Germany is Using Trojan Spyware on its Citizens?

Today, I received a letter from Emsisoft that explained how a well-known group of hackers in Germany discovered and tested a trojan program that’s used by the German Federal government to spy on its citizens. These white hat hackers, known as the Computer Chaos Club, determined that the “R2D2” or “State Trojan” is not only able to spy on an infected target computer, it’s also able to download more software and remotely control the target computer. So far, it’s designed to work only on Windows-based PCs.

Back in 2008, Computerworld reported that WikiLeaks documents provided information that Germany had hired a company named “Digitask” to create a trojan spy program for them. A few days ago, ZDnet was confirming that a few of the German State agencies have admitted to using this trojan in their investigations. Naturally, these were “legal” uses of the trojan, and required a judge’s signature.

The Electronic Frontier Foundation was curious to see if the U.S. Government had similar trojans, and in 2008, they submitted a FOIA request. Unlike many other attempts to get information released, the EFF received documents that revealed how the FBI was investigating ways to intercept Skype conversations. I think we can assume that since then, the U.S. has done more than just “investigate” how to spy on Skype.

What does all of this mean to the average Windows user? It means that you not only have to worry about threats from the usual hackers after your money, you also have to worry about “Big Brother” trojans from your own government. Fortunately, companies like Emsisoft, F-Secure and Sophos have assured us that they intend to search for and eliminate government trojans as well as the typical spyware we’re used to seeing.

For those of you who are using Macintosh or Linux instead of Windows, feel free to stick out your tongue and say “na na na na na na“. You don’t have to worry about these trojans … for now.

Google Launches Online Safety and Security Campaign “Good to Know”

In an attempt to help people stay safe on the Internet and manage how they share information online, the Citizen’s Advice Bureau (CAB) has teamed up with Google to promote online safety in the UK and the rest of the world.

The campaign, which will include adverts in newspapers, on public transport and online, is meant to create awareness about online safety and teach users to take suitable steps to ensure that they’re more secure when surfing the web (and during other online activities). It also provides an overview of some of the security tools that Google offers.

The site “Good to Know” has 4 main categories, namely –

  • Stay safe online –
    This section provides you with helpful tips and advice for staying more secure on the web. Some of the topics explained here are choosing strong passwords, phishing and malware attacks, identifying secure sites (https), safe networks, mobile security, family safety, shopping safety, and so on.
  • Your data on the web –
    This particular section explains how you can keep your data safe from hackers and phishers.
  • Your data on Google –
    Here Google explains its five privacy principles, which describe how it approaches privacy and user information across all of its products.
  • Manage your data
    Lastly, Google elaborates on some of the ways of managing what you share online, with Google and with others. This section enlightens you about Google Talk, Incognito mode in Chrome, Google+ and +1 button, Google Docs, and so on.

The campaign also provides you with the following tips –

  • Use two-step verification for accounts, which will add an extra layer of security to your account.
  • Pick strong passwords, which are not-so-easy to crack.
  • Always look for “https” websites.

Campaigns like this are a good way to learn, since they put complicated stuff (safety advice) into simpler and easily understandable terms. This is Google’s first advertising campaign for something other than its products, such as Google Chrome and the Android mobile operating system.

Anthony House, Google Communications and Policy Manager said: “Everyone wants to stay safe online, but many people aren’t confident that they know how to. We’re launching the Good to Know campaign and website to provide easy steps everyone can take.”

Gillian Guy, chief executive of the Citizens Advice Bureau added: “We are delighted to be working in partnership with Google. Citizens Advice is all about straightforward, simple advice on the issues that matter, so helping people take control of their safety and privacy online is right up our street.”

The Layman’s Guide to Computer Security

With a world full of malware, identity thieves and hackers, securing your computer properly is of utmost importance. But unfortunately, most of us do not think further than installing security software. Mostly it is only after you get infected or hacked that you realize you have done too little. But it would be too late by then.

