how not to get a virus

I came across the following virus site when following up on an internet search. http://193.169.235.225/index.php?q=B5AF6D87821K0M332YPU6SPKL92L67Q302… (I have not listed the whole link to protect the reader!)

A quick lookup shows that the IP address 193.169.235.225 is owned by “Jamaica research center” from Titan-net LTD. The IP address is being managed on the Internet by ECOMD-COLOQUEST out of the Ukraine. (Yet, the IP address appears to be physically located in Chicago.)

If you are sent to the website, you are greeted with a pop-up window telling you that your system might be infected. The alert says ”

Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs.” (this is the exact quote from the message.)
Then, the browser window looks like a scan is being performed. Check out this image…

Virus Main Screen

 While the pop up messages sound pretty dire, I didn’t see any virus yet. And, whatever you do, don’t accept a virus scan from any of these pop-ups. Instead, just close the windows by pressing the red “X” in the upper right corner of the browser windows.

When you try to close the browser, you will be greeted by one more message.

Exit warning

Continue reading “how not to get a virus”

private peek into public lives…

The NY Times published an article on September 1st detailing how tabloid reporters in the UK gained access to celebrity voicemails. Using this access, the reporter were able to peek into the very private lives of public figures. (The articles can be found here).

Basically, the tabloid reporters built a list of celebrities’ cell phone numbers by working with private investigators. The reporters then went further and directly or indirectly gained access to the cell phone voicemail.

There were two different, very low-tech techniques that were used to get to the voicemails. The first one involved guess the 4-digit PIN associated with the voicemail. Often, this one succeeded when the default voicemail pin was used, since many people don’t seem to change their voicemail PIN.

The second method was a little more scary. The reporter would call the phone company and convince them to either reset the PIN or tell them the PIN for the voicemail. Either way, once they had the PIN, they could listen to voicemail messages on the cell phones.

Once the reporters started listening to the voicemails of the royal family, the police got involved. During their investigation, the police discovered a list of 91 cell phone numbers and associated voicemail PINs during a search of Glenn Mulcaire’s residence. (This search happened in 2006). Mulcaire was a private investigator working with Clive Goodman, a reporter at the “News of the World”.

Now the police were in tough position. They had a list of compromised voicemails. Should they notify all of the people on the list that their voicemails were potentially compromised? It appears from this article, the answer in the UK is no. The government was under no obligation to notify the individuals that their voicemails were compromised.

Would the laws in the US be different? After all, many states in the US have passed laws where private companies are obligated to notify affected parties when their security has been breached. By extension, would the police in the US be bound to notify people if their cellphone numbers and PINs were found on a list seized in the residence of a hacker? It appears from my discussions with those in the field that the answer is “no” here too.

This article points out a couple of very important issues:

  First, voicemail security is weak while the contents of voicemail are interesting. It seems likely that the contents of voicemails might be interesting in a civil court proceeding or business negotiation. At a minimum, make sure that you have a PIN that is the not the default PIN. It probably makes sense to change it periodically as well.

Second, if the police have discovered that your voicemail was hacked as part of a broader investigation, keep in mind that it appears in the US that they are not under any obligation to notify you. Basically, it comes down to the fact that you alone are ultimately responsible for the security of your voicemail.