June 24, 2011

Let's Talk Email

The other day I was blogging about LulzSec and I mentioned a few things you need to look for before you click that link. But I need to add to what I was saying in that post. 


Do you pay your bills online?  Shop online?  Bank online?  If so, you have an entire category of emails hitting your inbox that you should never click on. 

Basically - all of them. 

Ha - bet you didn't think I was going to say that, did you?

All of the sites you visit regularly, especially those involving money, should be bookmarked.  

Every. Single. One. 

When you get an email telling you your credit card bill is due... DO NOT click the link in the email. Is there a sale?  DO NOT click the link. Special offer from your bank? DO NOT click the link.   Got it?

Sure it's easy, it's right there, what could possibly be wrong? Why go to the extra trouble of finding a bookmark and using that instead of the convenience of saving 10 seconds and clicking the email link?

Database breaches. That's why. 

It wasn't too long ago that Epsilon, an email marketing company, had their databases compromised.  Data stolen.  The bad guys got enough information to create very credible emails.  Emails that would look exactly like an email you would normally receive from the companies involved.  They would be able to call you by name and it would appear to be legitimate.  

So if your email was clockwatcher @ mymail.com and your name was Susan Johnson, you would receive an email addressed to you - Susan.  Not to "Dear Customer" or "Dear Clockwatcher".

One scenario is this: You click the link, it takes you to a fake login page that looks exactly like the page you are expecting. You've been here before and you know what it looks like. You try to log in. You hit enter, the page goes away, but comes right back to the login page.  You think "oh great what's wrong now?"  You try to log in again, this time it works.  You think it's a glitch in the system. These things happen.  

In fact what has happened is the first page was harvesting your username/password.  Then it redirects you to the real page so you don't even realize you've been had.  They now have time to use the information as they want.  This is but one method of grabbing your data - there are others. 

It's called Spear Phishing.  They are going after particular people with targeted emails rather than anyone they can get. 

You may think, well, none of the Epsilon companies are those I shop at.  Okay, but what about the data breaches that have not been discovered yet? Oh you can be sure they are out there. What about the data breaches that may not be discovered?  How much extra time do you have to get extra charges off your bill, get your money back in the bank, get your identity back?  

It's worth a little extra hassle to either type the URL in by hand (most browsers will even autocomplete it before you get too far) or click a bookmark.  If it's a sale, you can then find the sale page and/or enter the promo code from the email.  If it's a bill, you can then pay it. And you will know you're in the right place.

If the company has made it impossible for you to get to the right page on their site without clicking through their email, you need to loudly complain that they are putting you at risk and you want them to stop or you'll take your business elsewhere. 

It's a simple thing to do. Very simple. It may save you major pain.  Consider this some friendly strong arming... don't click that link! 

Posted by: Teresa in WebTech at 10:56 PM

June 16, 2011

Lulzsec - Careful there

You may or may not have heard of Lulzsec. In the online world they have been grabbing attention by grabbing info.

Massive Gmail phishing attack hits top U.S. officials

They've gotten gmail users, Sony, Citigroup, the IMF, the US Senate, the CIA, and oddly enough writerspace.com (an online website service for writers), probably a few more I'm not aware of or forgot after reading all this.   But I think this conveys the idea... they are prolific, proficient, and they have an agenda.

Today I received an email purporting to be from someone concerned because my email address was in the list of those that had been compromised.  I was sent several links where I supposedly could check for myself...

Ooookey dokey... I'll get right on that. 

While anything is possible, it's highly unlikely that the email was real.  First of all, I have to go through major contortions to get at my gmail password... I don't know it so I can't just type it out. I use 1Password and I never have to type my passwords once they are stored; the passwords are long and random.   I don't have them memorized and I have not gone to the trouble to find any password and pass it on.  Along with other safety features and 1Password, I am pretty sure I'm covered so far.

So, unless I missed something, I have not been "phished". 

It's always possible that someone broke into the gmail servers and managed to steal data.  Google claims this did not happen, but in the world of 1's and 0's anything is possible. 

What I did NOT do is respond in any way to the email I received.  I did not click any links, I did not write them back.  I trashed it.  I also changed my password as a precaution and I'm keeping an eye on my sent email box to make sure nothing is going out that I did not send.

If you happen to receive anything similar, I highly recommend you do the same. Unless you have a computer you feel like trashing along with an email address you'd like to abandon, it's not worth the problems to pursue trying to find out what's at the other end of the links. 

Consider this your email safety tip of the day.  Watch what you click!  Before you hit that link, think about what might be at the other end. 

Yes, you can receive emails from the email box (or return email address) of a person you know. This does NOT mean it comes from that person. Their email account may have been hijacked OR someone may be "spoofing" the return address so what you see looks like someone you know. 

Here are some things to look at when deciding whether or not to click a link or respond:

Does it look suspicious? 
So one of your friends sends you a link that ends in .ru - all it says is "Watch this".   Really? Are you going to click it? 

Does it even begin to sound like someone you know? 
You get an email from a friend but it's spelled strangely, it's not at all how they usually write, and the link looks strange (or is one of those compressed URLs).  Are you going to click it?

Do you know the person?
A "good Samaritan" sends you an email telling you to "check here" to see if there is a problem. Are you going to click the link?

If you answered yes to any of the above - you are already or soon will be in trouble.  At the very least, if it's a friend, email them back and ask if they sent the link.  Better yet, just give it a miss. Trash the email.  There is very little out there that you will miss by doing this.  And you will keep yourself a little bit safer.  (No you won't see the latest naked celeb... what a shame)

There are more I could add here, but I hope this is a nice little sample to get you thinking. Even if I mentioned every type of phishing email I've seen, I'd still miss one. The real point is think before you click.

Oh yeah - never ever ever give your password out to anyone.  If you ever find that you have given out a password - even for what seems to be a good reason... change it as soon as possible.

If you use gmail - you may want to enable their new 2 factor authentication.  They explain it here.

That's just a few little things.  I didn't want to write a book so do not consider this to be complete.  Just something to jog your elbow and make you pay attention.

Stay safe!
 

Posted by: Teresa in WebTech at 11:20 PM

June 07, 2011

IPv6 Day

Tomorrow many of the big internet players (including Facebook) will test the new IPv6 protocol.  You may or may not experience difficulties.  If you can't get a connection to a site you regularly visit this may be why. 

There is more at Ars Technica for the geekily inclined.  Otherwise it's a good idea to just wait things out rather than tinkering with network stuff and breaking something. 

I have no idea what will happen.  Might be nothing, might be a meltdown or anything in between.  IP address space is about gone, so things will have to change, we may as well see what breaks and try to fix it.

If I don't see you tomorrow - you know my internet died an unhappy death. 

Posted by: Teresa in WebTech at 07:45 PM