The truth is, by following some very simple practices, you can easily minimize the chances of being infected. Here’s a rundown of some basic tips to secure your computer.

Install reputed Anti-virus software

You should make it a habit of installing an anti-virus (AV) software right after you install your OS. There is free antivirus as well as paid security software. If you are ready to shell out a few bucks, you can go for paid solutions. But the free ones work just fine. When you buy/download security software, make sure that it is a reputed one. A simple Google search can give you an idea whether the software is good or not. There are lots of Fake AVs doing the rounds and you don’t want to end up getting one of those. So this is an important step before getting a security suite.

Some examples of paid security software are Norton, NOD32, and Vipre etc. Free ones include AVG, Avast and Microsoft Security Essentials.

As I mentioned before, just having the anti-virus installed is not enough. You have to use it wisely. And by using it wisely, I mean turning on the real-time protection, updating the AV and scanning your PC at regular intervals. The real-time protection mechanism monitors your PC all the time and will warn you if there is any suspicious activity. Almost all major AV software has this feature.

Malware of different types are being released to the internet every minute and running an out-dated anti-virus makes your PC more susceptible to those malware. A common trend nowadays is that people tend to use trial versions of paid security suites that come pre-installed even after the trial has expired. Do not do that. As the trial is expired, you won’t be getting updates and your AV will be of no use unless you have the latest updates. So pay to get the full version of that software or else choose a free one to get those valuable definition updates. Remember! Updates are the spirit of your AV.

Do a system scan once in a while. A full scan every week would suffice. Most modern AVs allow you to schedule regular scans and automatic updates so that they require minimum intervention from the end user.

Update the OS and all other installed software

While trying to break into a PC, it’s not just the vulnerabilities in Windows that the hackers take advantage of. Vulnerabilities in third party software are also an important issue. So make sure that all of the programs that you have installed are fully updated and not just your OS or security software.

Use a strong and unpredictable password

Your password is the key to your data and it is extremely important that you use a strong password. Here are some tips on creating a strong password.

  • Your password should have more than 8 characters.
  • Use a password that is not easily predictable. People tend to use passwords that are related to them such as their own names, dates of birth, favorite quotes etc. A hacker who stalks their victim’s social networking accounts such as Facebook can find this kind of information very easily. So it is very important that you use an unrelated word, preferably a non-dictionary word, as your password.
  • Try to include upper case letters, lower case letters, numbers and special characters to strengthen your password.
  • Do not use a single password for all your accounts. If you use a single password and your account gets hacked, your other accounts are also compromised.

Practice safe browsing habits

Bad browsing habits are one of the major sources of malware infection. Always be wary of things that you download from the internet. Even if you download something from a trusted source, scan it before opening or executing the file. Do not download pirated software or media as there’s a big probability that they might be infected with malware.

Use your browser’s security features such as the smart screen and phishing filter while browsing. All of the major browsers such as IE, Firefox and Chrome come with these features.

While using social networks, be careful about whom you befriend and how much data you share with them. For more on Facebook security, check out this guide.

Backup your data

Even if you are following the above practices, it is better to have a backup plan. The best method is to back up your data to an external hard drive. There is lots of software that will do this for you. Using Windows’ built-in tools, you can either do a full PC backup or choose which data you want to back up. These settings can be found in the Backup and Restore Center in Windows 7 and Vista (just type backup in the start menu and press enter to open the Backup and Restore Center). You can also use paid software like Acronis True Image or Norton Ghost if you need more features.

Whether you use a paid solution or the native Windows tool, make it a habit to back up important documents and media so that even if your system gets infected or corrupted, you don’t lose your important data.

You can also use websites to backup your data to the cloud. We have covered several services which allow users to backup files for free online, you will find most of them in our Online Storage section.

With the help of security software and by using our very precious common sense, we can reduce the chance of getting infected to a great extent.

So stay safe and happy browsing!

