NCHCPL Reader

Friday, May 27, 2005

Security Briefing #4

Phishing Gets Sophisticated

First, a cautionary tale:

Chris Prosise, a security consultant and VP at Foundstone (www.foundstone.com) shared a recent case history.

He told the story of an attorney who'd been defrauded $50,000 from her online bank account. It seems she logged into her account one day last summer and discovered that $20,000 had recently been transferred out of the account without her approval. She immediately called the bank and alerted them to what she believed was a security problem at their end. The bank changed her password and login and told her the new password and login over the phone. The bank also called in Prosise's company to do an immediate security audit to find out if the problem was at their end -- or if the woman had unwittingly given others access to her account. The woman logged into her bank account, using the new password and login and was reasonably satisfied the problem was behind her.

But when she logged into her account again later that day, she discovered that another $30,000 was missing.

So how did this happen? How did the intruders get her brand new password and login so quickly? Was her phone tapped? Was there an insider at the bank aiding the criminals?

A few background details:
--She was using a home computer, connected via dialup to the Internet --She had never logged into her online bank from anywhere but her home computer --She did not own a laptop computer and had never used any wireless networks --She said she had never responded to any bank or eBay phishing emails --She said she was very careful with her password and login and had never shared them with anybody or stored them on her computer --She was using a firewall and anti-virus software.

Since this message has 'phishing' in the title, you may have guessed that that's what happened -- she gave away the information as result of a phishing request.

If that was your guess -- you're right. But she didn't respond to the type of email we talked about in our last message. Instead, she followed what looked like a legitimate link to a legitimate website that she regularly visited.

The phishing she was hit with represents a new type of attack, one that's targeted at a specific audience. She was a real estate attorney. The site she visited was a professional real estate site aimed at real estate attorneys. The message looked like so many of the other messages the site sends out regularly to alert users of new content. She followed the link in the message, just as she had many times before. The regular site (actually a hacker's duplicate of the site) opened when she clicked the link in the email message. She read the page and thought nothing more of it.

What she didn't know (aside from the fact that this was a duplicate of the legitimate site) was that when she loaded the page, that page installed trojan software on her computer. (Yes, websites CAN install software on your computer.) This trojan software included a keylogger and an itty-bitty email program. A keylogger is a program which records keystrokes and mouse clicks. When she logged into her online bank, the keylogger recorded the password and login and emailed them to a recipient in Romania. Once she logged out, the Romanian logged in and transferred money to his account.

Note: even though the bank was using secure web pages (https://) the keylogger got around that and was able to record the information. So, don't think that using a secure site means you are secure.

So how can we protect ourselves from such attacks?
  1. Use a firewall and anti-virus software and keep them up to date. (It's possible that neither would have stopped this attack, though, since most AV software doesn't detect trojans and the installation program could've slipped by the firewall.)
  2. Keep Windows and Internet Explorer up to date and patched at all times. (Yes, Mac users, these kind of attacks have so far only been detected on Windows machines. But, most security analysts agree that as Macs gain popularity, they too may become targeted.)
  3. Don't use Internet Explorer. (My next Security Briefing installment will try to convince you to folow this advice.)
  4. Never follow links in email messages. Even if you trust the source. Another alternative to this would be to have your email software NOT display HTML messages. The message this woman received (as well as all those eBay and bank phishing messages) use HTML because with HTML you can do things like disguise web addresses. I'm hesitant to recommend this because so many legitimate organizations are now sending email in HTML and disabling this feature would make those messages very hard to read.
Another Note: Some of you may be wondering if the keylogger could've snagged the password and login had she cut and pasted her password into the login page instead of just typing them is. The answer is, 'yes, probably.' Most keyloggers can also catch data that's cut and pasted.

Next Security Briefing: Why You Should Not Use Internet Explorer.

Thursday, May 26, 2005

Security Briefing #3 - Phishing

Phishing

From Dictionary.com - Definition:
The practice of luring unsuspecting Internet users to a fake Web site by using authentic-looking email with the real organization's logo, in an attempt to steal passwords, financial or personal information, or introduce a virus attack; the creation of a Web site replica for fooling unsuspecting Internet users into submitting personal or financial information or passwords.

