Now, this is really nobody’s fault, but it is notable. On the same page as a TimesUnion.com story about the theft of personal information at St. Peter’s Hospital here in Albany was a banner ad for their biggest competitor, Albany Medical Center.
The ad should have said – “Don’t go to the place where your personal data is stolen by a file clerk – Go to the place where the same thing could probably happen, but hasn’t yet.”
I refreshed this page 15 times for good measure, and saw the Albany Med ad twice, an ad for Ellis Hospital’s Mother of the Year program, and the rest of the ads were not related to medicine or hospitals.

A client of ours sent this over to me today asking if it was legitimate or not. We get questions like this quite often, and we always tell folks to reach out to us in moments of doubt, rather than doing something potentially harmful. We’re always, always glad you asked. Here’s what was sent over this morning.
-----Original Message-----
From: C Web Mail Team [mailto:webmailteam@webname.com]
Sent: Tuesday, April 13, 2010 8:00 AM
Subject: Attn: webmail Owner
Attn: webmail Owner
We just confirmed that you have not upgrade to the new web-mail version. That is why we are sending
you this massage to upgrade your account now. This is because we are preventing your web-mail from
closure. And also we have notice that your mail have been used for send spam mail to other mail.
To prevent your account from this you will have to send a verification massage so that we will
confirm from our computer system that you are the rightfully owner of this mail and also to upgrade
your account to the version. To upgrade your account you have to send us the following information
so that we can upgrade as soon as possible.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email User name : ……….
EMAIL Password : ………..
Date of Birth :………….
Last login:……………..
Warning!!! if you refuse to send this information to us within (1) weeks of receiving this warning you will
lose your account. Warning Code: PX2G99AAJ
Thank you for using webmail
………………………………………………..
NOTE: This message is authorize by the webmail Project email account protector unit.Notification message will be send back to you after verifying your account before account could be reset.
C All right reserve.
This is a common occurrence, and a nasty potential threat, so let’s look at how this plays out. Someone – let’s call her Janice – receives an email asking her to click on a link, submit personal information, reply with answers to questions and so on, all in the name of making sure something bad doesn’t happen to her. The lure might be the protection of her bank account, the continuity of her webmail access, or a shiny opportunity like free tickets or an iPod. The request is presented in a manner ambiguous enough to keep Janice from dismissing it out of hand. If it were something more cartoonish, like a Viagra solicitation or an invitation to a gambling web site, Janice might have been able to click ‘delete’ and move on.
In this case, Janice is left to wonder – should she or shouldn’t she. Should she send her birthday, password and username to the system administrator or not? What if her webmail access was turned off? How would she re-activate it?
We hope that Janice and everyone else will consider a third option – ask for help. We can quickly answer the question for you. Avoid, avoid, avoid complying with requests like this, no matter how legitimate they might look. Just ask us. We can help you stay out of hot water.
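The cues that give the message above away (a password requested by reply, a threat of account loss, a deadline) can be checked mechanically. The following is an added example, not part of the original post: the signal patterns, the `triage` function and its verdict labels are assumptions chosen for illustration, and the benign and pressure-only messages are constructed.

```python
import re

# Signals drawn from the message quoted above. The patterns and the decision
# rule are assumptions made for this example, not a vetted mail filter.
SIGNALS = {
    "asks_for_password": re.compile(r"\bpassword\s*:", re.I),
    "asks_for_personal_data": re.compile(r"\bdate of birth\b|\blast login\b", re.I),
    "reply_with_information": re.compile(
        r"\bsend (us )?(the following|this) information\b", re.I),
    "threat_of_loss": re.compile(
        r"\b(lose your account|closure|suspend(ed)?|deactivat\w+)\b", re.I),
    "deadline": re.compile(r"\bwithin\s*\(?\d+\)?\s*(hours?|days?|weeks?)\b", re.I),
    "generic_greeting": re.compile(
        r"\b(attn|dear)\b[:,]?\s+(webmail |account )?(owner|user|customer)\b", re.I),
}

def triage(body):
    """Return (verdict, matched signal names) for one message body."""
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(body))
    solicits = {"asks_for_password", "reply_with_information"} & set(hits)
    pressure = {"threat_of_loss", "deadline"} & set(hits)
    if solicits and pressure:
        verdict = "credential phish"   # asks for secrets and applies pressure
    elif solicits or pressure:
        verdict = "needs review"       # one half of the pattern only
    else:
        verdict = "no signal"
    return verdict, hits

# Excerpt of the message quoted above (filler dots shortened).
SAMPLE = """Attn: webmail Owner
We just confirmed that you have not upgrade to the new web-mail version.
This is because we are preventing your web-mail from closure.
To upgrade your account you have to send us the following information
Email User name : ..........
EMAIL Password : ..........
Date of Birth : ..........
Warning!!! if you refuse to send this information to us within (1) weeks
of receiving this warning you will lose your account.
"""

# Constructed messages for contrast.
BENIGN = ("Hi Janice, the webmail upgrade is scheduled for Saturday. "
          "No action is needed on your part.")
PRESSURE_ONLY = ("Your mailbox is almost full and will be suspended "
                 "within 3 days unless you archive old mail.")

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("benign", BENIGN),
                        ("pressure only", PRESSURE_ONLY)):
        print(label, triage(text))
```

A "needs review" verdict is the automated version of the third option: hand the message to someone who can check it.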
Nuff said.
From Info World and Network World come great pieces on this must-read tale about schools spying on students. It stems from an unbelievable story from the Lower Merion School District near Philadelphia. See if this summary gets you to read more.
School gives kids laptops with web-cams.
School doesn’t tell kids or parents they are monitoring the video from these web-cams.
School administrator sees kid eating Mike and Ike candy, doesn’t realize it’s candy, thinks the kid is popping pills.
Administrator brings kid into office to confront kid on what the administrator believes to be illegal drug use.
Massive lawsuit ensues.
Lower Merion schools used to be primarily known for being where Kobe Bryant played scholastic ball. Not anymore.
From: Google Enterprise Support <enterprise-support@google.com>
To: justin@wsg.net
Subject: Postini Services Incident Update
Date: Fri, 16 Oct 2009 01:17:21 -0400 (EDT)
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
Postini Incident Report
Service Disruption – October 13, 2009
Prepared for Postini Services Customers
Dear Postini Customer,
The following is the incident report for the issues with mail delivery and Administration Console access
that some Postini customers experienced on October 13, 2009. We understand that this service
disruption has affected our valued customers and their users, and we sincerely apologize for the impact.
Issue Summary
Beginning at approximately 10:25 PM PDT, Monday October 12 | 5:25 GMT, Tuesday October 13,
affected customers experienced severe mail delays and disruption. Also, during this time, affected
customers had intermittent access to the Administration Console, Message Center, and Search Console.
The root cause of the delivery problem was an unintended side effect of a filter update, compounded by
database issues that further slowed message processing.
Incoming messages may have been deferred; no messages were bounced from recipients or deleted. In
some cases, sending servers may have stopped resending messages after a deferral and returned
delivery failure notifications to senders. (Typically, servers are set up to retry sending for up to five days.)
During the incident, timely status information about the incident was not consistently available to
customers. We posted information on the Support Portal and from the @GoogleAtWork Twitter account;
however, customers often experienced problems accessing the portal due to load issues, and updates
were not included on the Postini Help forum. Also, the Postini status traffic lights intermittently showed a
“green light” instead of indicating the delivery delay. Customers calling in to report cases experienced
very long wait times.
Actions and Root Cause Analysis
At approximately 11:30 PM PDT, Monday October 12 | 6:30 GMT, Tuesday October 13, monitoring
systems detected severe mail flow issues and automatically directed mail flow to the secondary data
center. Upon receiving the error alerts, the Engineering team immediately began analyzing the issue and
initiated a series of actions to help alleviate the symptoms. Message processing continued to perform
poorly in the secondary data center.
Mail traffic was then directed across both the primary and secondary data centers to maximize processing
resources. During this time, Engineering temporarily disabled the Administration Console and other web
interfaces to reduce impact to the processing infrastructure. Engineering performed a set of extensive
diagnostics and tests and determined the cause to be the result of a combination of the following
conditions:
• A new filter update appears to have inadvertently impacted the mail processing systems.
• Unusual malformed types of messages triggered protracted scanning behavior, and its
interaction with filter update affected mail delivery.
• A power-related hardware failure with database storage servers reduced input/output rates. The
latency in database access reduced our overall processing capacity.
The combination of these conditions resulted in high failure rates for mail processing and the deferral of
new connections from sending mail servers.
To fix the database issue, Engineering worked with the hardware vendor to replace the faulty hardware
component. At 11:00 PM PDT, October 13 | 6:00 GMT, October 14, database disk input/output
throughput returned to normal.
At 12:30 AM PDT | 7:30 GMT Wednesday October 14, the filter update was revoked, and mail processing
returned to full capability. As a precautionary measure, Engineering continued to process a portion of
traffic through both the primary and secondary data centers. Mail processing was restored to the primary
data center at 1:39 AM PDT | 8:39 GMT. Although mail processing was at normal speed and capacity,
some users may have seen delayed messages continue to arrive in their inboxes. These potential delays
occur when the initial or subsequent delivery attempt is deferred and the sending server waits up to 24
hours before resending the same message.
Corrective and Preventative Actions
The Engineering and Support teams conducted an internal review and analysis, and determined the
following actions to help address the underlying causes of the issue and help prevent recurrence:
• Implement standard procedures for reverting filter updates as a mitigation measure and to help
speed time to resolution.
• Perform an in-depth analysis of the filter update to help ensure this class of error is not
propagated.
• Investigate the unusual malformed messages to quickly identify the message pattern and
thoroughly understand any impacts.
• Enable monitoring for notifications of the class of power failure that may affect the database
storage system.
• Determine whether the database storage servers can be configured to maintain the throughput
level during reduced power situations.
• To improve communications during incidents, we will:
◦ Post timely status updates to the Postini Help forum for better visibility.
◦ Accelerate the work to monitor and communicate the Postini services status on the
Apps Status Dashboard. The dashboard offers a single location for the latest service
status and options for RSS feeds. This will replace the traffic lights system and provide
more accurate and in-depth information.
◦ Moving forward, update the phone status message more quickly to inform customers
during an incident.
◦ Expand phone support capacity to handle spikes in call volume. This capacity is
expected to be available within the next several weeks.
◦ Update the maintenance pages with up-to-date information that are displayed when the
Administration Console is unavailable.
Over the next several weeks, we are committed to implementing these improvements to the Postini
message security service. We understand that system issues are inconvenient and frustrating for
customers. One of Google’s core values is to focus on the user, and we are committed to continually and
quickly improving our technology and operational processes to help prevent and respond to any service
disruptions.
We appreciate your patience and again apologize for the impact to your organization. Thank you for your
business and continued support.
Sincerely,
The Postini Services Team
Information Week: Anti-U.S. Hackers Infiltrate Army Servers
We got into the nation’s cyber war capabilities and challenges on the radio last Thursday. The story about Turkey-based (basted? lol) hackers M0sted infiltrating US Army web servers very much stuck out in my mind. Not because hacking into a web server is that unique, or even the military element of it.
Most interesting to me was the very common method used to carry out the attack, namely SQL injection. As described in a comment by InfoWeek user DigitalGrimm on the article linked in our post here:
These ‘hacks’ are easy enough for any person worth their weight to exploit and happen every day to hundreds of web sites. Most likely, judging by the described defacement, these were 90% automated attacks. Furthermore, if the web server is set up correctly (be it Linux, Windows, MAC, BSD, etc) the most the group would have access to is the web site’s database which should have nothing more than information for dynamic content. As I doubt any company would be foolish enough to actually have an externally accessible server to have access to internal only data.
Sorry, but there will be no ‘kudos’ to the ‘hackers’ on this one.
We have seen many sites fall victim to this method of attack, and that an Army-maintained site was vulnerable just emphasizes what another recent Information Week article details quite well: Cybersecurity Review Finds U.S. Networks ‘Not Secure’.
This blog is one of my favorite recent discoveries. Their tag line is “Each week we provide a handful of tips that will save you money, increase your productivity, or simply keep you sane” and it has a feel similar to LifeHacker. With posts like “Mono-Task and Work More Effectively” and “How to: Share iTunes Media With All Your Computers” how can you not like it?
Reuters via the New York Times: Facebook Sells 1.96% Stake for $200 Million
According to the story “the stake, sold to Digital Sky Technologies based in London and Moscow, values the social networking site at $10 billion” which should bother you, even if you love Facebook.
Sandy Family from the Sanford Financial Group -- who we know from our association with Talk 1300 -- invited me to speak at a seminar about how to protect oneself against identity theft. The turnout was great -- about 80 people came to the Holiday Inn on Wolf Road in Albany. My last post on ID theft was written as a reference for the event.
My luck was pretty good that night. In addition to being fortunate to be included on a panel with the Chief of Colonie Police, a high-profile attorney and a staffer from the State Attorney General’s Office -- I got on the local news too.
Beth Wurtman from local NBC affiliate WNYT asked me to tape some remarks in the hallway during the tail end of the event. I took some ribbing at the office too: the TV spot identified me as a “computer expert”, so our design staff felt compelled to make stickers (see pic). Everyone at the WSG offices was wearing one of these stickers when I came in the next day.
Here’s the video:
The Internets are a nasty, foul, disorganized place full of people and systems designed to steal what you have and who you are. Whenever you are about to do something on-line ask yourself if an idiot would do that thing. If the answer is yes, do not do that thing.
Every time you lower your defenses you become an easier and easier target. Never forget that your common sense is one of your best defenses. Do not suspend your skepticism and common sense when you open up a web browser or read your email. Instead, keep these things in mind:
1. Do not be an idiot.
You are a target, and don’t ever forget that fact.
Just because you can’t write or read HTML, or can’t describe a packet of data doesn’t mean you don’t know enough to protect yourself. Not to be cruel, but spammers, phishers and scam artists thrive on naive and unguarded users and their behaviors. A Google search for “Nigerian Prince” brings you this 2002 post on the InformIT blog about the notorious phishing scam where someone posing as a Nigerian Prince asks users to divulge their personal and banking information. Why do spammers keep sending these spam emails long after the Nigerian Prince’s pleas have become a punch-line? Simple: Because people keep falling for it. We call these people idiots.
Ask yourself -- do you know a Nigerian Prince? How about anyone at all from Nigeria? Do you have the phone numbers of any Princes in your mobile phone? No. You don’t. You also don’t know 97% of the people who send you email, and you likely know none of the senders of emails found in the junk or spam folder of your email inbox. If you don’t know the email sender’s name on sight, don’t open the email. If a random box pops up on your machine asking you to enter your credit card number or allow a download you did not request, don’t allow it.
2. Use strong passwords, not ‘password123’, and use fake answers for security questions
A password is intended to restrict access to a given resource, such as your personal or work computer or a password-protected web site: to keep out everyone who is not you. How secure are those systems if you select passwords which are easy to remember and easy to crack?
Create random passwords, which are highly secure and extremely difficult to crack or guess because they combine lower and upper case letters, numbers and punctuation symbols. So, like this:
Bad: password123
Good: c4APa96qu
Good passwords are more difficult to remember. That’s the point. One would also do well to change their password every few months or so, and avoid using the same password across the board. Your bank account login should be different from your email login, which should be different from your Amazon.com login.
Also, when establishing answers to security questions, be careful not to use real information. Don’t enter your mother’s real maiden name. Use names and answers to security questions which are not connected to your identity.
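The three pieces of advice above (random passwords mixing character classes, a different password per login, security answers unconnected to your identity) can be produced with Python's standard `secrets` module. This is an added example, not code from the original post; the function names, the default length of 16 and the account and question names are assumptions for illustration.

```python
import secrets
import string

# The four character classes named in the text.
CLASS_NAMES = ("lowercase", "uppercase", "digit", "punctuation")
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def generate_password(length=16):
    """Random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(c) for c in CLASSES]           # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                  # hide class positions
    return "".join(chars)

def missing_classes(password):
    """Names of the character classes a password does not use."""
    return [name for name, chars in zip(CLASS_NAMES, CLASSES)
            if not any(ch in chars for ch in password)]

def provision(accounts, questions, length=16):
    """Give every account its own password and random security answers."""
    used, vault = set(), {}
    for account in accounts:
        password = generate_password(length)
        while password in used:                            # never reuse across logins
            password = generate_password(length)
        used.add(password)
        vault[account] = {
            "password": password,
            # Random tokens instead of real facts such as a maiden name.
            "answers": {q: secrets.token_urlsafe(12) for q in questions},
        }
    return vault

if __name__ == "__main__":
    # Hypothetical account and question names.
    vault = provision(["bank", "email", "shopping"],
                      ["mother's maiden name", "first pet"])
    for account, entry in vault.items():
        print(account, entry["password"], entry["answers"])
```

Random answers cannot be recalled from memory, so the output belongs in a password manager or another private, locked record.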
3. Keep protection systems current and use them regularly
The protection systems around you include the security suite on your home network as well as everything around it -- including your telephone, mailbox and garbage cans. Here’s a quick rundown of the big things to be aware of in your home.
Bills and other personal documents: Shred what you do not need to save. Store what you need to save in a private, preferably locked location.
Computer anti-virus and anti-spyware: Keep your subscriptions up to date, and utilize them. Run scans on your machine; keep your software firewall running. We are often asked which security suite is the best, and we usually give the same boring answer. Using a free tool the right way is better than using an expensive tool the wrong way. If you are going to purchase a system, we recommend checking out these reviews first:
PC World: The Best Security Suites for 2009
CNet’s Internet Security and Firewall Reviews
Wi-Fi: Always, always, always have your wireless internet connection encrypted and not open to the public. This involves usage of an encryption key which is required Each wireless router has a factory default username and password, and will say so in the manual. Follow the instructions, or seek advice on how to change these credentials.
When discussing the topic of personal security online, I’m reminded of early childhood expert Dr. Benjamin Spock’s advice to new parents. In the preface of his long, detailed book on caring for young children, he implored parents to trust themselves. He tells them they know more than they think they do. The same advice holds true when protecting yourself online. If something doesn’t make sense to you, don’t risk your personal data to avoid feeling dumb. You may feel dumb erasing the email which appears to be from your old schoolmate, but not as dumb as if you handed over your wallet and keys to a crook. When you give in to on-line predators, that is exactly what you are doing. Stay safe; don’t be an idiot.
Protecting yourself online takes a mix of common sense and the right tools. Here are a few.
WSG uses Mozy Pro for off-site backup over the web.
Lifehacker helps you protect your data and again here
Another way to look at making your own passwords
eWeek – Los Alamos lab missing almost 100 computers
Net-Security.org’s Top 9 IT security threats for 2009
ReadWriteWeb.com’s look at emerging threats
MarketWatch.com tells us how to dodge the threat bullet