HP sued over security flaw in printers | Security – CNET News

My comments

An increasing trend that I have covered on this site and have noticed with equipment that I have reviewed is for the equipment to be updated with new firmware after it is sold to the customer.

Field-updating practices

Previously, this practice involved the device’s user using a regular computer as part of the update process. In a lot of cases, the user would download the update package to their computer and run a special program to deploy the update to the connected device. If the device, like a router, was connected via the network, the user uploaded the update package to the network-connected device via its management Web page or other network-file-transfer methods.

Now it is becoming more common for one to update the software in their device without the need to use a regular computer. This would be done using the setup options on the device’s control surface to check for and, if available, load newer firmware. 

It also includes the device automatically polling a server for new firmware updates and inviting the user to perform an update procedure or simply updating itself during off-hours for example; in a similar vein to the software-update mechanisms in Windows and MacOS.

As well, an increasing number of devices are becoming able to acquire new functionality through the use of “app stores” or the installation of add-on peripherals.

The HP lawsuit concerning printer firmware

Just last week, there has been a lawsuit filed against HP in San Jose District Court, California, USA concerning weaknesses in the firmware in some of their printers allowing for them to accept software of questionable origin. Issues that were raised were the ability to load modified software that could facilitate espionage or sabotage. This was discovered through lab-controlled experiments that were performed on some of the affected printers.

As all of us know, the firmware or apps are typically held on servers that can be easily compromised if one isn’t careful. This has been made more real with the recent Sony PlayStation Network break-ins, although data pertaining to users was stolen this time. But it could be feasible for a device to look for new firmware at a known server and find compromised software instead of the real thing.

They even raised the question not just about the software that is delivered and installed using a computer or network but the ability to install ROM or similar hardware chips in to the device to alter its functionality. I would also see this including the ability to pass in code through “debug” or “console” ports on these devices that are used to connect computers to the devices as part of the software-development process.

This could have implications as equipment like home appliances, HVAC / domestic-hot-water equipment and building security equipment become field-programmable and join the network all in the name of “smart energy” and building automation. Issues that can be raised include heaters, ovens or clothes dryers being allowed to run too hot and cause a fire or building alarm systems that betray security-critical information to the Social Web without the users knowing.

Further ramifications of this lawsuit

Device manufacturers will have to look at the firmware that governs their products in a similar vein to the software that runs regular and mobile computing equipment. This includes implementing authenticated software delivery, software rollback options and the requirement to keep customers in the loop about official software versions and change-logs (differences between software versions).

In some cases, business computing equipment like laser printers will have firmware delivered in a similar manner to how computer software is rolled out to regular computers in larger businesses. This includes software that enables centralised firmware deployment and the ability to implement trial-deployment scenarios when new firmware or add-on software is released.

Devices that have proper-operation requirements critical to data security or personnel / building safety and security may require highly-interactive firmware delivery augmented with digital-signature verification and direct software-update notification to the customer.

Similarly, security-software vendors may push for a system of integrating software solutions, including “edge-based” hardware firewall appliances in the process of software delivery to other devices.

Conclusion

What I would like to see out of this case if it is allowed to go “all the way” is that it becomes a platform where issues concerning the authenticity, veracity and safety of field-updatable firmware for specific-purpose devices are examined.

Scareware slingers stumped by Google secure search • The Register

My Comments

Google has allowed users to perform a “Secure Search” option where their search-engine transactions are encrypted between the Google servers and their computer. This can be either facilitated through the user typing https://www.google.com or setting it as a default for their Google services account.

Obviously this feature is intended to provide a private secure-search sessions over open networks like Wi-Fi hotspots that are set up in the common open manner. But this also has a side benefit where destination Web sites don’t know what search terms are passed to them, thus making it harder to tune search search listings without the use of tools like Google Analytics.

The key obvious benefit is to stop the appearance of “poisoned” search listings that lead users to “scareware”. These are Trojan Horses which appear to be legitimate system utilities but are intended to separate the user from their money by spruiking horrendous system conditions to the user. Of course, I have had to deal with this menace by removing these programs from various friends’ computers.

The only limitation with this setup is that it only applies by default for people who are currently logged in to a Google service of some form like GMail. For users who share computers, they would have to start a Google-services session then head to the Google.com Website to start searching; or simply remember to type the https prefix. This can be achieved through the Google bookmark, favourite item or Intranet page hyperlink pointing to https://www.google.com .