EMAIL CONS: PRE-CURSORS to PHISHING
You've probably seen email con messages. Although not officially 'phishing,' they marked one of the first uses of the Internet and email to defraud people. Usually, these messages pretend to be from someone claiming to need help in transferring a large amount of money from a foreign bank. Usually the author promises (in fake broken English and LOTS OF CAPITALIZATION) that in exchange for your assistance in getting money out of their country, they will give you a cut of the stash. There's usually a hint at illegality or, at the very least, a need for 'URGENT CONFIDENTIALITY.' Normally, the goal is to get you to wire the sender cash or provide them with enough data so that they can steal your identity. Some of these messages may actually be from the third-world country they claim. (This is actually a very profitable cottage industry in Nigeria, although it's frowned upon by their government.) Others are copycat criminals, right here in the U.S. or in Eastern Europe or China. Most of these messages rely on you replying to the email or calling a phone number to begin the transaction. I seriously doubt that any of us have fallen for these ploys. But the rule here is to never give out personal information to strangers. Even if they promise you a cut of their 'US $15.5M.'

Do these scams work? Yes. More info can be found by Googling 'email hoax', 'Nigerian hoax' or 'Nigeria 419' (419 is the id for the Nigerian criminal code written to combat this type of fraud.)

PHISHING, eBAY STYLE
The next level of Phishing is a bit sneakier. The sender, pretending to represent a bank, eBay, PayPal or some other financial institution, sends you an email to alert you that someone else has either charged merchandise to your account or somehow compromised your account's security. Or they may be telling you that it's now time to update your account information. Some of these are pretty slickly done. They'll use the same fonts, graphics and even language and phrasing that the legitimate site uses. Occasionally, you'll see a misspelling or typo, though. (A recent 'eBay' message I received had a subtle clue: it mentioned that if I didn't update my information immediately, it would later cost me a 'fee of 350 $.' Why would a U.S. company write a currency amount like that, in European style?)

In this style of phishing, the sender will give you a link to follow to fix the alleged problems. If you follow that link, (BUT DON'T DO THIS) the page you see will look and feel like the real financial institution's site. And if your browser software isn't patched for the latest security exploits -- the location shown in the location bar at the top of the screen may appear to be the legitimate one. For example, Bank One's real online banking address is www.bankone.com.
Let's say I get a phishing email pretending to be from Bank One and I follow the provided link. Once I reach the page (If I have a vulnerable version of Internet Explorer) the location in the location bar may read 'http://www.bankone.com' -- even if the site is actually hosted on a hacker site in Eastern Europe and has an entirely different address.

A few things to learn from this:

  1. Keep your browser / computer / operating system up to date.
  2. Never follow a link sent to you in an email address. I know this sounds extreme, but this is the safest route to take.
    (Maybe I can convince you to follow this rule once you read the next installment of these security briefs: Phishing Gets Sophisticated.)
  3. Financial institutions will NEVER, NEVER contact you via email to get information from you. Visit PayPal or the eBay site or any online bank and you'll find the same disclaimer. Any such contact must be initiated by you. They will NEVER ask you to update your information via an email message.

If you view an suspicious email's header information you can get some information about the real source of the message. Some of the information in the header may be faked -- but there's one thing that can't be altered - the sender's IP address. You won't be able to tell who really sent the message (most phishers either move around, switching ISPs almost daily, or they know how to obfuscate their real location.) But, by looking at the header you will be able to tell who the message is NOT from. Example: This week alone, I've received about a dozen messages purportedly from eBay telling me my account information needs verification. If I look at the header information for any of these emails, I should see an IP address. (Your email software will have a menu choice saying something like 'view long headers' or 'view full headers,' so that you can view header information.)
Here's a sample header from one of these suspicious 'eBay' messages:
From: security@ebay.com
Subject: eBay Verify Accounts
Date: May 17, 2005 1:57:54 PM EST
Reply-To: security@ebay.com
Return-Path:
Received: from ebay1819.com (host-193-108-235-10.hfc.pellin.ro
[193.108.235.10]) Mime-Version: 1.0
Content-Type: multipart/related; boundary="29a61181-8f6b-4b7a-afa8-
da0d227399f8"
Content-Length: 4981
Look at the line labeled 'Received:'
Notice, there is a mention of 'ebay' on that line. But that part can be faked. You'll notice a number -- [193.108.235.10]-- listed twice in that line. That's the IP number used by the computer which sent the message. Again, you're probably not going to be able to find the original sender using this number, but you will be able to tell if this is really coming from eBay. How? Go to the American Registry for Internet Numbers: www.arin.net (OK, given what I said above, don't follow this link. Type it into your browser.)
When you get to the ARIN site,
Type in (or cut and paste) the IP number from above into the 'Search Whois' field.
You'll get the following:
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
Since the search pulls up an address in the Netherlands, this definitely is not eBay. In fact, the site lists RIPE (the European counterpart of ARIN).
The fact that the sender's IP address is listed in RIPE means the sender was sitting at a computer somewhere in Europe when they sent the email to me.
ARIN is only one of five Regional Internet Registries (RIRs) sites where you can conduct a "WhoIS" search to look up IP addresses. (See the whole list below.) All work about the same: you type in an IP address and the site spits out whatever relevant information it has about the number. Sometimes it has a lot of information, including contact people's names and phone numbers and sometimes it has nothing. Sometimes you have to search multiple sites for an answer, because each registry corresponds to a different area globally. But, the fact that our number was not in ARIN (which lists North American websites), and eBay is headquartered in California, means this email did not come from eBay. If a number doesn't show up in any of these
registries, that, too, is a very good sign that your email was not legitimate. Not all numbers are in these registries, because data has to be voluntarily submitted by the organization which owns the IP address. And not all domain registrars do this. But just about all legitimate businesses -- especially those concerned about Internet security, like banks and eBay -- are listed in the registries.


