I emailed her to provide her with some steps that I thought she should take to minimise the damage caused by the hackers and also to reduce the chances of this happening again so I thought I would share my advice here:

Immediately change the passwords of your compromised accounts

In some cases the hackers will not have changed your password so you should change this straight away. This should be done for any compromised account. Choose a secure password (non-dictionary, 8 characters or more and a mixture of uppercase, lowercase, numbers and special characters). Change your password frequently (every 90 days at least).

Change the passwords for any accounts linked to your email

Any account that links to your email address should also be changed e.g. Amazon, eBay, Play, Google+, Twitter etc. The hacker could have requested password resets for these accounts while in your web mail.

Ensure different passwords for your accounts

The passwords for each site that you use should be different to minimise the amount of sites an attacker can access when one password is compromised (all eggs, one basket scenario). Use a password manager to keep track of your passwords (e.g. https://lastpass.com/)

Check for “backdoors”

Hackers will sometimes make changes to your settings in order to get back in. Check that the hacker hasn’t changed your settings to forward your emails to their email address, check they haven’t changed your password reset questions or added an alternative email or mobile.

Enable additional security options

Some services (such as Facebook) can be set to require the use of a one-time code that is sent to your mobile. This must be used before you can log on. You can also receive email alerts when unknown devices try to access your account.

Ensure your system is patched

Ensure your operating system is patched frequently (e.g. http://windowsupdate.microsoft.com/)   as well as any software that you have installed such as office, Acrobat reader, Adobe Flash Player etc.

Check your social media account permissions

Visit http://mypermissions.org/ and remove any unwanted apps and permissions.

Up to date Anti Malware software

Make sure you have up to date anti-malware software installed. There are so many reputable free ones on offer that there’s no excuse anymore. For example: http://www.avast.com/free-antivirus-download and http://free.avg.com/gb-en/homepage or for the Mac http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

Run Monthly malware scans with another product

Every month run a malware scan on your machine with a product different to your day-to-day one. An example could be the Trend Micro HouseCall online scanner – http://housecall.trendmicro.com/uk/

Use common sense

Don’t click links on Facebook, Twitter etc that supposedly offer free iPads, vouchers or something for nothing. At the very least you’ll have to fill out a survey which generates money for the scammers, worst case you could have your logon details stolen and post further links to your profile and your friends could also be compromised.

Follow SecBoyUK

Follow me on Twitter (@SecBoyUK) and Facebook (https://www.facebook.com/SecBoyUK) to stay up to date with the latest security news.

There are a few statuses on Facebook at the moment that claim to show you that by entering some mystery code into Facebook which includes the last 3 digits of your phone number, Facebook will magically present you with a name for your phone. One such example is:

Your mobile phone has its very own name !!Take the last 3 numbers of your mobile phone numbereg *******574 and write it down like this @*[574:0]but remove the star otherwise it wont work and leave no spaces.Type it in the comments box below and press enter then see what name you get....

Facebook is in no way linked with your phone so of course this isn’t true, however…

The code that people are typing in as follows @[123:0] where 123 is supposed to be the last 3 digits of your mobile number. Note: you can use 3 digits, 4, 5, 6 it doesn’t matter. The message usually contains a * symbol and the post says to remove this before posting.

As anyone that uses Facebook knows the @ sign is used in a message or status when you want to include a friend…clue number 1.

Facebook is basically a huge database of users. Each database needs a unique number to represent its records,in this case a record equals a user…clue 2.

So basically the code above takes the user’s unique number in the database and adds them to your messageThe chances are this person isn’t on your friends list so you just get their name in a blank message with no link. If the person is your friend they will be notified and their name will appear linking to their profile.

Example and Warning

Warning

OK so if you have already tried this I have 1 think to say…ARE YOU NUTS??? Read my blogs more!! Never copy and paste code from someone else’s statuses or web page and paste it into your Facebook messages or into your browser bar. This can be used to hack your computer!

Example

OK now if you are adamant you are going to copy and paste to experiment then at least use this safe example:

In a message type:

@[12345:0]

Now so that only you can see this (and your friends don’t think you’re posting random people’s names on your wall) click permissions button next to the post button and change to Only Me. This means that only you will see the post. Next click Post.

You will see that the name Eli Richlin appears. This is because Eli Richlin is number 12345 in Facebook’s database, now try it with any other random number, the name will change.

