Get Safe Online (The Blog)

Yesterday, I went to the Get Safe Online summit at Somerset House, London. This annual event brings together security experts and partners from industry, government, civil society and law enforcement.

The speakers included the head of trust and safety at PayPal, his opposite number at HSBC, the head of e-crime at SOCA and Keith Mularski, a supervisory special agent with the FBI who had flown in specially to give a presentation on the sinister world of online criminals, including the infamous DarkMarket site which he himself had helped to bring down earlier this year.

What was striking for me was the extent, scale and organisation behind online crime. Criminality is now the root cause and driver of internet security problems.

At the same time, the speakers (and a subsequent panel discussion) underscored how easy it is to protect yourself. They’re looking for the path of least resistance. It’s much easier to install malware on an unprotected, unpatched PC or to con a naive user. An ounce of prevention is worth a pound of cure.

For more information

• Read about Get Safe Online Week 2008
• Download the 2008 Get Safe Online report

Sarah Palin, Governor of Alaska and would-be Vice President of the USA, had her email account broken into, according to media reports. (Hat tip BBC).

She was using a Yahoo! account. It seems that criminal hackers used publicly available information, such as her date of birth, zip code and other data from online databases to change the password on her account by pretending to be her.

This shows the danger of publishing too much information about yourself online. For example, does your Facebook page need your date of birth, phone number and email address?

Get Safe Online has lots of advice about social engineering, social networking, choosing strong passwords and protecting your privacy.

Nicholas Sarkozy, president of France, has been the victim of an internet bank attack according to media reports today (source: AFP).

It’s interesting that the thieves do not seem to be aware that they were stealing from a high-profile politician. After all, hacking the president’s bank account is likely to attract significant police attention. More likely, he was one victim among many.

Too often, when we talk about internet security, people say that ‘hackers aren’t interested in me. I’m not important’ In reality, internet criminals buy and sell personal details online in large numbers. They buy in bulk. Sarkozy is the exception that proves the rule.

A new study finds that viruses on websites increased fivefold in 2007. These new viruses lurk on websites, including legitimate sites if they have been compromised, and infect visitors.

As the number of sites increase and criminals become more sophisticated in using this type of attack, it will become increasingly important to protect yourself.

For more information about protecting yourself when you use the internet, visit Get Safe Online and, in particular, our advice on browsing the internet safely.

When Get Safe Online took over the old ITsafe alerting and warning service in July, we sent existing subscribers an email and also published a message on this blog to explain the changes.

However, I’ve had a few questions by email which must be representative of wider concerns. So, I thought it would be useful to put together an FAQ.

Where has the ’safe word’ gone?

ITsafe used a ’safe word’ so that you knew the alerts were authentic and not sent by an imposter. In practice, this caused a great deal of confusion because many people thought that the safe word was a password and were confused when they received emails containing their ‘password’.

In addition, we are using a new email system and implementing the safe word feature would have delayed the introduction of the service unnecessarily.

We don’t store any personal information other than your email address so we can’t use anything else such as your name or address to authenticate emails.

How can I verify the authenticity of your alerts?

It’s easy. Just check the original alert at www.getsafeonline.org/go/itsafe. When you’re ready, we also recommend switching to the RSS feed instead of relying on emails.

Why don’t you use OpenPGP, GnuPG or similar for verification?

In an ideal world, this kind of encryption and authentication would be widespread, well understood and easy to use. But it’s not. For the vast majority of our readers, it would be a barrier and a distraction. The techie-minded users who would understand it and benefit from it are savvy enough to get authenticated alerts from other sources such as RSS feeds. We will continue to review this question but our ultimate goal is to encourage users to transition to the RSS feed rather than rely on email.

As an aside, similar services around the world work in the same way. For example, De Waarschuwingsdienst in Holland or US-CERT in the USA.

Why has the format changed?

Previously, ITsafe alerts were drawn from government sources and edited by human beings. Now we use an automated system to filter and repackage alerts provided to us by the Government’s Centre for the Protection of National Infrastructure (CPNI). This ensures that they are sent out as soon as possible.

How do I unsubscribe?

Use the online form or the unsubscribe link at the bottom of any alert email.

