Sophos

Should hard drives be destroyed or wiped?

Hammer time

BBC News Online, one of the most popular websites in the UK, is running a story today advising people not to wipe old hard disks, but to take a hammer to them instead.

The story claims that secure data erasure isn’t as safe as it makes out, and the only real security when disposing of an old drive is to smash it to smithereens.

Sorry, but I just don’t buy this advice.

I started out my career in the computer security business some 17-odd years ago working for a firm called S&S International. Aside from producing Dr Solomon’s Anti-Virus Toolkit, which I was a fresh-faced Windows programmer for, they also had a nice line in data recovery.

Regularly I would see the teams working on hard disks that had been accidentally covered in tea (sugary tea is the worst - hot and sticky), accidentally dropped out of a window, or even lost over the side of a cross-channel ferry!

The wizards in the data recovery team couldn’t perform miracles - but it was sometimes close. And, yes, it is extraordinary what data can be resuscitated even when a drive has been lurking at the bottom of the garden pond for weeks or has seemingly been wiped of its data.

Taking a sledgehammer to a hard drive isn’t the answer. For one thing, how is the average consumer supposed to know that they have physically damaged the hard drive enough to prevent data from being recovered from it?

Furthermore, it’s harder work (and undoubtedly more dangerous to your physical welfare - imagine the pieces of glass and metal flying about) than running a proper secure erasure tool.

I’m not denying the importance of handling the disposal of computer equipment properly. In the past we’ve discussed, for instance, how sensitive information has been found on computer hardware auctioned on eBay that hadn’t been properly wiped.

What firms and individuals should do is run military-grade secure erasure tools if they’re dumping their hard drives or planning to sell computer equipment on eBay. Such software can overwrite not just the files on your hard drive, but every single area - including the slack space where old “deleted” files might lurk. And they can do it multiple times, with random characters, ensuring that there is no residual magnetic echo of the data that was once on the drive still discernible.

Of course, there are some data erasure tools that may be better than others - and not all may do the job sufficiently. But choosing a data wiping solution carefully is better than trying to crack a nut with a sledgehammer.
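The multi-pass random overwrite with a read-back check described above, as an added example that is not Sophos’s or any vendor’s tool: it overwrites every byte of a path (a file or, with the right permissions, a whole device node) with fresh random data, forces each pass to disk, and then verifies that what is read back matches the last pass written. The `demo()` helper and its sample "account" data are constructed for illustration.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # 64 KiB per write


def _size_of(path):
    """Length in bytes of a regular file or a block device (seek to end)."""
    with open(path, "rb") as fh:
        return fh.seek(0, os.SEEK_END)


def secure_wipe(path, passes=3):
    """Overwrite every byte of `path` `passes` times with random data, fsync each
    pass, then re-read the whole thing and confirm it matches the final pass.

    Returns (verified, size). Assumption noted here, not from the page: wiping a
    file through a filesystem does not reach sectors the drive has remapped or
    unallocated space; for a whole drive, point this at the device node instead.
    """
    size = _size_of(path)
    if size == 0:
        return True, 0
    last_digest = None
    for _ in range(passes):
        digest = hashlib.sha256()
        with open(path, "r+b", buffering=0) as fh:
            remaining = size
            while remaining:
                block = secrets.token_bytes(min(CHUNK, remaining))
                fh.write(block)
                digest.update(block)
                remaining -= len(block)
            os.fsync(fh.fileno())  # pass must reach the platter, not just the cache
        last_digest = digest.digest()
    # Verification pass: the "how do I know it worked?" step the page asks for.
    check = hashlib.sha256()
    with open(path, "rb", buffering=0) as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            check.update(block)
    return check.digest() == last_digest, size


def demo():
    """Constructed input: a throwaway file holding a recognisable 'secret'."""
    secret = b"ACCOUNT 12345678 SORT 01-02-03\n" * 4000  # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    verified, size = secure_wipe(path, passes=3)
    with open(path, "rb") as fh:
        survived = b"ACCOUNT" in fh.read()
    os.unlink(path)
    return verified, size == len(secret), survived


if __name__ == "__main__":
    print(demo())
```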

* Image source: Alexmuse’s Flickr photostream (Creative Commons 2.0)




TJ Maxx hacker jailed for 30 years in Turkey

TJ Maxx

Correction: In an earlier version of this blog entry I said the wardriving gang were charged in May 2005. In fact it was August 2008. Thanks to eagle-eyed blog reader Warwick for spotting my mistake.

Was it worth the risk? That’s the question a computer hacker from the Ukraine has plenty of time to ponder today, as a Turkish court slammed him with a 30 year prison sentence.

Maksym Yastremskiy, also known as “Maksik”, sold hundreds of thousands of credit card numbers and other personal information, and was one of the gang charged in August 2008 with stealing customer information from a number of companies in a major “war-driving” wi-fi attack.

Companies who had their data compromised included OfficeMax, Barnes & Noble, Boston Market, Sports Authority, Forever 21, DSW, BJ’s Wholesale Club and TJX, which operates retail stores T.J. Maxx (known as TK Maxx in the UK) and Marshall’s. Some of the companies were encrypting their credit card transmissions, but using the weaker WEP technology which made it easy for hackers to crack.

Stolen credit card details were then shared with other members of the hacking gang around the world, including in Eastern Europe.

Statement on TJX website
When the loss of credit card data came to light, TJX published information on its website for affected customers.

Authorities alleged that the 25-year-old Ukrainian was responsible for losses totalling tens of millions of dollars worldwide through his criminal activities, but he was ultimately convicted for hacking into a number of Turkish banks.

The authorities should be congratulated for bringing another hacker to justice, and it will be interesting to see what else emerges from this ongoing case involving other suspects in the TJ Maxx case around the world.

Yastremskiy was arrested by authorities in July 2007, as he attended a nightclub in the beach resort of Kemer, Turkey after a secret service operation. One presumes he won’t be spending any nights out for a while.

Thirty years is, of course, a very severe prison sentence for anyone to receive, and one that should give some people reason to reflect. In fact, I don’t think I can recall ever hearing of a cybercriminal receiving such a severe sentence.

Now, it’s quite possible that there are people reading this blog entry who are engaged in cybercrime. If that’s you - then here’s a message, put as simply as I can.

Stop now. The rewards for cybercrime can sometimes be large, but you are at risk of ruining the rest of your life - and causing years of misery for your family and friends.

You may think your chances of being caught are small, but there are more and more convictions happening all the time, and the authorities are getting better than ever at co-operating at an international level to catch people like you.

* Image of TJ Maxx store source: Ztil301’s Flickr photostream (Creative Commons 2.0)




British tax payers struck by phishing scam

Metro newspaper

British newspapers are warning their readers of a phishing scam that has been spread via spam email, telling recipients that they have been awarded a tax refund from the HMRC (Her Majesty’s Revenue and Customs).

The phishing emails have been seen arriving from faked addresses such as refundtax@hmrc.gov.co.uk or taxrefund@hmrc.gov.uk, and the fact that they are being seen so much now is no surprise. January 31st is the deadline for self-assessment forms to be filed with the HMRC, and some taxpayers will be hoping for a rebate.

Of course, for many people it’s a dream come true to think that they might actually be getting some money back from the tax man rather than having to give money to the Inland Revenue, so it’s not surprising if people might eagerly click on the link without thinking of the possible consequences.

The HMRC has warned the British public of the threat, and posted information on its website. They emphasise that while they might send tax payers emails from time to time, they would never do so requesting login, bank or credit card details.

Furthermore, the HMRC says it would always inform tax payers of rebates via post - and not by email.

HMRC phishing email

What’s that old saying? In this world nothing can be said to be certain, except death and taxes? Maybe they should add a third certainty: phishing.
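A small sender-domain check for the two faked addresses quoted above, added here as an example rather than anything from HMRC or Sophos: it treats hmrc.gov.uk and its subdomains as the claimed official domain and flags domains such as hmrc.gov.co.uk, where the brand label appears under a different registrable suffix, as look-alikes. It generalises slightly beyond the page by also catching hyphenated look-alikes (e.g. a constructed hmrc-refunds.example). The `OFFICIAL_DOMAIN` constant and the sample headers are assumptions for the example.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "hmrc.gov.uk"  # assumed official domain for this example


def sender_domain(from_header):
    """Lower-cased domain part of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header, official=OFFICIAL_DOMAIN):
    """Return 'official', 'lookalike' or 'other' for the domain a From: header claims.

    'official' only means the header *claims* the real domain. The page's own
    taxrefund@hmrc.gov.uk example shows the header can simply be forged, so this
    check belongs alongside sender authentication (SPF/DKIM), never instead of it.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "other"
    if domain == official or domain.endswith("." + official):
        return "official"
    brand = official.split(".")[0]  # 'hmrc'
    # Brand name present in any label, but not under the official suffix: look-alike.
    if any(brand in label for label in domain.split(".")):
        return "lookalike"
    return "other"


# Constructed sample headers in the shape of the ones the page describes.
SAMPLE_HEADERS = [
    "HM Revenue & Customs <refundtax@hmrc.gov.co.uk>",
    "HMRC Refunds <taxrefund@hmrc.gov.uk>",
    "noreply@hmrc-refunds.example",
    "colleague@example.org",
]


def triage(headers=SAMPLE_HEADERS):
    """Map each header to its classification; 'lookalike' is the cheap, sure catch."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:9s} {header}")
```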




How celebrity Twitter accounts were hacked, and how it can be stopped in future

Wired has published details of how a hacker managed to hack into Twitter’s internal systems earlier this week, opening the door for criminals to break into the Twitter accounts of the likes of Britney Spears, Fox News and Barack Obama.

The teenage hacker, who uses the online handle GMZ, claims he gained entry to the micro-blogging site’s administrative control panel by running a dictionary-based password guesser against a Twitter staffer’s account.

Unfortunately for Twitter and its hacked users, the staff member had chosen the dictionary word “happiness”.

Wired has published a YouTube video made by GMZ, demonstrating the hack in action. Unfortunately the quality of the video capture is very low, but it does appear to demonstrate that any account was accessible.

GMZ claims that he did not use other hacked accounts himself, but posted a message on a hacking forum offering access to any Twitter account by request.

What lessons can be learnt from this?

Firstly, you should never use an easy-to-guess password to secure your online accounts. Using a dictionary word like “Happiness” shows a complete lack of knowledge about how to use computers safely. Twitter could help avoid this problem by insisting that passwords are not known dictionary words, or forcing the use of numbers and other characters (such as underscores, exclamation marks and percent signs) in users’ chosen passwords.

Secondly, Twitter and other websites should be able to tell when hackers are trying to brute-force their way past a password. GMZ says he ran his automatic password guessing program overnight before it finally broke its way in. There’s no reason why Twitter couldn’t, say, notice that someone has entered the wrong password three times in a row, and then insist they wait 15 minutes before trying to log in again.
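The two controls suggested above, a dictionary-word check on chosen passwords and a three-strikes, 15-minute lockout on failed logins, as an added example that is not Twitter’s code: the wordlist is a constructed stand-in for a real dictionary, `check_credentials` is a caller-supplied callback, and the clock is injectable so the lockout can be exercised without waiting.

```python
import re
import time

# Constructed stand-in for a real wordlist; a deployment would load a proper dictionary.
DICTIONARY = {"happiness", "password", "twitter", "sunshine", "letmein"}

# The character classes the post suggests insisting on: a digit, and one of _ ! %.
REQUIRED_CLASSES = [re.compile(r"\d"), re.compile(r"[_!%]")]


def password_acceptable(password, dictionary=DICTIONARY):
    """Reject a bare dictionary word (case-insensitively, so 'Happiness' fails too)
    and anything missing a digit or one of the required punctuation characters."""
    if password.lower() in dictionary:
        return False
    return all(rx.search(password) for rx in REQUIRED_CLASSES)


class LoginThrottle:
    """Three wrong passwords in a row lock the account for 15 minutes.
    While locked, attempts are refused without being checked, so an overnight
    guesser gets at most three tries per quarter of an hour."""

    def __init__(self, max_failures=3, lockout_seconds=15 * 60, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # username -> consecutive failure count
        self._locked_until = {}  # username -> time at which the lockout expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: clear state
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, check_credentials):
        """Return 'locked', 'ok' or 'bad'. Only 'ok' resets the failure counter."""
        if self.is_locked(user):
            return "locked"
        if check_credentials(user, password):
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
        return "bad"
```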

If you use Twitter, don’t be a twit. Make sure that you are using a sensible hard-to-crack password today.




New year, old tricks

It may be a brand new year, but many cybercriminals will continue to use old tricks - just as long as they carry on working.

Take this attack for instance, which we saw in our spam traps this morning.

Malicious email

An email is spammed out, claiming to come from Microsoft and urging the recipient to download a critical update to patch their systems.

The download and installation links, however, point to an executable program hosted on a website in Italy. Installing the code on your computer is obviously not a good idea.

We will, no doubt, see plenty of new tricks and variations on old themes from cybercriminals during 2009. But that shouldn’t make us close our minds to “golden oldie” threats that have been deployed by hackers time and time again over the years.




Sick Macworld news feed hack claims Steve Jobs has died

Steve Jobs

For some time now there has been speculation on the internet about the health of Steve Jobs, CEO of Apple, following what appeared to be a substantial loss of weight.

Indeed, the whispers and rumours have sent shivers down the spines of some people who have invested in Apple stock.

Of course, things weren’t helped when Bloomberg accidentally published his obituary.

So, when it was announced that in an unusual move Jobs - who has suffered from pancreatic cancer in the past - would not be giving the keynote presentation at this week’s Macworld conference in San Francisco, tongues began to wag again.

In fact, the rumour mill began to stir up to such an extent that the notoriously private Jobs took the unusual step of issuing a statement about his health on the Apple website, saying that he was suffering from a hormone imbalance.

By acknowledging the issue, Apple was able to revert attention back to where it wanted: its announcements at the opening day of Macworld.

The technology media were there in force to report the keynote address given by Phil Schiller (Steve Jobs’s stand-in), and a number of Apple-watching websites published live feeds containing details of the announcements second-by-second.

Unfortunately one popular website, MacRumors, hadn’t done a good enough job in securing its live feed, and hackers were able to inject their own comments - including claims that Steve Jobs had died:

MacRumors live feed hacked

The problem got so bad that they froze and removed the feed, and published an apology on their website.

MacRumors apologises for hack

This is just the latest in a long line of very public hacks. It may not have caused any financial loss, and no data appears to have been stolen from MacRumors users, but it has left another website with egg on their face.

Hacked feed image source: Mobodojo.




Hackers use celebrity image SEO to spread scareware

Scareware, the fake anti-virus programs which try to frighten you into reaching deep into your wallet, has been one of the biggest security stories of the last twelve months.

By displaying bogus security warnings, its intention is to panic you into purchasing a product you don’t need, or installing a malicious program you don’t want.

Late last week, Paul Baccas (aka ‘pob’) of SophosLabs found out that scareware scammers were using search engine optimisation (SEO) techniques in combination with photographs of celebrities like Warren Beatty and Shania Twain in their attempts to steal money.

Below you’ll find a video made by Paul demonstrating the problem involving “Beaches” actress Barbara Hershey, and make sure to also read the additional information he has posted on the SophosLabs blog.

You can learn more about the rise of scareware and web threats in Sophos’s 2009 Security Threat Report.




Naked celebrities on LinkedIn lead to malware

A blog post by our friends at Trend Micro caught my eye this morning, and got some of the guys inside SophosLabs looking a little closer at some of the profiles listed on the business networking site, LinkedIn.

It’s surprising how many people signed up on LinkedIn have words like “nude” and “naked” in their job title. It’s possible that some of these are genuine (for instance, the person who claims to be the Chief Nude Parachutist at a New York-based company), but many of them are not.

For instance, I think it’s very unlikely that Paris Hilton works for a firm called “company B”, and that she would want to post links claiming to be of her infamous sex video.


Paris Hilton sex tape on LinkedIn

Another celebrity who has fallen foul of a private home movie becoming public is Kim Kardashian. It seems that the hackers who have peppered LinkedIn with fake profiles also believe that people will be searching for videos of her, and so they have created a page for her too.

Kim Kardashian naked on LinkedIn

Other names (of various levels of fame) with fake profiles on LinkedIn include Jaime Pressly, Christina Aguilera, Keri Russell, Zooey Deschanel, Lizzy Caplan, Brooke Hogan and Tila Tequila.

Some of the links contained in these profiles are currently down, but SophosLabs can confirm that as recently as January 1st 2009 the malicious Troj/Decdec-A Javascript code was being found on them, downloading further malware onto visiting computers.

It’s a shame that LinkedIn aren’t keeping a closer eye on obviously bogus profiles being created on their site. Undoubtedly spammers, malware authors and other cybercriminals may be abusing the system to link to their webpages in the hope that it will generate a higher ranking in search engines like Google.




Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked

Britney Spears

The guys at Twitter have posted more information on their website about the high profile accounts (belonging to the likes of Britney Spears, Barack Obama, Fox News, CNN’s Rick Sanchez and others) that were compromised on their website today.

Fascinatingly, Twitter claims that these accounts were not broken into as a result of the widespread phishing attack that has taken place on Twitter over the last couple of days, but instead were the result of Twitter’s own systems being compromised by hackers.

As a result, tools that normally only Twitter’s technical support team can use to help locked-out members reset their email address were accessed by hackers, enabling them to steal control of the high profile accounts from their rightful owners.

Britney Spears’s Twitter stream duly made claims about a sensitive part of her anatomy, Rick Sanchez’s Twitter entry declared that he was high on crack, and Fox News appeared to publish breaking news that Bill O’Reilly was gay.

This is actually much more serious than these people and organisations falling for a simple phishing attack. It appears that Twitter’s systems were potentially exposing everybody’s account to the danger of being taken over by hackers - it’s just that they chose some 33 high profile accounts to abuse with their defacements.

Here’s part of the statement from Twitter co-founder Biz Stone:

These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.

What is still unclear is whether the person who hacked the accounts was an external hacker, or someone inside the Twitter organisation.

Twitter seem convinced that it was an individual rather than a gang of criminals, so it may be that they have identified the person responsible. If so, they may choose to involve the authorities to see justice done for what was both a cruel and criminal act.

Whether the full details of what actually happened are ever revealed remains to be seen. But one thing is for certain: Twitter has had an appalling start to 2009 from the security point of view.

So what of Britney herself? Well, there’s been no word from the singing sensation - but someone who claims to be her Social Media Director did post a message on the Rolling Stone website apologising for any offence caused by the vulgar message:

Message on Rolling Stone website




Has Britney Spears had her Twitter account phished?

(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).

Could Britney Spears, the troubled pop princess, have become the victim of the phishing scams that have shaken Twitter users in the last few days?

I just visited her page on Twitter and saw the following update, which I find unlikely to have been approved by her management team who are taking care to control her public image as she rebuilds her career:


At approximately 17:30 UK time the message was removed - but clearly this is a sign that someone broke into her account. Whether this was a result of the current Twitter phishing attacks or not is hard to prove, but it seems a strange coincidence if not.

Other Twitter accounts which have had bizarre messages posted to them include ones belonging to Barack Obama’s election campaign, Fox News and CNN anchorman Rick Sanchez.

In a Twitter update which has since been deleted, Sanchez’s account - which is followed by some 40,000 people - displayed the message:

i am high on crack right now might not be coming into work today

The message is clear. Whether you are world famous, a business organisation, or a general member of the public, you have to be much more careful about securing your online presence.

Hackers may have hooted with joy at realising they had the power to post messages under the names of Britney Spears or Fox News, but normally their intentions are to hurt people in the pocket through scams and identity theft.

If you believe you may have clicked on a link to a possible phishing site, and think it is possible that you may have given your password to someone else or that your account may have been compromised, change your password now.

Twitter confirms multiple accounts hacked

At about 18.30 UK time, Twitter posted an update on one of its blogs in an attempt to reassure users, confirming that multiple accounts had been hacked and advising members that it may be prudent to reset their passwords.

Statement from Twitter

Hopefully Ms Spears and Mr Sanchez are amongst those doing that right now.

(Read the update to this story: Twitter: Britney, Barack, Rick and Fox News weren’t phished - they were hacked).