Hover over your name next to your photo on your Facebook page. Unless you have a friendly name like SecBoyUK you will see a number such as www.facebook.com/12345. This number is your unique number, try using it as the number in the example and you will see your name gets posted.

So there you go, nothing magical, nothing to do with your mobile, no hack or scam just an interesting way to find out a bit more about how Facebook works.

Remember….don’t copy and paste code into your browser or Facebook messages!

/SecBoyUK

Be Careful Out There!

With that in mind I thought I would start as I mean to go on so here’s an article on how to stay safe and secure this Christmas…

Open your presents and not your network

Many of you lucky girls and boys will receive a new computer this Christmas. So with this in mind make sure you take the following steps:

1. Ensure you have a strong password on your user account (http://www.passwordmeter.com)
2. Change your password frequently ideally at least every 30 days
3. Don’t use an account that has admin rights for your daily tasks. Use a more restricted account to reduce the risk posed by malware and malicious web sites. Windows 7 helps with the use of User Account Control (UAC) which prompts you when admin type functions are initiated
4. Ensure you have good Firewall and anti-virus (AV) software loaded before going online
5. Once online ensure you are up to date with the latest patches for Microsoft (https://windowsupdate.microsoft.com) but don’t forget other apps such as Adobe Reader, Flash etc
6. Use encryption to keep your personal files safe. Laptop theft and loss is on the rise so make it harder for thieves to access your data

New Mobile or Smart Phone

A lot of people will be getting new mobile or smart devices (iPhones/iPads/Kindles etc). Make sure you keep them secure:

1. Ensure you have a complex password set on your device
2. Set your phone to lock after 5-10 mins
3. Where applicable download device tracking software such as Find my iPhone etc or configure iCloud (http://vimeo.com/31382632)
4. If you can set your phone to be a wireless access point ensure you have a secure/complex Wi-Fi password. Change this often.
5. Remember that using your phone as a wireless access point may tell people the name of your phone so don’t use person details such as your name eg Don’t set it as “Jane’s iPhone” as a hacker/thief can detect the name and then approach you pretending to know who you are.
6. Enable child restrictions if you have bought the device for younger family or friends
7. If you must use Bluetooth then only switch it on when required and ensure a pass code is required to connect to your device
8. Use encryption if you device or its apps support it
9. Avoid “jailbreaking” or “rooting” your device. Yes it may be fun and have some advantages but it also can reduce security
10. Don’t take photos or video that you wouldn’t be happy for a complete stranger to see. What if you lose it and someone gets passed your password? Would you really like those photos and vids appearing on Facebook? (http://nakedsecurity.sophos.com/2011/09/21/mila-kunis-email-hacked-photos/
11. Set a PIN code on your voicemail. This means that you can check your voice mails remotely and securely but also stops someone picking up your phone and checking your messages or setting your voicemail message to an embarrassing one (http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal)

I’ll be bringing you more great articles in 2012 and if there’s anything that you would like me to blog about or you have questions please drop me an email to secboyuk (at) hotmail.co.uk, tweet me @SecboyUK or leave a comment below.

Merry Christmas and Happy New Year

Be careful out there!

/SecBoyUK

The statement claims that:

We got suspicious when tens of thousands of new members were accepted over a six-week period, many of whom were no oil painting

So the “virus” has supposedly allowed some aesthetically displeasing people to be able to access the pages of the Beautiful People web site, a treat usually reserved only for those whose appearance is verging on god/ess like.

For those unlikely members whose membership was incorrectly accepted Greg Hodge MD of the site had these supporting words:

It must be a bitter pill to swallow, but better to have had a slice of heaven then never to have tasted it at all

Although I would never condone the creation of hoaxes or be part of their dissemination I have to tip my hat to what can only be described as a very successful marketing ploy.

If only I had known earlier, I may have been able to get accepted if only for a few short hours whilst I bathed in the radiance of its members. Thank goodness Facebook isn’t so choosy

Be careful out there!

/SecBoyUK

Related articles

• BeautifulPeople dupes media with Shrek virus publicity stunt (nakedsecurity.sophos.com)

A recent study commissioned by ChildLine found that, of those surveyed, just over half (51%) of pupils in Year 5 reported that they had been bullied during the term.