Hackers Get Paid $40k from Facebook for Reporting Security Loopholes

Just three weeks after the launch of the Bug Bounty Program, social networking giant Facebook announced that it has paid out US$40,000 in rewards so far to expert hackers who have successfully identified and reported security loopholes on the site.

Facebook introduced the Bug Bounty Program to encourage security researchers to report loopholes and glitches on the social networking site, and as a token of appreciation, Facebook offered them a monetary bounty of $500.

In a blog post, the Chief Security Officer of Facebook, Joe Sullivan, stated that, “During the past three weeks, Facebook has paid more than $40,000 to security experts around the world, with one individual receiving over $7,000 for identifying 6 different issues, while another person earned $5,000”.

He also clarified that the $500 bounty is a minimum payout, thus attracting more security researchers to participate in the program and earn big bucks. However, it is also clear that the bounty program is only applicable to the Facebook website and has nothing to do with Facebook applications.

In addition to that, only the researcher who reports a bug first is rewarded. For instance, if two researchers find the same bug individually, the first one who reports it will be eligible to claim the reward.

If you are a security researcher, then you might be interested in taking part in the Bug Bounty Program. Here are some eligibility criteria that every researcher must meet –

  • You must be the first person to responsibly disclose the bug.
  • Give Facebook a reasonable time to respond to your report before making any information public.
  • You must live in a country not under any current U.S. Sanctions.
  • You agree to report issues that may compromise a user’s information including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code injection.
  • Only one payment per bug will be awarded.
  • Bugs in third-party applications, third-party websites that integrate with Facebook, Denial of Service Vulnerabilities or Spam or Social Engineering techniques will not be eligible.

To know more about this, click here.

While Facebook is being extremely loyal and generous to security researchers by paying them what they deserve, other companies like Google and Mozilla offer similar programs. Earlier in August 2010, it was reported that Google gave away a total estimate of $10k of rewards. Mozilla also has a bug bounty program which pays $3,000 in hard cash plus a free Mozilla T-shirt for finding bugs!

On a similar note, in 2007 the Business Software Alliance announced that tipsters who report their company’s illegal use of unlicensed software could earn payouts of up to $1 million.

Watch out for Hurricane Irene Scams and Phishing Attacks on Facebook and Twitter

Any major event that occurs will certainly draw people’s attention on the Internet. We saw huge chaos when the news of Osama Bin Laden’s death came in. When such events occur, scammers take advantage of users’ curiosity and create scam messages (including phishing attacks), and post them across social networking sites like Facebook and Twitter, or send phishing emails.

When the news of Osama Bin Laden’s death came in, people were curious to know if there were any leaked images or videos posted on the Internet. Scammers took advantage of this curiosity and created scam messages like “Osama Bin Laden’s Leaked Death Video” and “Pics of Osama Bin Laden Are Finally Released”, and posted them on Facebook and Twitter. These scams spread through the Internet within minutes, targeting user accounts by stealing their login credentials.

As Hurricane Irene barrels up the East Coast, users on the Internet should look out for scam messages and phishing attacks related to the storm news. It is likely that scammers will create phishing attacks and other malicious content, and publish them across the Internet.

Facebook Scams

Newsworthy events, like Hurricane Irene in this case, usually trigger malicious links and phishing attacks that spread across Facebook. Users on Facebook should be wary of links promising to show them leaked videos, pictures and other information related to Hurricane Irene.

Facebook users are tricked very easily. When users click on scam links, they will be taken to bogus websites where they will be asked to complete online surveys or download malicious programs, such as a codec to watch a video. These malware programs are designed to gather user information including email ids, user names, passwords and credit card details. Sometimes these malicious programs are downloaded automatically, and users are infected without knowing it.

I suggest that all users on Facebook be cautious and do not blindly click on links that promise to show you videos or pictures, including those which are posted by your friends. This applies to users on Twitter as well. Watch out for re-tweets and DMs with links that lead to fake (clone) login pages where you will be asked to re-enter your username and password, causing a potential threat to your account.

