14 DAY TRIAL // This was quite a mild week in security, I can't say that we had major issues, except for that outrageous Trojan that hit job sites and wreaked havoc on Monster. There were some spam news, but nothing out of the ordinary. Spam spikes have been plaguing us all year, so we had all sort of messages to rant about, some official looking, some that were easy to believe and some that were downright stupid, like the one I wrote about on Friday. Sure this is just like that song: "Spam is all around us / I can feel it in my toes" and nothing surprises me anymore. Hackers will use anything to fool users, they will use high-profile names, they will even go as low as to take advantage of people that have suffered from disasters so nothing's new.
Hmm, what else did we have? Some programs have been discovered with vulnerabilities out of which most were patched up by the vendors, except for Rogue Multiplayer which had a highly critical flaw that could allow a hacker to take control over your PC, if you played it on insecure networks. That seemed pretty serious to me, but not as serious as the latest reports regarding phishing. Damn it! I wish people stopped being so gullible, or perhaps it's not that, but they simply don't know enough about computer security. To be honest, I know a lot of people that have no idea that they can get scammed on the Internet. That's kind of sad but that's the way it is, fact which brings us to the week's most important subject: The Trojan Onslaught.
I wrote three articles on this, as I thought it to be pretty important - first, this Prg Trojan appeared out of nowhere and infected Monster (the job site). At first, it only phished the data of about 46.000 people. Then, it went and stole some more information, from 1.6 million people. How does that sound? Severe? Well, wait till you get a load of this - it can't be stopped, or at least not yet, because it has a self mutating code that makes anti-viruses dizzy. The phished data has been later used by hackers to scam people. On Friday, I wrote another piece of news about the evolution of this situation, and it seems it gets better, since the Monster people have "torpedoed" a rogue server that was siphoning data from them. This crisis might come to an end?or not? we shall soon see. Till then, don't click anything that looks fishy, or should I say phishy? You can read the full articles if you just click the links - Part I, Part II and Part III.
I guess that this week's greatest disappointment was the fact that I found out that not even CAPTCHA is secure anymore. For those of you who don't know what that acronym stands for, it's something too long to remember, but for short, it's that authentication process that involves you spelling a word that you will see in a distorted picture. Websites use it to tell people apart from machines. I read it on a guy's blog. This dude, he got annoyed with the fact that he couldn't input the characters correctly so he decided to crack this security measure - and guess what? He succeeded! Here's my story on that.
Another important thing this week were some statistics I found on different sites. And they were quite worrying if you ask me. A lot of firms don't take security measures seriously thus making data leakage something too easy. Also, some people think that if they are not connected to a network they're secure! Wrong! Viruses don't come just from the Internet, you know, plus that data can be leaked the old fashion way, by infiltrating spies in the system. As I've said in this article, cyber-security just doesn't cut it when trying to protect important information. Cameras should be installed as well as other security measures.
But what hit me really hard was a statistic I read on Friday - it said that a good part of IT managers blame security breaches on the company's employees. If proper security measures are installed and workers are properly instructed, as well as privileges cut off for common employees, it's pretty damn hard for me to imagine what could happen for data to leak or for PCs to get hacked. If those measures are not taken?and they usually aren't because the IT people don't properly instruct the others, then it definitely isn't the employees' fault!
The week's most pleasant piece of news came on Friday - it was about Garth Bruner's project. This guy is taking spam-fighting to a new level, instead of just creating a software solution that will enable you to dodge spam, he invented KnujOn, a special program he uses to take down sites that spam! He's getting to the root of things and I can only congratulate him on the whole thing.
After this brief, here are the week's pieces of advice:
1. Don't open dubious mails and don't click any fishy links! You might get your data stolen! 2. If you have a company or work as an IT manager, send all employees to "IT boot camp". Awareness is a great security measure!