Like most aspects of modern life the Internet has changed the face of bullying and taken it to a new level. No longer is bullying restricted to normal school hours, “cyber bulling” means that the bullies can harass their victims 24 hours a day using a variety of methods. It also means that the cyber bully can invade personal space that the victim would at one time think was safe such as their home.

Wikipedia defines cyber bullying as:

“the use of information and communication technologies to support deliberate, repeated, and hostile behaviour by an individual or group, that is intended to harm others”

One of the main “advantages” that cyber bullying provides for the bully is one of anonymity. Unlike traditional bullying where the victims knows who their bullies are, online/cyber bullying means that bullies can remain anonymous by setting up fake online profiles, fake emails addresses and using pay as you go mobile phones. In some cases not knowing their bully makes the experience even worse for a victim as they can’t take any steps to avoid them.

Cyber bullying is often carried out using a variety of technology related methods these include sending threatening emails, posting to the victim’s social profile (such as MySpace and Facebook), creating groups about the victim, making nasty comments or remarks about them in forums or on Twitter, distributing personal or embarrassing videos and pictures of the victim on YouTube or Flickr, the list goes on.

One of the main advantages that cyber bullying has for the victim is that it generally leaves behind evidence unlike more traditional forms of bullying. For example, emails can be used to pin point where the message was sent from, text messages can be traced to specific phones, forums can be traced to the machine they were posted from and the threats are tangible unlike verbal name calling or playground taunts so they can be saved for later investigation.

Another by-product of technology on cyber bullying is that the bullies will often circulate explicit photos or video of their victim and in the majority of cases the victim will be classed as a minor. This then puts the bully (and anyone else who forwards the material) at risk from being prosecuted under child pornography laws for reproduction of illegal material.

The use of technology also makes it harder for non-technical savvy parents and carers to understand the situation that their children are in and even more difficult for them to offer advice and guidance.

To try to bridge this gap many online web sites have been setup to help parents, teachers, carers and victims get access to the information that they need. I have included links to some of these web sites at the bottom of the article.

For now, the best advice for cyber bully victims remains the same as to traditional victims: don’t suffer in silence, inform a trusted adult as to what’s going on.

Be careful out there!

/SecBoyUK

Useful Links

Child Line’s Advice page

http://www.childline.org.uk/explore/onlinesafety/pages/cyberbullying.aspx

NSPCC’s Training Course for anyone who comes into contact with children and young people

http://www.nspcc.org.uk/inform/trainingandconsultancy/educare/preventingbullying_wda61169.html

Kidscape

http://www.kidscape.org.uk/cyberbullying/

Digizen

http://old.digizen.org/cyberbullying/default.aspx

Cybermentors

http://www.cybermentors.org.uk/

Cyber bullying Charity UK

http://www.cyberbullying.co.uk/

AntiBullying.net Web Site

http://www.antibullying.net/cyberbullying5.htm

BBC Learning Zone Advice on Beating Cyber Bullying

http://www.bbc.co.uk/learningzone/clips/preventing-cyberbullying/6131.html

Self-Taken Images – Sexting – Think you Know Web Site

http://www.thinkuknow.co.uk/11_16/control/sexting/

The strategy focuses on three core principles which:

• Aim to promote freedom of speech without tolerating acts such as child pornography, violence or terrorism
• Provide privacy to its citizens whilst still giving appropriate powers to law enforcement to investigate cyber crime
• Maintaining the free flow of information whilst still securing the Internet

In regards to the free flow of information the strategy criticises approaches such as national-level filters and firewalls. I can only assume this is a reference to current protective measures such as the great firewall of China in which China censors what web sites its citizens can access and even gives China the ability to disconnect itself from the Internet should the need arise.

A need for increased cooperation

The strategy stresses that in order to create an “open, interoperable, secure, and reliable information and communications infrastructure” multinational collaboration is required as is the development of closer working relationships with public and private companies. This is especially true of those companies that are responsible for providing and protecting critical national infrastructure such as water, gas, oil, electricity and telecoms.

The US state that they will work with “like-minded states” in order to establish what is deemed as acceptable on the Internet which will then go on to prevent misunderstandings that could lead to conflict. (I certainly hope that this is the case, we don’t want another world war over something as trivial as Obama’s twitter page being hacked!)

Defend and attack, but attack who?