I thought I had unsubscribed but now I’m getting emails again?

This sometimes happens if emails sent by the old system were blocked by a spam filter. We’re using a new email sender so they may start coming through again without being blocked. Feel free to unsubscribe (though we’ll miss you).

The alert I received is a bit too technical for me - what do I do?

Each email alert contains a link to a more detailed source of advice, typically from the vendor or software company that first reported the problem. This will usually contain instructions for protecting yourself.

GetSafeOnline.org has lots of useful information about protecting yourself in less technical language, including advice about keeping your computer up to date.

A new survey by Credant Technologies found that Londoners forget over 100,000 mobile phones a year in taxis. The figures are based on interviews with cabbies themselves who reckon that passengers spend up to half their time in the back of the cab catching up with calls or emails.

Also left behind in London’s famous black cabs: a sawn off shotgun, false teeth, artificial limbs, 12 dead pheasants, a casket of funeral ashes and (in one interview I did a few years ago) a bag containing £100,000 worth of diamonds.

With so much personal data being stored on mobile phones, losing one is a potential disaster. It pays to protect your mobile phone.

Colin Wells gets 44,000 spam emails a day. 44,000! A day!

And, according to anti-spam company ClearMyMail, the UK is the source of 19.7 percent of it.

When people’s computers are infected with a virus, they often turn into spam-sending factories. This is one reason why it is vital to protect your computer against malware.

(Hat tip: IT Pro)

Get Safe Online has just taken over the ITsafe alerting and warning mailing list and we’re using a new system to send out emails.

Today we discovered a technical glitch that meant we sent out the same alert three times. We’ve fixed it and it won’t happen again.  Sorry.

The second Tuesday of every month is always a red letter day for people in IT security. It’s when Microsoft releases their monthly batch of patches and updates. August is no different. We expect to see seven critical patches and five important fixes released today. 

Sign up for our warnings and alerts service to get timely notification of security issues (including Microsoft updates).

At the same time, be wary of acting on emails that purport to offer an update to Internet Explorer 7 (IE7). Several readers have written in to ask if they are genuine. Alas, no. For more information about safely updating your PC, read our advice on GetSafeOnline.org.

There’s a good article in the latest edition of The Atlantic.  It summarises the FBI’s latest Internet Crime Report.

• The FBI receives around 200,000 online crime reports a year.
• Fraud on auction sites like eBay caused the most complaints.
• Some of the most expensive crimes were investment fraud ($3,548 per incident) and advance fee fraud ($1,923)

One interesting observation is that social networking is the occasion for a rising number of scams.

Connecting an unpatched, out of date Windows PC directly to the internet is a bad idea, according to Lorna Hutcheson from the SANS Internet Storm Center. (Hat tip: Slashdot.)

If you do, the odds are that your computer will be infected by malware within four minutes. Other reports suggest you might have more time and a hardware firewall, such as an internet router with a built-in firewall, can give you extra protection.

So what to do about it?

First, read GetSafeOnline.org’s advice:

• Use a firewall
• Get the latest Windows updates
• Install anti-virus software

In addition, SANS publish helpful guides to setting up new PCs, whether they run Vista or Windows XP.

With effect from 15^th July 2008, Get Safe Online will operate the ITsafe Warning Service using government-sourced information.

Get Safe Online is a joint initiative between the government, the Serious Organised Crime Agency (SOCA) and private sector sponsors from the worlds of technology, retail and finance to help individuals and small businesses protect themselves against internet security risks.

Existing subscribers will notice some minor differences after this date, but the service will remain fundamentally unchanged.

The main differences are:

1. The “From:” email address for future messages will change from noreply@itsafe.gov.uk to itsafe@getsafeonline.org.
2. Emails will not include the “ITsafe Word” any more. You can verify alerts by visiting the website.
3. ITsafe had three different types of information: alerts, warnings and news. Get Safe Online will merge the three types into a single feed online, by email and RSS.
4. The messages may use a different format, but the underlying information is still sourced from within HM Government.
5. The supporting web pages will be hosted at http://www.getsafeonline.org/go/itsafe. If you go to the old ITsafe.gov.uk site, you will automatically be forwarded to the new site.