So I was poking around the web a little bit, and I came across a cache of about 4,000 credit card numbers along with the corresponding names, phone numbers, addresses, CVV codes, and expiration dates. In addition to handing over this information to the authorities and the credit card companies, I decided to post an article here with some information about how to keep your personal information safe and secure while on the internet.
There are a dozen different ways that someone could obtain your credit card information. We'll cover a few here in general, and take a deeper look at the most common tactics:
Dumpster Diving - Using this tactic, one would scrounge through your trash for financial documents, credit card offers, and other personally identifying information. This underscores the need to shred sensitive documents before throwing them out. Even something as innocuous as a credit card bill could lead to identity theft if left intact.
Social Engineering (Phone Phishing) - This tactic was probably the most common before e-mail took off, and is likely still one of the biggest. Using this method, thieves will simply call you up and ask you for your personal information.
There are a million different ways that they could lull you into a false sense of security in order to get your details. For example, someone might call you up and ask for you by your full name, claim to be from your real local radio station and say that you've won a prize. They slip little tricks into the conversation to make you feel like you're talking to a legitimate representative of a legitimate company; for example, saying "Can you confirm your address for me, as 123 fake street?" (your real address).
In this way, they trick you into thinking THEY are verifying YOUR identity, so there's no need to verify theirs. Also, they already have your address so they must have obtained it through legitimate means, right?
In reality, they can open a phone book, throw a dart and land on someone's full name, and address. Someone in Nigeria could do this just as easily with access to the internet. Just look up the most popular radio station in the area (even if you don't listen to it, you'll surely recognize it). Finally, when they tell you what you've won, they don't even have to ask you for your credit card number. So how do they steal your identity?
Simple... "Great! Now that we've verified your address, and know who to send it to, we can give you this check for $100!" (not so large as to arouse a feeling of "this can't be true," but not so small as to be easily abandoned) "Now, all we need to do as we mail this check out is to get your social security number for tax purposes." Unfortunately, we do have to pay taxes on prizes and other winnings. Once they have that, they hang up with you, call your bank, and say "Hi, I'm [your name]. I recently moved, and I think I lost my card in the move. Can you have my new card sent to my new address, at [the attacker's address]?" - and when the bank asks them to verify that they're you... they ask for your social security number.
Social Network-Engineering - This one is very similar to Social Engineering (above) but is a lot easier for the attacker. Let's say someone calls you up on your work phone, from the extension for human resources one day, and the conversation goes something like this:
Co-Worker: Heya Jim, this is John, in HR. I'm calling about the promotion you got 2 and a half months ago.
You: Oh yeah, what about it? I hope everything is ok.
Co-Worker: Well mostly so, yeah. See, I recently started in this department myself, and I got a little bit overwhelmed starting out, and well... I may have forgotten to update your paperwork. Don't worry, your pay raise went through just fine and all, and congratulations on the promotion by the way... it's just that we never really had you fill out the new W-2s or direct deposit forms.
You: Oh! Well, I can do that right now; what do you need?
Co-Worker: That'd be great, Jim! My butt was really on the line for this one, I appreciate it. I'm working from home right now, but I can fax you the forms to fill out right now, and then you can fax them back to me and I'll get 'em filed first thing Monday morning!
You: Hey sure John, no problem. Is there anything else you need?
Co-Worker: Nope! I sure do appreciate all your help. Thanks again, Jim!
You: No problem. I'll get that fax over to you right away!
So you hang up with John, he faxes you the W-2 forms you need to fill out, along with a form to set up direct deposit. You happily fill out your name, address, phone number, social security number (for tax purposes) and your bank account information and routing number for direct deposit. You feel like you've done a solid for a co-worker in HR, and you don't think anything of it.
But John was not your co-worker. In fact, his name wasn't John. He wasn't even in the same country. How did this attack happen?
Here is how the call went, from the attacker's perspective...
The attacker creates a Facebook account with the photo of an attractive young lady (or gentleman) and adds you with a flirtatious introduction in order to gain access to your profile. Like most people who add you on Facebook, they never talk to you.
The attacker looks through your profile, learns where you work, what your job is, how it's going, and any recent relevant news (by looking through your status update history). He notices your recent promotion, and writes it down.
He notices your phone number, and uses whitepages.com to do a reverse look-up.... now he has your name, address, and phone number along with any personal information in your profile. He's almost ready to give you a call.
He looks up the local office where you work. Finds the phone number.
He looks up the Google Finance page for your company... finds the number to confirm employment (HR).
The attacker calls the local office during work hours... asks to be transferred to HR.
HR answers "John with human resources, how can I help you?"
The attacker acts surprised... "Did you say your name was John? Sorry, they must have transferred me to the wrong department. I was looking for extension 1234" (your extension... from the company directory).
John from HR apologizes and transfers the attacker to Jim. Jim gets an incoming call from the extension of HR. The conversation takes place as above, and Jim faxes the attacker his bank account info, SS# and all other personally identifiable information.
This is just one example of how the personal information you post publicly on the internet can be used against you. Even if your social networking profiles are set to private, if you accept friend requests from people you don't know, you may as well post your social security number on 4chan.
Phishing - This is usually used as more of a "shotgun tactic" but can sometimes be targeted as well. It is usually done through e-mail. This one is a bit tricky to spot unless you know what you're looking for. It usually looks like an e-mail from your bank, or from another company with whom you have an account (the most common is a World of Warcraft account). They will ask you to click on a link or respond with some information.
To avoid this scam, there are two primary tricks to learn to recognize, and to learn how to avoid.
URL obfuscating
One way phishers trick you into going to a fake website is by putting the legitimate URL inside their fake URL. To understand how this works, it's important to understand how URLs work.
google.com will obviously go to Google.
Also, webpage.google.com will go to a page on Google (though I doubt that's a real page).
However, google.webpage.com will NOT go to Google. It will go to a page on "webpage.com". The domain is ONLY the string immediately before the ".com" (or .net or .org). Some attackers may trick you into clicking a link which you think will take you to "wellsfargo.com" by using the URL: "wellsfargo.secureauth123.com". - it looks legit.... but it isn't. If you click a malicious link like that, it may take you to a site that looks exactly like your banking institution... but it isn't.
HREF Link-Jacking
Another tactic phishers use to hijack your clicks is called "link-jacking". There are two ways to do this which are basically the same. I will demonstrate using my own examples:
Click here to visit Google.
This one's pretty straight-forward. You click the text which says "click here to visit google" but instead, it takes you to www.bing.com.
A more effective form of this trick is:
www.google.com
In this case, the address "www.google.com" is just TEXT, which we have linked (just like the text in the previous example) to the ADDRESS: bing.com. Just because it looks like an address doesn't mean it isn't just link-jacked text.
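As an added example (not code from the original post), here is a small check that catches both tricks described above: it pulls the real domain out of a link's target, flags a link whose visible text is an address that doesn't match where it really goes, and flags a "brand as subdomain" address like wellsfargo.secureauth123.com. It assumes, like the post does, that the domain is the last two labels of the hostname; real tooling should use the Public Suffix List for cases like .co.uk.

```javascript
// Added example: detect link-jacking and URL obfuscation in anchors.
// Assumption: a hostname's registrable domain is its last two labels
// (matches the post's rule of thumb; real tools use the Public Suffix List).

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Turn link text such as "www.google.com" or "https://x.com/y" into a hostname,
// or null when the text does not look like an address at all.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/?#].*)?$/i);
  return m ? m[1].toLowerCase() : null;
}

// Returns a list of findings for one anchor; an empty list means it looks honest.
// expectedBrandDomain is optional: the domain the link claims to belong to.
function checkLink(anchorText, href, expectedBrandDomain) {
  const findings = [];
  let target;
  try { target = new URL(href); } catch { return ["href is not a valid URL"]; }
  const targetHost = target.hostname.toLowerCase();
  const targetDomain = registrableDomain(targetHost);

  // Link-jacking: the visible text is an address, but not the one the link goes to.
  const textHost = hostFromText(anchorText);
  if (textHost && registrableDomain(textHost) !== targetDomain) {
    findings.push(`text shows ${textHost} but link goes to ${targetHost}`);
  }
  // URL obfuscation: the brand name is only a subdomain of some other domain.
  if (expectedBrandDomain && targetDomain !== expectedBrandDomain.toLowerCase()) {
    findings.push(`expected ${expectedBrandDomain}, link goes to ${targetDomain}`);
  }
  return findings;
}

// Constructed sample links mirroring the post's examples.
const samples = [
  { text: "Click here to visit Google.", href: "https://www.bing.com/", brand: "google.com" },
  { text: "www.google.com", href: "https://bing.com/" },
  { text: "Log in to Wells Fargo", href: "https://wellsfargo.secureauth123.com/login", brand: "wellsfargo.com" },
  { text: "webpage.google.com", href: "https://webpage.google.com/", brand: "google.com" }, // legitimate
];
for (const s of samples) console.log(JSON.stringify(s.text), "->", checkLink(s.text, s.href, s.brand));
```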
The Bottom Line is this... Don't click links in e-mails unless you know who sent it and you were expecting it. Don't believe people on the phone just because they have a few publicly available details. Don't leave sensitive documents lying around, even in your trash, and follow the other safe browsing habits indicated in other articles on this site.
There will be more similar articles in the near future, for those who are interested.