Category Archives: Online Security

Working from your local coffee shop? Encrypt or die!

Here’s a short video that shows you how an attacker could use simple hacking tools and a rogue wireless access point to steal login credentials.

For the full article see the blog at Sophos here


Filed under Online Security, Virus

Considering GoDaddy Protected Registration? DON’T!

I registered my first website back in 2005 and today, after years of trying, I finally prevailed in a multi-year battle with GoDaddy to shut that URL down.  

In an effort to spare you my pain, and warn you of what I consider to be some shoddy business practices, I’ll give a brief explanation.

I registered my first domain for a small web business that I went into with a good friend.  Being my first URL I believed their hype and paid for the optional Protected Registration.

Two years later, after much fun, it was obvious that we couldn’t run the project on a part time basis and we closed the company down.  The URL, however, lived on and GoDaddy dutifully renewed it the following year, charging the renewal and the Protected Registration fees to my personal credit card.  Here’s where things get a little strange.

I tried to cancel future renewals through their web interface but was blocked because of the Protected Registration.  No problem, I thought, I’ll just cancel the Protected Registration.

When I tried to cancel the Protected Registration I was unable to do so because they required documentation from the company that was no longer available because the company was closed.  Apparently I needed this to “prove that I had the right to cancel”, despite the fact that:

  1. I had login access to the administration page on the Protected Registration account
  2. It was MY credit card being charged

I suggested (reasonably I thought) that since I was the one paying I should also have the right to cancel.  Not so, according to them.  

I asked if there was any other way to cancel, since the company the Protected Registration was for no longer existed.

  • They asked me to fill in a cancellation form, sign it and send it to them, which I did
  • They then asked me to send them copies of my driver’s licence and passport, which I (stupidly) did
  • They then asked me to sign a legal contract so open ended and one-sided that I refused to do it

Each time I pointed out that, as the person paying, surely that gave me the right to cancel.  

When I refused to sign over my first born child they told me there was nothing more they could do.

Time for plan B.

Clearly I was not getting anywhere with logic or common sense, so a new strategy was in order.

I opened my GoDaddy account and simply removed all of the credit cards on file.  

By now I also had at least a dozen other domain names registered with them.  All of those were transferred to a registrar that actually treats customers as though they want to keep them.

Then the waiting game started.

Periodically I would get calls from them warning me that I was about to lose my URL.  “Good!  Please do it right now!” They would invariably ask why I didn’t just cancel it, leading to an ear bleeding tirade that would make a sailor blush.

Finally, after two years of warnings, I received an email today telling me that the URL and the Protected Registration have been deleted from my account.  Hooray!!!

Learn from my mistakes people.  If you are offered Protected Registration, don’t do it.  It sounds great, but most decent companies offer automatic renewal with email reminders anyway, so the benefits are practically zero.


Filed under Online Security, Web Design

What do marketing companies know about you?


Ever wonder what kind of information determines the ads you see or the offers you receive?

About The Data is a website launched by a leading marketing technology firm called the Acxiom Corporation that “…brings you answers to questions about the data that fuels marketing and helps ensure you see offers on things that mean the most to you and your family.”

In a nutshell this website allows you to see and correct the data they hold about you.  More importantly they offer an option to ‘opt out’.

Whoever thought of the concept for this website was a genius, and here’s why.  

Acxiom sell your data, and the more accurate that data is the more value it has.  What better way to improve the data than to give the product (that is you) the ability to improve the data directly in the name of “transparency”?  They improve their product for free while appearing to be the good guys.  Genius!

For now I have decided to let them have wrong information – although it would be interesting to see what they say about my sex life based on some of the spam I receive.

Ultimately the only reason I would sign up (you have to give a lot of personal information to get in) would be to opt out.

 


Filed under Online Security

Don’t fall for the Microsoft ‘tech support’ scam!

My wife received an interesting call today from someone claiming to be from Microsoft technical support.  According to them our computers had contacted them because we needed technical support.

Of course it’s a scam, but one that people (particularly older people) get taken in with all the time.

For the uninitiated, the scam involves someone (usually from India) calling and saying that they are representatives from Microsoft technical support. They then tell the victim that their computer is running slowly because of viruses or because they need an additional piece of software — at a cost, of course. It’s been floating around for almost as many years as the Nigerian money transfer scam and is still going strong.

Once a person buys into the scam they take them through a number of steps showing them files and error messages on their computer (every computer has error messages if you know where to look) and then they sell the victim “technical support” or an “extended warranty”.   This will involve several steps:

  • Taking control of your PC
  • Watching as you enter your bank account and credit card details into an online payment (the online payment – usually around $299 – is real)
  • Trashing your PC or, in some cases, installing malicious software on your PC so that they can continue to exploit you after the call is over

If you want to see what happens you can watch the video on the Malwarebytes website – via What happens if you play along with a Microsoft ‘tech support’ scam?  Spoiler alert – they end by calling him names and trashing his PC.

Unfortunately it is often the elderly that fall for this the most, so do yourselves a favor and tell your older relatives to contact you before they make online payments or install software from cold callers.  A little time spent on the phone with them could save everyone from an enormous amount of hassle in the future.

Any legitimate company will happily give a call back number and wait while you check with people.  And if you’re really not sure then post a comment below letting me know what is going on and I’ll get back to you.

 


Filed under Online Security

Domain Registry Services of America – SCAM!

Today I received a very official looking letter from a company called Domain Registry Services informing me that the domain of one of my customers is due to expire “in the next few months”.  If you have received one of these don’t be fooled – it’s a scam!

Here’s how it works: Domain Registry Services sends website owners an official-looking “expiration notice” (see below), urging them to “act today” to prevent “loss of your online identity making it difficult for your customers and friends to locate you.”

They are hoping that you won’t look too closely at it, fill in the form and send it back.  If you do you will have inadvertently transferred the domain registration from the company you originally registered with (GoDaddy, BlueHost, etc.) and signed that over to DRS.

I have no idea what their registration services are like but I can say that they are at least twice as expensive as any reputable domain registrar ($35 for one year when most charge between $10 and $15).  I can only assume a company that stoops to such underhanded tactics to win clients would be an absolute nightmare to deal with and any chance of getting a refund has to be slim at best.

If you receive one of these notices do yourself a huge favor and file it in the round filing cabinet.



Filed under Computers, Online Security

Who’s attacking your website?

With the explosion in web creation tools, owning a website is no longer the domain of a select few.  Whether you have an online store, a “business card” site or a fan site for your passion, setting up a website can be done by almost anyone with a need and a little patience.

What many people fail to realize is that, just like your home PC, a little care is needed if you are to avoid having your website taken over and either vandalized or used as a springboard for spreading viruses.  After all which of your friends wouldn’t download something from a website they knew you created?

Think people aren’t attacking your site?  A quick look at the sites I have set up showed that, without exception, every one of them had logged attempts to log in using brute force password cracking.  I know this because I have software installed on these sites that tracks failed attempts to log in and, if they occur often enough (10 tries in my case), automatically blocks access from those IP addresses with increasingly long lockouts and sends me a note to let me know about it.  Here’s a sample from one of the sites I take care of:

IP Tried to log in as

 

As you can see, usernames like admin, administrator, root, and variants of the URL (starred out for privacy reasons) have all been tried.  It’s one of the reasons I NEVER use those as either a user id or a password.

Attacks mostly seem to come from the Czech Republic, the Republic of Korea, Ukraine and so on.

Why those places and what are they doing?  Who cares?  The important thing to realize is that even the website you put together as a memorial to your beloved dog can, and will, be attacked.

The site I pulled the lockout information from is only special to the people that use it.  It doesn’t get millions of views, isn’t a political or controversial group, and doesn’t contain any secret information.  In fact everything on the site is public.  So if they are being attacked then it’s a very good bet that your website is too.

So what can you do about it?

Well you can’t stop people attacking you, but you can make life difficult for them by taking some simple steps.

  1. The most obvious, and easiest, thing to do is to make sure that you don’t use any common user names or passwords.  If your website provider sets up a default user such as Admin when your site is built, change it!  Passwords don’t have to be long and hard to remember – two random words like BlueDriver or NotedMarketer will keep people guessing long enough to make them bored.  If you use Admin and password because they are easy to remember then you deserve what you get.
  2. Install software that can lock out repeated login attempts.  There are many of these around and they are often free.  Install them for some peace of mind and sleep easily knowing that someone isn’t bombarding your website with thousands of login attempts.
  3. Make sure that you keep your website software up to date.  As the HeartBleed bug showed us, no website is foolproof, so make sure that vulnerabilities are patched regularly.

Those three simple steps alone should keep the vast majority of people at bay.  Sure there are a few highly skilled people out there that could get in if they wanted to, but with so many juicy targets for their talents why would they waste their time on your cooking blog?  Nope…it’s the equivalent of the thug with a brick that we want to stop and the steps above are the equivalent of a spray can full of mace to those guys.
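The lockout behaviour described above (block an address after 10 failed tries, lengthen the lockout each time it comes back, and send a note) can be sketched as follows. This is an added example, not the code of the software used on these sites; the `LoginGuard` class, the 10-minute counting window, the lockout lengths and the sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 10                    # failed tries before a lockout (the post's setting)
WINDOW = 600                      # assumed: tries must fall within this many seconds
LOCKOUTS = [1200, 3600, 86400]    # assumed: each repeat lockout is longer (seconds)

@dataclass
class IpState:
    failures: list = field(default_factory=list)  # times of recent failed tries
    lockouts: int = 0                             # lockouts issued so far
    locked_until: float = 0.0                     # blocked while now < this

class LoginGuard:
    """Hypothetical per-IP lockout tracker; not any real plugin's code."""

    def __init__(self, notify=None):
        self.state = {}
        self.notify = notify or (lambda message: None)

    def is_blocked(self, ip, now):
        st = self.state.get(ip)
        return st is not None and now < st.locked_until

    def record_failure(self, ip, username, now):
        """Log one failed login; return the lockout length it triggered, or 0."""
        st = self.state.setdefault(ip, IpState())
        if now < st.locked_until:
            return 0                              # already blocked, nothing to count
        st.failures = [t for t in st.failures if now - t < WINDOW] + [now]
        if len(st.failures) < THRESHOLD:
            return 0
        duration = LOCKOUTS[min(st.lockouts, len(LOCKOUTS) - 1)]
        st.lockouts += 1
        st.locked_until = now + duration
        st.failures = []
        self.notify(f"{ip} locked out for {duration}s, last tried '{username}'")
        return duration

def replay(events):
    """Feed (time, ip, username) failed-login events through a guard."""
    alerts, outcomes = [], []
    guard = LoginGuard(notify=alerts.append)
    for now, ip, username in events:
        if guard.is_blocked(ip, now):
            outcomes.append("blocked")            # refused before checking a password
        elif guard.record_failure(ip, username, now):
            outcomes.append("lockout")
        else:
            outcomes.append("failed")
    return outcomes, alerts

# Constructed sample: one address guessing every 5 seconds, cycling usernames.
NAMES = ["admin", "administrator", "root"]
SAMPLE = [(i * 5, "203.0.113.7", NAMES[i % 3]) for i in range(25)]

if __name__ == "__main__":
    outcomes, alerts = replay(SAMPLE)
    print(outcomes.count("failed"), outcomes.count("blocked"), alerts)
```

On the constructed sample the tenth guess triggers the first lockout and the remaining fifteen requests are refused without a password check.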

 


Filed under Computers, Online Security, Web Design

Heartbleed: What you need to know

Several people have contacted me because they were worried about “Heartbleed” – a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections.

First let me clear up something – this is NOT a virus.  Heartbleed is a bug that affects online servers, not your PC.

The bug, called “Heartbleed”, affects web servers running a package called OpenSSL which is the most common technology used to secure websites. Web servers use it to securely send an encryption key to the visitor; that is then used to protect information coming to and from the server from the so-called man in the middle attack, where a third-party intercepts both streams of traffic and uses them to discover confidential information.

Don’t Panic

This bug has been around for about 2 years.  While that means that hackers ‘could’ have been stealing information and passwords during that time the chances are relatively low.  If it were a well-known bug then it would have come to light sooner and been fixed.  So while the good guys didn’t know about it, neither did most of the bad guys.

What can I do?

There is nothing you can do to fix a website, but you can check to see if a website is vulnerable by visiting this site.  If the site tests OK then I would recommend changing your password as it is possible that your password was detected before the bug was patched.  But do not change your password until after the site is fixed – now that this is known there’s more chance that someone will exploit it and you could actually be making the situation worse.

Should I stay offline?

If you can stay offline then that would be a good start – at least for a few days.  But most people can’t so I would suggest just being careful and, if you must visit a high security site such as a bank or email system then check it first using the website tester.  It’s the weekend…go outside and play!

Should I change my password?

Better safe than sorry.  But, as noted above, don’t change it until after the server has been patched.  Many well used sites such as Facebook, Instagram and Pinterest were affected and you should change passwords, particularly if you use the same password on multiple sites (as many people do).  For a hit list of passwords you should change right now check this list.

More information can be found via Heartbleed: Hundreds of thousands of servers at risk from catastrophic bug | Technology | theguardian.com.


Filed under Online Security

Using autocomplete to make life easier? Be careful!

Various browsers provide an auto complete feature to save time filling in forms online.  This seems like a great idea but…be careful.  It’s not just the fields on the screen that you are sharing and, since some of these actually capture credit card numbers and the like, you may be providing a LOT more information than you planned.

This test URL from Yoast gives a nice quick demonstration that you might have just provided that website with your full address and/or (even worse) your credit card details too.

Personally I’ve been a big fan of Lastpass for a long time now.  Their latest browser plugin has a nice form fill feature that lets you set up different profiles and the cool part is that only that information is shared if you use it.  In fact the only way I found out that this is hiding things from autocomplete is when I tried out the above test and nothing showed up; I actually had to turn it off to get it to work.  So if you have too many passwords to remember and need some added security this is a great way to go.

Have questions about online security?  Add them as comments and I’ll get an answer for you ASAP!

via Why you should not use autocomplete • Yoast.


Filed under Computers, Online Security

‘USB condom’ prevents device hijackings at rogue ports – NBC News.com

I know that sounds like a gag headline.  But if you need to plug your phone (or other device) into an unfamiliar computer just to get some juice then you need to know the risks.

Standard USB ports and cables have several electrical channels, some of which are used to transfer power, the others data.   When you plug in you risk:

  • Moving viruses between the computer and your device (in either direction)
  • Your contacts and photos being copied to the computer.  This can happen nefariously or, more commonly, because the computer helpfully performs a backup

A USB condom simply blocks the current on the data channels, meaning only the power channels make the connection between the device charging and the one being charged.

Simpler options are available, such as buying USB cables that only have the power parts installed, but they don’t offer anywhere near as good a headline 🙂

via ‘USB condom’ prevents device hijackings at rogue ports – NBC News.com.


October 6, 2013 · 8:15 am

How to Steal Passwords Saved in Google Chrome in 5 Simple Steps

If you use Chrome as your browser you should know that it’s surprisingly simple to access all of a person’s passwords saved in Google Chrome. Another surprise: Google’s well aware of this fact, and the company is not planning to do anything about it.

For the full story read: How to Steal Passwords Saved in Google Chrome in 5 Simple Steps | CIO Blogs.

This should be especially worrying considering how many people use the same password for almost all accounts, so even if you don’t use Chrome to store your bank account password you might still be showing more than you bargained for.

After reading the full article you might find yourself wanting to delete the passwords stored in Chrome or make sure that your PC is always locked when you leave it (Windows key – L is a nice shortcut for that).  If you decide on the former then may I suggest using Lastpass as a more secure alternative to writing your passwords on post it notes.


Filed under Computers, Free Software, Online Security, Technology