I'm going to start by referring you back to the opening line of my blog Macs can be infected AND be carriers of malware where I said, "Yes, Macs CAN be infected. Period." That was Mar. 21, 2012 (16 days ago). Today, even the staunchest of "Macs can't get viruses." believers find themselves staring into the eyes of a colossal 620,000+ gorilla of an "I told you so."
Here's the executive summary:
A Trojan is a computer infection that enters your computer by pretending to be something else. In this case, Flashback pretends to be an update for the Adobe Flash Player. Reports started 4 days ago and were confirmed today - Fri., Apr. 6, 2012 - by Kaspersky Labs. The full report is here: http://goo.gl/6zLzv.
Using some complex reverse engineering techniques, the smarties at Kaspersky Labs watched as 620,000+ unique computers logged into the pretend Flashback mother-server they created. They know the count is close to accurate because Flashback uses each computer's unique ID in the process. In a nutshell, the breakdown appears to be:
So, let's cut to the chase... what to do? Here we go... step-by-step:
Step #1: Run Apple Software Update.
Step #2: Disable Java in Safari and/or Firefox.
Step #3: Determine whether your Mac is infected.
Step #4: What to do if your Mac is NOT infected.
Step #5: What to do if your Mac IS infected.
Until next time!
Okay, I know I've already blogged about email phishing scams, but this one was close to home, so I thought I’d share. I received an email this morning, supposedly from ScotiaBank… NOT. Let’s review…
- banks NEVER send requests for confidential information by email; and
- banks aren’t going to make spelling and grammar mistakes on professional communications to clients.
So, here’s what the email looked like, marked up with the appropriate comments:
And how did this phishing scam of an email find yours truly? It took 6 jumps:
- it originated in Germany
- made a short visit to France
- then to another server in France
- it hopped across the Atlantic landing in Boston, Massachusetts
- it scooted up to Burlington, Massachusetts
- zipped from the east coast over to the west landing in one of Apple's servers in Cupertino, California
- and finally was delivered to my Apple iCloud account from which my mail program pulled it down.
Its trip took only a couple of minutes start to finish.
I'm going to split into two directions now: for those that don't want to know how I traced this back, stop here and take with you five things:
- if you receive an email from someone you don't recognize, DON'T OPEN IT, instead delete it
- if you open an email and it's asking you to click a link... READ the email... did you order the product or service it's about? If not, delete it
- if an email is asking you to click a link... hover over - DON'T CLICK - the link and check the URL in the yellow tool tip against what is displayed - if they aren't the same or at least look like they're going to take you to the intended website... you guessed it, delete it
- governments, banks, cell phone companies, and pretty much EVERYONE doesn't use email to verify personal/private/confidential information because email is largely UNENCRYPTED and NOT SECURE - if you get an email asking ANYTHING to do with personal/private/confidential information, delete it
- if you want to report the phishing attempt to the organization the attacker's email is pretending to be from, check the organization's website or call them since most have an abuse@ or phishing@ email address that you can forward the email to and they'll attempt to track the source and take appropriate action
How did I trace the source of this email phishing scam?
If you've hung on to this point, then you want to know how I traced this email to its origin, so here we go. Every email has a header... the part at the top that contains the "From", "To", "Subject", "Date", information. What you don't realize is that there's WAY more in the header than just what we normally see.
Our email programs are set to display the "friendly" headers we are used to seeing. In fact, the header of each email contains its routing information that accumulates as the email travels from its origin to its destination. Spammers and scammers rely on the fact that most people don't know about the routing info in the headers, how to access it and how to use that information to trace the origin of their phishing emails.
Let's pick apart the detailed header of this email so you can see how I traced the path of this Geschenk (gift):
The only extra step was in #4... 10.20.15.2 and 10.20.13.1 are internal network IP addresses, so I had to look up the external IP address of the eigbox.net domain. This is where the link from my info@ address to my @me.com address took place.
To look up the IP addresses I used WhatIsMyIPAddress.com and for looking up the hostname to get the IP address in step #4, I used the hostname to IP address lookup page from the same website. This website also has a page that will attempt to trace the source of an email automatically by allowing you to paste the full header of the offending email into their webpage - what I did the long way - but in my case it wasn't able to figure out the route. You may want to try this before you roll up your sleeves and do it my way.
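The same tracing, as an added example that is not from the original post: the Received: headers of a constructed sample message are read bottom-to-top (each server prepends its own line), the sender's bracketed IP is pulled out of each hop, and RFC 1918 addresses are flagged as internal so you know which hops need the external lookup described above. The hostnames, public IPs and timestamps are made up; only the two internal addresses and the eigbox.net relay come from the post.

```python
import email
import ipaddress
import re

# Constructed sample message (not a real capture). The two internal addresses and
# the eigbox.net relay are the ones the post mentions; everything else is made up.
RAW_MESSAGE = """\
Received: from mx.example-cloud.invalid ([203.0.113.10])
\tby imap.example-cloud.invalid; Fri, 6 Apr 2012 09:02:10 -0700
Received: from relay.eigbox.net (relay.eigbox.net [10.20.13.1])
\tby mx.example-cloud.invalid; Fri, 6 Apr 2012 09:02:05 -0700
Received: from bosmail.example-host.invalid ([10.20.15.2])
\tby relay.eigbox.net; Fri, 6 Apr 2012 12:01:58 -0400
Received: from smtp.example-fr.invalid (smtp.example-fr.invalid [198.51.100.7])
\tby bosmail.example-host.invalid; Fri, 6 Apr 2012 18:01:50 +0200
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby smtp.example-fr.invalid; Fri, 6 Apr 2012 18:01:40 +0200
From: "Account Security" <alerts@bank.example.invalid>
To: info@example.invalid
Subject: Please verify your account

Dear customer, confirm your details at the link below...
"""

# RFC 1918 ranges: an address in one of these never identifies a public sender,
# so that hop needs the external lookup the post describes.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>[^\s;]+)")
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Pull the 'from' host, its bracketed IP and the 'by' host out of one Received: header."""
    value = " ".join(value.split())  # unfold the continuation lines
    m = HOP_RE.search(value)
    if not m:
        return None  # e.g. a local 'Received: by ...' line with no 'from' part
    ip_m = IP_RE.search(value[: m.start("by")])  # the IP belongs to the 'from' side
    ip = ip_m.group("ip") if ip_m else None
    internal = ip is not None and any(ipaddress.ip_address(ip) in n for n in INTERNAL_NETS)
    return {"from": m.group("from"), "ip": ip, "by": m.group("by"), "internal": internal}


def trace_hops(raw_message):
    """Return the hops in the order the mail travelled (servers prepend, so reverse)."""
    msg = email.message_from_string(raw_message)
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    return [h for h in hops if h]


def origin(hops):
    """First public sender address on the path; None if every hop is internal."""
    for h in hops:
        if h["ip"] and not h["internal"]:
            return h["ip"]
    return None


if __name__ == "__main__":
    path = trace_hops(RAW_MESSAGE)
    for i, h in enumerate(path, 1):
        tag = " (internal, look up the domain instead)" if h["internal"] else ""
        print(f"#{i}: {h['from']} [{h['ip']}] -> {h['by']}{tag}")
    print("origin:", origin(path))
```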
How do you display the full header information on your email program?
To set your own email program to display the full email headers, follow the instructions for your program by checking your help file. Here are the instructions for some of the more popular email programs borrowed from the Google Email Support Page:
- Log in to your Gmail account.
- Open the message you'd like to view headers for.
- Click the down arrow next to Reply, at the top of the message pane.
- Select Show Original.
The full headers will appear in a new window.
Until next time!
When you post to Twitter you only have 140 characters per Tweet… so EVERY character counts. What chews up your Tweet allotment the fastest? URLs or Uniform Resource Locators which is a synonym for “web addresses”.
So, what’s a Tweetaholic to do? Cue the fanfare… doo-doo-doo-dooooo! URL shorteners to the rescue! These services take your holy-crap-that’s-never-going-to-fit web addresses and squish them down to approximately 18-23 characters… a lifesaver of precious Tweet space! Now this isn’t just good for Twitter… if you look around you’ll find shortened URLs all over the place. They stand out because they start with the name of the shortening service followed by what looks like gobbledegook.
For example, both of these will take you to my blog about avoiding bogus emails (a.k.a. phishing scams):
the actual URL comes in at a lengthy 61 characters: http://www.digitalhero.ca/hero-blog/avoid-phishing-scams.html or… shortened to a Twitter-friendly 19 characters: http://goo.gl/RsbQA
How do URL shorteners work? Each service takes the holy-crap-that’s-never-going-to-fit URL you throw at it, then creates an entry in its database for the actual URL while generating a unique, short version of it. When someone clicks that shortened URL, it goes to the URL shortener’s website, the shortened URL is looked up, its actual holy-crap-that’s-never-going-to-fit version is located and sent to your browser along with a redirect command routing you to that web page.
Here are some of the top shortener services listed in no particular order, but oddly enough… shortest to longest URL:
- http://goo.gl/ (Google)
- https://bitly.com/ (Bitly)
- http://tinyurl.com/ (TinyURL)
- http://is.gd/index.php (is.gd)
- http://ow.ly/url/shorten-url (Ow.ly)
Each of these allows you to use their service as a "guest", but if you opt to create an account, you are able to see how many times your shortened URL has been followed.
One final note: beware of “Twishing Attacks”… yes, if you read my blog about bogus emails (phishing scams), then you’ll recognize the term “Twishing”… from Twitter and phishing. Although not as prevalent now in its original form: back in 2009, Twishing attacks tried to lure Twitter users to bogus Twitter look-alike websites with the intent of stealing their username and password.
Many social media lovers use the same/similar username and password for their various accounts so once they were tricked into entering them on the bogus site, the attacker could use them to get control of any social media accounts they were used with.
Combat Twishing attacks by:
- keeping your anti-virus/anti-malware software up to date
- reading tweets, emails and any communication carefully BEFORE clicking on links they contain
- using the techniques from my blog about bogus emails (phishing scams) to help spot fake web links, if they haven't been shortened... what works in attackers' favour is that you can’t tell whether shortened URLs are legitimate by looking at them and comparing them against the link displayed in the tool tip when you hover over them… so make sure you trust the source of the message that contains them
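An added example, not from the original post or from any shortening service, covering both the lookup-and-redirect mechanism explained above and the point that a shortened link hides its destination: a toy in-memory shortener (assumed base `http://short.invalid/`, base-62 codes from the row id, a follow counter like the account stats the post mentions) beside a defender-side check that reads the redirect's Location header from the service's reply without visiting the target, and compares its hostname against the site you expected.

```python
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits  # base-62 short codes


def encode_id(n):
    """Turn a database row id into a short code (the 'gobbledegook' part)."""
    if n == 0:
        return ALPHABET[0]
    digits = []
    while n:
        n, r = divmod(n, len(ALPHABET))
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))


def decode_id(code):
    """Inverse of encode_id; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in code:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n


class Shortener:
    """In-memory stand-in for a shortener's database table (assumed base URL)."""

    def __init__(self, base="http://short.invalid/"):
        self.base = base
        self.rows = []     # row id -> long URL
        self.clicks = {}   # short code -> how many times it was followed

    def shorten(self, long_url):
        self.rows.append(long_url)
        code = encode_id(len(self.rows) - 1)
        self.clicks[code] = 0
        return self.base + code

    def serve(self, request_line):
        """Answer 'GET /<code> HTTP/1.1' with the redirect the browser would follow."""
        code = request_line.split()[1].lstrip("/")
        try:
            if not code:
                raise ValueError("no code")
            target = self.rows[decode_id(code)]
        except (ValueError, IndexError):
            return "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
        self.clicks[code] += 1
        return ("HTTP/1.1 301 Moved Permanently\r\n"
                f"Location: {target}\r\nContent-Length: 0\r\n\r\n")


def redirect_target(response):
    """Read where a redirect points WITHOUT following it (what a HEAD request shows)."""
    head, _, _ = response.partition("\r\n\r\n")
    status_line, *headers = head.split("\r\n")
    if int(status_line.split()[1]) not in (301, 302, 303, 307, 308):
        return None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def destination_matches(response, expected_host):
    """True only if the hidden destination's hostname is exactly the site you expected."""
    target = redirect_target(response)
    return target is not None and urlsplit(target).hostname == expected_host


if __name__ == "__main__":
    svc = Shortener()
    short = svc.shorten("http://www.digitalhero.ca/hero-blog/avoid-phishing-scams.html")
    reply = svc.serve(f"GET /{short.rsplit('/', 1)[1]} HTTP/1.1")
    print(short, "->", redirect_target(reply), destination_matches(reply, "www.digitalhero.ca"))
```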
Until next time!
Yes, Macs CAN be infected. Period.
Granted that because of the way their operating system is built (largely thanks to the UNIX core it draws from) it is more difficult to infect them, but nonetheless they can be infected. More importantly, your Mac can be a carrier for malware, spreading that malware to others you email, etc.
One reader of my blog sent me an email they received, apparently from PayPal, telling them that a payment had been deposited into their account. Fortunately, after reading my earlier blog item about avoiding bogus emails and phishing scams, they were able to recognize the warning signs. First, they didn't recognize the person who had supposedly paid them. Second, they hovered over the links and none of them matched their displayed counterparts.
They wanted me to check out this phishing scam and forwarded me the offending email. When I received it, my anti-virus immediately kicked in and grabbed the attachment. Here's the payload that was trying to launch before I even opened the email:
Notice the "370163.emlx" piece... that was the attachment this email contained. As soon as the attachment was touched by my Mac's operating system, to write it to the hard drive, Kaspersky... my anti-virus-of-choice grabbed it allowing me the privilege of hitting the "Delete" button and bringing this potential nasty to a swift end. By the way... you can set your anti-virus to automatically deal with malware when it's detected. Don't think you need to be bothered every time one is found... I like to know because it's my business.
Here's what this malware was trying to do to my Mac:
I contacted the reader and told them to immediately update their anti-virus definitions, run a complete scan of their computer and told them what to look for. Sure enough, the outdated definitions had allowed the malware to run. Fortunately, the scan was run soon enough after that the compromise was stopped.
The moral of this story?
- Mac users still clinging to the old paradigm that our computers are invulnerable... wake up and smell the malware, baby! Stop being harbingers of malware for everyone you electronically connect with and throw down some anti-virus protection for your Mac. Here are a couple of the best choices: Kaspersky and Intego's Virus Barrier family of products. The latter is especially good right now because the app is also available for your Apple mobile devices. The tablet version of Kaspersky is being worked on for the iPad (no release date available), but currently they cover only Android devices.
Until next time!
Let's cut to the chase on this one... if your company owns or especially if it leases a multifunction copier, make certain the hard drive inside that copier is left with you or destroyed BEFORE the device leaves your premises.
Multifunction copiers use a hard drive - exactly like the one in your desktop computer - to store every copy, scan and fax that goes through them. The result? Once that copier leaves your premises, you have no idea where that copier will wind up and who will have access to the data its hard drive contains.
Watch these two videos... they reference American investigations, but can be easily applied to Canada, too. They are worth the time.
Until next time!
Okay, let's be honest... who isn't sick and tired of having to remember their password, oh, I mean passwordS? We have passwords for our computer logon, email, banking, iTunes, YouTube, VPN, Gmail, Rogers account, Bell account, social media accounts, parental control software on our computers, parental control on our TVs (does anyone ACTUALLY use them on their TV?), routers, mobile devices... we are drowning in passwords. That's why most of us tend to use one or MAYBE two passwords for EVERYTHING.
To ensure you reduce your risk of being a victim of identity theft, have separate passwords for your logon, email, banking, social media, etc. Don't use your banking PIN for any of them.
Passwords and remembering them has become the bane of our digital existence. Here's a tip on creating strong, easy to remember passwords based on mnemonics - a fancy word that "refers to the study and development of systems for improving and assisting the memory":
- use a favourite quote, line from a play, movie or book using 8 to 12 words
- take the first letter from each word
- capitalize the first letter
- take the number of people in your family and put that number between the 5th and 6th letter
- finally put any one of the punctuation characters in front of the number
One caveat: not all password fields allow punctuation, so be prepared to roll with it.
Here's an example following the steps above:
- my example saying is: Revenge is a dish best served cold. It's cold in space, Kirk. (look, it's just an example, okay??)
- the first letter of each word gives us: riadbscicisk
- capitalizing the first letter gives us: Riadbscicisk
- the number of people in my family gives us: Riadb5scicisk
- finally, we get: Riadb%5scicisk
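The five steps as one function, added here as an example and not from the original post: it rejects phrases outside the 8 to 12 word range, keeps contractions like "It's" as one word, and has an `allow_punct` switch for the caveat about fields that refuse punctuation. The function name and parameters are my own.

```python
import re
import string


def mnemonic_password(phrase, family_size, punct="%", allow_punct=True):
    """Build a password from a phrase using the post's recipe.

    Step 1: phrase of 8 to 12 words; step 2: first letter of each word;
    step 3: capitalize the first letter; step 4: family size between the
    5th and 6th letter; step 5: a punctuation character in front of that number.
    """
    words = re.findall(r"[A-Za-z']+", phrase)  # "It's" stays one word, "cold." drops the dot
    if not 8 <= len(words) <= 12:
        raise ValueError("use a phrase of 8 to 12 words")
    if family_size < 1:
        raise ValueError("family size must be a positive number")
    if punct not in string.punctuation:
        raise ValueError("punct must be a single punctuation character")
    letters = "".join(w[0].lower() for w in words)   # step 2
    letters = letters[0].upper() + letters[1:]       # step 3
    marker = (punct if allow_punct else "") + str(family_size)  # steps 5 + 4
    return letters[:5] + marker + letters[5:]        # insert after the 5th letter


if __name__ == "__main__":
    saying = "Revenge is a dish best served cold. It's cold in space, Kirk."
    print(mnemonic_password(saying, 5))                      # Riadb%5scicisk
    print(mnemonic_password(saying, 5, allow_punct=False))   # field that bans punctuation
```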
I know what you're thinking... "Riadb%5scicisk"... seriously... how am I supposed to remember that?? You can because you aren't going to remember "Riadb%5scicisk"... let's face it, unless you are gifted, a Navy Seal or part of some other Covert Ops team, your brain isn't programmed to remember meaningless sequences of characters. BUT, your brain CAN remember a favourite saying, say like "Revenge is a dish best served cold. It's cold in space, Kirk." with %5 thrown in the appropriate spot. Try it with a saying that is near and dear to you and you'll be amazed at how easy this is.
Until next time!
Often passwords are transmitted from our computers to the destination unencrypted, as plain text. Yup... plain, readable text. Don't believe me? Here's a capture I made of the communication between my computer and a test FTP site. First, using standard unencrypted FTP (File Transfer Protocol):
Now the same communication over secure FTP:
This is why email settings on your incoming and outgoing servers (regardless whether they are set up for POP or IMAP) should be set to use "SSL" or Secure Sockets Layer. This is the same reason why when using your browser you should use "https" rather than "http" in the address bar... the former allows your browser to connect to Facebook, Twitter or any website that supports a secure http (HyperText Transfer Protocol) connection. This is REALLY important for the tech junkies (you know who you are) that just HAVE to jump onto free WiFi... where anyone can be spying on your wireless connection.
Until next time!
I'll get calls from people whose computer has been compromised after they opened an email and/or clicked on a link it contained. They don't understand why their anti-virus software didn't protect them.
Let's have a look at a potentially nasty email spoof (bogus, fake email) a client received just this morning. No worries - it's safe in the form I'm presenting it here since these are just screen captures.
Here's the email showing a relatively innocuous link at the bottom and a "trusted source" at the top - apparently from a department in Staples:
This is what we learn when we hover - DON'T CLICK - over the link:
When the URL you WOULD go to is researched (the one in the yellow tool tip), we find it's associated with a number of phishing scams. As defined by Wikipedia, Phishing is:
a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.
How did this get past the anti-virus software? There are two types of email spoofs: active and passive. The example above is of a passive email spoof.
Active Email Spoofs: The active email spoofs contain an attachment - a file, photo, song, video, etc. These are particularly bad because as soon as the email is opened, its payload (the attachment) is deployed (activated). Sidebar: this is why having your email preview pane option on is dangerous - you have no chance to think about a suspicious email before your software auto-opens it. In those first few seconds, unless your anti-virus software is up to date and able to detect that email spoof's particular payload, your computer will be compromised. Period.
What to do? Pull the plug!
- IMMEDIATELY unplug your computer's wired connection to the internet. Literally, unplug the ethernet cable that delivers the internet to your computer.
- If your computer uses a wireless connection to the internet, disable it. Know where the hard button is on the outside of your notebook and use that, since the infection may make it impossible to turn off the wireless capability using your mouse.
- Get your anti-virus scanning your entire computer - NOW, not 2, 15, 30 or more minutes later... NOW!
- Contact your I.T. support person/people of choice and make them aware that you may need them.
Time is of the essence in computer infections/hijacks/compromises! The faster you get your computer's defence systems on the offensive, the better your chances of containing the potential infection. The longer a compromised computer has access to the internet the more likely it is that your personal information can be stolen, the more likely it is that secondary, tertiary and more infections can take place to the point where the system is so badly compromised that the computer is beyond saving.
Passive Email Spoofs: Like our example, above, have nothing actively malicious in them. Instead, they wait until the user clicks their link(s) to take the user to a website that isn't the intended destination. Upon the user's browser arriving at the malicious site, depending upon the browser settings, any number of components may be downloaded through the browser which hijack it or infect the computer. In this case the anti-virus may not kick in because the components downloaded were allowed by virtue of the browser settings... Active-X components, Flash media, etc. the elements that our browsers need to provide a full experience to the websites we visit. Sadly, among the first components that can infect computers this way are ones that redirect browsers to the same or other infected websites only to download even more malware, knock out anti-virus software, change the administrator account password, and the list goes on. Again, having an updated anti-virus program is a good defence, but being aware of the links you are clicking is really the first line of defence.
What to do? The same steps as detailed above for the active email spoofs.
So, let's review:
- if you receive an email from someone you don't recognize, DON'T OPEN IT, instead delete it.
- if you open an email and it's asking you to click a link... READ the email... did you order the product or service it's about? If not, delete it.
- if an email is asking you to click a link... hover over - DON'T CLICK - the link and check the URL in the yellow tool tip against what is displayed. If they aren't the same or at least look like they're going to take you to the intended website... you guessed it, delete it.
- governments, banks, cell phone companies, and pretty much EVERYONE doesn't use email to verify personal/private/confidential information because email is largely UNENCRYPTED and NOT SECURE. If you get an email asking ANYTHING to do with personal/private/confidential information, delete it.
BEFORE you get hacked, check out:
- the RCMP's website on scams at: http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm
- the Canadian Anti-Fraud Centre at: http://www.antifraudcentre-centreantifraude.ca/english/home-eng.html
AFTER you get hacked or you think you've been a victim of identity theft or fraud, use the RCMP Identity Theft and Identity Fraud Victim Assistance Guide or download it as a PDF. Remain calm and work through the steps.
If you are feeling like firing one back on the bad guys, forward the offending email to the organization that the email purported to be from. Most organizations have an email address specifically for reporting email abuse/scams.
Until next time!
For me, the topic that I've been asked about most often is... backup, backing up, backups... it doesn't really matter what you call it as long as you do it.
Backing up is the act of making a copy of your digital life: your business data, financial data, family photos, videos, emails... you know... the digital stuff that makes us who we are. "I have a digital life, therefore I am."
For business, losing our data can mean going out of business. Read more about this on my Disaster Recovery page. On a personal level, the thought of losing family photos, videos, etc., well, that's just positively horrific. As a husband and father, I can't imagine losing my personal digital life... I'd find it harder to deal with that than losing my business's digital life.
Regardless of what the information IS that you deem valuable, backing up is a MUST DO. Without a backup (copy) of your digital life, it's only a matter of time before catastrophe strikes and you find yourself in one of the nastiest situations EVER. With storage devices, whether they are hard drives with moving parts or static memory without moving parts (e.g. USB sticks, tablet computers, camera cards, etc.), DVDs or CDs, there is always the possibility of the information we entrust to them being damaged and/or lost completely. There's a very old saying in I.T.: "It's not IF a hard drive will fail, but WHEN?" In other words: it's not a question of WHETHER your computer's hard drive will fail, instead it's a question of WHEN it will fail. Granted, today's static memory drives (the ones without moving parts like USB sticks, the memory of tablet computers, camera cards, etc.) are less likely to fail, but they too, do fail.
So, to my original question: Backup - do you or don't you and why? Click here or on the comment link at the bottom of this post and let me know your thoughts on this. I'll post the comments as they come in.
Until next time!
After 32 years of service in the I.T. field, I realized that I'd been asked about one topic repeatedly... backups!
I've always believed in giving back and have been an active member of our church... I chair the I.T. Committee - big surprise, right? As well, I've volunteered at the local Food Pantry sorting food. This time, though, I wanted to give back to my local community of Newmarket.
In January I approached my friend, Maureen Burleson of The Montana Group, who sports 30 years of bookkeeping experience along with being a QuickBooks© ProAdvisor, and tested the waters. "Hey Maureen, I was wondering if you'd be interested in running a seminar with me? I'd like to give back to local businesses, especially those just starting out." Well, that's all it took. In short order Maureen had pulled in her friend, Donna Harwood of The Office Tutor. Donna's a Microsoft Certified Office Specialist in Outlook, PowerPoint, Excel, and Word. There we had it... the 3 amigos.
Within two months we had "You Don't Know What You Don't Know" set up at www.ydkwydk.ca... the concept, logo, website and most importantly, the organization we were going to support: The Women's Centre of York Region, to which we're donating 10% of our net proceeds.
Come join us on Thu., May 10, 2012 for a full day experiential seminar: