<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Privacy Council &#187; security</title>
	<atom:link href="http://privacycouncil.org/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://privacycouncil.org</link>
	<description>Together we can end SPAM, Junk Mail and Unsolicited Phone Calls</description>
	<lastBuildDate>Thu, 06 Aug 2009 15:24:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Avoiding the Swine Flu Similar to Avoiding Computer Viruses</title>
		<link>http://privacycouncil.org/avoiding-the-swine-flu-similar-to-avoiding-computer-viruses/</link>
		<comments>http://privacycouncil.org/avoiding-the-swine-flu-similar-to-avoiding-computer-viruses/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 13:57:59 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[CDC]]></category>
		<category><![CDATA[epidemic]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[pandemic]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SPAM]]></category>
		<category><![CDATA[swine flu]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=157</guid>
		<description><![CDATA[Usually, we here at Privacy Council give you information about spam, scams and computer viruses that might compromise your personal privacy and the health of your computer. But in light of recent news, we&#8217;d like to devote this post to the Swine Flu and what precautions you can take to protect yourself and your family [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/04/pig.jpg" alt="The Swine Flu was transmitted from pigs to humans" width="212" height="273" />Usually, we here at Privacy Council give you information about spam, scams and computer viruses that might compromise your personal privacy and the health of your computer. But in light of recent news, we&#8217;d like to devote this post to the Swine Flu and what precautions you can take to protect yourself and your family from this virus. After all, keeping your family safe from the Swine Flu isn&#8217;t that different from keeping your files safe from a computer virus: It&#8217;s all about taking precautions.</p>
<p>First, the stuff you already know. Swine Flu is spreading. The virus originated in Mexico and has since spread around the globe, with <a href="http://www.upi.com/Top_News/2009/04/30/UPI-NewsTrack-TopNews/UPI-53161241094864/">UPI reporting</a> at least 148 cases worldwide and an increased alert level from the World Health Organization (up to a level 5, which is the highest it&#8217;s been since the 6-level system was put into place in 2005). Nearly 100 cases were reported in 11 U.S. states as of this morning, 51 of which are in New York. According to <a href="http://www.bloomberg.com/apps/news?pid=20601124&amp;sid=a0NYYjUy._xo&amp;refer=home">Bloomberg.com</a>, the government has begun to warn of school closings and increased precautions (in Texas, several school districts are already closed, and high school sporting events have been canceled for more than 1 million students). Many deaths in Mexico are blamed on Swine Flu, though the exact number is something of a mystery. Drug companies are working on vaccines and stepping up production of antivirals, and everyone is bracing for the next announcement about how this disease is spreading. So if you weren&#8217;t taking it seriously before, it might be time to start. Like a virulent computer bug, this one spreads best via those who don&#8217;t take the right precautions to prevent it.</p>
<p>There are ways to protect yourself and your family from this virus. It is, after all, the flu, albeit a new and particularly brutal strain. Five to 20 percent of Americans catch the &#8220;regular&#8221; flu each year, and 36,000 Americans die from it, so while hospitalizations and deaths are expected from the Swine Flu, we can&#8217;t pretend that it&#8217;s causing the only flu-related deaths we&#8217;ve ever experienced. And since the Swine Flu spreads like the seasonal flu, hand washing, healthy living, good hygiene and a measure of caution are excellent precautions against catching it.</p>
<p>You know how we always remind you not to click on strange links, open files that are attached to strange emails, or give away your sensitive data to strangers? And how we encourage the use of anti-virus software to keep your files safe? That sort of common-sense behavior works the same for avoiding the flu: Don&#8217;t touch something if you don&#8217;t know where it came from or how clean it is, minimize contact with others, and keep your own hands as clean as possible.</p>
<p>Here are some flu-prevention tips from the <a href="http://www.cdc.gov/swineflu/">Centers for Disease Control and Prevention (CDC)</a> and others: Wash your hands with soap frequently, and encourage your family to do the same. Don&#8217;t shake hands with others or touch surfaces (such as desks, public phones and other communal surfaces) if you can help it. Avoid being in the proximity of anyone with a cough or sneeze, especially those who don&#8217;t bother to cover it. Cover your own coughs or sneezes with a tissue, and wash your hands after you cough or sneeze. Don&#8217;t touch your face, eyes, nose, mouth, etc. since viruses spread very easily through contact with the face. Take care of your overall health by eating right, staying active and getting enough sleep. And of course, stay home if you start feeling sick, and keep kids home from school if they start showing symptoms.  </p>
<p>What should you do if you DO have symptoms (which include a fever, cough, sore throat, headaches, body aches, chills, fatigue and occasionally diarrhea and vomiting)?  Stay home, get rest and drink plenty of fluids. Antivirals, available from your doctor, can help take the edge off the worst of it and help you get better faster. But if you or your kids start having difficulty breathing, or if you have confusion, dizziness or persistent vomiting, get to the hospital. This is not something to mess around with.</p>
<p>Be cautious, be safe, and keep washing those hands. And next time, we&#8217;ll be back to our usual tips on protecting your privacy and the environment, including signing up for the <a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197">Privacy Council&#8217;s List Removal Service</a>. You know, the one that takes you off the major marketing lists and cuts your junk mail to almost nothing&#8230; Feel free to <a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197">sign up now</a> while you&#8217;re thinking about it, and stay healthy!</p>
<p><a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197"><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/02/pc-cta-badge.gif" alt="Sign up to cut your junk mail" width="272" height="139" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/avoiding-the-swine-flu-similar-to-avoiding-computer-viruses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Taxman Cometh! Pay Your Taxes, Protect Your Identity</title>
		<link>http://privacycouncil.org/the-taxman-cometh-pay-your-taxes-protect-your-identity/</link>
		<comments>http://privacycouncil.org/the-taxman-cometh-pay-your-taxes-protect-your-identity/#comments</comments>
		<pubDate>Tue, 14 Apr 2009 19:41:55 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[april 15]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[safety]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tax day]]></category>
		<category><![CDATA[tax return]]></category>
		<category><![CDATA[taxes]]></category>
		<category><![CDATA[taxman]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=153</guid>
		<description><![CDATA[Tomorrow is the deadline to file your taxes (or file for an extension &#8211; Huliq tells you how to do that here). This time of year always brings out the frantic procrastinators who scurry to the post office with 11 minutes to spare before the clock runs out, and it also brings out a fresh crop of identity [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/04/300px-irs_svg.png" alt="The IRS is the only one who should get your identity info" width="219" height="205" />Tomorrow is the deadline to file your taxes (or file for an extension &#8211; Huliq tells you how to do that <a href="http://www.huliq.com/1/79657/irs-urges-taxpayers-e-file-extension-requests-april-15-filing-deadline">here</a>). This time of year always brings out the frantic procrastinators who scurry to the post office with 11 minutes to spare before the clock runs out, and it also brings out a fresh crop of identity theft attempts.</p>
<p>First, the spammers: If you receive an email that promises to help you get your tax refund quickly, claims to offer a tax filing service that&#8217;s faster than anyone else&#8217;s, claims to be from the IRS, or guarantees you a tax payout, delete it. Do not click any links, do not open any attachments, and do not believe what you read. The IRS does not send emails asking for your personal info, and neither do reputable tax preparation companies. Just like the economic stimulus spams of a few months ago, these spam messages are designed to play on the average American&#8217;s desire for an easy and quick tax rebate. Most people view doing their taxes as a hassle, and anything that promises to make that process easier is a tempting offer for some. Too tempting for the spammers and identity thieves to ignore the potential there.</p>
<p>Second, take care of your own records the same way you do the rest of the year, with common-sense techniques. Use precautions when sending, filing and storing your tax documents. Don&#8217;t put sensitive documents into your own mailbox for mailing; take them to the post office if you can. Don&#8217;t leave documents lying around at work or in your car, where people might find or steal them. If you e-file, don&#8217;t leave sensitive information on your hard drive, especially if it&#8217;s a shared computer. Overall, be cautious and safe! Tax time is just like any other time: Don&#8217;t leave your personal information out there for anyone to find.</p>
<p>If you want to help fight identity theft, you can forward suspected spam emails to <a href="mailto:spam@uce.gov">spam@uce.gov</a>. You can also spread the word to your friends and family about being safe with their own tax documents. And of course, you can sign up for the Privacy Council&#8217;s List Removal Service to reduce the junk mail, spam and telemarketing calls you receive. <a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197">Sign up today</a> to do yourself (and the environment) a favor!</p>
<p><a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197"><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/02/pc-cta-badge.gif" alt="sign up for the Privacy Council today" width="272" height="139" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/the-taxman-cometh-pay-your-taxes-protect-your-identity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t be an April Fool&#8230;</title>
		<link>http://privacycouncil.org/dont-be-an-april-fool/</link>
		<comments>http://privacycouncil.org/dont-be-an-april-fool/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 15:35:29 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[april fools]]></category>
		<category><![CDATA[dihydrogen monoxide]]></category>
		<category><![CDATA[jokes]]></category>
		<category><![CDATA[pranks]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=151</guid>
		<description><![CDATA[We at Privacy Council are tireless advocates of personal privacy and security. We counsel the public to be wary of scams, avoid clicking questionable links, and generally have a healthy skepticism for anything that sounds &#8220;too good to be true&#8221; or &#8220;completely trustworthy.&#8221; In short, we try to help people avoid being the victims of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/04/guard.jpg" alt="No, the furry hats don't keep growing." width="213" height="273" />We at Privacy Council are tireless advocates of personal privacy and security. We counsel the public to be wary of scams, avoid clicking questionable links, and generally have a healthy skepticism for anything that sounds &#8220;too good to be true&#8221; or &#8220;completely trustworthy.&#8221; In short, we try to help people avoid being the victims of identity-stealing, time-consuming tricks.</p>
<p>In honor of April Fool&#8217;s Day, though, we wanted to highlight some of the better pranks we&#8217;ve heard of. We know YOU wouldn&#8217;t fall for any of these, but just in case, remember the Golden Rule of protecting yourself online: Don&#8217;t click it, download it, buy it, install it, open it or run it unless you are CERTAIN of the source. And never respond to emails from anyone claiming to be Nigerian royalty.</p>
<p><strong>Dihydrogen Monoxide</strong> &#8211; This prank has been around for years, circulating online and in petition form. The warnings about dihydrogen monoxide speak of the damage it causes to property and the environment, and how it kills people every year. The message is dire and apocalyptic. The joke, of course, is that &#8220;dihydrogen monoxide&#8221; is actually water (H2O). Many people have fallen for this prank over the years, most notably a New Zealand politician who called for a ban on the &#8220;drug.&#8221; You can read more about the history of the dihydrogen monoxide prank at <a href="http://www.snopes.com/science/dhmo.asp">Snopes</a>.</p>
<p><strong>Arm the Homeless</strong> &#8211; Three college students started this prank in 1993 by sending a press release to the local newspaper about the &#8220;Arm the Homeless Coalition&#8221; and its efforts to collect firearms for homeless people. Several major news organizations, such as CNN and the AP, picked up the story and ran with it. When the prank was exposed, the students said that they did it to draw attention to &#8220;the issues of guns and violence, homelessness and media manipulation in our society.&#8221; </p>
<p><strong>Those Funny Folks Across the Pond</strong> &#8211; England is the source of two great pranks in history. <span style="text-decoration: underline;">The first</span>: In 1965, a professor went on BBC and announced that he&#8217;d invented Smellovision, a technology that allowed  viewers to smell things through their TV. He used coffee and onions as examples on the air. While there&#8217;s no way the smell could ACTUALLY be transmitted through the television, viewers called the station to share that they had smelled the smells. <span style="text-decoration: underline;">The second</span>: In 1980, the London Daily Express picked up a magazine story that reported that the fur hats worn by guards at Buckingham Palace continued to grow and needed regular trimming. The story was carried as fact until the joke was revealed. (Source: <a href="http://www.examiner.com/x-4896-Tampa-Travel-Examiner~y2009m3d31-More-Famous-April-Fools-Day-jokes-around-the-world-1840--1999">examiner.com</a>)</p>
<p><strong>Taco Bell Buys Liberty Bell</strong> &#8211; In 1996, Taco Bell bought ad space in several major newspapers to trumpet the news that the company had purchased the Liberty Bell and would be renaming it the &#8220;Taco Liberty Bell.&#8221; Many people who thought that national treasures like this actually could be sold were incensed, and the Park Service received calls about it. Even some politicians&#8217; offices called to complain, which says something about how much those politicians (or at least their staff) knew about the buying and selling of landmarks.</p>
