Backing up your Cloud Data?

I have been using Gmail, Picasa and many other cloud-based services for a number of years. They have some excellent benefits, such as being able to access your files anywhere and on any computer.

The problem I always have (like most of us I imagine) is that I have a worry that my cloud provider may accidentally lose all my files or emails.

So that’s why I have the following to help me to at least have a backup:

  • I use Picasa so that I can keep a copy of my photos and videos both locally and in the cloud; it works great and synchronizes new or updated photos well.
  • For Gmail, I use a free tool called GMail-Backup, which can download all my emails to a directory and then download only the updated or changed emails (new ones).

The end result is that I have all my photos, videos and emails on a hard disk locally and in the cloud. Maybe it’s paranoid, but I moved to the cloud as I lost things when a hard disk died a few years ago, and now I have the other worry. This may not be for everyone, but it is something to think about as your cloud storage grows and your dependency on Google or some other 3rd party increases.

FSA Fines Zurich Insurance GBP2.28M For Data Security Failings

The U.K. Financial Services Authority said Tuesday it has fined Zurich Insurance GBP2,275,000 following the loss of 46,000 policy holders’ personal details.

-The FSA has fined the U.K. branch of Zurich Insurance PLC (Zurich U.K.) for failing to have adequate systems and controls in place to prevent the loss of customers’ confidential information.

-Zurich U.K. has seen no evidence to suggest that the personal data was compromised or misused.

-Zurich U.K. outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa Limited (Zurich SA).

-In August 2008, Zurich SA lost an unencrypted back-up tape during a routine transfer to a data storage centre.

-As there were no proper reporting lines in place Zurich U.K. did not learn of the incident until a year later.

-As Zurich U.K. agreed to settle at an early stage of the investigation the firm qualified for a 30% discount.

You can find the full article here: http://online.wsj.com/article/BT-CO-20100824-704391.html

Windows DLL load hijacking exploits go wild

Less than 24 hours after Microsoft said it couldn’t patch Windows to fix a systemic problem, attack code appeared Tuesday to exploit the company’s software.

Also on Tuesday, a security firm that’s been researching the issue for the last nine months said 41 of Microsoft’s own programs can be remotely exploited using DLL load hijacking, and named two of them.

On Monday, Microsoft confirmed reports of unpatched — or zero-day — vulnerabilities in a large number of Windows programs, then published a tool it said would block known attacks. At the same time, the company said it would not patch Windows because doing so would cripple existing applications.

Microsoft also declined to say whether any of its own applications contain bugs that attackers could exploit, saying only that it is investigating.

Many Windows applications don’t call code libraries — dubbed “dynamic-link library,” or “DLL” — using the full pathname, but instead use only the filename, giving hackers wiggle room that they can then exploit by tricking the application into loading a malicious file with the same name as a required DLL.

If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive — and in some cases con them into opening a file — they can hijack the PC and plant malware on the machine.
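To make the mechanism concrete from a defender's side, the following added example (not part of the original article) models the documented Windows search order for a bare DLL name and reports whether a load request would resolve to a trusted location. The application directory, share name and `optional_codec.dll` are hypothetical, and the file list is a constructed snapshot.

```python
import ntpath  # Windows path rules, usable on any OS

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
TRUSTED_ROOTS = [r"C:\Windows", r"C:\Program Files"]


def search_order(app_dir, cwd, path_dirs):
    """Documented order for a bare DLL name with SafeDllSearchMode enabled:
    application directory, system directories, current directory, PATH."""
    return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]


def is_trusted(path):
    """True when the path lies under a directory only administrators can write."""
    p = ntpath.normcase(path)
    return any(p.startswith(ntpath.normcase(root) + "\\") for root in TRUSTED_ROOTS)


def resolve(dll, app_dir, cwd, path_dirs, files):
    """Return the file that would be loaded, or None if nothing matches.
    `files` is a snapshot of existing files (full paths)."""
    present = {ntpath.normcase(f) for f in files}
    if ntpath.isabs(dll):                       # fully qualified: no search at all
        return dll if ntpath.normcase(dll) in present else None
    for directory in search_order(app_dir, cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if ntpath.normcase(candidate) in present:
            return candidate
    return None


def audit(dll, app_dir, cwd, path_dirs, files):
    """Classify one load request: 'trusted', 'untrusted' or 'not-found'."""
    hit = resolve(dll, app_dir, cwd, path_dirs, files)
    if hit is None:
        return "not-found", None
    return ("trusted" if is_trusted(hit) else "untrusted"), hit


# Constructed scenario: a document opened from a network share makes that
# share the current directory; the share also holds a file named like an
# optional DLL the application asks for but never shipped (hypothetical names).
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"\\fileserver\share\docs"
PATH_DIRS = [r"C:\Windows\System32\Wbem"]
FILES = [
    r"C:\Windows\System32\version.dll",
    r"\\fileserver\share\docs\version.dll",
    r"\\fileserver\share\docs\optional_codec.dll",
]

if __name__ == "__main__":
    for request in ("version.dll", "optional_codec.dll",
                    r"C:\Program Files\ExampleApp\optional_codec.dll"):
        print(request, "->", audit(request, APP_DIR, CWD, PATH_DIRS, FILES))
```

A bare name that exists in a system directory resolves there, a bare name that exists nowhere earlier in the order falls through to the current directory, and the fully qualified request simply fails to load, which is the behaviour an application author wants.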

By Tuesday, at least four exploits of what some call “binary planting” attacks, others dub “DLL load hijacking” attacks, had been published to a well-known hacker site. Two of the exploits targeted Microsoft-made software, including PowerPoint 2010, the presentation maker in Office 2010, and Windows Live Mail, a free e-mail client bundled with Vista but available as a free download for Windows 7 customers.

Other exploits aimed at leveraging DLL load hijacking bugs in uTorrent and Wireshark, a BitTorrent client and network protocol analyzer, respectively.

At the same time, a Slovenian security company claimed that it reported bugs in two Microsoft-made programs last March.

“We’re going to publish a list of the vulnerable apps we found sometime soon,” said Mitja Kolsek, the CEO of Acros Security. “However, since HD Moore’s toolkit is already being used for finding vulnerable apps and at this point hundreds of good and bad guys already know about it, I can say that the two we fully-disclosed to Microsoft were in Windows Address Book/Windows Contacts and Windows Program Manager Group Converter.”

HD Moore is the American researcher who kicked off a small wave of DLL load hijacking reports last week when he announced he had found 40 vulnerable Windows applications. On Monday, Moore published an auditing tool that others can use to detect vulnerable software. When combined with an exploit added that same day to Metasploit, the open-source hacking toolkit that Moore authored, the tool’s results produce what he called a “point-and-shoot” attack.

All four of the exploits that went public Tuesday appear to be based on Moore’s Metasploit attack code.

Although the Windows Address Book — renamed Windows Contacts with the launch of Vista in 2007 — may be familiar to users, Program Manager Group Converter is probably not, Kolsek admitted. But both can be exploited.

“They’re part of every Windows installation and are associated with certain file extensions, allowing for ‘double-click-bang’ remote attacks,” Kolsek said. “To increase the likelihood of success, an attacker can create a shortcut with a PDF or Word document icon pointing to such files, which otherwise have different, less familiar icons.”

Contrary to Kolsek’s claim, Program Manager Group Converter, a holdover from pre-Windows 95 days, is included with Windows XP, but not with Vista or Windows 7.

Altogether, Acros uncovered 121 remote execution vulnerabilities in 41 different Microsoft applications, but reported details of only the pair in Address Book/Contacts and Program Manager Group Converter. The rest were left for Microsoft’s own researchers to find, said Kolsek.

Like a number of other companies, notably the French firm Vupen Security, Acros has decided that it will no longer report its vulnerability discoveries to vendors without compensation. “We’ve been giving them away for 10 years now,” said Kolsek, “and it wasn’t doing anything for us.”

In a long post to a new Acros blog, Kolsek added that there was no bad blood between his company and Microsoft over the former’s refusal to identify 119 bugs in the latter’s products. “It was a mere incompatibility of business interests,” he said.

Wireshark’s lead developer, Gerald Combs, said today that a fix for the DLL load hijacking bug would be released in the next few days. Microsoft and BitTorrent, the firm responsible for uTorrent, did not reply to requests for comment about their patching plans.

Original story can be found here: http://www.computerworld.com/s/article/9181699/Windows_DLL_load_hijacking_exploits_go_wild

Four tips to secure your smart phones

Advice on how to defeat mobile malware aimed at your hip pocket.

A friend gathered us together for drinks at a local bar a few months ago.

One had just bought an iPhone so we grabbed our devices to clink them in the geekiest of geeky toasts.

Once I overcame my mortification I wondered if smart phones had achieved sufficient market penetration that malware authors would take them seriously?

Later, when I was at this year’s Defcon, the most popular seminar tracks exploited mobile phone vulnerabilities.

It’s difficult to say that anything “pwned” (pronounced “poaned”, meaning to defeat) at IT security conferences such as Defcon or Blackhat is ready for malware prime time because there is such cachet in hacking the coolest toy.

But the week after the conference it began to look ugly for these popular phones.

Apple released a security update for its iOS iPhone operating system to patch a vulnerability brought to light by JailBreakMe, a way to short-circuit Apple’s AppStore, and the first SMS trojan in the wild caused Android users to send messages to premium text services.

That last shows an interest in malware for profit.

It’s speculated that the next iPhone will contain near-field communication technology to enable its use as a mobile wallet.

Outside the US it has been used for some time with few problems. Will the iPhone bring it to a wide-enough audience that it will be of interest for financial malware? Will it cause enough demand that new phones will include it?

We still have not had a “Melissa-level” mobile malware event, a widespread infection that brought such threats to the fore of public debate, and it’s conceivable that mobile malware will remain a fringe trend even with all these enticing qualities.

I doubt that the average home user will clamour for security software on their phones for quite a while. And there won’t be the feeling as there is with Windows that a user is reckless without security software.

I’m already hearing grumblings that security-conscious companies need to prepare for such attacks.

For those with such phones, the advice is:

  • Don’t enable Bluetooth until you need it
  • Install security patches
  • Don’t download unapproved apps
  • And if you’re a network administrator, write policy for these devices in your environment

The full article can be found at http://www.securecomputing.net.au/News/229794,four-tips-to-secure-your-smart-phones.aspx

iTunes account takeovers – it’s PayPal now…

There are more reports that Apple iTunes accounts have been compromised and that there is another major security hole in iTunes. Well, it turns out that the iTunes accounts themselves have not been taken over, but those who use PayPal instead of a credit card have been hit: their PayPal accounts have been drained.

There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a phishing scam, a variation on the one that’s been around for years now.

Sources close to Apple state that iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions.

As for an official comment, Apple offers this bit of common sense advice:

PayPal declined to comment on the issue, but told me that any unauthorized charges sent through its service will be reimbursed.

Everyone should check their accounts on a timely basis just to make sure they do not have transactions or activities which they did not carry out.

Two or more factors for authentication (Two Factor & Multi-Factor)

What is Two Factor Authentication (2FA)?

  • Something you have (a token or device) and something you know (a PIN or Password). That’s two completely separate things.

What is Multifactor Authentication (MFA)?

  • Something you are (Biometrics), something you have (a token or device) and something you know (a PIN or Password). That’s three completely separate things.

(adding in an additional factor about you)

This ensures that just having a username, password or PIN will not allow someone to take over your identity or steal your money.

To add to the mix, there are other, more important topics, such as Out of Band (OOB). What this means is that the authenticator (e.g. a physical token, a Chip and PIN card reader or a One Time Password code sent via an SMS message) should never be running on the device which is being used to access the service. This literally translates to: if we don’t trust the computer (due to trojans or other malware) and that same computer is generating or receiving the One Time Password, then the One Time Password can be compromised before it is provided to the online service.

So where does this leave us? In order to be secure, we need to use the strongest level of security for the service that needs it, but there is no point if the usage of the service becomes painful. This is where a balanced approach is required.

In the UK, some banks are handing out Chip and PIN devices to read your debit card and therefore provide strong two factor authentication, but at a price: they are causing customers pain by requiring them to carry around a calculator-sized device.

But wait, they have been clever, balancing the risk against the pain and only requiring its use when you perform some odd or dangerous activity, such as setting up a new payee or changing your address. This is a very good approach, as you only have to prove your identity via strong authentication when your account may be being taken over by a fraudster (e.g. address change) or your money can be transferred away from you (untrusted destination account).

This means that although it’s painful when setting up new payees or moving home, it’s really simple the rest of the time, which it turns out will be 99% of the time.

This balance based on the Risk of the action is the direction that everyone is going, making it easy to use services and only hitting roadblocks when the risk is high. I think we all need to focus on how important it is to protect our identity and money. Put simply, this approach is the best for everyone.
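As an added illustration (not code from any bank or from this post), the sketch below applies the risk-based approach described above: low-risk actions pass on the password alone, high-risk actions demand a second factor, and that factor is only accepted when it is out of band. The action names, payee names and device labels are hypothetical.

```python
from dataclasses import dataclass, field

HIGH_RISK_ACTIONS = {"add_payee", "change_address"}   # the examples the post names


@dataclass
class Account:
    trusted_payees: set = field(default_factory=set)


@dataclass
class Request:
    action: str                 # e.g. "view_balance", "transfer", "add_payee"
    session_device: str         # device the online session runs on
    payee: str = ""             # destination account for transfers
    otp_ok: bool = False        # second factor presented and verified
    otp_device: str = ""        # device that generated or received the code


def needs_step_up(account, req):
    """High risk: account-takeover actions, or money going to an unknown payee."""
    if req.action in HIGH_RISK_ACTIONS:
        return True
    return req.action == "transfer" and req.payee not in account.trusted_payees


def decide(account, req):
    """Return 'allow', 'step-up-required' or 'reject-not-out-of-band'."""
    if not needs_step_up(account, req):
        return "allow"                          # password alone is enough
    if not req.otp_ok:
        return "step-up-required"
    if req.otp_device == req.session_device:    # code handled by the same,
        return "reject-not-out-of-band"         # possibly infected, machine
    if req.action == "add_payee":
        account.trusted_payees.add(req.payee)   # later transfers stay easy
    return "allow"


def run_session():
    """Constructed sequence of requests for one customer session."""
    acct = Account(trusted_payees={"landlord"})
    reqs = [
        Request("view_balance", "laptop"),
        Request("transfer", "laptop", payee="landlord"),
        Request("transfer", "laptop", payee="new-shop"),
        Request("add_payee", "laptop", payee="new-shop",
                otp_ok=True, otp_device="laptop"),
        Request("add_payee", "laptop", payee="new-shop",
                otp_ok=True, otp_device="card-reader"),
        Request("transfer", "laptop", payee="new-shop"),
        Request("change_address", "laptop"),
    ]
    return [decide(acct, r) for r in reqs]


if __name__ == "__main__":
    for outcome in run_session():
        print(outcome)
```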

At the end of the day we all have choices, we can change banks, change email providers and even stop using internet services, but that’s not exactly clever, as the Internet if used correctly saves us time, money and ultimately hassle. A bit of security is still better than queuing in a bank to transfer money.

Top Tips for Staying Secure Online

Keep Security software up to date

  • Install and use both Antivirus and Antispyware software
  • Update the software with definitions (so they can detect the latest threats)
  • Enable detection of Viruses, Spyware, Trojans and any malicious content
  • Run a full (detailed/in-depth) scan of your computer’s disks (from time to time – this can sometimes pick up older files on your disk that were missed by a previous scan)

Use a Firewall

  • Install a Personal Firewall
  • Use a hardware broadband router; these provide firewall-type protection by isolating your computer from the Internet
  • Read the Alerts, Don’t just click OK. Think about if the action you performed relates to the message, could something else (Unwanted) be trying to send information to the internet?

Keep your computer up to date with the latest operating system and application patches

  • Download updates from your Operating System Vendor (Microsoft, Apple, etc) to ensure that any vulnerabilities are closed (This will reduce the chances that the bad guys find a way into your computer)

Check your online “Identity”, “Email” and “Purchasing History”

  • When did you last login (Some sites tell you the last time you logged in)? Was that you?
  • Have any of your details been changed (Email Addresses, etc) – Someone may be taking over your account – redirecting responses to them (So you are not alerted to purchases or requests from your account)
  • Have you saved your credit card or bank details in your “Profile” – to allow quick purchases? Remember that if someone gains access, they will be able to see the details
  • Check your statements, match up any payments (Anything odd, contact your bank/card provider)
  • Online identity (Social Networking, MSN, etc) – Any changes or accesses? Make sure they are valid
  • Email (inbox, sent items) – Did you send them? Is there anything extra in there?

Strange behavior of the computer – Might indicate a Virus, Spyware or a Trojan

  • Does the computer power on by itself, in the middle of the night?
  • Are there programs installed that you don’t remember seeing before or installing yourself?
  • Does the computer slow down sometimes? Like it’s busy doing something when it shouldn’t?
  • Do pop-ups or websites appear that are not what you selected? Could Spyware be directing you to a website of its choice?

Remember that you can only be as safe as the computer you are using. Using an Internet Café or a friend’s PC could mean you are not running Antivirus, Antispyware and a firewall (or maybe they are not up to date). Think before using the PC for critical tasks (Online Banking, Online Shopping, etc).

Public WiFi not always secure

MIAMI, Aug. 21 (UPI) — U.S. experts say computer users should be more security-aware and cautious when using WiFi networks in public places like libraries and coffee shops.

Simple precautions available in most WiFi hardware, like encryption protocols, can protect users and their computers at home but not necessarily in public places, the South Florida Sun Sentinel reported Friday.

WiFi use in public places such as coffee shops is becoming increasingly popular, but these networks are typically wide open, Eric Johnson, a computer security expert at Florida International University, said.
“You should always treat any Internet activity you do at these locations as if it’s being monitored,” he said.

At home, he said, it’s easier to use a network router’s security features to protect private data.
“It’s like putting a lock on your door of your house,” Johnson said. “That’s not going to stop a determined bad guy, but it’s going to keep the wandering neighbor from making use of your Internet connection without your knowledge.”

Encryption is built into any hardware that is branded “WiFi Certified,” given to products authorized by the WiFi Alliance, a non-profit consortium of technology companies.

This protects home networks by securing data between the access point and the computer with government-grade encryption, the alliance Web site says.

Still, experts warn, users should always be aware of risks.

“The (WiFi) user should be in the mindset that nothing is 100 percent secure,” Elias Montoya, technology director for a Miami-based law firm, said. “If someone is intent on hacking you, they will.”

Trojan-ridden warning system implicated in Spanair crash

Malware may have been a contributory cause of a fatal Spanair crash that killed 154 people two years ago.

Spanair flight number JK 5022 crashed with 172 on board moments after taking off from Madrid’s Barajas Airport on a scheduled flight to Las Palmas on 20 August 2008. Just 18 survived the crash and subsequent fire aboard the McDonnell Douglas MD-82 aircraft.

The airline’s central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems with the plane, according to Spanish daily El Pais (report here). The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences, according to a report by independent crash investigators.

The accident on take-off happened after pilots had abandoned an earlier take-off attempt and a day after two other reported problems on board. If the airlines’ central computer was working properly a take-off after three warnings would not have been allowed, thereby averting the tragedy.

A mechanic who checked the plane before take-off and an airport maintenance chief are under investigation and face possible manslaughter charges. Investigating judge Juan David Perez has ordered Spanair to supply data on the state of its systems at the time of the crash. An investigation commission is due to report on the case by December.

Full article can be found here: http://www.theregister.co.uk/2010/08/20/spanair_malware/

Enabling Automatic updates in Windows 7

To help ensure your Windows computer is getting the latest Microsoft updates, it’s always best to turn on Automatic Updates.

  • Go to the Control Panel and Click on Windows Update.
  • Select Change Settings
  • Make sure that “Install Updates automatically (recommended)” is set; if not, select it from the drop-down list. There are a few options as follows, which are self-explanatory:
    • “Never check for updates (not recommended)”
    • “Check for updates but let me choose whether to download or install them”
    • “Download updates but let me choose whether to install them”

“Install Updates automatically (recommended)” is the one which automates the whole process, helping your computer stay protected with very little bother.

Hope this helped take some of the worry away. Some of you will obviously already know the information above and some of you may not, so it’s worth passing on this information to anyone who is a little unsure.