Viruses target social networks

Last week I fell victim to a virus. More correctly, I fell victim to a piece of malware / spyware. As I work in IT it didn’t cause too much of a problem, but it did make me take another look at the whole spyware problem.

The first thing that surprised me was that my current anti-virus/malware software had not picked it up. I’m a bit of a security control freak and actually run online, gateway, server and desktop AV, none of which detected or matched the patterns in this virus. The virus managed to set up its own proxy server on my machine, bypass my own proxy server, disable my local AV software and run a number of exe files that mimicked the Windows alert modules, telling me the system had detected a problem and offering to install software to help. In fact, even when I ran deep scans with Trend and Spybot Search and Destroy, 2 leading titles in anti-malware, they reported that my system was running normally with no viruses found. It was obvious that I did have a problem, in that there were around 160 exe files running and a new Windows Explorer window appearing every couple of minutes. It didn’t take long to do a quick Google search on the individual exe files and find something that could remove it.

The second thing that surprised me was how easily I almost fell for providing my credit card details on a machine I knew to be affected. After 2 days of working on my laptop, while the very time-consuming deep scans ran on my workstation, I was so pleased to have found something that promised to kill the virus once and for all that I very nearly went ahead and paid the $30 for an online license.

The third thing worth mentioning is how I fell for getting the virus in the first place. I guess it was a cross between a social engineering attack and a straightforward malware attack. In short, I got a message on Facebook inviting me to view a movie clip from a friend. This then took me to what looked like that person’s YouTube account, but where you would expect to see the movie playing there was a message saying that my version of Flash Player was out of date and to click to continue. The usual warning popped up before installing, all of which I clicked through, as it looked so similar to a genuine Flash updater. Next thing you know I’ve restarted and all sorts of pop-ups are saying a virus has been detected and linking to software products to purchase to remove this.

When you think about it, this is genius. The latest generation of internet users are very into social networks, but are much less tech savvy when it comes to security and protecting themselves. They are so used to clicking ‘yes’, ‘install’, ‘accept’, ‘I agree’, without reading anything of what they are actually agreeing to, that they are easy targets when it comes to installing harmful stuff, like malware and viruses. I myself am a classic example: busy day in the office and a box pops up asking me to agree to an update to software I trust from a person I know, and I say yes without a second thought.

It would seem that I am not the only one though; CNET this week reported on the Koobface virus currently hitting Facebook users, and there is no end of others popping up every day.


Who’s Responsible for Data in the Cloud.

While trawling through the internet I came across a couple of articles that made me think, about

The first one was on the BBC technology site and it talked about cloud computing and the US Patriot Act. This is similar to the UK’s anti-terrorism legislation, and as far as I can see it gives the US government the right to look at data stored in the States if they think that it might include information about terrorists.

You might be thinking, well, what does that have to do with me, I’m not an American, so what if the Americans can look at data within their own country. But what you have to remember is that many, many services like Amazon’s S3 data storage, Hotmail, SkyDrive and Gmail are all hosted in the States, so any data stored on these is covered by the Patriot Act.

What’s more, I bet that if they really wanted to they could make these laws extend to any data travelling through their network, so if you send an email, a Twitter message, a file or any other string of ones and zeros and it’s routed through the US or any other country, they would be at liberty to read that information and use it for whatever purpose they saw fit.

This got me thinking as a system administrator: if I’m storing data in the States and viewing it on terminals in the UK, do I need to adhere to both the UK’s Data Protection Act and any American version of the same act, or does the Data Protection Act only apply to data held on citizens of a particular country? If so, what laws do I have to adhere to if I have a mailing list which contains data from people in several different countries?

The second article I came across was something on TechCrunch about a German politician who had a legal ruling made to prohibit the local German version of Wikipedia from accessing information on the main Wikipedia database in Miami.

The focus of my thoughts here really is where does responsibility lie if an English company, say, has a website hosted in the US, but bought and paid for in the UK, and you want to take them to court to stop them from false advertising: do you pursue the UK company, or the US ISP hosting their data? And what if, for example, the banner ads you object to on the site are simply embedded links to data on a video server in, say, Germany? In fact the whole area of links seems quite complicated. If you, for example, display an RSS feed on your site from elsewhere on the internet and they say something that could be slanderous, are you also guilty of slander, and how does this work across borders? I mean, something may be deemed slanderous in one country but not another. There was talk yesterday that the German politician’s background in the German police was protected under German law, but does that extend outside of Germany?

What are your thoughts on this?


Are IP addresses personal data?

.net this month (April) has an interesting piece about whether our IP addresses should be regarded as personal information and protected under the Data Protection Act.

It would seem that this debate has been raging across Europe, if not the world, with the German data protection commissioner (Peter Schaar) telling the European Parliament that if a person can be identified from an IP address, then it has to be regarded as private. A recent French court, on the other hand, argued that IP addresses relate to specific computers or networks and not specific users, therefore they do not constitute personal data.

While it may seem an insignificant point whether an IP should be classed as personal data or not, it has a huge impact on the way search engines and webmasters collect data on who is accessing, and indeed how, their sites are being used.

Google’s spokesperson told .net that it “depended on the context”: where an ISP assigns an IP address to a user, and knows that user’s name and address, this may be considered personal data, but where an IP address is collected by a website simply as a statistic then it is not. Google store IP addresses for all users performing a search for at least 2 years to help improve their search statistics and accuracy.

The implications for all of the world’s websites and search engines that collect IPs for statistical purposes having to treat these as confidential data, and go through the data protection procedures to protect them, are huge.

Another huge implication will be to the peer to peer piracy police, where IP addresses are being used to identify, track and prosecute people illegally copying, sharing and publishing audio/video and software illegally.

This is a very grey area and I would imagine that the debate will go on for some time.


Data Security

Following the loss of 2 disks containing Customs and Revenue records of 25 million people, including names, dates of birth, bank and address details, there has been quite a lot in the press about all sorts of changes to the law to protect this data. This is quite confusing; as an IT manager I thought that the Data Protection Act already covered all of this data, and that the data should have been encrypted at the very least. I believe that if it had been a private company that lost the data they would have been in a lot more bother. I haven’t heard any mention of the police being called in to investigate (although they were called to help find the missing disks) or criminal charges being pressed.

What is more disturbing is that a recent survey by SafeBoot (admittedly they are a supplier of mobile data encryption tools, so they may be a little biased) showed that nearly 80% of public sector employees ignored their own data security policies and carry out insecure data practices. The survey also found that nearly 50% of private sector employees admitted to ignoring their data security policies.

Another survey, this time by Orthus (another security service provider, I know), found that 1/3 of data security leaks were down to IT staff.