<p><strong>Various office pranks</strong> &#8211; Classic office pranks include wrapping everything on someone&#8217;s desk in aluminum foil, linking all of the paper clips together, filling the cubicle with packing materials, and putting a Post-It note or sticker over the red light of someone&#8217;s optical mouse so that it doesn&#8217;t register movement. All of these, of course, assume that coworkers have a sense of humor. I admit that I&#8217;ve done the aluminum foil thing before, and the coworker in question retaliated by covering the surfaces in my cubicle with his own business cards.   </p>
<p>Many other sites have great lists of April Fool&#8217;s pranks that you can read if you&#8217;d like more amusement at the gullibility of people. <a href="http://www.huffingtonpost.com/2009/03/30/the-history-of-april-fool_n_180097.html">The Huffington Post</a> has a list of the top 5 April Fool&#8217;s Day pranks of all time, some of which made our list here. <a href="http://salaswildthoughts.blogspot.com/2009/03/april-fools-pranks-jokes.html">The Composed Gentleman</a> has a few more pranks of the office variety to share.</p>
<p>The ongoing reminder is to question things that don&#8217;t sound quite right. With vigilance, you won&#8217;t be a victim yourself. And to help keep your privacy safe and your environmental impact low, <a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197">sign up for the Privacy Council&#8217;s list removal service</a>. Be removed from the major marketing lists and watch your junk mail disappear!</p>
<p><a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197"><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/02/pc-cta-badge.gif" alt="Sign up today and remove yourself from the marketing lists" width="222" height="104" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/dont-be-an-april-fool/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wedding season: Don&#8217;t forget to protect your privacy</title>
		<link>http://privacycouncil.org/wedding-season-dont-forget-to-protect-your-privacy/</link>
		<comments>http://privacycouncil.org/wedding-season-dont-forget-to-protect-your-privacy/#comments</comments>
		<pubDate>Tue, 24 Mar 2009 15:51:47 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[A Green Future]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[e-vite]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spring]]></category>
		<category><![CDATA[wedding]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=149</guid>
		<description><![CDATA[Happy Spring! The weather is getting warmer, the flowers are blooming, and &#8220;a young man&#8217;s fancy lightly turns to thoughts of love,&#8221; as Tennyson said. Weddings are in the air this week, with celebrities such as Danica McKellar and David Letterman settling down, and &#8220;regular&#8221; people planning their own knot-tying events. It&#8217;s a time to celebrate, [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/03/wedding_cake1.jpg" alt="A happy couple cuts the cake" width="252" height="246" />Happy Spring! The weather is getting warmer, the flowers are blooming, and &#8220;a young man&#8217;s fancy lightly turns to thoughts of love,&#8221; as Tennyson said. Weddings are in the air this week, with celebrities such as <a href="http://www.theinsider.com/news/1882477_Danica_McKellar_Ties_the_Knot">Danica McKellar</a> and <a href="http://www.thehollywoodgossip.com/2009/03/regina-lasko-and-david-letterman-married/">David Letterman</a> settling down, and &#8220;regular&#8221; people planning their own knot-tying events. It&#8217;s a time to celebrate, but also to be cautious. If you&#8217;re planning a wedding and you&#8217;re already diving into party preparations and white dress shopping, don&#8217;t forget a few tips to protect yourself, your privacy and the environment.</p>
<p>1. <strong>Your home</strong> &#8211; If a wedding announcement is in the newspaper, it essentially tells thieves that the houses belonging to the happy couple, their parents, and other people mentioned in the announcement will be empty during the ceremony and reception. After all, everyone will be celebrating the nuptials. Consider asking a friend or neighbor to watch or sit in the house while you&#8217;re gone, just to be safe. If you don&#8217;t know anyone who could do the job, local off-duty police officers are sometimes available for a fee.</p>
<p>2. <strong>Your email, phone number and postal mail</strong> &#8211; Wedding planning can mean filling out registries, signing up for offers, going to bridal shows, joining websites&#8230; As you navigate the maze of available resources and information, make sure you don&#8217;t fill out any requests for your address, phone number or email without knowing how the information will be used. Some contests, vendors and websites will take your information and resell it to third parties who will then use it to bombard you with unwanted communication. If there&#8217;s a &#8220;send me information&#8221; box, make sure it&#8217;s not checked. If the fine print says that the company or website can sell your info, don&#8217;t give it to them. The odds of winning that honeymoon in Hawaii are far less than the odds that your inbox will be slammed with spam.</p>
<p>3. <strong>Your impact on the environment</strong> &#8211; Many brides are beginning to use electronic invitations, or e-vites, to invite friends and family members to the big event. Since e-vites don&#8217;t use paper, they&#8217;re far more environmentally-friendly than embossed, gilded paper invites. And they cost little to nothing, unlike paper invitations. If you want your wedding to be as green as possible, e-vites are the way to go. Use a search engine to find one of the many e-vite providers that will work best for you (note: you might want to follow up with phone calls for guests who don&#8217;t reply to the e-vite, in case their spam filters are set at high security levels).</p>
<p>4. <strong>Your identity</strong> &#8211; The e-vite idea is great for Mother Earth, but you should probably stop short of posting all of your wedding info on a public website or forum. Many brides create entire websites devoted to their own weddings, but this can backfire significantly. The more you put out there for anyone to see, the easier it is for thieves to steal your identity.</p>
<p>Think of it this way: If you post that Betty Smith is marrying Bob Brown on April 3 in Betty&#8217;s hometown of Redbud, IL, and you mention that the couple&#8217;s beloved dog, Skipper, will be in the ceremony, and you include the detail about how the bridesmaid&#8217;s dresses are Betty&#8217;s favorite shade of purple, and you gush about how the couple is so perfect for each other right down to their June birthdays being just a week apart, then <span style="text-decoration: underline;">you&#8217;ve just given thieves almost everything they need to hack a bank or email account</span>. Most sites use security questions such as pet&#8217;s name, hometown, birthday, high school mascot and favorite color, all of which were just posted on the wedding website. If you must post information about a wedding to a public site, keep the info as vague and short as possible, and don&#8217;t include details that can be used by identity thieves.</p>
<p>5. <strong>Your gifts (and your guests&#8217; identities)</strong> &#8211; When you get married, you get presents. LOTS of presents. And many of those come in the form of personal checks written out to the happy couple. If you&#8217;re having a wedding and you receive checks in advance, deposit them as quickly as possible so that they don&#8217;t sit around the house to get lost or accidentally thrown out. During the ceremony and reception, have someone appointed as a &#8220;gift monitor&#8221; to collect and keep watch over the checks and other gifts you receive. That will help minimize the chance that an uninvited guest could attend your party and find a way to slip checks or other small items into his or her pockets. A check stolen by a thief can sometimes be altered and rewritten for a larger amount and to a different recipient, which would create a big banking headache for the person who originally intended to give the check to the bride and groom.</p>
