PMC Consulting
For your Computer Security Needs

Email Security

Electronic Mail has become increasingly problematic! Many of the recent scams have taken a new twist - their goal is to perform a Compromise of Resources Attack in order to gain control of your system and turn it into a SPAM mailer. Other attacks attempt to steal passwords and account information. Some recent emails purport to be "News Updates" - their titles suggest the latest news items - but the payload is a worm. Other attacks attempt to get you to provide critical personal and financial information - the "Phishing" expedition. Other email promotes outright frauds and scams. Read on for some tips, commentary and general advice.

Computer Security Tips

If you have arrived on this page from a link or a search engine, then you may not have seen our General Computer Security Page.

For a general look at good computer security and data maintenance practices, review our Security Brochure in PDF format. If you need the Adobe Acrobat Reader, download it at Adobe's Downloads Page.

Email Security Tips

  • 419 Scam - World's Funniest Take: The lady at Busted up Cowgirl has the Nigerian Scam worked out pretty well. I do not recommend that you try her methods - unless you have a strong stomach, know how to hide behind a PO box and all that stuff. But it sure is an interesting thought.
  • Lottery Scam: It's silly season for the lottery scammers. We have been inundated with Lottery Scam emails - everything from the "European Union Lottery" to the "Even Bill Gates Donated Lottery". The reason they ask you to "keep it confidential" is so that you won't talk while they scam you with confirmation fees, entry fees, processing fees, legal fees and the like. Just say no!
  • Phishing Scams: Royal Bank, BOM or US Bank or Paypal want you to verify your account because some dastardly person has been Phishing through your account? Yeah Right!!! Aside from the fact that you probably don't have an account at the named institution, you should consider that the banks don't send these emails - ever. If you respond you can kiss your money goodbye. Some of them actually take you to the official site - to allay your fears - then pop up a convenient form for you to verify your account. Just say no to "Phishing Schemes"! You fell for one of these? Get on the phone to your bank or your credit card company - NOW! No, I am not giving you the phone numbers. The only thing you should trust right now is your friendly phone book, or the information operator if you don't have the proper phone numbers in your home filing system. Now visit a couple of sites for more information. There is the Anti-Phishing organization. You can also visit the friendly Royal Canadian Mounted Police at the RCMP web site - to lodge a complaint.
  • Anti Phishing tool: Corestreet publishes a tool called Spoofstick usable with the MS IE and Firefox browsers. It is quite simple - all it does is intercept the URL and publish a tool bar showing the site that your browser is really displaying. It is simple to use and install. It helps you guard against sites that overwrite the code which displays the current URL window. I believe that tip came through E-Week Magazine.
  • 419 Scam: You have an email in your inbox that promises untold riches - if only you will help smuggle money from Nigeria, lower Slobovia or some other unlikely place. Oh! You already fell for it? Well, this news won't help - will it? Yes - it is a SCAM. The Nigerian SCAM has been well documented. Canadian Readers go here, and US readers - just go here - and you can read all about it. Make sure you follow the directions to file the information with the SCAM busting unit. If all the letters, emails and faxes I have personally received had any basis in reality - then Nigeria would have hundreds of billions of dollars in loose cash hanging about and even the poorest street child should be able to have a chauffeur driven Rolls Royce. Come to think of it there would be no street children - would there? If we include your emails and faxes make that several hundred trillion dollars ($US no less).
  • Virus Scanner: Anti-virus suites can assist you in preventing Trojans and spyware from being installed on your systems. Even the good suites do not detect all Trojans, worms, viruses and malware applications equally well. We use three different suites on our network - each has detected malware not seen by the others. If you have an anti-virus suite, keep it up to date by enabling auto-update or by going to its downloads and updates page on-line regularly! See our Security page for further information.
  • Transmission Security: Email is not secure on a server or in a packet stream (on the wire). Email usually passes through many routers and servers on its way to its destination. Communications routers and email servers are not always physically secure - it would be easy to "tap" these points. Recall the recent router thefts in New York City (Summer 2004) - from a major distribution point no less? It was likely due to poor to non-existent security and non-functional locks. Also note that most log in names and passwords are sent as "clear text" - unencrypted. So if you gain access to a major routing site then you have hit paydirt.
  • Encryption and Security Keys: If you are a sophisticated user, investigate the use of encryption for your sensitive data and emails. Thawte is one company that offers some of these services. You can go directly to their email page by following this link. Encryption by modern systems with "large" keys will allow you to prevent all but the most resourceful of intruders from reading your email - but only in the transmission and storage phases. If you have spyware running on your system your email will be read before you encode and after you decode.
  • Authentication and Security Keys: Most Authentication systems will allow you to verify that an item was sent from (or received by) the computer of an individual. It will not verify that a specific individual sent it. Also consider generating a public/private key pair and using a digital signature to sign your email. Thawte is one company that offers some of these services.
  • BIO Identification Systems: Bio-identification systems ensure only that an individual's thumb, eyeball or other body part was presented to a security device - not that it was attached to the individual. Maybe these systems should be redesigned to look for blood flow and heart beats. They do not detect coercion either... yet! Voice identification might be better - and better suited to stress analysis. The Nexus Group offers a range of solutions for corporations. They produce Facial Recognition Systems, incident tracking systems and other security related products.
  • Passwords: The object of much of the network hacking is to obtain your passwords, bank card numbers, credit card numbers, SIN numbers etc. The easiest way to do this is to "crack" your passwords and access your accounts. A word to the wise: "secret", "kitty", "doggy", "topdog" etc. are not passwords - they are minor annoyances to a good password thief. Most thieves are aware that they can download a dictionary (in the language of their choice - or yours) and try all the known words as well. A secure password is something like "m1a3r5y7" or "johnny!6321" or better yet "g3tur08pkkl". If the program you are protecting allows use of special characters and the number isn't your birth year - or something easily guessable - then set your passwords accordingly.
  • Safe Browsing and Emailing: Are you using Microsoft Internet Explorer or Microsoft Outlook? Consider changing your email and browsing software. Your computer is at extreme risk for virus infection! Check below for links to Mozilla and Mozilla Thunderbird.
  • Anti Spyware Software: This is not virus checking software, but rather is a utility that can check to see whether you have picked up "tracking" baggage during your web browsing. Some of the packages can block access to known malicious sites. All of them typically remove tracking cookies installed by "banner advertising" and web pages that track and sell your browsing habits. Almost all can remove the code and Registry entries that have "stuck you" on a new home page that you don't want. We like SpyBot - and it also gets rid of Demon Dialers, keystroke loggers, and other "crudware".
  • Microsoft Anti-Spyware: Microsoft has purchased an antispyware product and is offering a free trial in advance of the software release. It can be found by visiting the Microsoft site.
  • Anti Spam Research: IBM is doing some interesting anti-SPAM research. If you want to read about their spoof detection, plagiarism and pattern matching algorithms for detecting spam, visit their Anti-SPAM Research page.
  • Email Scripting: It is our opinion that EMAIL SCRIPTING is a dumb idea whose time never came. Allowing an email package to execute script code is the reason that we have so many malicious viruses. MS Outlook permits attachments to run scripts. Script kiddies and other malicious types just love this capability. Choose something else - it would be difficult to find a more dangerous package - so make another choice. Eudora, Netscape, Mozilla and Thunderbird can't be worse than MS Outlook. Just say no to MS Outlook - in all its variations.
  • JavaScript and Java: Turn off JavaScript and Java for Newsgroups and mail packages. Save the scripts for web pages. In Netscape and Mozilla - from the Mail package choose "edit -> Preferences -> Advanced". You can turn off Java and Scripting for email, and turn off pop-ups and other malicious behaviour.
  • Throw away (most) email with attachments: If you can't recognize the person it came from, then throw it away - unread - or quarantine it if you have a sophisticated mail reader. If you don't know why you are getting an attachment from anyone - be leery of the email. If you don't know the sender and can't get verification of the contents - then you don't need the hassle of inadvertently spreading a virus. Just don't blame us because you tossed a Million dollar Purchase Order...! All we are suggesting is that you verify the email before you open an attachment. If you have the resources, set up 'secret' email addresses to deal only with your trusted clients who regularly send you attachments. Do not publish them, and do not give the addresses to any other parties - that's all it takes to keep them secret.
  • Backup: Did we mention backup? We did? Just checking!
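
The "Anti Phishing tool" tip above says the toolbar shows the site your browser is really displaying. The following is an added example, not Spoofstick's code and not from this page: it pulls the real host out of a link and flags a few common disguises. The function name, the warning wording, the choice of disguises and the sample links are all assumptions made for illustration.

```javascript
// Added example, not SpoofStick's code: names below are hypothetical.
// Reports the host a link really resolves to and why it may be disguised.

// Constructed sample links; *.example and 203.0.113.0/24 are reserved for docs.
const SAMPLE_LINKS = [
  "https://www.bank.example/login",
  "http://www.bank.example@203.0.113.7/verify",     // name placed before '@'
  "http://www.bank.example.account-check.example/", // name used as a subdomain
  "http://xn--bcher-kva.example/",                  // encoded international name
];

function realHost(link, expectedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { host: null, warnings: ["unparseable URL"] };
  }
  const host = url.hostname; // what the browser will actually contact
  const warnings = [];
  if (url.username || url.password) {
    warnings.push("text before '@' is a login name, not the site");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    warnings.push("raw IP address");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("punycode label");
  }
  // The real host must be the expected domain or a subdomain of it.
  const ok = host === expectedDomain || host.endsWith("." + expectedDomain);
  if (!ok) warnings.push("host is not under " + expectedDomain);
  return { host, warnings };
}

for (const link of SAMPLE_LINKS) {
  const { host, warnings } = realHost(link, "bank.example");
  console.log(host, warnings.length ? "WARN: " + warnings.join("; ") : "ok");
}
```
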
   
 

Security News: The latest information on threats, virus attacks, new products, and tips.

Internet Storm Center: Internet Storm Centre Status

 

Secure Browsing and Email:

Concerned about weaknesses in MS Internet Explorer and Outlook? Try Mozilla's browsers and email program - they're secure, easily customized to fit your preferences, and they're reliable!

 

Security and Webmaster Communities worth spending some time monitoring:

  • Hacker Watch.Org - Find out where the latest hacker attacks are occurring here.
  • Spamcop - Send your spam-mail to these people, who will have the spammers checked out, and another step closer to being OFF-line!
  • Anti-Phishing.Org - Read about the latest, and the oldest, phishing/email scams here!
  • Security Radar - Visit here for information on the latest threats, and links to other security info sites!
 

January 26, 2005

Material Copyright © 2004 PMC

Updated February 26, 2005