The paper also goes on to say that the United States has a right to defend itself when triggered to do so by certain aggressive acts in cyberspace although it doesn’t detail how it will do so or what “acts” will be deemed as aggressive. The only addition given to this statement is that

“When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country”

This could mean a kinetic (physical) response to cyber incidents where deemed necessary. This is further backed up in the statement that reads

“We reserve the right to use all necessary means-diplomatic, informational, military, and economic…in order to defend our Nations, our allies, our partners and our interests”

With this in mind it is important that we look at the subject of attribution and the issues that this poses. The Internet allows an attacker to easily hop from one machine to another anywhere in the World in order to hide his tracks or to make his location appear from somewhere he is not. This could result in the US putting innocent nations quite literally in the firing line.

 There’s a storm a comin’

The paper describes the importance of international cyber exercises in order to refine and strengthen operating procedures with its partners. Cyber exercises such as these have already taken place. The last one happened in September 2010 and was called Cyber Storm III.

Cyber Storm III saw the US’ National Cyber Incident Response Plan (NCIRP) put to the test. This was done by simulating large-scale cyber attacks on the government and critical national infrastructure in order to test the US’ preparedness and response capabilities.

The scenarios see the use of real word vulnerabilities and exploits with potential consequences ranging from loss of life to crippling of key functions. The goal of the defence team is to identify the ongoing attack and mitigate the issues that it finds.

Hacking the Hackers

The strategy also states that the US will actively seek to deny terrorists and other criminals the ability to exploit the Internet as well as disrupt their activities. One key thing that is missing here is how and to what extend and with whose authorisation this denial or distruption will take place. Could we see the US harness botnets in order to initiate a large-scale DDoS against a threat actor? What is acceptable and who decides?

Another thing missing from the strategy is the subject of the preparation of the battlefield. One can only assume that in order to defend itself the US may have to respond with an attack. Just how would this be done and again what is classed as acceptable? In order to attack its enemy it is logical that the US may first have to “prepare the battlefield”. This could be done by installing back doors or Trojans into the networks and systems of potential enemies during peace time but this, to some nations, could be seen as an act of war in itself. What if one of these trojans was to accidentally trigger? The answer could be a kinetic response to which the US would ultimately have to answer.

Conclusion

Despite being anything but perfect the US’ International Strategy for Cyberspace is a great step in the right direction. Its purpose of securing the Internet whilst maintaining flow of information, freedom of speech and privacy are to be commended. As to is the realisation that in order for such a strategy to succeed national cooperation is required.

The strategy is purposely lacking in detail in order to show the World that the US takes cybersecurity seriously but without giving too much away and without committing to any specifics to which it could later be held accountable.

I feel that as well as driving home the point that the US will not tolerate malevolent use of the Internet it should also be making a statement similar to the no first use policy which is seen in nuclear war scenarios. Because cyber weapons are so easily used and can result in large-scale chaos and even loss of life their use should be seen as a last resort.

Be careful out there!

/SecBoyUK

Follow me on twitter using the hashtag of #SecBoyUK and on my Facebook page (just visit the page and click LIKE to be kept up to date

The PSN has been down since April 19th when Sony discovered that intruders had compromised their system and had access to the personal information and potentially the credit card information of over 25 million of its users. Sony later announced that the credit card information was encrypted so that nobody was able to read any card details.

Sony called in forensic specialists Guidance Software (makers of the industry standard forensics application called Encase), to try to establish how the hackers broke into the system and also to try to identify them.

In order to gain access to the PSN users first need to install a mandatory download which will force them to change their password. This needs to be done from the console that originally activated the account. At the time of writing the service is very slow due to the high amount of traffic and increased number of password resets from its users.

Some console addicts went as far as trading in their PS3s for Xboxes so they could continue to play their favourite games online again!

A FAQ (frequently asked questions) page has been published by Sony and can be found here: http://blog.us.playstation.com/2011/05/16/psn-faq-restoration-questions-answered/?utm_source=twitter&utm_medium=social&utm_campaign=psn_faq_051611

Be careful out there!

/SecBoyUK

Follow me on twitter using the hashtag of #SecBoyUK and on my Facebook page (just visit the page and click LIKE to be kept up to date

None of the article particularly caught my attention until I got to this line:

“Secret messages have been found on porn discovered during terrorist raids across Europe.”

This was followed with:

“Secret coded messages are being embedded into child porn images and paedophile websites are being used as a secure way of passing “information between terrorists.”