Here’s an article that will help you Prevent Your Facebook Account from Getting Hacked. We constantly report scams and hoax messages that are spreading on Facebook. You can always stay updated by bookmarking this link –

Charity Scams

Watch where you donate! Thousands of fake charity websites are created that attempt to collect donations to help hurricane victims. Do some research before making any donations and make sure that you’re donating to the right charity.

If you’re making any donations, then make sure that you avoid third party sites and organizations, and head straight to the main website of the charity that you want to reach out to.

The FBI has issued warnings about Hurricane Irene charity scams, and has offered some excellent tips to protect you against charity scammers:

  • Do not respond to unsolicited (SPAM) e-mail.
  • Be skeptical of individuals representing themselves as officials soliciting via e-mail for donations.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders.
  • To ensure contributions are received and used for intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf.
  • Validate the legitimacy of the organization by directly accessing the recognized charity or aid organization’s website rather than following an alleged link to the site.
  • Attempt to verify the legitimacy of the non-profit status of the organization by using various Internet-based resources, which also may assist in confirming the actual existence of the organization.
  • Do not provide personal or financial information to anyone who solicits contributions: providing such information may compromise your identity and make you vulnerable to identity theft.

If you believe you have been a victim of a charity related scheme, contact the National Center for Disaster Fraud by

You can also report suspicious e-mail solicitations or fraudulent websites to the Internet Crime Complaint Center at

How to Prevent Your Facebook Account from Getting Hacked

While scams and phishing attacks are issues of serious concern, it’s not an easy task for many users on Facebook to identify and avoid them. Hackers try to hack user accounts by sending them phishing mails, and eventually steal personal information and other credentials like credit card details and bank details.

There are several ways in which hackers carry out the hacking process. Hackers go through users’ accounts and gather publicly available information, and send phishing emails to obtain secured information like credit card numbers and bank details. Sometimes, they create malware programs that are automatically downloaded on your computer, which help them gain access to credentials like email ids, passwords and so on.

However, hacking isn’t as easy as pie. It goes without saying that hacking requires a considerable amount of knowledge. Here are four common methods that hackers use to target and hack the accounts of Facebook users –

  • Phishing Attacks
  • Key logging Programs
  • Password reset via Mobile
  • Revealing saved Facebook passwords on web-browsers

Phishing Attacks

Difficulty Level: Moderate

The term phishing means the fraudulent attempt to steal a person’s confidential information like username, password, bank account numbers, credit card number, and so on. It is one of the most commonly used and easiest methods to gain access to a user’s account.

When you go fishing, you obviously need to have some bait. Similarly, phishers send spoof emails pretending to be from the Facebook team. Typically the email will direct you to click on a URL, which will lead you to a fake webpage, and you will be asked to provide your private information.

The most common and popular phishing attack involves creating a fake login page. Fake login pages appear exactly like the original Facebook login page. When a user attempts to login on this page, the entered username and password will be sent to the hacker, who will then have control over your account.

Here’s an attempt by a hacker that sent a fake security message –

Facebook Security Phishing Attack

From the above screenshot you can notice that the link provided to verify your account is a fake. It has the link – which redirects again to Facebook does not create any short URLs when it comes to security related issues. Clicking on the link will take you to a page where you will have to go through the verification process.

Please Read Facebook Security Network – Phishing Attack for complete details.

The Impact of Facebook Scams and How Scammers Make Money

In the past, we reported a number of Facebook scams that were spreading like wildfire. Scam messages including Girl Killed Herself After Dad Posted On Wall Scam, Marika Fruscio Spam, OMG Can’t Believe Justin Beiber Did This To A Girl Spam, which were reported earlier are still spreading on Facebook. As Facebook scams continue to boom and spam news feeds, Websense, a web security firm conducted an interesting study that explains how scam messages spread and how they work.