Does phishing work? According to the May 2005 issue of Community Banker (Found through INSPIRE), phishing scams have led to losses of more than $3 billion since April 2003. And phishing attempts have increased by 400% in the past six months.

Next Security Briefing Installment: Phishing Gets Sophisticated.

Regional Internet Registries:
APNIC
Asia Pacific Network Information Centre
www.apnic.net
ARIN
American Registry for Internet Numbers
www.arin.net
LACNIC
Latin America and Caribbean Network Information Center www.lacnic.net
RIPE NCC
RIPE (Réseaux IP Européens) Network Coordination Centre www.ripe.net
AfriNIC
African Network Information Centre
www.afrinic.net
Other Whois Registries:
United States of America
Department of Defense
Network Information Center
http://www.nic.mil/dodnic/
Name.Space
(A commercial domain name registry company) name.space.xs2.net/

Wednesday, May 25, 2005

Security Briefing #2

Wireless Security Part 2

If you have a home wireless network you should take the time to set it up securely. Make sure you have a personal firewall installed on all computers on your home network as well as up-to-date anti-virus software. Make sure you do Windows updates, if you have Windows computers.

Home Wireless Networks Best Practices

You will need to view the documentation that came with your wireless WAP/router in order to do many of the following tasks. You can also go to the manufacturer's website or Google 'home wireless security' for more info.

Glossary:
WAP: Wireless Access Point. The hardware the broadcasts your Internet connection via radio waves.
WEP: Wired Equivalent Privacy. The earliest attempt at wireless security systems, flawed at best.
WPA: WiFi Protected Access: the current, and more secure wireless security system.
VPN: Virtual Private Network. The ability to create a 'private' network over the Internet. On a wireless network, it can give you the same privacy you would have had your computers been connected by cable, in the same building.
MAC: Media Access Code. Unique identifier hardcoded onto all Internet- connected hardware, including network cards, WAPs, routers.

  1. Buy the most recent, most secure wireless hardware you can afford.
    You can buy Wireless Access Points for under $50 which will allow you to set up a wireless network very quickly and easily. But, setting up a WAP to be secure can be difficult. Although they are pricier, if you can afford the pricetag (roughtly $200?) you should really consider getting a Wireless Access Point that can also act as a router or getting both a Wireless Access Point and a router. A router can set up a firewall and provide some built-in security.
    Things to look for in a Wireless Access Point:
    --Router capabilities
    --Built-in Firewall
    --WPA security
    --802.11g standard
    --VPN (Virtual Private Network) capabilities.
  2. Restrict broadcast of your SSID. The SSID is the name of your wireless network. If you don't publish or broadcast this, it's harder for outsiders to find your network. (Not impossible, though). See your documentation on how to NOT publish this. By default, most wireless routers will broadcast the SSID, advertising your network's presence to the world.
  3. Change the name of your SSID to something other than the default name. Even if you don't broadcast the name, it's possible for people to 'see' your network. If you've kept the default name, all they have to do is go through a list of common default names and they've found you. You want to avoid the default names like 'linksys' or 'apple'
    and avoid generic things like 'wireless.' You also want to avoid easily guessible things like EllisNetwork (people can always get your name off your mailbox on the curb). Change this SSID on a regular basis.
  4. Change the default password provided by the manufacturer on the access point or wireless router. IF you don't, anybody can break in after taking a quick visit to the manufacturer's website and going to the Support area. Most manufacturer's publish their default passwords.
  5. Place the access point or router in the center of your home and not near a window or exterior wall. Check the range (with a wireless laptop) Can you reach the network from your front yard or from down the street? If so, you need to be extremely vigilant about safeguarding your network.
  6. Restrict MAC addresses. Your WAP/router will allow you to restrict which computers can connect to your network by identifying their MAC IDs. This is not Apple related, this stands for Media Access Code. Every Network Card that connects to the Internet has a unique identifier -- the MAC -- which is hardcoded onto that card. By limiting access to only computers you 'know,' you will be providing a small amount of security. But don't get smug -- it's very easy for somebody who's already attached to your network to 'impersonate' an allowed user by taking on (spoofing) their MAC address. The intruders would, however, need to know what your MAC addresses are already. If they've already been on your wireless network, this is extremely easy to get and to impersonate.
  7. If you have an older (801.11 a or b) router and net cards, set up WEP. Most people don't do this because it's a pain to get right. And there's the added bonus that it's easily crackable. You should try, though. See your router documentation for details. WEP requires the WAP and each network card that attaches to the wireless network to exchange 'passwords.' Once set up, it will protect your data from packet sniffers (software that can eavesdrop on internet traffic). But, it's extremely easy to crack.
  8. If you have a newer (802.11 g) WAP/router, use WPA. This is a bit more difficult to set up but is more secure. Again, it relies on a 'passwords' scheme between the WAP and network cards to access data, but the encryption is more secure. See your WAP/router documentation for details.
  9. Once you buy your equipment - be aware that it, just like your software, will need to be updated occasionally. Example: Netgear sells a WAP/Router with VPN capabilities for which a recent exploit was found. The exploit allows hackers to very easily get your router's administrative password (meaning they can turn off the firewall, add themselves to the network, shut you out...). If you were using this particular router and hadn't upgraded to the latest firmware, you'd be at risk. Go to the manufacturer's website for more details about your own hardware.
  10. Turn off shared resources. Don't have Windows share printers, files or folders without any password protection.
  11. Turn off unused services. Don't run FTP or Telnet services.
  12. Set up a Virtual Private Network. Unless this ability is built into your WAP/router, this can be a daunting task. There are some Open Source tools that will allow you to do this on your own (Even with older equipment). But this can be a daunting task, even for system administrators.