At least this is another Web security item that offers more than is typically highlighted.

Like the similar Facebook article that I have written for Facebook novices, this will list who will see which information you post when you use Twitter. Here, I would recommend this as a bookmark or favourite or as something to print out and keep near the computer or have available on the business intranet.

Twitter lexicon

Who sees what

What to do where on Twitter

If someone follows you on your Twitter account, it may be a good idea to check that person out when you receive the notification by email. Here, you could then consider following that person and being able to use direct messaging as appropriately.

It is also worth noting that a lot of social Twitter users use “textspeak” (abbreviations and acronyms for common expressions used when sending SMS messages) when they send out Tweets. So you may have to use resources like the Urban Dictionary to help you understand some of this lingo.

You might be considering setting up that complimentary hotspot for your guests to use but there are certain risks to be aware of concerning the security of your business and your guests’ data and identity.

Risks that have been highlighted include confidential-data and identity theft performed against customers as they work this data from their portable devices; as well as clandestine computer activity like the downloading or serving of illegal content; or the distribution of spam email, performed using computers connected to public Internet networks like wireless hotspots.

As well, there may be other imperatives required of people who provide Internet access to the public. These imperatives, asked for by various local, state / regional or national governments may include requirement like keeping a log of whom you provide Internet access to or requirement for session tracking. Therefore I am not therefore in a position to explain how to satisfy these needs and it is best to seek local advice on this topic.

Therefore, your business should know who is using the hotspot service and be able to make sure that the people who benefit are the business’s customers or guests. This means that the customers or guests are actually going to be operating the network device that they use when connecting to the service and also operate it on your premises. As well, your customers know that they are going to actually benefit from your hotspot service when they log in to this service.

The cafe or bar as a “second office”

This is more important for the cafe as an increasing number of businesspeople use these places as “second offices” where they can work without unnecessary office-borne distraction or as places where they meet their colleagues or business partners. Here, these people will be working on workplace-confidential data and most of these workplaces place high value on the security of this data as it travels between the laptop and the workplace’s main computer systems.

In fact, the reason I have decided to publish this article was because a cafe that I regularly visit in Camberwell (Melbourne, Australia) had just started to offer free public Wi-Fi access but I had wanted them to provide a free Wi-Fi service that is safe for their customers. Here, they had an ordinary wireless router as the Internet service but they needed help in getting this service working properly and safely. They also wanted to make sure that this resource was available just to their customers as part of their customer service.

Your equipment

When you start out with your complimentary-use hotspot service, you may use a wireless router hooked up to a separate Internet service or use one with a “guest-access” or hotspot function and is connected to your common Internet service.

This should be set up to cover your public area such as the bar areas in your bar or the dining room in your cafe. In some situations, you may need to use an additional access point to cover larger areas or get your signal past thick walls. This is something I have covered in this site as a separate article.

As well, if your equipment works on 802.11n technology, it should be set to work in compatibility mode where it can work with 802.11g and 802.11n devices. This is to cater for the fact that most devices that are in circulation, especially smartphones, are likely to work with 802.11g technology and people may operate battery-operated 802,11n-capable devices in 802.11g mode in order to conserve battery runtime. 

Your SSID or Network Name

The SSID or network name is very important to your hotspot’s identity. Here, it should reflect your business’s name and have a reference to public or guest Wi-Fi service. An example that I used for a basic complimentary-use Wi-Fi hotspot that I set up at a coffee lounge just recently was MORAVIA-PUBLIC-WIFI. Here this reflected the coffee lounge’s name (MORAVIA) as well as stating that the service was a public Wi-Fi hotspot service hosted by this business. Therefore, you can then identify any “evil-twin” or “fake-hotspot” devices left on or near the premises that exist to capture customers’ sensitive data.

This SSID must be used in all signage advertising your hotspot and the signage must reflect your company’s identity. This means that it either has your company logo and name or be in your company’s styling. In this case, the signage about the hotspot should at least exist beside the cash-register and the door, preferably at eye-level or near the main handle or pull.

Hotspot security

Basic security

Your hotspot network should be secured with a WPA-PSK passcode which your staff should give out to customers who want to use hotspot service. As well, the network should have wireless-client isolation enabled, so that customers who are using the hotspot cannot browse on to each others’ computers.

