According to F-Secure, a program that can be installed on mobile phones, is a Trojan horse type of spyware (a malicious program that disguises itself as something innocuous).  The program is called ”FlexiSpy”.

The FlexiSpy application captures call logs, text messages and mobile internet activity, among other things. The software, released at the beginning of March, sells for $49.95 and is advertised by Thailand-based Vervata as a tool to monitor kids and unfaithful spouses. The data captured is sent to Vervata’s servers and is accessible to customers via a special website.

Source:

http://networks.silicon.com/mobile/0,39024665,39157681,00.htm

Well, Vervata thinks this is a feature, not a Trojan, even though the software is totally hidden from the user after install, and it captures call logs and text messages.

F-Secure has updated its security software for mobile phones to detect the program.

More info on F-Secure Mobile Anti-Virus is available here:

http://www.f-secure.com/wireless/

Highly recommended for web enabled cell phones.

Yes, Internet-Insecurity.com is celebrating our first anniversary.  We were founded on March 19, 2005.

We advise all users of RealNetworks Products to update their software immediately.  This applies to Windows, Mac and Linux versions of Real Player, RealOne Player, Rhapsody, etc. 

Check your version for updates by opening your RealNetworks program and going to: Tools > Check for Updates, and install any security updates available.

More information about the security vulnerabilities can be found here:

http://secunia.com/advisories/19358/

We would like to refer you to an exceptionally clear desscription and definition of a rootkit, curtesy of A Squared.  Now admitably, A-Squared sells software to find rootkits and other malware.  But that said, it is well worth reading.  And their software is very ca

A dangerous new rootkit based Trojan has been discovered in the wild.  It has been named Rootkit.hearse.  IT reports computer user information to a web server in Russia, including passwords and login user names and passwords to secure sites such as online banking.  And being a rootkit based Trojan it is hidden from the user.  Well almost, anyway.  For more information, please refer to the following site, (a blog for Sana Security):

http://www.nthworld.org/archives/2006/03/on_march_20th_w_1.htm

Most antivirus programs can now stop this threat, but only if they have been updated in the last day or two.

We urge caution ref. another phishing email cruising about the web that purports to be from the IRS.  Don’t fall for it.  It wants your credit card numbers.  But the IRS web servers probably are not in Poland, which is where you are redirected to, if you click on the links on the email.

This email has the following Subject Line:
IRS Notification—Please Read This

More info here: 

http://www.pcmag.com/article2/0,1895,1940116,00.asp

Wireless equipped laptops may be extremely vulnerable to wireless networks because, by default they may be configured to automatically connect to common network SSID’s, and assume it is your home network.  This may make your computer *very* vulnerable to snooping and attack and may give away your email passwords and other passwords.

How can you protect yourself? First, turn off your laptop’s wireless when not attempting to connect to a known network. Also, make sure your laptop doesn’t turn on its wireless when it can’t find an Ethernet connection. Most important, disable ad hoc networking, by clicking the Advanced button of the Wireless Network Connection Settings control panel to change it from Any available network (access point preferred) to Access point (infrastructure) networks only.

Source:   The Wireless Snare  By Robert Lemos

Phishing exploits by email scammers are getting more sophisticated all the time.  And all to often, they work.  It is all too easy to fall prey to one of these fake emails.  They appear very authentic and employ clever social engineering.  Their purpose, to put it bluntly, is to rip you off.

If you ever get an email that appears to be from your bank or from eBay or PayPal warning you about some dire problem with your account, don’t fall for it!  Do not, under any circumstances, click on any link in that email.

If you are concerned about your account, type the correct address in your browser, and check your account.  Do not click on any link in the email.

For more information, we want to refer you to a good article about phishing email scams, recently published by a respected Microsoft MVP (Most Valuable Professional), Marc Liron.  The article can be found at the following link:

http://www.updatexp.com/pay-pal-scam.html

“Practice Safe Computing”

In fact potentially, email is very public.  Especially web based email like Gmail and Hotmail.  But pretty much no matter what email client you use, email is easy to intercept and compromise.  Email is not private unless you encrypt your email in some manner.  There are a number of options available.  But beware of their limitations.

• Some can only encrypt attachments. 
• Some programs can only encrypt the contents of an email, but not the attachment or subject.
• Most will not encrypt the subject and header. 
• Most require extra steps on the part of the sender and the recipient.
• Most require that you send a password to your recipient, and obviously you can’t do that through email.

Even users of Outlook or other computer based email clients should realize that email is sent through the Internet in “plain text” and can be intercepted and read both legally and illegally.

“The gap between law and technology is widening every day, and privacy is eroding,” said Jim Dempsey, the CDT policy director who authored the report.

“What makes this even more troubling is that most users of these new technologies don’t realize they are putting their privacy in jeopardy.”

Modern consumers live in an age when web based e-mails pileup on services like Microsoft’s Hotmail and Google’s Gmail, and all kinds of files from personal photos to bank, medical and travel records are stored online.

Few computer users realize however, that web based e-mail is subject to much weaker protections than messages stored on home computers.

While the government needs a warrant, issued by a judge, to search someone’s home computer, it can access a person’s web mail account with only a subpoena, issued without judicial review.

Source: ‘Big Brother’ watching e-mail, computer data: US report

We recommend that all users employ a secure email service, or software, or client that encrypts their communications.   In particular, we highly recommend an email security system called Ciphire.  Ciphire does it all.   It completely wraps the email in a secure, encrypted package including the header, the subject, the body and any attachments.   And it does it seamlessly and competently in the background.  It works with most any email client.  The one requirement is that the recipient must also have Ciphire installed.  And please note that it does not work with web based email such as Hotmail or Gmail.

We have been testing Ciphire for some time now and it has evolved into a very capable and usable way to secure email transactions.  Once installed, it can be set to automatically encrypt email communications between any users of Ciphire, and do it in a very user friendly manner . 

It is also relatively unique among the various email security systems available in that it can encrypt the entire email, including the header, the subject, the body of the email, and an attachment, entirely automatically when it determines that the email is being sent to another Ciphire user.

Here is more about it in their own words:

Ciphire Mail is the world’s most powerful email security tool and requires no learning. It works smoothly with your regular email client. Just download, install, and forget.

Ciphire Mail has been optimized for the average, non-technical individual who has no real knowledge of security or cryptography, but who needs their benefits nonetheless.

Ciphire is free of charge for personal use and is available at https://www.ciphire.com/. 

Highly recommended.

Editor, Internet-Insecurity.com

Mini-review:

Now that you have strong secure passwords for your banking, email and other critical accounts (you do don’t you?), how do you remember them when you travel around?  How do you reduce the treat from key loggers? 

What is needed is a secure way to take them with you.  Enter Pass2Go by Siber Systems.  They are the same folks that make RoboForm, an excellent and well known password program.

Pass2Go is RoboForm for USB flash drives. 

• It stores your passwords in a secure encrypted manner. 
• It activated automatically when you plug your flash drive into any computers USB port.  (No installation required.)   
• It is protected by your master password. 
• Pull out the flash drive, and it leaves no traces of itself on the computer.
• It is Free for up to 10 passwords.

We highly recommend Pass2Go.   It can be found at the following link:  Pass2Go