<p>If your ceremony or reception is held in a public place (restaurant, convention center, etc.), you might consider making an announcement telling your guests not to leave their purses or wallets unattended. In a venue where anyone can wander in and pretend to belong, the chance of theft can go up. No one wants to arrive to a wedding as a guest but leave as a victim.</p>
<p>Maybe celebrities do it right when they keep their weddings secret until AFTER the fact! But for the rest of us, a measure of caution and thought in planning for weddings can protect our privacy, our possessions, and our planet.</p>
<p>Don&#8217;t forget to <a href="https://orders.privacycouncil.org/cgi-bin/shop.cgi?product=PC&amp;offer=PC500RC1&amp;affiliate=431197">sign up for the Privacy Council&#8217;s list removal service</a>&#8230; Start your life together on a junk-mail-free note!</p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/wedding-season-dont-forget-to-protect-your-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My fight with the gremlins in my machine</title>
		<link>http://privacycouncil.org/my-fight-with-the-gremlins-in-my-machine/</link>
		<comments>http://privacycouncil.org/my-fight-with-the-gremlins-in-my-machine/#comments</comments>
		<pubDate>Mon, 12 Jan 2009 01:43:58 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[ad-aware]]></category>
		<category><![CDATA[adware]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[norton]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=119</guid>
		<description><![CDATA[After all of the articles I&#8217;ve written about privacy, security and avoiding the perils of the web, I have at last experienced some of the headache firsthand. My laptop caught a virus, and while it turned out to be nothing major (at least so far), my experience reiterates the need for good protection against what [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2009/01/kids-and-computer-005.jpg" alt="Letting others use your computer is one way to expose yourself to viruses" width="302" height="202" />After all of the articles I&#8217;ve written about privacy, security and avoiding the perils of the web, I have at last experienced some of the headache firsthand. My laptop caught a virus, and while it turned out to be nothing major (at least so far), my experience reiterates the need for good protection against what lurks on the Internet, waiting to make trouble.</p>
<p>First, let me say that I had Norton 360 installed on my laptop. I downloaded and installed the latest version in August, but sometime in the last month or so, it abruptly stopped working. I didn&#8217;t notice the lack of protection, however, until my laptop started performing oddly. Start-ups took longer and longer (and frequently froze up), and websites took longer to load. But the final straw was last week, when I tried to run Google searches. Each time I got a page of results from a given search, my attempts to visit the resulting links were redirected to full-page ads for a variety of offers and services. It was maddening. I could type URLs into the browser and go directly to them, but my efforts to click on Google results ended up with ads for &#8220;free ipods&#8221; and &#8220;Victoria&#8217;s Secret gift cards.&#8221; I was frustrated.</p>
<p>Worse, I didn&#8217;t know where the offensive programs had come from. I never click on questionable links, in email or otherwise. I almost never download software; the last time I&#8217;d downloaded any was a year ago, and it was from a reputable source. Also, no one else uses my computer, so it was impossible that another user had downloaded something questionable without my knowledge. I wondered if a virus piggybacked onto an email I&#8217;d received from someone I trusted, and it bothered me that I couldn&#8217;t know for sure. But whatever the source, I was now stuck with a problem. And my attempts to run Norton 360 led to my discovery that, somehow, it had stopped running. What should I do now? Was it even safe for me to send email to anyone? Had the virus made its way onto my jump drive when I&#8217;d backed up my photo files? Was my identity safe, or had someone accessed my personal information from my computer? I needed to make things right with my laptop, and fast.</p>
<p>I went to the <a href="http://www.norton.com">Norton website</a> and purchased Norton AntiVirus 2009 for immediate download. I figured, this should take care of my problem! But the problem didn&#8217;t want me to take care of it. My attempts to download the software failed because of a &#8220;communications error.&#8221; I followed all of the troubleshooting advice on the site to no avail. Finally, I found a phone number to call, and after a few minutes, I was on the line with a customer service rep. I felt vaguely bad for the guy&#8230; I reported both the problems with Norton 360 and the problem with downloading Norton AntiVirus 2009, and he wasn&#8217;t sure which problem to deal with. Finally, we decided to go for the Antivirus, which he told me can&#8217;t coexist on the same computer as 360 anyway. Figures.</p>
<p>He walked me through wiping my laptop of all Norton products and attempting another download. Again, it failed. He set up a connection between us and tried to help me download it from his end. Still no dice. Finally, he had to download the program to HIS computer and send it to mine via the connection. I was on hold the entire time the program crept across the miles, all 56 Mb of it. On the upside, the rep was very nice and clearly stymied by my computer&#8217;s efforts to thwart him; I felt like apologizing for the laptop&#8217;s bad behavior. Every time he asked me to restart the machine, it took me several tries to get past the freeze-ups and delays.</p>
<p>Eventually, the program was on my desktop, and the rep installed it remotely. He started the scan running, and now that I&#8217;d spent an hour on the phone with the guy, we disconnected with some satisfaction. He DID say that he would try to get me a refund for the Norton 360 that had failed me, since I didn&#8217;t want to pay for something that hadn&#8217;t worked. I have yet to see the refund, but since he gave me a confirmation number for the transaction, I have high hopes that I can track it down, if necessary.</p>
<p>The Norton AntiVirus 2009 scan turned up the culprit: a Trojan virus was crawling through my computer. Norton zapped that bug with no trouble, and I settled back to enjoy a blissful, virus-free computer experience. But then, suddenly, Internet Explorer windows started to randomly pop open, each one a full-screen ad for everything from Proactiv to, surprisingly, Norton itself. Internet Explorer didn&#8217;t even have to be open for the ads to appear, blocking everything on the screen. They were easily closed, but they kept coming back. But Norton didn&#8217;t see a problem. I did another update, restarted the computer, and did another scan, but nothing turned up. The windows kept popping open.</p>
<p>I searched for answers on Google (now that my Google search was working again), and I saw that other people had had this problem, and that Norton hadn&#8217;t recognized it. The fix, many said, was long and arduous, including downloading more security software, starting up in safe mode, and jumping through a variety of flaming hoops. I was beaten down at the thought. I considered the ads to be more annoying than threatening, and I gave some thought to just letting them continue to appear. But then, I talked to my boyfriend, who suggested another solution: Lavasoft&#8217;s Ad-Aware product. He said that the free download found far more hidden problems on his own computer than Norton had, so I decided to give it a try.</p>
