Monthly Archives: August 2010

USB generated infections on the rise.


IT security company Panda has announced that 25% of the new worms in 2010 were designed to be spread via USB device.

What does this mean?

A growing number of computer infections are taking place via USB devices such as thumb drives, external hard drives, mobile phones, portable music players, etc.  These infections take place silently when the device is plugged into the computer via the autorun process in Windows.  While computer worms are still mainly spread via email, this report indicates that a newer method for spreading malware is gaining significant momentum and once again gives us cause to remain vigilant when it comes to computer security.  Of course, before you can get infected by a USB device, that device first has to be infected somewhere else which means this is something that is much less likely to come from your phone or mp3 player (unless you loan it to someone) than it is from an external hard drive or thumb drive.

What should I do?

First, never trust a foreign device.  If you don’t know the origins of the device, consider it hostile.   USB thumb drives are extremely cheap these days.  So cheap that many are given away as schwag at trade shows and expos.  How easy would it be for a bad guy to accumulate a bunch of these, infect them, then ‘lose them’ outside of targeted businesses or homes?  When an unassuming employee comes along, they pick it up, plug it in, and suddenly there’s a corporate infection for the IT department to deal with.    If this is an as of yet unidentified piece of malware, a considerable amount of damage could be done by the time it is found out.  If you find a USB drive, throw it away or hand it in to your IT department.  If you absolutely must know what is on it, boot up from an Ubuntu Live CD and check it out.  That will keep you from getting the infection.  If you are in an environment that requires you to swap flash drives with people, downloading the free USB Vaccine from Panda is a good move.  This will disable the autorun feature for USB devices in Windows.  Just be warned, it will stop the autorn feature from working with external CD drives as well.  But, if you are in an environment that uses flash drives, it’s worth the inconvenience.   Of course, following these steps is essential as well. Above all, be vigilant.  If for instance, you loan the compact flash card from your camera to someone, it could come back with malware on it.  When you plug your camera back into your computer, you’ve got it.   Treat every USB device like it’s a flash drive.  Treat every flash drive that’s been out of your possession as suspect.

Advertisements

Screening away talent. Why the phone screen is a bad idea.


Life is just getting faster and faster.  One of the ways organizations are trying to make the job search faster is with the ‘phone screen’.  The phone screen is something of a pre-interview, done over the phone to screen out applicants who are not qualified.  While I understand the reasons behind doing this, I don’t agree with them, and I’ll explain why.

The interview is a business meeting between two parties.  The potential employer being one party and the prospective employee being the other.  You are negotiating a business arrangement.   I’ve been on both sides of the table, interviewing potential hires and being grilled by a hiring panel.  Regardless of which side I’m working from, I want to be able to look that person in the eye as I dialog with them.  I want to read their body language.  I want to get a feel for whether I want to do business with that person.  If you are looking for a job, don’t go in with an attitude of just hoping that someone will hire you.  You’ve got to have an attitude that you  bring something to the table that a potential employer wants.  You have to know what you bring to the party and be prepared to communicate to them why you in particular will solve the problem they have.  In essence, you are a business owner and the service you are selling is you.  In order to do that, you need to be able to get a read on them, and they need to be able to see the message you are delivering.   That is just not as effective over the phone.  When I’m interviewing for a position, I want to see the next place I could be working.  Is the environment nice?  Do the employees look like they are genuinely happy to be there or do they look like they’ve just had an injection of pickle juice?  Is the place well kept?  These are things that must be seen with ones eyes.

As a manager, I’ve never been a fan of the phone screen.  Again, I want to look that candidate in the eye and see what they are made of.  I want to see how they carry themselves.  I want to see how they react under stress.  I want to know the things that I can’t know in a phone call.   Often the best candidate is not the most qualified candidate.  The best candidate is the person that will best fit in the company and help solve the problem at hand, as perceived by the person doing the hiring.  The best candidate is a complex decision that involves many factors and discarding potential candidates over a phone call is a great way to ‘let the big one get away’.  Now, granted there are exceptions.  Before you spend the money to fly someone across the country (or possibly across the globe), you should do some initial homework.  A tough look at the résumé and a phone call would be wise.  Also, if you’ve got a very large applicant pool, then maybe some simple filtering would be good, but in most cases, the résumé and cover letter are going to tell me whether I want to see this person or not.

As someone familiar with both chairs, I prefer to drop the phone and head straight to face to face dialog.  Trying to establish candidacy over the phone short changes both parties.  Lets go back to using the phone in the proper way.  Let’s use the phone to set up a face to face meeting.

PalmPad on the way, but too late for Christmas


According to PreCentral and intomobile, HP has officially confirmed a tablet based on WebOS.  No information on pricing or delivery just yet other than early 2011.  Will HP throw up a worthy competitor to the iPad or will it be an also ran?  Time will tell.

See also, CrunchGear.

NFC on the way. The smartphone is becoming the new wallet.


Francesco Marino / FreeDigitalPhotos.net

NFC World is reporting that Apple has picked up NFC (Near Field Communication)  expert Benjamin Vigier as their new mobile commerce product manager.

What’s that all about?

