Backing up your email

James Fallows had an article in the Atlantic last year that did a good job of scaring the wits out of me, as any entertaining and informative security article should. Fallows described what happened when his wife’s Gmail account was hacked and she (briefly, before friends of theirs at Google saved the day) lost the entire contents of her Gmail account. The experience got Fallows thinking about how vulnerable we are when we store our information in the cloud.

My passwords are strong — and I’m hoping yours are too after reading the articles on DtheK — but what if your account gets broken into anyway, either through a server problem, hacker, or some other issue? Most of us would be willing to expend considerable effort to prevent the loss of all of our email data in such a worst-case scenario, so I’ve compiled a few ways you can protect yourself. Each method is rated by difficulty, using the “Grandma Frustration-O-Meter” gold standard.

Options for backing up your email accounts

  1. Use a desktop client like Microsoft Outlook, Zimbra, or Mozilla Firebird to download and store copies of your emails on your hard drive. Grandma-Frustration-O-Meter: What the dang is POP3? Aaack!
  2. If you want to back up a Gmail account, start a new Hotmail account. Then ask Hotmail to store copies of your emails. Or vice versa if you use Hotmail and want Gmail to store your emails. I haven’t looked into Yahoo, but I’m guessing something similar might work for that. Grandma-Frustration-O-Meter: Goes down easier than a warm glass of milk.
  3. Use Gmail Backup and hope that it is not stealing your password information like the program described here. User beware, but one reason to trust it is that it is featured on the Google Apps Marketplace; another reason is that Softpedia certifies it as a clean program, free of adware, spyware, and viruses. Grandma-Frustration-O-Meter: I have to remember to run the program monthly? Okey dokey. What? Where am I?
  4. Use Backupify, an online service that claims to be able to store all of your Gmail account information and settings, then restore it to a Gmail account at any time. Sounds great, but of course you have to trust Backupify with your email content. Even if you trust Backupify to keep your information private, you now have to worry about two websites that could potentially get hacked instead of just one. Grandma-Frustration-O-Meter: Remember the warm glass of milk? It’s like that, but pricier.
  5. Pray. Don’t worry about backups, use the password “Lucky123” for every account on the internet, and pray that trouble won’t befall you. Grandma-Frustration-O-Meter: Ignorance is bliss… while it lasts

While I am uneasy about giving my email password to anyone but Google, I have chosen options 1 and 2 (note that options 3 and 4 require trusting another program, company, or website with your password, too). Make your choice, and may the odds be ever in your favor.
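
What option 1's desktop client does under the hood, as an added example that is not part of the original article: pull every message over POP3 on TLS and append only the new ones to a local mbox file that just your user can read. The function names are hypothetical, and the host and credentials are assumptions to be replaced with whatever your provider documents.

```python
import hashlib
import mailbox
import os
import poplib
from email import message_from_bytes


def message_key(raw: bytes) -> str:
    """Identify a message by Message-ID, else by a hash of its header block."""
    raw = raw.replace(b"\r\n", b"\n")
    mid = message_from_bytes(raw).get("Message-ID")
    if mid:
        return str(mid).strip()
    return "sha256:" + hashlib.sha256(raw.split(b"\n\n", 1)[0]).hexdigest()


def backup_messages(raw_messages, mbox_path: str) -> int:
    """Append messages not yet in the local mbox; return how many were added."""
    # The archive holds every mail you own: keep it readable by you only.
    os.close(os.open(mbox_path, os.O_WRONLY | os.O_CREAT, 0o600))
    os.chmod(mbox_path, 0o600)
    box = mailbox.mbox(mbox_path)
    try:
        # Keys of what is already archived, so reruns do not duplicate mail.
        seen = {message_key(box.get_bytes(k)) for k in box.keys()}
        added = 0
        for raw in raw_messages:
            key = message_key(raw)
            if key not in seen:
                box.add(raw.replace(b"\r\n", b"\n"))
                seen.add(key)
                added += 1
        box.flush()
        return added
    finally:
        box.close()


def fetch_pop3(host: str, user: str, password: str):
    """Yield each message over POP3 on TLS (port 995); nothing is deleted."""
    conn = poplib.POP3_SSL(host, 995, timeout=30)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        for i in range(1, count + 1):
            _resp, lines, _octets = conn.retr(i)
            yield b"\n".join(lines) + b"\n"
    finally:
        conn.quit()
```

Run it as `backup_messages(fetch_pop3(host, user, password), "mail-backup.mbox")` on a schedule; because messages already in the archive are skipped, each run only adds what arrived since the last one.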

Twitter Attack

Just a heads up for you Twitter users:

A phishing attack that began striking U.S. Twitter profiles this weekend is still going strong and isn’t showing any signs of letting up. As VentureBeat reports, the scam operates through a direct message reading, “Lol. this you?” Once users click on it, they’re sent to a fake Twitter login page, where they could be tricked into revealing their login and password.

It seems to me that threats like this one are becoming more common, probably because most folks have become pretty good at fending off standard viruses. The major browser vendors are working hard to inure their software to phishing threats, but it’s hard to protect people from their own gullibility.

IE vs Firefox: security update

First, which browsers are the most common these days? Wikipedia has a useful summary of browser usage statistics collected from various sources. The summary statistics look a little off to me (even after considering the note at the bottom of the table), but you get the basic idea: Internet Explorer and Firefox are running away with it.

Security Update

Internet Explorer 6 remains a hopelessly dangerous browser, but I’ve been impressed by Internet Explorer versions 7 and 8. If you haven’t yet upgraded, do so now.

I wanted to update previous comparisons (see here, here, and here) between the two most prominent browsers, but Secunia, the security consultancy I had been getting figures from, now advises against using its statistics for comparison purposes because of the way it reports them.

Fair enough, and it wouldn’t hurt to go to a second source. I recently ran across a report by NSS Labs, which mentions that “53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively…” (If you’re wondering, IFrame exploits are just another flavour of attack aimed at web browsers.)

Check out the report summary, which has two very interesting graphs. It looks like Internet Explorer 8 is beating Firefox (and other browsers) by a wide margin when it comes to protecting against “socially engineered malware” (links that lead to infected downloads), while the two leading browsers provide about the same amount of protection against phishing attempts.

The web’s most dangerous search terms

Curious about the web’s most dangerous search terms?

The categories with the worst maximum risk profile were lyrics keywords (26.3%) and phrases that include the word “free” (21.3%). If a consumer landed at the riskiest search page for a typical lyrics search, one of four results would be risky.

What makes a webpage dangerous?

  • Risky downloads—Downloadable files that contain viruses, spyware, or adware or make unrelated changes to the downloading computer
  • Browser exploits—Also known as a driveby download, this type of malicious code enables viruses, keystroke loggers, or spyware to install on a consumer’s computer without consent and/or knowledge
  • Email practices—Registration forms and other sign-ups that result in high volume email, highly commercial email or both. We also test for difficulty unsubscribing.
  • Phishing—Scam sites that try to trick visitors into believing the site is legitimate
  • Excessive popups—Sites that engage in aggressive popup behavior or display large numbers of popups
  • Linking practices—Sites that aggressively link to other red- or yellow-rated sites

The report, by McAfee, mentions that hacking for profit has overtaken hacking for fame. I suspect that is why we no longer worry about viruses that will wipe our hard drives clean — the tactic is attention-getting, but is unlikely to be profitable to anybody. Today, viruses that collect information about our computing habits and personal lives are the primary threats.

Nigerian scam: a brief history

The Nigerian scam (also called “419” or “advance fee fraud”) is, I was surprised to discover via Snopes, a very old one:

The Nigerian Scam has been emptying the pockets of victims for decades, first through letters, then with faxes, and now via e-mail. In its earliest incarnation, which dates to the 1920s, it was known as ‘The Spanish Prisoner’ con. In that long-ago version, businessmen were contacted by someone trying to smuggle the scion of a wealthy family out of a prison in Spain. But of course the wealthy family would shower with riches those who helped secure the release of the boy. Those who were suckered into this paid for one failed rescue attempt after another, with the fictitious prisoner continuing to languish in his non-existent dungeon, always just one more bribe, one more scheme, one more try, away from being released.

The typso are intentional

Who is falling for these scams? The website for London’s Metropolitan Police says it’s not who you might expect:

The letters are often littered with spelling mistakes and bad grammar. This is a deliberate ploy by the fraudsters to induce the potential victim to believe that he is dealing with uneducated people who would not have the ability to defraud him/her. Nothing could be further from the truth! The majority of victims prove to be professional business people, doctors and lawyers.

Low success, high yield

The 2006 Internet Crime Report, prepared by the National White Collar Crime Center and the FBI, shows that the Nigerian scam accounts for a small percentage – just 1.7% – of reported total dollar losses due to cybercrime, but that seems to be a function of a few people losing a lot of money. The median loss for someone tricked by a Nigerian scam is $5,100, seven times greater than the median dollar loss for other referred cases of fraud, including auction fraud, failure to deliver merchandise or payment, and check fraud.

Spin-offs

The Nigerian scam is so popular it has engendered a new cyber-sport called scambaiting. The goal is to “enter into a dialogue with scammers, simply to waste their time and resources”, as well as to entertain fellow scambaiters with the resulting correspondence, photos, and recorded phone conversations.

A Recent Parody

I AM MINISTRY OF THE TREASURY OF THE REPUBLIC OF AMERICA. MY COUNTRY HAS HAD CRISIS THAT HAS CAUSED THE NEED FOR LARGE TRANSFER OF FUNDS OF 800 BILLION DOLLARS US. IF YOU WOULD ASSIST ME IN THIS TRANSFER, IT WOULD BE MOST PROFITABLE TO YOU.

Read the rest of the spoof here.