Websense conducted their study by choosing two scams which are still very much actively spreading. The study showed that nearly 1800 Facebook users clicked and interacted with the scam every few seconds. Assuming that every user spent at least 1 minute on the scam website completing surveys, then there will be 2,592,000 hits (visitor count) per day! That’s a bomb!

Calculation: (24 hours X 60 minutes) X 1,800 users = 2,592,000 hits per day

Users are tempted to click on such scam messages that increase their curiosity. And that’s why scammers create scams with enticing titles and descriptions along with images (thumbnails) of half-naked girls.

How do scams spread?

There are two ways scam messages spread. One, when users click on a scam message, they will be taken to a fake page where they will be asked to verify their age by clicking on the “Jaa” button twice. The “Jaa” button is coded with functions that will post the message on their Facebook wall automatically.

Second, when a user clicks on a scam message, the user will be taken to a webpage that contains an image which appears like a normal YouTube player (or any other video player). These sites will not have any age verification procedure. However, in this case the play button is coded, so when the user clicks on the play button, it will automatically “like” and share the scam message on their Facebook wall.

Here is the code that is used to automatically share the message in the background –

Facebook Scam Share Code

The scam then spreads across the news feed when users’ friends start clicking on the message.

Official Guide To Facebook Security – Protecting Your Facebook Accounts from Scammers

It looks like the Facebook Security team has started to take scam messages and phishing attacks seriously. They have come up with a 14-page document called Guide To Facebook Security, which will help its users understand the social network’s security features and possible ways to protect their account from threats like malware and phishing attacks. It also includes tips on how users can avoid click-jacking and like-jacking scam messages and scam apps.

The 14-page guide was authored by three key persons: the former Senior Director of Internet Safety at Symantec Linda McCarthy, Purdue University security researcher Keith Watson, and teacher/editor Denise Weldon-Siviy.

The authors state – “This guide is all about empowering you to Own Your Space — to understand what Facebook is doing to make the site safe and secure and to take the actions that are needed in this new digital world to protect yourself and your account,”

Here are the top tips for Staying Secure on Facebook provided by the Facebook Security team –

  • Only Friend people you know.
  • Create a good password and use it only for Facebook. Don’t share it with anyone and change it on a regular basis.
  • Share your personal information only with people and companies that need it.
  • Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type into your browser address bar.
  • Log out of Facebook after using someone else’s computer.
  • Use secure browsing whenever possible.
  • Only download Apps from sites you trust.
  • Don’t paste script (code) in your browser address bar.
  • Use browser add-ons like Web of Trust and Firefox’s NoScript to keep your account from being hijacked.
  • Beware of goofy posts from anyone—even Friends. If it looks like something your Friend wouldn’t post, don’t click on it.
  • Scammers might hack your Friends’ accounts and send links from their accounts. Beware of enticing links coming from your Friends.

The document is under a Creative Commons license, and is available for free! You can download your copy from the Facebook Security Page.

Additionally, the document explains how to avoid scammers and configure advanced security features like HTTPS encryption, one-time passwords and log-in notifications, and how to recover a hacked account. It is a must-read for every user on Facebook, especially the ones who are always tricked by scammers.

However, I wonder if this would stop users from clicking/spreading scam messages. I personally feel that Facebook needs to come up with a strong way in which they themselves can prevent scams from spreading, rather than educating users with tips and relying on them to put an end to scam messages.

We have compiled a list of Most Actively Spreading Scams on Facebook that you might want to have a look at. In addition to that, don’t forget to check out our article about Avoiding Facebook Likejacking and Clickjacking scams. Here’s an article on how you can Identify and Avoid Facebook scams.