Near Field Communication is close range wireless technology that allows two devices to transfer data at close range (about 10cm), which basically means you tap them together to move information.  Apple’s hiring of Vigier along with a fistful of NFC patent applications would indicate that Apple is looking to add this technology to a future iPhone, perhaps even the next iPhone.  TechCrunch is reporting that Apple is already testing hardware from NFC hardware leader NXP.

What does that mean to me?

Short term, it should mean that you’ll be able to pay by tap and go with your phone at Apple partners through your iTunes account.   Of course, we’d imagine that the Apple Store would be first in line.  Go in, grab your new MacBook Pro, fire up the checkout application on your phone, tap your phone on a pad at the sales counter, and walk away.   The technology could be used anywhere from coffee shops and newspaper stands to big box retail to about anything you can buy with a credit card.  People could exchange business cards with a simple phone tap.

Longer term, imagine smart shopping carts that cross items off your list as you put them in the cart.  How about avoiding the lines and tapping your cart to checkout?  I would imagine it will take some convincing to get retailers to start ripping out their checkout counters, but that’s the kind of stuff that is possible with NFC.

Conclusion.

Apple won’t be the first to bring NFC to a mobile phone.  There are already a handful of phones that are equipped with the technology.  But, Apple will bring a ease of use to the equation and some big backing.  With 150 million iTunes accounts, the momentum should be there to get retailers on board.  Of course, you can expect Android and the rest of the phone world to step it up as well.

Personally, I’m not excited about paying by phone.  I don’t find paying by credit/debit card or cash to be an excruciating process.  NFC should be faster, but by how much?  If I have to pull up the app on my old 3G, it could actually be slower.  However, this is the future and I do see some other interesting uses for the technology.  If you embrace it, be sure to check out my post, Personal Insecurity and lock down your phone.

Return of Zeus. A New Wave of Malware that will Empty Your Bank Account.


Courtesy of Flickr

In a report by security company M86 Security, organized crime is using a new trojan variant called Zeus v3 to infect unsuspecting web surfer’s machines, then steal their online banking credentials.  Once the credentials are obtained, they are then used to drain your account.  This is a very sophisticated and organized attack.  It’s not something that the kid down the street who hasn’t come out of his basement in three years is capable of pulling off.  M86 has posted an in depth whitepaper on the matter which can be found here.   The report is both fascinating and disturbing.

For those who don’t wish to commit the time to understand all of the fine details about how the attack works, I’ll lay out the short version here.  First, the bad guys infect legitimate ad servers.  These are machines that serve the advertisements to websites you regularly visit.  From there, the infected servers start pushing out the trojan to computers visiting LEGITIMATE websites.  The trojan is delivered via advertisements through the infected ad servers.  That’s really the beauty of delivery.  They deliver the payload to infect your computer through regular websites because the advertising on them comes from somewhere else.  The ad servers are infected the same way your home computer gets infected.  Somewhere along the line, a vulnerability wasn’t addressed.  This can happen for a number of reasons.  The operating system wasn’t patched, a firewall rule wasn’t enforced, etc.  Once the trojan is delivered to the home users computer, it simply waits until the unsuspecting user logs into their bank account via a web browser.  That’s when it sends the credentials to a command and control (C&C) server.  Later, after it analyzes the information (bank name, country, etc) the C&C server communicates back to the victim’s computer and has it initiate a bank transfer.  It will drain the victim’s account, siphoning it off and covering tracks along the way.  Then, to put the cherry on top, when the victim logs back into their bank, the traffic is diverted to the C&C server where a fake statement is generated, thereby fooling the user into thinking they have money in their account.

This is a brilliant and complicated scheme.  The money trail is like following a single noodle through a bowl of spaghetti.  Thus far, attacks have primarily been on UK bank accounts, but don’t let that make those of you outside of the UK feel good.  This could very easily be perpetrated elsewhere.  To compound the matter, this particular attack seems to be very good at getting past the major virus scanners.

That’s the bad news.  The good news is, we can make it very hard to fall victim to this type of attack.  If you don’t bank online of course, you are immune.  If the benefits of online banking outweigh the risks, you can still protect yourself.  First, you should be following ALL of my advice in my recent post Lock Down!.  This alone will dramatically reduce your chances of infection by the trojan.  Another option is to switch to a Mac or use Linux.  While not immune, these operating systems are much more difficult to infect because of their Unix heritage and because they just aren’t as popular as Windows.  Windows is the low hanging fruit for virus writers.  Linux has become very easy to use and most versions of it are free.  I have my computer setup to give me a choice of booting to Linux or Windows.  That’s pretty easy to do.  Third, you could use a boot CD as I described in my post A Temporary Solution for your online banking activities.  While not as convenient, you won’t be at risk of infection.  This is the safest option next to just not banking online at all.

Over The Top Style. The iPad Chair is Here!


The first thought that came to my mind when I first laid hands on an iPad was that the thing had the potential to be the baddest remote control on the planet.  Looks like some other people agreed with me.  And, where do you put your centralized command and control device?  In a high quality power recliner of course!  This thing looks like something that James T. Kirk himself would be proud to park in the center of the Enterprise bridge.