OK, now this peaked my attention. The above method of concealing messages in images and other files is called steganography. Steganography can be used to hide messages in the unused parts of files, say for example a photograph of someone. This allows the sender to store the message in plain view without his/her message being read. For example the sender can store the image on a web site for the recipient to then download and decode. Anyone else that views the file will just see a normal photo.

Now if terrorists have a message that they would like to keep secret, one that is SO secret they need to use techniques such as steganography to conceal them then they aren’t going to store this message in an illegal file that will automatically attract the attention of authorities regardless of the hidden message. Storing the messages in this type of image goes against one of the reasons for using steganography…to store the image in plain sight to avoid suspicion.

So my conclusion is that either these terrorists are very very stupid (although the media and government describe them as capable, organised cells) or the government and media are publishing rubbish in the hope that news readers don’t have enough information to realise that stories like this just don’t make any sense!

Be careful out there!

/SecBoyUK

Follow me on twitter using the hashtag of #SecBoyUK and on my Facebook page (just visit the page and click LIKE to be kept up to date

Don’t click any links that appear to show you “hidden” videos, “celebs uncovered”, “Osama Bin Laden” videos etc. More often than not they are links which will repost themselves on your wall and sometimes force you to install applications that can carry out actions without you knowing such as tagging your friends, posting to your wall or making your information available to third parties.

Also only download software from trusted sites in this case Adobe Flash player should be downloaded from http://www.adobe.com

The story:

Unsuspecting Facebook users are spreading a new viral link which pretends to show users the moment when a Father catches his two scantily clad daughters on a web cam.

Users who follow the link will be taken to a page that appears to still be part of Facebook which shows the user a screen shot of the two teenagers and the user is asked to “click play”.

Clicking play will then lead to another screen that informs the user that they need a new “codec” for flash player in order to watch the dodgy movie.

Clicking to download the codec will install a piece of software called freecodec.exe which actually installs a browser extension called Profile Stylez. You will also unknowingly post the same link that lead you to the scam in the first place.

Be careful out there!

/SecBoyUK

Follow me on twitter using the hashtag of #SecBoyUK and on my Facebook page (just visit the page and click LIKE to be kept up to date

(The film’s worth a watch if not just for the pre “on the run” scenes which show just how much information companies like Amazon and your ISP hold on you.)

It was then, a week after watching this film, that someone I know found out first hand just what happens when someone misuses your personal information whether accidentally or maliciously.

To protect the person’s identity I shall call him Peter Smith and I will say he lives in a place called St Helens.

Peter had to recently go through a background check via a local government authority. After filling in the required paperwork giving consent for the search to be carried out (on which the form clearly stated his first name, middle name, surname and date of birth) it was then submitted by the local government authority to go through background checks.

In parallel to this Peter was also applying for various jobs for which CRB (Criminal Record Bureaux) checks had to be done.

A few weeks later Peter received his report. He opened it confidently, knowing that he had never been involved with the police. In fact he had never even had to report anything to the police much less had a reason to be detained by them.

Much to his amazement the report stated that in 2008 he had been cautioned for theft! Obviously concerned Peter immediately contacted the local government authority that had carried out the check.

David was asked to confirm his middle name and an incorrect date of birth was then read back to him. He stated that he didn’t have a middle name and that the date of birth read back to him was incorrect.

The local government authority had found another Peter Smith with a middle name born 4 years after the “real” Peter. It was at this point that the local government authority representative realised he had put the wrong person down on Peter’s report and in doing so had also disclosed the previous misdemeanours of another person to an unauthorised party in the process. We now know that there is a person who lives in St Helens called Peter Smith born in 1985 who has a caution for theft!

After apologising profusely the representative drafted a letter to the parties concerned detailing the error and setting the matter straight.

Had this not been uncovered so quickly this could have prevented Peter from obtaining certain jobs, would have irreparably damaged his character and caused a lot of stress.

We trust the government and private companies with all manner of personal information from health care details, banking information, recent purchases and what web sites we visit. If these organisations do not properly secure our information and put in place robust processes to handle it then they leave us open to identity theft, fraud and other malicious activities.

So next time you buy something online, browse a web site or submit your personal information, take a moment to ask yourself “What happens if someone else gets hold of this information?”. Otherwise next time I could be reading a report containing YOUR personal information.

Be careful out there!

/SecBoyUK