Tuesday, May 24, 2005

Security Briefing: Wireless Networks

The following security briefing is provided by Kathy Ellis, INCOLSA Systems Specialist. Kathy has been sending out security briefings via email in installments. I thought they are very helpful information that our library community would find interesting.

Wireless Security Part 1

It is understood that you already should have a personal firewall and updated anti-virus software on your computer before even considering joining a wireless network.

When connected to wireless networks, be very, very careful. This includes any type of public access... whether you are in a hotel, on a university campus, at the airport, ballpark or in a coffee shop. And it doesn't matter whether you are paying for or getting free wireless service.

If you have a home wireless system and you haven't followed the Home Wireless Network Best Practices (which will be outlined in the next Security Briefing), you are vulnerable, too.

If you live in an apartment or multi-unit dwelling or even if you live in a free-standing home, be aware that the range of your wireless service can extend beyond your walls and be available to your neighbors. If you have a laptop equipped with a wireless card, take a walk outside your front door with it and see how far your range goes.

In a public environment (or unprotected private network), it is possible for others to 'hijack' your connection without you even knowing it. All they need is a laptop with a strong signal and a few pieces of freely-available software. In effect, another person can 'watch' everything you type and even change the information on web pages you are viewing. They are probably not going to be able to read data off your hard drive, but they will be able to grab data you send or receive, while it is in transit.

You never, never want to enter secure data into your computer while on a public (or insecure private) wireless network. This includes: credit card information, online banking information or your social security number. Don't buy things online when you're at a Starbucks or any other public network. You should never do online banking at such a locale. Even if the site you visit is protected by SSL (https:// pages) you are still vulnerable to eavesdropping or hijacking. And the person doing the hijacking doesn't need to be sitting right next to you. They could be in an apartment above the coffee shop.

If you are going to sign up for a paid-for public wireless network (such as at an airport or coffee shop) it's a really bad idea to transmit your credit card over this wireless network in order to sign up. I realize this is a real catch-22. How can you sign up without transmitting your card info when asked? One way is to do homework ahead of time and see if you can sign up online before you leave home. Some will let you call a toll-free phone number.

You also want to be careful about sending and reading email at such locales, as it too can be read by outsiders. Don't type anything you wouldn't want anybody else to see, including password or credit card information. Outsiders probably won't be able to read what's on your hard drive, but may be able to 'snag' message information as it travels from your PC to the net.

So, the rule of thumb on wireless networks is to be aware that others may be listening. Don't let them hear anything you don't want them to hear.

NEXT BRIEFING: Best Practices for a Wireless Home Network



Monday, May 23, 2005

Upcoming Library Closings

The library will be closed on Sundays beginning Sunday, May 29, until after Labor Day.