Huge Security Hole Discovered in BSNL Internal Application Dotsoft

BSNL is India’s largest telecom provider, a game changer in the telecom industry in India and probably the only organization that drives competition in this sector by going out of its way. The success of BSNL in India can be attributed to a number of factors, the primary one being its ties with the Government. The Government of India owns BSNL, and BSNL is also a strategic partner for the Government of India. This makes BSNL a powerful organization when it comes to the telecom industry and as the good old saying goes, “with great power comes great responsibility”.

BSNL has been hacked numerous times in the past. Last year in August, Pakistani hackers pwned BSNL India’s Punjab website and managed to get hold of user data. There was a déjà vu in July (last month) when the Pakistani Cyber Army hacked a BSNL website (again!). Now, we are seeing another security hole in a BSNL website, which can compromise numerous employee accounts inside the organization.


The Dotsoft application used by BSNL for its internal operations is a flawed one when it comes to security. As you can see, the application allows public access, for anyone to modify any internal user account at BSNL. The Dotsoft project page (probably) at BSNL explains it as,

Dotsoft  is in-house developed software, integrating the Commercial Activities, Telecom Billing & Accounting,  FRS and Directory Enquiry. It has been implemented  in  171  SSAs (Districts) across the country.
All the SSAs of Andhra Pradesh,  Tamil Nadu, Karnataka, Assam, Punjab, Chhattisgarh and  Gujarat Telecom Circles  have implemented it. Rest of SSAs is from states of  Maharashtra, Madhya Pradesh, Uttar Pradesh, Rajasthan,  J&K and Haryana. Many Telecom Circles like Bihar Telecom Circle,  Orissa Telecom Circle and Uttaranchal  Telecom Circle  are in various stages of finalizing the plans for implementation of Dotsoft in their SSAs.

Clearly, this application holds extreme value inside the organization as it forms a critical part of their business. A severe security vulnerability like this should be fixed immediately. Any plans to extend this application across more states without fixing this vulnerability might put BSNL in jeopardy.

Anonymous Decides to Take Down Facebook on November 5, but Not Everybody is Joining In

Facebook is notorious for its confusing privacy settings and for the way it handles personal data of its users. It changes privacy settings too often and the matters with Facebook privacy are so volatile, they are nothing less than annoying.

In response to Facebook’s outlook towards its users, a few members from the hacker collective Anonymous have decided to take down Facebook on November 5 as declared in OP_Facebook. This is their Vendetta-style justice for all of Facebook’s wrongdoings. You can see the YouTube video with a message announcing Operation Facebook.


The video claims that Facebook sells our personal information to government agencies and information security firms. It also names two governments in the message, one being Syria. This did not surprise me, as the website of the Syrian defense ministry was defaced a few days ago, and its contents replaced with a message from Anonymous.

Now, some things are clear from this YouTube video. The video is of lower quality than what we are used to seeing from Anonymous. This means that either it is a prank, or it is from a much smaller sub-section of Anonymous, which will not draw support from the rest of them.

The YouTube account holding the video was created on July 16, as was the Twitter account for OP_Facebook. Moreover, the attack date of 5 November 2011 is nearly three months from now. Anonymous would never give a three-month notice. The Anonymous I knew would never lose its flair doing this!

The YouTube video does not sound like it really came from Anonymous, which talks in a very different tone than this one. This seems to be a big hoax and there is a good chance that Facebook might not face demise on November 5. For a service as widely distributed as Facebook, it would require all the Anonymous members to launch an attack, and this OP_Facebook is a fail even before it starts. Perhaps the AnonOps Twitter Account spoke for the better half of Anonymous (not participating) when they said,

We prefer to face the real power and not to face to the same medias that we use as tools.  #OpFacebook  #Anonymous

The message posted in this YouTube video reflects the views of only a few Anonymous members, and the larger Anonymous does not seem to support the cause fully. If anything is interesting in this entire fiasco, it is Guy Fawkes Night.

Update: Gawker claims this video to be one of the remnants of the real OP Facebook, which was launched earlier this year, and abandoned later in July.