<p>The <a href="http://www.lavasoft.com">Ad-Aware site</a> was deliberately confusing, unfortunately. The company wants to sell the upgraded service, so while the basic Ad-Aware product is free, the means of getting to the free download are distracting and aimed at driving the sale. I accidentally clicked on the wrong button not once but twice, on two separate pages, in my efforts to reach the free download. I got frustrated, as you might imagine. My boyfriend had the misfortune of being on the phone with me at the time, so he got to hear my annoyance firsthand. But in the end, I got the download right, and I started an Ad-Aware scan.</p>
<p>The scan turned up another bug, one that Norton had missed. It completed the fix for me at my request, and since then, the computer has run more smoothly, more quickly, and completely without pop-up ads and unwanted Internet Explorer windows. For the moment, I feel like my laptop is back to normal, and I&#8217;m breathing a little easier. At last.</p>
<p>So what have we learned from this little adventure? First (and always), make sure you have good antivirus software installed. Norton is just fine, and obviously their customer service is available if you need it (don&#8217;t hesitate to call them if you do). Second, never click on questionable links or open or run files from unknown senders, EVER (and make sure that any other users on your computer don&#8217;t download anything without your knowledge). Third, if your computer starts acting strangely, look into it. Don&#8217;t assume that it will &#8220;correct itself,&#8221; because it will only get worse. And fourth, don&#8217;t give up if you get frustrated or have a hard time fixing the problem on your own. That&#8217;s what the experts are for. If you do everything right and it still doesn&#8217;t work, find a phone number for the company and make the call to get some help. In the meantime, do your own research into your problem so you can be informed, even if it just means Googling something like &#8220;unwanted Internet Explorer pop-up virus.&#8221; You don&#8217;t have to be a computer genius to educate yourself about spyware, adware, malware, viruses, worms and other nasties that trouble us.</p>
<p>I was lucky in that the software that got onto my laptop didn&#8217;t seem to be after my private information or out to destroy my machine. It was annoying for me in that I had always tried to follow my own advice with online security, and I still ended up having to deal with it. But in the end, I learned a lot, and now, there&#8217;s not a pop-up ad in sight.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/my-fight-with-the-gremlins-in-my-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Text message phishing: Don&#8217;t give away your identity on your phone</title>
		<link>http://privacycouncil.org/text-message-phishing-dont-give-away-your-identity-on-your-phone/</link>
		<comments>http://privacycouncil.org/text-message-phishing-dont-give-away-your-identity-on-your-phone/#comments</comments>
		<pubDate>Sat, 27 Dec 2008 22:24:58 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SPAM]]></category>
		<category><![CDATA[text message]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=115</guid>
		<description><![CDATA[Text messages on our cell phones make everything more convenient. Banking is no exception, and many banks now offer text message alerts and updates, such as notifications when our balances are low. Mobile banking makes many people&#8217;s lives easier. But of course, with this convenient technology comes another means of stealing your identity, and you must [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/12/boise-us-bank-bld.jpg" alt="US Bank was one of many banks that text message phishers claimed to represent" width="252" height="296" />Text messages on our cell phones make everything more convenient. Banking is no exception, and many banks now offer text message alerts and updates, such as notifications when our balances are low. Mobile banking makes many people&#8217;s lives easier. But of course, with this convenient technology comes another means of stealing your identity, and you must be careful not to fall for the latest tricks.</p>
<p>Recent reports indicate a rise in text message phishing. <a href="http://privacycouncil.org/dont-take-the-bait-of-phishing/">Phishing</a>, for those not in the know, means sending messages that claim to be from banks or other financial institutions and which use fear and urgency (&#8220;Your account will be closed immediately unless you respond&#8221;) to try to trick victims into giving up their sensitive information. Cell phone text messaging had already become an avenue for <a href="http://privacycouncil.org/the-irritation-of-text-message-spam-and-what-you-can-do/">spam messages</a>, which are annoying but not particularly dangerous from an identity theft perspective. Now, the combination of spam texts and illegal intent has led to a rise in text messages that try to provoke a response. The response that the phishers want contains your Social Security number, bank account number or other private information. It&#8217;s the same old thieves wearing a newer, cooler costume.</p>
<p>The most recent major text-message phishing scam was reported nationwide just a few weeks ago. In this particular effort, phishers sent untold numbers of bogus text messages, claiming to represent U.S. Bank. The messages said, &#8220;Dear US Bank member, your account with us is closed due to unusual activity, call us at [number withheld].&#8221; The recipients represented customers of various cell phone providers and were not necessarily U.S. Bank customers. Like many email phishing schemes, this one had a broad scope in the hopes of getting a few victims to nibble at the bait. It&#8217;s difficult to know how many people fell for the scam, but the three return phone numbers that were known to be used in the phishing texts have been shut down by the state.</p>
<p>Banks, meanwhile, must now work to make sure that customers who benefit from their mobile banking services aren&#8217;t burned by the same technology. U.S. Bank issued a statement shortly after the phishing attempts were reported, reminding account holders that U.S. Bank does not request sensitive information via email, phone call or text message. CIBC, the Canadian Imperial Bank of Commerce, is one of many financial institutions providing additional information online about phishing, including ways to check for an email&#8217;s legitimacy and ways to report fraudulent communications. Most banking websites include safety and security information for consumers, even if consumers don&#8217;t always read or heed the warnings.</p>
<p>The advice, of course, has been heard before: treat suspicious texts the same way you treat suspicious emails. Don&#8217;t reply, don&#8217;t call any phone numbers listed, and don&#8217;t go to any websites suggested in the message. If you do receive a message claiming to be from your bank, call your local bank office or a trusted customer service representative (using a number you already know to be valid) to investigate the issue. Remember, no bank is immune to being used as text-phishing bait (Oregon-based Bank of the Cascades was used as a phishing front several months ago, for example, so scammers aren&#8217;t limiting their phishing efforts to national banks), and no cell-phone-toting consumer is immune from the potential attack.</p>
