Protect yourself from phishing

Uncategorized

Some ask, “What exactly is phishing? Isn’t that just sitting in a boat and drinking beer?” Sadly, no. In a perfect world, we wouldn’t need to know about phishing, nor protect ourselves against it. Phishing is an attempt to STEAL your password. Most phishing attempts are websites designed to look just like another site: a copy of your bank’s sign-in page, for instance, or of eBay or PayPal, which are common targets as well. They look just like the real thing, but instead of signing you into your account after you enter your password, they give you an error message like “Due to technical difficulties, we can not sign you in.” or simply a white page. In the background, however, your password has been stored for someone to access and use against you for their own personal gain. Here’s a typical phishing attempt:

I receive an email from eBay saying I won a bid for an item, let’s say an Xbox 360, for 20 bucks. Great deal, right? I click the link in the email and am presented with a page in my browser asking for my username and password. I try to sign in, and it says that I have a bad password. Try again? Sure, I could have mistyped it. Nope… still not letting me in. Well, dang. Did I use a different password? I try all my normal passwords. Nothing. I click the reset password link, and it says “Sorry! Due to technical difficulties we can not reset your password. Try again later.” Fine. I push it to the back of my mind, to be dealt with later.

Let’s think about this and derive how to protect ourselves from this attack.

1. I received an email for an auction I did not take part in. RED FLAG. This is my first clue.
2. It’s a great item that I could easily get, but for much less than normal. RED FLAG #2. Xbox 360 for 20 bucks? Way too good to be true.
3. I clicked the link in the email, which took me to a page that looks like eBay.
4. I entered my username and password, and it came back invalid multiple times.
5. I tried my other passwords that I may have used, thinking I was remembering the wrong one. The rest is pretty obvious.

Now, how to protect yourself from it. First, take everything in email with a grain of salt. Don’t assume it’s true. Second, if it seems too good to be true, IT IS. Third, never click a link that was emailed to you. If the email is genuine, just go to the site it claims to be from by typing its address into your browser. Go directly to ebay.com and sign in there. If it’s important enough, the site will tell you on first login. If you feel there still might be a chance of a problem, most websites protect themselves with security certificates signed by Certificate Authorities that browsers recognize. For instance, look at the following screenshots from Google Chrome:

Address bar: notice the green lock with the verified company’s name in it.
[Screenshot: Chrome address bar with the certificate lock]

Clicking that lock provides something to this effect. It tells us the details and some technical information. Note that this certificate is signed by VeriSign, a reputable Certificate Authority.

[Screenshot: certificate details in Chrome]

Clicking Certificate information on the bottom left of the above screen gives the screen below. Note that it restates that the certificate was issued to signin.ebay.com and by VeriSign.

This shows that the page is unmodified and is the one intended by the eBay company, provided the name the certificate was issued to (signin.ebay.com) is the address you meant to visit; a look-alike site can carry a perfectly valid certificate for its own, different name, so the name matters as much as the lock. The only way for this to still result in identity theft is if an attacker got into eBay, which is outside of your control and highly unlikely (so I’d hope). That’s for another article.
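The two checks the article walks through, as an added example that is not part of the original post: first, where a link in an email actually leads (is the host really ebay.com or a subdomain of it, or just something that contains the words?), and second, whether the certificate a server presents was issued to the name you typed and by whom. The sample links and the certificate dictionary are constructed for illustration in the shape Python’s `ssl.getpeercert()` returns; they are not captured from eBay. Only `fetch_certificate` touches the network, and it is not needed for the rest to run.

```python
"""Defensive link and certificate checks for the phishing article (added example)."""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the host a link actually connects to, lower-cased, without port or userinfo."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    'signin.ebay.com' belongs to 'ebay.com'; 'signin.ebay.com.example' does not,
    and a raw IP address never belongs to a brand's domain."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return host == expected or host.endswith("." + expected)


def judge_link(url: str, expected_domain: str) -> str:
    """One-line verdict for a link found in an email."""
    host = link_host(url)
    if not host:
        return "no host: not a web link"
    if urlsplit(url).scheme != "https":
        return f"{host}: not https"
    if not belongs_to(host, expected_domain):
        return f"{host}: does not belong to {expected_domain}"
    return f"{host}: belongs to {expected_domain}"


def cert_names(cert: dict) -> list:
    """All DNS names a certificate (ssl.getpeercert() form) was issued to."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host; '*.example.com' covers exactly one label."""
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base) and host.count(".") == base.count(".") + 1
    return pattern == host


def cert_issuer_org(cert: dict) -> str:
    """The organization that signed the certificate (VeriSign in the article's screenshots)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "<unknown issuer>"


def judge_certificate(cert: dict, typed_host: str) -> str:
    """Does the certificate name the host you typed, and who vouches for it?"""
    typed_host = typed_host.lower()
    if not any(name_matches(n, typed_host) for n in cert_names(cert)):
        return f"certificate not issued to {typed_host}"
    return f"issued to {typed_host} by {cert_issuer_org(cert)}"


def fetch_certificate(host: str, port: int = 443) -> dict:
    """Live version of the screenshot check (needs network). The default context
    already verifies the chain against the OS trust store and the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample modelled on the article's screenshots, not a real eBay certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "signin.ebay.com"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "signin.ebay.com"),),
}

# Constructed sample links: one genuine, three of the kind the article warns about.
SAMPLE_LINKS = [
    "https://signin.ebay.com/",
    "https://signin.ebay.com.account-check.example/",
    "http://203.0.113.10/ebay/signin",
    "https://signin.ebay.com@account-check.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(judge_link(link, "ebay.com"))
    print(judge_certificate(SAMPLE_CERT, "signin.ebay.com"))
    print(judge_certificate(SAMPLE_CERT, "www.ebay.com"))
```

The last sample link shows why reading the address by eye is unreliable: everything before the `@` is user information, and the browser connects to the host after it, which is exactly what `urlsplit(...).hostname` reports. The certificate check mirrors what Chrome shows in the screenshots, but makes the point explicit that a valid certificate for the wrong name is still the wrong site.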

Lastly, NEVER send your username and password to people through email. I can be your bank’s CEO if I word it just right in an email.

I hope that this helps someone in understanding how phishing works and how to avoid it. Please comment with any other tips or feedback.

Take a lesson from me – Server Admin Lessons

Uncategorized

There are many things that you should know about me. None of these are things like “I like long walks on the beach”; as a matter of fact, I hate walks pretty much anytime. I, however, do trust technology a bit too much. Maybe more than a bit!

As a friend of mine said, paraphrasing, “For a techie, you have more computer problems than anyone I know.” Why does he say this? Let’s recount my record of recent events. I had my server fill the hard drive it’s using… twice. I had issues with my server to the point where it was easier for me to reformat my hard drive and start over. I use a virtual server on my main computer (yes… cringe at it, I know). Its current iteration is a VirtualBox server running Ubuntu 9.10 Server with ISPConfig 3. During that reformat of my hard drive, I also reformatted my host computer back to the default Windows 7, which caused something to happen with the virtual hard drive, causing it not to boot anymore. Now I had to find a way to get at data stored on an Ext4 partition on a virtual hard drive that wouldn’t mount with the then-current version of VMware Server / Disk Mount Utilities! Not to mention, I forgot I had set up LVM on it, which caused about 4 days to be lost. Finally getting at that, I was able to recover one of the critical parts of the HDD, the latest backup for a site I host, Kristas Kakery. Now that all that is done, I realize that this iteration of my server has been down for one of the previously mentioned reasons (full HDD) for a matter of days, and no one bothered to tell me! Not to mention that I have done live upgrades to items that have messed up the server, because I’m simply too lazy to spend the resources to copy over the virtual HDD, run it in a virtual server as well, and test changes first.

With all that covered, here’s a list of things not to do. Learn from me.

1. Don’t run virtual server software on your main computer.

2. Set up some monitoring service to alert you when your site/server goes down. The linked one is free for one website.

3. ALWAYS have a development machine to test upgrades before making said upgrades/changes live.
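Lesson 2, and the full-disk outage that prompted it, as an added example that is not the author’s own setup: a small probe that reports when the site stops answering and when the disk is nearly full, so you hear about it before a visitor does. The site URL and the alert destination are placeholders; the check functions take the HTTP status and disk numbers as plain values so they can be exercised without a network or a full disk.

```python
"""Minimal site-and-disk monitor (added example; not the post's hosting setup)."""
import shutil
import urllib.error
import urllib.request

SITE_URL = "https://www.example.com/"   # placeholder: the site you host
DISK_PATH = "/"                          # placeholder: the volume that filled up


def http_status(url: str, timeout: float = 10.0) -> int:
    """HTTP status for url; 0 means nothing usable answered at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code            # the server answered, but with an error status
    except (urllib.error.URLError, OSError):
        return 0                   # DNS failure, refused connection, timeout


def site_alerts(url: str, status: int) -> list:
    """Alert when the site is unreachable or answering with a server error."""
    if status == 0:
        return [f"DOWN: no response from {url}"]
    if status >= 500:
        return [f"ERROR: {url} returned HTTP {status}"]
    return []


def disk_alerts(path: str, used: int, total: int, warn_at: float = 0.90) -> list:
    """Alert once usage crosses warn_at; a silently full disk is what took the server down."""
    if total <= 0:
        return [f"DISK: cannot read usage for {path}"]
    frac = used / total
    if frac >= warn_at:
        return [f"DISK: {path} is {frac:.0%} full (threshold {warn_at:.0%})"]
    return []


def run_checks(url: str = SITE_URL, path: str = DISK_PATH,
               status_fn=http_status, usage_fn=shutil.disk_usage) -> list:
    """Run both checks; the *_fn parameters let a test inject fake results."""
    alerts = site_alerts(url, status_fn(url))
    usage = usage_fn(path)
    alerts += disk_alerts(path, usage.used, usage.total)
    return alerts


def notify(alerts: list) -> None:
    """Placeholder delivery: print. Replace with mail or a pager hook."""
    for line in alerts:
        print(line)


if __name__ == "__main__":
    notify(run_checks())
```

Run it from cron every few minutes (`*/5 * * * * /usr/bin/python3 /path/to/monitor.py`) and wire `notify` to something that reaches you; a check that only prints is no better than the silence the post complains about. Treating a 5xx as an alert but a 4xx as fine is deliberate: a 404 on the front page is a content problem, not an outage.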

I’m sure I’m missing a few, but it’s currently 1:15 in the morning, and I’m tired. I’m sure this isn’t the only part in the series of lessons I hope to relay to you, so you don’t make the same mistakes I do.