Previously, there wasn’t any wisdom in implementing link security on a public-use wireless network but now that most computers and handheld devices support WPA-based link security for wireless networks, adding this function to WPA-level is still worth it for achieving some control and security in a public-use wireless network.

It is still important to change the WPA-PSK passphrase regularly such as at least twice a month. Some environments may require the passphrase to the changed every week. This is so that it becomes hard to set up a “fake hotspot” using your service’s credentials or keep a computer logged in to the hotspot service without you knowing.

As well, your hotspot should properly support VPN pass-through for all protocols so that business users can log in to their workplace VPNs  without any headache.

Special hotspot-gateway devices

It may be worth knowing that if you want greater control over your public Internet service, it may be worth implementing a “docket-printer-based” wireless hotspot gateway like the Netcomm HS-1100, Solwise WAS-105R or Zyxel N4100.

Here, these devices direct users to a login page where they have to key in a session login and password that they transcribe from a paper docket that is printed from a docket printer attached to the hotspot gateway. If you intend to offer a paid service, these devices put you in a position to use the payment methods and paths that you use to accept payment for your goods and services.

This is unlike some other hotspot gateway setups that require the potential user to pay another company directly using their credit card or an account maintained by that other company using a payment form hosted by that hotspot. Typically, a lot of these setups are managed in a manner where you don’t have much control over how the service in provided and the service may be provided in a manner not dissimilar to how most vending and amusement machines are provided where you don’t own the equipment, representatives visit the premises to maintain the equipment and you get a small “cut” from the takings.

As well, the session login parameters that your users type in from these dockets exist only for a particular time limit. This is also important for people who run a paid service, but can be useful for managing complimentary service so you can be sure that the people who are using your service are your customers or guests who are in your public areas.

If you do run one of these dedicated hotspot gateway devices, such as a “docket-printer-based” device, the wireless network that these devices operate should still have WPA-PSK security with the passphrase changed regularly. The “docket-based” devices will list the WPA-PSK passphrase on that same docket so your customers can still log in to your hotspot from their device.

Branding options

If you do implement these devices, make sure that you know how to brand the customer-facing user interfaces.

Most of these devices can allow you to upload a graphic and integrate it in to the login interface or they can allow you to upload customised login screens or point to a Web server for the login interface graphics. The latter option may appeal to you if you have a good hand with creating basic HTML Web pages.

Here, make sure that you have your business name and logo and, if you can do it, set the colour scheme to your business’s colour scheme. As well, make sure that your business name appears on the access dockets that your hotspot gateway prints out.

Power outlets

With a hotspot, always expect that some of your customers will use the power outlets on your premises to power their laptops or smartphones from AC power to avoid compromising battery runtime. This is more so with customers are operating older equipment that has batteries that are “on their last legs” or are working VPN sessions in order to “pick up” files from work and want to be sure this is done properly.

Here, a few double outlets near the tables can work wonders here and if an outlet is used for powering a device like a lamp, the device could be connected to the outlet via a multi-socket power-board with extra outlet space for a few appliances.

Conclusion

Once you know how to choose and set up your public-use wireless network properly, you can make sure that this is a service that your customers and guests will benefit from fully. This may even put your business “on the map” as far as customer-service extras are concerned.

Phone scammers target computer owners | ABC News Australia

Alert over scam phone calls about bogus computer virus | Wolverhampton City Council (United Kingdom)

My Comments

Just today, a friend of mine who I live with received a phone call on our house phone saying that their computer is infected with a virus and she was being instructed to do certain procedures on the household computer. Luckily she told the caller to hang up and put the phone down and didn’t head towards the computer. This was very good for someone who hasn’t much familiarity with computer technology.

This is part of a scourge that is affecting home and small-business computer users and computer novices are more likely to be at risk of this fraud because they may not know the difference between a virus attack or a computer being very sluggish.

There has been some press coverage and coverage in government consumer-protection Websites and bulletins around the world concerning this topic, with a lot of weight placed on reference to the scammers claiming they represent Microsoft. But the scammers can pretend they represent other legitimate IT companies like antivirus software firms.

If you needed outside help regarding computer issues, you will most likely have initiated the contact yourself, whether through your computer-expert neighbour, relative, friend or acquaintance; your workplace’s IT support if your workplace has such a department or your computer supplier.