<p>If you still have doubts about mobile banking, you can elect to discontinue it entirely. As <a href="http://www.identitytheft.com/index.php/article/mobile_banking">IdentityTheft.com</a> noted, mobile banking has many pros (including ease of use, free updates and no account numbers sent in text messages), but it also has many cons (including potential lack of encryption, lack of security and lack of anti-virus software in some phones). The site notes that the technology is still fairly new and untested and suggests asking both the bank and the cell phone provider about the security of the systems used before signing on for mobile banking, just in case. When in doubt, consumers can just skip the mobile updates and do their banking the old-fashioned way (well, as old-fashioned as &#8220;online&#8221; can be). That way, ANY text messages that claim to represent the bank can be known as fraudulent the minute they arrive on one&#8217;s phone.</p>
<p>Sources for this article: <a href="http://www.startribune.com/local/stpaul/35867039.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aULPQL7PQLanchO7DiUr">Minneapolis Star Tribune</a>, <a href="http://www.cibc.com/ca/legal/phishing-info.html">CIBC</a>, <a href="http://www.identitytheft.com/index.php/article/mobile_banking">IdentityTheft.com</a>, <a href="http://www.consumeraffairs.com/news04/2008/03/texting_scams.html">ConsumerAffairs.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/text-message-phishing-dont-give-away-your-identity-on-your-phone/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>In the News: A Small Respite from Spam</title>
		<link>http://privacycouncil.org/in-the-news-a-small-respite-from-spam/</link>
		<comments>http://privacycouncil.org/in-the-news-a-small-respite-from-spam/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 01:34:54 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[mccolo]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SPAM]]></category>
		<category><![CDATA[web]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=101</guid>
		<description><![CDATA[Some good news on the spam front this month: worldwide spam was cut in half when a single web hosting firm was shut down, The Washington Post reported. McColo Corp, a company based in San Jose, California (but claiming a Delaware mailing address), allegedly operated servers that sent spam messages for various international groups. These clients, in [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/11/motherboard.jpg" alt="Servers shut down, spam cut" width="273" height="165" />Some good news on the spam front this month: worldwide spam was cut in half when a single web hosting firm was shut down, <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/11/17/AR2008111702531.html">The Washington Post</a> reported. McColo Corp, a company based in San Jose, California (but claiming a Delaware mailing address), allegedly operated servers that sent spam messages for various international groups. These clients, in turn, were behind activities ranging from managing compromised computers to selling fake drugs and other goods online. When the plug was finally pulled by McColo&#8217;s Internet providers, security researchers reported a drop in spam traffic that ranged from 60 to 75 percent across the globe.</p>
<p>It seems amazing that a single firm can be responsible for so much spam traffic. Security researchers have been watching McColo and collecting evidence of wrongdoing for over a year, and they were the ones who eventually brought the evidence to McColo&#8217;s ISPs and asked for the shutdown. U.S. law enforcement officials aren&#8217;t giving statements about the case or about the potential repercussions for McColo&#8217;s spamming actions. After all, firms like McColo provide a service, and they frequently claim ignorance when a client misuses that service, making them tough to blame for annoyances like spam traffic. Shutting them down is frequently difficult, because as frustrating as spam is, it isn&#8217;t illegal. In this case, McColo might have broken no laws, and they haven&#8217;t been charged with any crime. The spam decrease, however, is a welcome change for the companies and consumers who monitor its traffic. </p>
<p>Of course, the respite won&#8217;t last; experts caution that the slowdown in spam is only temporary because other servers will start taking up the slack. In fact, you might have noticed your spam inbox filling up once again with the usual assortment of ads and scams. But we can take some hope from this case, at least. Everyone from the security professional to the average consumer is fed up with spam, and finally, some steps are being taken to help curtail it. Perhaps more pressure from a frustrated community could help to shut down additional spam servers worldwide, or perhaps a &#8220;Do Not Spam&#8221; list will eventually be created to spare our accounts from the onslaught. With annoying sales pitches, false advertising and identity-stealing scams peppering our email accounts daily, a change can&#8217;t come too soon.  </p>
<p><em>Sources for this article: </em><a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/11/17/AR2008111702531.html"><em>The Washington Post</em></a><em>. Photo courtesy of </em><a href="http://www.freedigitalphotos.net/"><em>freedigitalphotos.net</em></a><em>.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/in-the-news-a-small-respite-from-spam/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>The tried-and-true identity theft technique: Talking you into giving up your information</title>
		<link>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/</link>
		<comments>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/#comments</comments>
		<pubDate>Sat, 01 Nov 2008 19:16:15 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[deception]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[influence]]></category>
		<category><![CDATA[manipulation]]></category>
		<category><![CDATA[mitnick]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[spoofing]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=93</guid>
		<description><![CDATA[This week, I had the good fortune to see a presentation by Kevin Mitnick, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick&#8217;s very engaging lecture was [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px; border: black 1px solid;" src="http://privacycouncil.org/wp-content/uploads/2008/07/keyboard.jpg" alt="" width="290" height="168" />This week, I had the good fortune to see a presentation by <a href="http://www.mitnicksecurity.com">Kevin Mitnick</a>, the former hacker who now makes a living as a security consultant. I went into the talk expecting a 90-minute lesson on the latest tools and toys that hackers might use to steal my identity. Instead, Mitnick&#8217;s very engaging lecture was about a low-tech trick that hackers have used since hacking began, and that they continue to use today: social engineering. Simply put, good hackers can get the information they need simply by asking for it, bypassing technology entirely and focusing on the weakness of the human being.</p>
<p>Mitnick described how easily a hacker might call a company, ask for some seemingly-harmless information, and use it to get more sensitive information out of the company&#8217;s computers. He spoke about how smooth-talking tactics from someone who claims to be part of the company are sometimes all that&#8217;s needed to get to the important data, and that the criminals play on the fact that we as humans have an inherent desire to help others, even when we don&#8217;t know them personally. Mitnick painted a picture of a hacker (he used to be one of the best) who could simply use the staff directory information posted on a company&#8217;s website to call the right people, say the right things, and hang up with the keys to the kingdom. He made it sound both simple and widespread. The presentation left me and my fellow listeners a little stunned, and more than a little paranoid.</p>
