more problems than they solve.

Law enforcement agencies can already ask internet and telecom providers to collect extensive information on suspects. Collecting more data will help law enforcement and Homeland Security catch criminals and terrorists, but these new laws will treat all of us like suspects.

The collected information will seriously clamp down on anonymous speech and whistleblowing. Do you trust the government to stop itself from trying to track down sources of leaked information or people who voice strong anti-government or opposition party speech?

Government and law enforcement won’t be the only ones able to access this data. How many websites are hacked every day? How many government agencies have data stolen from them? We’ve already seen what’s happened with WikiLeaks and government employees who get fooled into giving out information.

It will also make simple visits to legal sites more ominous. Would you want everyone to know you’d visited a site about STDs, mental health, bankruptcy, adult entertainment, or any other normally private topic?

Civil courts will be able to get access to this information. It could be used in divorce cases to prove infidelity. It could be used in lawsuits to prove prior knowledge or associations.

The internet and telecom providers can handle the additional open-ended costs of mandatory data retention, since those costs will be passed on to consumers. It will be the same as a new hidden tax. Smaller businesses and start-ups may not be able to bear the added costs, reducing innovation and killing competition with the big internet companies.

In summary, new data retention laws would be good for big government, law enforcement and big business. They would be bad for the average joe consumer, free speech and free association. If you don’t agree (or you hate freedom), you have the freedom to comment below.

CARBERP – a New Browser Trojan to Worry About

How would you feel about a computer infection that could lie to your bank about your online transactions? What would happen if details such as who you are paying and how much could be changed without you knowing it?

That’s exactly what can happen with the current crop of transactional trojans. This is called screen injection, HTML overlay, or the man-in-the-browser attack.

This type of infection can spy on you while you are online at many banking sites. ATM PINs, social security numbers and answers to secret questions are the types of information that will be stolen.

Previously, we’ve written about the Zeus trojan, which is the current king of the transactional trojans. Zeus used some unique command-and-control interfaces that actually fooled security experts into giving up information. The Zeus trojan was also used to infect hundreds of U.S. Government employees when they opened a fake Christmas Card email from the White House.

If that’s not scary enough, there are more trojans out there that are being bred to compete with Zeus. According to TrustDefender, a well known security provider, a trojan named Carberp has recently added a whole slew of new features. These new features are intended to make it just as useful to black hats as Zeus. Here are some of the features:

  • It can run on non-administrator accounts.
  • It can infect Windows XP, Vista and 7 machines.
  • It doesn’t make changes to the Windows registry.
  • It hooks into the web browser to control all internet traffic.
  • It’s able to transmit real-time data to its masters.

It also conceals its identity by appending random data to itself to foil normal anti-virus detection. The fact that it can run in non-admin mode and doesn’t write to the registry also makes it harder to detect. To most security software, Carberp could appear to be a simple browser add-on or extension.

The older Zeus trojan hasn’t been improved recently, and it looks like there’s a battle brewing that will decide the next popular trojan. Carberp is in the running with two or three others, such as SpyEye and Gozi.

It’s a rat race, with security experts always trying to build a better trap for the fast rats that keep breeding even faster rats. The security field profits from this race and so do the hackers.

We are the big losers.
My Total Facebook Views Scam Spreading On Facebook

Just a couple of days after the Facebook surprise message scam was unleashed, another new Facebook scam is underway, where users are posting messages on their profile saying "My total facebook views are: xxx. Find your total profile views link".

Facebook Profile Views Scam

The new Facebook scam is similar to another one we unearthed earlier, where people were enticed to click on a link to find out "who checked your Facebook profile". Both scams are alike in that they promise users data that Facebook does not actually provide.

However, you are better off not clicking the links that accompany this message. AllFacebook reports that the number in the update is inflated and that the survey users are forced to take is basically a waste of time. For the developer of the said app, however, it could mean a lot of money. Remember how Zynga asks users to complete surveys to get additional virtual money for their games?

So if your friend has updated their profile saying that their profile has been viewed so many times, kindly tell them about the scam and ask them to delete the update from their profile, lest someone else clicks on it.

How to Keep Kids Safe Online – Talk to Them

You’ve heard about the danger. It’s out there in many places, such as Facebook, Twitter, chat rooms, texting, and file sharing. What do you know about safe online practices? How can you help protect your kids?

According to many experts, the best thing you can do to protect your kids is to talk to them about internet safety. Two websites can help you and kids avoid the worst dangers on the web. You’ll find plenty of advice at On Guard Online and Net Smartz.

Below, I’ll offer a few tips I’ve found. However, if you have time, take a look at this video: Chatting with Kids About Being Online.

More videos from OnGuard Online

Videos from NetSmartz

Why do you need to talk to kids?

At NetSmartz, I ran into some survey stats from 2006 showing how important it is to influence your kids’ online behavior.

33% of 13- to 17-year-olds reported that their parents or guardians know very little or nothing about what they do on the Internet.

48% of 16- to 17-year-olds said their parents or guardians know very little or nothing.

Fully 22% of those surveyed reported their parents or guardians have never discussed Internet safety with them.

On the other hand, 36% of youth—girls and younger teens most notably—said that their parents or guardians have talked to them a lot about online safety, and 70% said their parents or guardians have discussed the subject with them during the past year.

Most importantly:

Fewer teens whose families have talked to them a lot about online safety have an IM name or pictures of themselves on the Internet, compared to kids whose families have not talked to them at all. More teens who’ve talked to parents or guardians also ignore messages from unfamiliar people, refuse to reply or chat, block unknown senders, and report these occurrences to trusted adults.

How can you get a conversation started?

I also found some good questions (from NetSmartz) to get you started.

Can I take a look at what you have been posting online?

Does anyone else have access to your passwords?

What information is okay to share online?

What information should you keep private?

What could someone learn about you from what you post online?

How might they use this information?

Have you ever regretted anything you posted online?

What advice should you give? What actions should you take?

I also found this advice at NetSmartz.

Make sure that your child takes advantage of the privacy settings on social networking sites.

Pre-approve the pictures and videos your child posts online.

Remind your child never to post e-mail addresses or cell phone numbers.

Tell your child that passwords should only be shared with parents and guardians.

Teach your child not to respond to any e-mails requesting personal information and to delete e-mails from unknown senders.

Discuss how to keep screen names and e-mail addresses gender-neutral, appropriate, and free of any information that could reveal identity.

Encourage your child to tell you right away if anything happens online that bothers or frightens him or her.

I’ve only covered a tiny part of the help and advice available to parents. Be sure to take a look.

On Guard Online / NetSmartz


Don’t be Tempted by the Kama Sutra Backdoor Trojan

It’s difficult for some of us to resist clicking links or opening emails with provocative titles. That’s what hackers count on. Recently, one of many successful malware attacks was a file named Real kamasutra.pps.exe. Sophos reported that it really is a PowerPoint slideshow, but don’t get your hopes up. You’d have to infect your computer to see the images.

What I will do is warn everyone, once again, not to be fooled by the old double extension trick. Even though you may see .PPS (slideshow), the .EXE on the end of the file name makes it an executable file. When it was launched, the slideshow above actually did display some rather unique images; however, it also installed a backdoor trojan. The trojan, called Troj/Bckdr-RFM, allows hackers to silently gain access to your PC. Once inside, they can steal your data and your identity, and use your machine for any number of illegal activities.

Most of the time, you’ll see files with double extensions in email. One of the most famous email exploits was the I LOVE YOU.TXT.VBS file. The .VBS on the end made it a Visual Basic Script, which installed a virus on millions of PCs back in 2000.

These days, your biggest risks come from clicking shortened links in social networking sites like Twitter and Facebook. Thankfully, most of the short URL providers, like Goo.gl and Bit.ly, try to make sure that the links don’t end up at known bad websites.

If you’ve waited patiently hoping for a glimpse of the images in that Kama Sutra slideshow, visit the Sophos blog.
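A small attachment-name check for the double extension trick described above, added here as an example and not part of the original post or Sophos’ reporting. It flags names whose final extension is executable while an earlier extension looks like a document or image (the case for both Real kamasutra.pps.exe and I LOVE YOU.TXT.VBS); the extension lists and the padding case are my own assumptions.

```python
"""Flag attachment names that hide an executable behind a document-style extension."""
import os
from dataclasses import dataclass

# Extensions Windows runs as code when the file is opened (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
# Extensions a user reads as a harmless document, slideshow or picture (assumed list).
DECOY_EXTS = {"pps", "ppt", "pptx", "doc", "docx", "xls", "txt", "pdf", "jpg", "jpeg", "png", "gif"}


@dataclass
class Verdict:
    filename: str
    executable: bool   # the last extension would be executed
    disguised: bool    # executable hiding behind a decoy extension
    reason: str


def check_attachment_name(name: str) -> Verdict:
    """Classify one attachment name; comparison is case-insensitive like Windows."""
    base = os.path.basename(name.strip())
    # Strip whitespace inside each part too, so "report.pdf      .exe" is not missed.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] == "":
        return Verdict(base, False, False, "no extension")
    last = parts[-1]
    if last not in EXECUTABLE_EXTS:
        return Verdict(base, False, False, f".{last} is not an executable extension")
    # Any extension between the name and the real one that looks like a document.
    inner = [p for p in parts[1:-1] if p]
    decoys = [p for p in inner if p in DECOY_EXTS]
    if decoys:
        return Verdict(base, True, True, f"executable .{last} disguised as .{decoys[0]}")
    return Verdict(base, True, False, f"plain executable .{last}")


def flag_attachments(names: list[str]) -> list[Verdict]:
    """Return only the verdicts a mail filter should quarantine or warn about."""
    return [v for v in (check_attachment_name(n) for n in names) if v.disguised]


if __name__ == "__main__":
    # Constructed sample attachment names, including the two from the article.
    sample = ["Real kamasutra.pps.exe", "I LOVE YOU.TXT.VBS", "holiday.jpg", "setup.exe"]
    for verdict in flag_attachments(sample):
        print(verdict.filename, "->", verdict.reason)
```

Note that Windows hides the final extension of known file types by default, so Real kamasutra.pps.exe is displayed as Real kamasutra.pps unless that setting is turned off; a filter like this one sees the full name.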

WordPress Sites Being Hacked Over XSS Vulnerability

Earlier today the WordPress team released WordPress 3.0.4, which contained a critical fix for an XSS vulnerability. Sadly, the release made the problematic code public to everyone, and there are reports that WordPress sites that have not yet upgraded are being hacked.

A post on DreamHost, one of the largest web hosting companies, says that many sites that have not yet upgraded are being attacked through this XSS vulnerability. Many of their customers aren’t able to access their WordPress Admin dashboard.

Another important thing noted by the DreamHost team is that once your site has been hacked, upgrading to the latest version won’t help, since the inserted data sits in a file which is untouched by the upgrade. I am looking into what files are affected and will update this post as soon as I come across it.

That aside, this new problem has made me determined to release the WordPress Remote Upgrade and Manager within the next few days, so stay tuned for it.

Upgrading WordPress is easy and usually takes a few seconds. So drop everything else and upgrade your WordPress installation to 3.0.4 ASAP. 

(h/t @arpitnext)

WordPress 3.0.4 Released; Critical XSS Security Patch

It looks like the WordPress team have been fixing a lot of security issues in the past few weeks. The WordPress team has just released WordPress 3.0.4, which fixes a core security bug in their HTML sanitization library, called KSES.

The update on their blog says that this patch is critical and should be applied immediately. Your website may be open to XSS attacks if this patch is not applied immediately.

Earlier this month, the WordPress team had also released WordPress 3.0.2 and 3.0.3 which contained security fixes. If you were planning to put off your upgrade because of the holidays, please don’t do it since the bug is now in the open and can be exploited by the bad guys.

You will be able to upgrade WordPress from your dashboard.

Mozilla Slips Up, Publishes User IDs and Encrypted Passwords

Close on the heels of the Gawker Media security breach, Mozilla has disclosed that it had accidentally published a partial database of addons.mozilla.org user account information. As many as 44,000 user ids and password hashes were left publicly accessible.

The affected accounts were inactive ones, which were using md5-based password hashes. MD5 is a weak hash function, and unsalted MD5 password hashes are crackable. Security firm Sophos explained:

MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.

Active accounts on Mozilla’s add-on repository use salted SHA-512 password hashes, which offer stronger protection.

The good news is that almost no one noticed. According to Mozilla, the database was accessed by only one person outside of the company. That person is the security researcher who alerted Mozilla about the issue under the Web bounty program, which offers $500 to $3,000 in cash rewards for valid security-related bug reports. Nevertheless, Mozilla has deleted the passwords of all the affected accounts as a precautionary measure.
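To make the difference between the two hashing schemes in this post concrete, here is an added example (constructed for this page, not Mozilla’s code) that stores the same constructed set of passwords once as unsalted MD5 and once as per-user salted SHA-512, then shows what a leaked copy of each table reveals: with unsalted MD5, one precomputed table of common passwords matches every account that used one, and accounts sharing a password are visible from identical hashes alone; with a random salt per account, neither works. The "salthex$digest" storage layout and the sample accounts are my assumptions.

```python
"""Unsalted MD5 vs. per-account salted SHA-512 for stored passwords (constructed example)."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional


def md5_unsalted(password: str) -> str:
    """Legacy scheme from the leaked table: the same password always gives the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha512_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scheme: fresh 16-byte random salt per account, stored as 'salthex$digest'."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time comparison avoids a timing leak."""
    salt_hex, digest = stored.split("$", 1)
    recomputed = sha512_salted(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(recomputed, digest)


def precomputed_table_hits(stored: dict[str, str], table: dict[str, str]) -> dict[str, str]:
    """Match stored values against a table built once from a wordlist (hash -> word).
    This is the Sophos point: unsalted hashes can be looked up; salted values never match."""
    return {user: table[h] for user, h in stored.items() if h in table}


def shared_password_groups(stored: dict[str, str]) -> list[list[str]]:
    """Accounts whose stored values are identical, visible without any cracking at all."""
    groups: dict[str, list[str]] = defaultdict(list)
    for user, h in stored.items():
        groups[h].append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts; three of them reuse the same common password.
SAMPLE_USERS = {"alice": "password1", "bob": "letmein", "carol": "password1", "dave": "password1"}
COMMON_WORDS = ["123456", "password1", "qwerty"]


def demo() -> dict:
    md5_db = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted_db = {u: sha512_salted(p) for u, p in SAMPLE_USERS.items()}
    table = {md5_unsalted(w): w for w in COMMON_WORDS}   # computed once, reused for any leak
    return {
        "md5_hits": precomputed_table_hits(md5_db, table),        # alice, carol, dave exposed
        "salted_hits": precomputed_table_hits(salted_db, table),  # {} : salt defeats the table
        "md5_groups": shared_password_groups(md5_db),              # [['alice', 'carol', 'dave']]
        "salted_groups": shared_password_groups(salted_db),        # [] : same password, different hashes
        "login_ok": verify_salted("letmein", salted_db["bob"]),
        "login_bad": verify_salted("wrong", salted_db["bob"]),
    }
```

Salting stops shared precomputed tables and hides password reuse, but SHA-512 is still fast to compute, so a deliberately slow, salted algorithm such as PBKDF2, bcrypt or scrypt is the usual recommendation for new systems.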

Facebook Account Suspended Hoax Virus Exploiting Users With Surveys

A new worm is quickly spreading through the internet, and its main target is 500 million users. When infected, users who visit facebook.com in their browsers are shown a message: "Your account is suspended. To make your account active you need to complete one of these surveys". It’s a hoax and a malicious virus that is looking to make money out of Facebook users.

Facebook Account Suspended Hoax

If you have been shocked by a message saying that your account has been suspended when you visit Facebook and that you have to complete a survey to be eligible to use it again, you are not alone. According to Symantec, a new worm, W32.Yimfoca, is spreading through computers and targeting Facebook users.

If you have been infected by this worm, you will be shown a message as seen in the screenshot above. The bad part is that you will be locked out of the website as long as the W32.Yimfoca worm exists on your PC. This worm is also capable of locking you out of other websites too. So you might get this popup when you visit or in future too.

If you fail to complete the survey you will be presented with this message:

You do not have access to you account because you do not complete any survey. Please come back later and tray again

Thankfully the good news is that the exploit only works with Internet Explorer, so you can safely use other browsers to browse your favorite websites.

Removing this virus is simple: just use good antivirus and anti-spyware software on your computer and your PC should be safe. If you don’t know, there are quite a few free antivirus programs available out there. You might also want to read our guides about securing your PC and keeping your PC safe on the Internet.

Homeland Security is Now Working for the Recording Industry?

If you have been trying to smuggle bombs into the USA, you can feel a little less pressure now. It looks like the US Homeland Security services have gotten bored trying to find real terrorists and are now looking for websites hosting pirated music and videos.

According to FoxNews and TorrentFreak, Homeland Security has taken down over 80 domains on the internet. The sites were taken down because of copyright violations of various types. According to the articles, no legal take-down notices were issued. Basically, the domain name is stolen from the owner, with no warrants or legal action needed by the US Government.

TorrentFreak mentions that the Motion Picture Association of America (MPAA) and Recording Industry Association of America (RIAA) have recently spent more than $1.8 million lobbying the US House and Senate. They want to make it even easier to take down offending websites in the future, by way of a pending bill called the Combating Online Infringement and Counterfeits Act (COICA).

It looks like the combination of the recent WikiLeaks controversy and the money from MPAA/RIAA are paying off. The US security agencies are becoming more like their counterpart agencies in China. If they don’t like a website, a simple phone call will take it down.

I don’t know about you, but I will feel much better as I walk bare-foot through the airport to get a personal pat down by the TSA. I’ll be perfectly safe from people carrying pirated MP3 files on their iPods.

It’s so reassuring to know that my tax dollars support Homeland Security’s new job; keeping the internet safe from terrorist file hosts.