The library will be closed on Monday, May 30, for Memorial Day.

Friday, May 20, 2005

Go Where the Experts Go

When you need reliable, verifiable, quantifiable, accurate information, go to www.inspire.net, Indiana's online research library.

INSPIRE.NET brings access to full text articles from over 75 national and international daily newspapers, 4000 professional journals and research-driven periodicals to help Indiana move ahead and keep up with our competition.

Not only does access to INSPIRE.NET help students and those in our universities and colleges stay current with latest developments and technologies, INSPIRE.NET is also an extremely effective tool for growing businesses.

INSPIRE.NET is available 24 hours a day, seven days a week. Indiana residents can access INSPIRE.NET from their library, school, workplace, or home!

Thursday, May 19, 2005

Today in History

What happened on this day in history? Find out at Today in History from the Library of Congress American Memory historical collection.

"Today in History mines the American Memory historical collections to discover what happened in American history today...and every day."

If something from this day in history catches your eye and sparks you imagination, check out what your NCHCPL library has to offer to help you learn more about it.

Friday, May 13, 2005

Construction Pictures

Construction continues at the library.




Tuesday, May 10, 2005

Children's Author Comes to Library



Author Terry Reeves will visit the New Castle-Henry County Public Library on Tuesday, May 17, at 6:30 p.m.

The event is part of the monthly series of Family Night Story Time programs and will be held in the library's auditorium.

Reeves recently released his book Six Little Kitties, which was illustrated by his granddaughter Amber Wetherell. The book is based on a true story about orphaned stray kittens who came to the author's childhood home, and features optional endings, repetition, anticipation, and counting.

During his visit, the author will share from and about his book and talk about his upcoming books.

Register here or call 529-0362 ext. 366.

Friday, May 06, 2005

Spring Cleaning Tips

Now that Spring has returned, you may feel the need to start cleaning. For tips on how to make your house sparkle and shine check out these cleaning tips for your home.

Thursday, May 05, 2005

Self-Checkout Use Increases






You may have noticed that one of the features of the new library is a self-checkout station located on the second level.

For the month of April, 17% of the 21,971 items checked out from the library were checked out by patrons themselves using the self-checkout machine.

Try self-checkout today!

Library Offers Free Computer Classes

The library is offering two free computer courses during the month of May.

In the "Learning the Library Catalog" workshop, participants will learn how to use the library catalog features, how to conduct an effective search of the catalog, and how to use "My Account" functions such as renewing and reserving materials. Two sessions of the same class will be offered on Thursday, May 12, at 1 p.m. and Wednesday, May 25, at 3 p.m.

Three sessions of the same "Introduction to the Internet" class will be offered on May 17 from 10 a.m. to noon, May 18 from 1 to 3 p.m., and May 19 from 3 to 5 p.m. This class provides basic information about the daily use of the Internet including e-mail basics and how to avoid viruses. Questions concerning the Internet will be covered.

Register for these classes by calling 529-0362, ext. 310, stopping by the main desk at the library, or logging on to www.nchcpl.org.

Wednesday, May 04, 2005

Need to do research?

Try the Encyclopædia Britannica Online, available from the library's website.

Encyclopædia Britannica Online includes the complete encyclopedia, as well as Merriam-Webster's Collegiate Dictionary and Thesaurus, Britannica Student Encyclopedia and the Britannica Book of the Year. You can also use Encyclopædia Britannica Online to search an Internet directory that includes more than 300,000 links to Web sites selected, rated, and reviewed by Britannica editors.

Through this service, you can find more than 118,000 articles, updated and revised by Encyclopædia Britannica editors and contributors; over 14,000 illustrations, including photographs, drawings, maps, and flags; and more than 215,000 entries--including definitions, pronunciation guides, and word histories--from Merriam-Webster's Collegiate Dictionary and Thesaurus.

Advanced search and navigation capabilities and the power of the Internet make Encyclopædia Britannica Online an invaluable reference and research tool.[1]

[1] "About Encyclopedia Britannica Online." <http://www.search.eb.com/help/about> [Accessed May 4, 2005].

Monday, May 02, 2005

Spring Fun for Teens @ the Library

Celebrate Cinco de Mayo on Thursday, May 5, at 4 p.m. by making a Mexican Tin Ornament craft and enjoying chips, salsa and queso.

The May Teen Movie is Lemony Snicket's: A Series of Unfortunate Events, which will begin at 4 p.m. on Wednesday, May 11.

Get Your Game On! Teen Game Times is on Thursday, May 26.

All activities will be held in the future teen room, near the Audiovisual Department. For more information, or to save your seat, click on the calendar link or call Angela at 529-0362, ext. 313.