<p>The main issue at the heart of social engineering tactics, Mitnick said, is that we as humans are trusting, helpful people. We don&#8217;t really believe someone could steal our identities until it actually happens to us. We don&#8217;t think to question it when &#8220;Bob from Accounting&#8221; calls for some simple information, even if we&#8217;ve never met Bob personally. And the helpfulness and trust don&#8217;t stop at work; Mitnick mentioned how <a href="http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/">nine out of ten people in London were willing to tell a stranger their password in exchange for a cheap pen</a>, and how others will happily disclose their pet&#8217;s name or the school they attended, forgetting that those questions are the same ones used to verify accounts online (Privacy Council posted <a href="http://privacycouncil.org/forgot-your-password-a-hacker-might-reset-it-for-you/">an article about protecting those security questions</a> in September).  Psychological manipulation, he noted, is easier than breaking into a computer system.</p>
<p><a href="http://privacycouncil.org/dont-take-the-bait-of-phishing/">Phishing</a> is one form of social engineering attack, since it tries to trick the victim into clicking a link in an email and giving away sensitive information. Phishing works because it often attempts to use fear and urgency as motivators, sometimes by saying &#8220;your account will be closed if you don&#8217;t click immediately.&#8221; More recent phishing attacks contain a phone number for victims to call to &#8220;verify&#8221; their information, but instead of calling the bank or other organization, the victim is calling the hacker. This combination of deception and manipulation can lead to disaster for those who trust it.</p>
<p>Mitnick did touch on some newer technology threats in his talk; for example, USB drives left lying around can contain malware that lets a hacker see and manipulate the computer desktop of whoever plugs the drive in. He also rehashed old-school hacking techniques, such as Dumpster diving (it&#8217;s amazing in this day and age that many companies still don&#8217;t shred sensitive documents before putting them in the trash). He handed out business cards that double as lockpick sets, and he played with Caller ID spoofing technology that allows a caller to fabricate the number on a victim&#8217;s Caller ID. He told tales of past hacks, both his own and those of other notorious hackers, and he engaged and entertained the crowd for nearly two hours. But everything he said and did served to bring home an important lesson: To have an adequate security system, companies and individuals have to have not just technology, but also people and processes that are prepared to handle all kinds of high- and low-tech attacks.</p>
<p>So how can you protect yourself and your company against social engineering? Don&#8217;t share your information unless you REALLY know who&#8217;s asking for it, and train your staff to do the same. Test your staff by calling and pretending to be someone else who needs data, and see how they respond. Also, don&#8217;t ever write down passwords and put them on Post-It notes on your computer screen or under the keyboard. Shred everything that contains information about you or your company, from credit card offers to company directories. Adopt a &#8220;less is more&#8221; approach to information-sharing. Don&#8217;t use your mother&#8217;s maiden name, Social Security number, or birthdate as the security answers on any sensitive accounts (SS numbers, birthdates, addresses and even mother&#8217;s maiden names are part of the public record in many states and can be accessed for a fee). Play your cards close to your chest, and you have a chance of protecting what&#8217;s yours.</p>
<p>There&#8217;s no way to avoid EVERY attack, and a talented hacker might still use a combination of technology and manipulation to gain information. But you can still try to be ready for the worst; if anything, think like a hacker, and don&#8217;t share your information unless you&#8217;re sure!</p>
<p>For more information about Kevin Mitnick&#8217;s services and books, visit <a href="http://www.mitnicksecurity.com">Mitnick Security</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/the-tried-and-true-identity-theft-technique-talking-you-into-giving-up-your-information/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Warning! You Might Be Fooled Into Clicking This Pop-Up</title>
		<link>http://privacycouncil.org/warning-you-might-be-fooled-into-clicking-this-pop-up/</link>
		<comments>http://privacycouncil.org/warning-you-might-be-fooled-into-clicking-this-pop-up/#comments</comments>
		<pubDate>Tue, 14 Oct 2008 00:04:51 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy Laws]]></category>
		<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[pop-up]]></category>
		<category><![CDATA[registry cleaner xp]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[warning]]></category>
		<category><![CDATA[washington]]></category>
		<category><![CDATA[windows]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=82</guid>
		<description><![CDATA[Have you ever been clicking your way through cyberspace, when suddenly, a very important-looking window pops up? It usually looks like it&#8217;s part of Microsoft Windows, and it says something like, &#8220;Warning! Your computer is at risk! Click &#8216;OK&#8217;!&#8221; Do you click on it? Is your computer really at risk? Is Windows trying to tell [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/10/registrycleanerxp.png" alt="Registry Cleaner XP" width="260" height="149" />Have you ever been clicking your way through cyberspace, when suddenly, a very important-looking window pops up? It usually looks like it&#8217;s part of Microsoft Windows, and it says something like, &#8220;Warning! Your computer is at risk! Click &#8216;OK&#8217;!&#8221; Do you click on it? Is your computer really at risk? Is Windows trying to tell you something?</p>
<p>By now, you&#8217;ve probably figured out where this is going: that pop-up is a scam, something known as &#8220;scareware.&#8221;</p>
<p>Those who DO click &#8220;OK&#8221; on the serious-looking window out of fear that their PC is actually in danger usually start a download of malware onto their hard drives. The program pretends to run a scan, telling the user that there are lots of &#8220;critical problems&#8221; with their computer that must be fixed. Of course, those mysterious problems do get fixed if the customer agrees to buy the full version of the repair software for roughly $40. The entire thing is an elaborate scam, one that is both illegal and incessant; one IP address appears to have received the pop-up at least 200 times in a single day.</p>
<p>It&#8217;s a &#8220;blatant rip off of consumers,&#8221; Washington State Attorney General Rob McKenna said, as reported on <a href="http://news.cnet.com/8301-1009_3-10053565-83.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20">CNET news</a>. He said that users were &#8220;duped into downloading a fake scan and then duped into paying for software they don&#8217;t need.&#8221;</p>
<p>These pop-ups have been around long enough for most of us to encounter one at least once, but now there is some news on the scareware front. Microsoft and the Attorney General&#8217;s office in Washington state filed or amended lawsuits last month against companies including Alpha Red, Branch Software, SMP Soft and Registry Update, all of which allegedly use the fake security warnings to scare users into spending money on a fix. In some of the cases, the defendants are listed as &#8220;John Doe&#8221; because the owners of the companies aren&#8217;t known. In the case of Alpha Red and Branch Software, James Reed McCreary is the owner named in the lawsuits. His Texas-based company sells a scam product called Registry Cleaner XP for $40. The lawsuits charge McCreary and the other companies with misrepresentation, harassment, and high pressure sales. The state of Washington seeks an injunction and undisclosed civil penalties from McCreary.</p>