Elite Home Theater Seating in Vancouver is the manufacturer.  It will set you back $2495 to $5995 depending on just how cushy you want to get.  Sure, you could buy a used car for that price, or a brand new car for the price of a few chairs for your home theater room, but would the seats in the car be this nice?

See it here on CrunchGear.

Lock Down! Security Basics for the Home PC User


Salvatore Vuono / FreeDigitalPhotos.net

If you’ve been keeping up to date with my posts, you’ve been noticing that I like to talk about keeping your data secure.  This post is a continuation of that.  Here, I’ll be outlining eight simple steps to keeping your data secure.  This is by no means a comprehensive list, nor does it venture into keeping your data safe online, which is an entirely different topic that  is expansive enough to warrant it’s own future post.  Instead, I am offering up a foundation on which to start.  So, let’s go.

  1. Don’t use an administrator account for your day to day operations.  I think every computer that has ever been brought to me has been setup this way.  It’s really kind of the fault of the operating system vendors.  Typically, the first account you setup is an administrator.  People normally setup the first account and start using it.  This is a problem because the administrator has the rights to do anything on the machine.  So, if you have a piece of malware that wants to install itself on your  computer and you are an administrator, there is nothing blocking it from installing.  If you are running an account that is not an administrator, you’ll have to supply the administrator’s password to install software or make global systems changes.  While this is less convenient, it makes it harder for ugly software to install itself onto your system without your knowledge.  It is also harder to inadvertently make unwanted changes to your computer.   So, what do I do?  If you are already running on an account with administrator privileges, you simply create a new account with administrative privileges, then modify your account to become a standard user.  Once done, installing software will require the administrator account password.  To install software under Windows XP when using a non-administrator account under Windows, simply right click on the application and select ‘Run as’.  A window will then popup allowing you to select your administrator account.  There are some cases where you will need to actually switch to your administrator account and log in to perform a task, but those are pretty rare and are mostly needed when you are setting up your computer.
  2. Use passwords.  Without a password, anyone can sit down at your computer and do whatever they would like.  When creating a password, make it a good one.  Don’t use ‘bob’.  Use something more secure like ‘BobL1nk40″.  Notice the use of a ‘1’ instead of an ‘i’.  This type of password is very difficult to crack.  The combination of capital, lowercase, symbols, and numbers should be standard procedure for you as well as keeping your passwords at least 8 characters long.  If you experiment a little bit, you can come up with combinations that are pretty easy to type.  As with using a non-administrator account, this will make your life less convenient, but how inconvenient is it to do something like having to fix your credit report after having your identity stolen?  These steps can play a part in preventing something like that from happening.  Once running as a non-administrator and using secure passwords become a habit, the really do not do much to impede your life.  This step should also carry over into your online life.  Use solid passwords for everything you do online.
  3. Make sure you have an antivirus / antimalware (spyware, adware, etc) package and make sure it is up to date.   While this is fairly self explanatory, it needs to be a high priority.   For more information, a read of my earlier post, A Temporary Solution can provide some additional information.  In addition to having real time protection, make sure that you setup a scheduled scan at least once per week to catch anything that may have slipped through.
  4. Use a firewall.  Firewalls are basically like a wall between your computer and the Internet.  It won’t allow data to flow back and forth except on specified open ports.  A port is similar to a gate in the firewall.  You allow traffic to flow through specific gates in order to manage traffic in an orderly fashion.  There are standard ports for web traffic, email, etc.  Windows has a built in firewall starting with XP.  There are other software firewalls available such as ZoneAlarm.  If you are using a laptop or netbook, you absolutely will want to be using a software firewall on your machine if you ever take it off of your home network.
  5. Use a router.   Routers serve as an additional layer of protection between your computer and the Internet and act as a hardware firewall.  Plugging a computer straight into a modem is bad practice.  Routers are cheap these days and easy to setup.  If you share an Internet connection with more than one device, you already have a router.  Even if you only have one device, invest in a router.  Unless of course you are in that tiny percentage of homes with dial up.
  6. Keep third party applications up to date.  I just covered this ground in my post Update All the Way, so I’m not going to beat that dead horse other than to say that third party applications such as Flash, Java, and Adobe Reader are subject to vulnerabilities just like Windows, OSX, and Linux.  A third party update tool like PSI can help you keep those up to date.
  7. Keep the operating system up to date.  Whether you run Windows, OSX, Linux, or something else, your operating system should be regularly updating as security vulnerabilities and bugs are found.  Most people should set updates to automatic.  While the updates will break things on rare occasions, the risks associated with not having them updated is much greater.
  8. Online backups.  As with the previous item, I’ve already covered this in Back it Up, I’ll Take it!.  Backing up your data automatically and offsite is the best way to protect your data in the event of hardware failure, theft, or home damage.  There are a lot of options out there for online backups, and some are even free.  Your data is critical.  Don’t risk it.

Remember, these are just the foundational elements for protecting your data.  If you don’t have these in place, your other efforts lose a lot of their luster.  By implementing these basic concepts, you can go a long way toward keeping your data yours.