<p>The lawsuits were made possible because of Washington&#8217;s Computer Spyware Act, which makes it illegal to create scary messages that appear to come from elsewhere (in this case, Windows) in order to terrify people into a software purchase. The Computer Spyware Act was put into place in 2005, and in that year, Microsoft and Washington state successfully sued Secure Computer (makers of Spyware Cleaner) for $1 million when they charged the company with using scareware pop-ups. The law was recently updated to include outlawing the sort of deception that McCreary and others allegedly conducted. The state has filed seven cases under the law since 2005, while Microsoft has filed 17 spyware-related legal actions in that time.</p>
<p>In the current case, consumers who have experienced the scareware ads can file their own lawsuits if they wish. Since many people have a healthy fear of a security breach on their computer, the messages work particularly well when the scammers play on that fear, suggesting that personal privacy and security are at stake. The defendants, if convicted in the current lawsuit, face fines of up to $2,000 per violation, plus restitution and attorney fees. We&#8217;ll keep you posted on the results and any future lawsuits brought against the companies.</p>
<p>So what should you do if the &#8220;Warning!&#8221; pop-up appears on your screen? Don&#8217;t click the red X in the upper right hand corner of the window, for one thing, says <a href="http://tech.yahoo.com/blogs/null/106286/scareware-pop-ups-prompt-lawsuit/">Christopher Null of Yahoo! Tech Blogs</a>. While it appears to be the same sort of button that makes the standard Windows box go away, remember that this isn&#8217;t a true Windows box. Clicking the red X might start the download of the malware. Instead, go to the task bar at the bottom of the screen and right-click on the pop-up&#8217;s bar to close it. Other than that, you can close and restart your Internet browser to make the pop-up go away.</p>
<p>Just don&#8217;t click &#8220;OK&#8221;&#8230; It&#8217;s anything BUT okay.</p>
<p>Sources for this article: Yahoo! News, <a href="http://tech.yahoo.com/news/cnet/20080929/tc_cnet/8301100931005356583">Yahoo! Tech News</a>, <a href="http://tech.yahoo.com/blogs/null/106286/scareware-pop-ups-prompt-lawsuit/">Yahoo! Tech Blogs</a>, <a href="http://news.cnet.com/8301-1009_3-10053565-83.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20">CNET news</a>, <a href="http://en.wikipedia.org/wiki/Scareware">Scareware</a>, <a href="http://seattlepi.nwsource.com/business/381079_computersuit30.html">Seattle Post Intelligencer</a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/warning-you-might-be-fooled-into-clicking-this-pop-up/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Clickjacking: Big Problem, Not Much Solution (Yet)</title>
		<link>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/</link>
		<comments>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/#comments</comments>
		<pubDate>Fri, 10 Oct 2008 20:37:26 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[clickjacking]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[web browsers]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=78</guid>
		<description><![CDATA[This week&#8217;s security threat: clickjacking.
Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. This is a crime in which hackers hide behind harmless-looking websites so that people who visit them might be [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/10/optical_mouse_shining.jpg" alt="Do you know where your clicks really go?" width="277" height="144" />This week&#8217;s security threat: clickjacking.</p>
<p>Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. In this crime, hackers hide behind harmless-looking websites so that people who visit them may accidentally reveal sensitive information to the hackers just by clicking around the site. Matt Hines of <a href="http://securitywatch.eweek.com/vulnerability_research/clickjacking_browser_attack_details_emerge.html">Security Watch</a> describes it like this: &#8220;Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and begin secretly forcing the client to click on any links they desired. Scary stuff indeed!&#8221;</p>
<p>Clickjacking is a vulnerability that&#8217;s widespread across every major web browser and Adobe Flash player. One recently revealed problem that can arise from clickjacking, for example, is that a hacker can remotely activate someone&#8217;s web camera and microphone without their knowledge via the Adobe Flash vulnerability. The ramifications of this sort of spying are powerful, and the industry is on high alert.</p>
<p>Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, discovered the vulnerability and were scheduled to speak about it at the Open Web Application Security Project NYC AppSec conference in New York last month. The talk was put off, however, until the various browser companies could take a stab at fixing the problem. There was no sense, after all, in tipping off hackers about the problem before there were solutions to be found.</p>
<p>So far, there is some success, albeit not as much as one might hope. The free Firefox add-on known as NoScript has been updated to combat clickjacking attempts. Italian developer Giorgio Maone calls the update &#8220;ClearClick,&#8221; meaning that it reveals anything that&#8217;s hidden or obstructed when a user tries to interact with a website. The ClearClick update stops the interaction from completing and points out the disguised content present, giving the user a chance to back away from the potentially dangerous content. But NoScript only works with Firefox and other Mozilla-based browsers, so what about Adobe Flash player, Internet Explorer and others?</p>
<p>Just the other day, Adobe released a <a href="http://www.adobe.com/support/security/advisories/apsa08-08.html">workaround</a> for the flaw in its Flash player in order to deny hackers access to web cams and microphones. The company promises to release a true fix by the end of the month. US-CERT and others suggest disabling browser scripting and plug-ins on our individual browsers, but that can limit the functionality of many websites, and it&#8217;s still not a comprehensive fix. Joe Wilcox of <a href="http://www.microsoft-watch.com/content/security/microsoft_weighs_in_on_clickjacking.html?kc=MWRSS02129TX1K0000535">Microsoft Watch</a> notes that Microsoft&#8217;s reaction to the clickjacking threat has been somewhat tepid, but perhaps with reason. One difficulty with software companies and how they address the threat lies in the fact that so little information has been released; while that&#8217;s good for avoiding exploitation of the flaw, it&#8217;s not great for assessing the true risk (although US-CERT&#8217;s warning is dire enough to take clickjacking seriously). One thing everyone can agree on: The problem is real, but there&#8217;s no easy fix, at least for now.</p>
<p>Sources for this article: <a href="http://news.yahoo.com/s/nf/20081008/bs_nf/62355">Yahoo! News</a>, <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9116800">Computer World</a>, <a href="http://www.pcmag.com/article2/0,2817,2332231,00.asp">PC Magazine</a>, <a href="http://www.adobe.com/support/security/advisories/apsa08-08.html">Adobe</a>, <a href="http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by">US-CERT</a>, <a href="http://securitywatch.eweek.com/vulnerability_research/clickjacking_browser_attack_details_emerge.html">Security Watch</a>, <a href="http://www.microsoft-watch.com/content/security/microsoft_weighs_in_on_clickjacking.html?kc=MWRSS02129TX1K0000535">Microsoft Watch</a>  </p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