What these callers tend to do is to lead the user to download and install malware, usually in the form of spyware or fill in forms with email addresses and credit-card details in order to facilitate various forms of fraud against the user. This can be in the form of milking their bank account and credit-card of useable funds, inundating their email inbox with spam email or stealing other information that is confidential to them or their business operations.

So I would encourage all users to be careful of unfamiliar “call-centre” phone calls about computer viruses or similar issues and simply hang up when they receive these calls. As well, they should keep their desktop security programs on their computers up-to-date so as to protect against the various scams.

Other tactics that you may consider would be to threaten the scammers with legal action or question them about whether they can do business legally in your country. A good example would be asking them for their tax-registration details that are required of them if they do business in your country, such as the VAT registration details if you are in Europe or the Australian Business Number if you are in Australia.

Mobile Users More Susceptible to Phishing Scams – www.enterprisemobiletoday.com

My comments

Why are mobile (smartphone and tablet-computer) users more susceptible to phishing scams?

The main reason is that the operating interface on the mobile computing devices is totally different to the operating environment on a desktop or laptop computer.

One main reason is that most of these devices don’t have a large display area in their Web browsers or email clients due to them having smaller display screens. This leads to the software designers designing a “clean and simple” user-interface for software pitched at these devices with minimal controls on the interface; which eliminates such concepts as fully-qualified email addresses and URLs. A lot of these devices even conceal the address bar where the user enters the URL of the page to be visited unless the user directly enters a URL that they intend to visit. Similarly, the email client only shows the display name for the incoming email, especially in the commonly-used “list-view”.

It is also augmented by the lack of a “B-option” interface in a mobile operating system. This is compared to what is accepted in a desktop operating environment with functions like right-clicking with a multi-button mouse or using Ctrl-Click on a single-button-mouse-equipped Macintosh to gain access to a context-sensitive secondary menu. Similarly, all scientific calculators used an [F] key and / or an [INV] key to modify the function of formula buttons either to gain access to the inverse of a formula or obtain another formula.

Such an option would allow the user to select a “function” button before selecting the option or displayed item in order to open a context-sensitive secondary-function menu or select a secondary function.

This discourages users from checking the URL they intend to click on in an email or the fully-qualified email address for an incoming email.

What could be done?

The Web browser and email client could support “phish detection” which could provide a highly-visible warning that one is heading to a “phishy” Web site or receiving a suspicious email. This function is just about provided in every desktop email client that most of us use but could be implemented in a mobile email client. Similarly, an email service could integrate filtering for phishy emails as part of its value-added spam-filter service.

There could even be the ability to have a “magnifying glass” touch button on the browser or email-client user interface which, when selected before you select an email address or URL, would show the fully-qualified email address or URL as a “pop-up”. This would have the domain name emphasised or written in a distinct colour so you know where you are going. This same interface could also be in place if one enters a URL directly in to their Web browser.

The mobile browsers could also support the Enhanced Validation SSL functionality through the use of a distinct graphic for the fully-validated sites. As well, a wireless-broadband provider or Wi-Fi hotspot could offer a “phish-verify” proxy service so that users can see a “red flag” if they attempt to visit a phishy Website similar to what happens in Internet Explorer when a user visits a suspicious Website.  This is similar to how some mobile providers warn that you are heading to a website that isn’t part of their “free-use” Website list and they could integrate this logic in to these proxy servers.

Conclusion

In general, the industry needs to look at the various user scenarios that are or are likely to be in place to improve secure Web browsing and email. Then they have to enable user-experience measure that can allow the user to verify the authenticity of Websites and emails.

This is more so as the small screens end handheld devices end up as the principal Web user interface for people who are on the move. It will also become more so as the “10-foot” TV interface, with its large screen with large text and graphics, D-pad navigation technique and use by relaxed and mostly-tired viewers relaxing on comfortable furniture becomes a mainstream “lounge-room” interface for the Web.

Microsoft Security Essentials available to Small Businesses on October 7

My comments

Microsoft have an entry-level antimalware program called Security Essentials which was previously available free to home users and students. This required all business users to consider using their premium Forefront Security Suite or other competing desktop security software solutions for their computer security.

This put small businesses and organisations lie shops, medical practices, religious organisations, non-profits and the like who had a few computers on their network in a very difficult position especially when it came to easy-to-manage desktop security software, Now Microsoft have answered this need by varying the End User License Agreement for this program to allow small business users with up to 10 computers to run this program.

One of the reasons that I am pleased with this change is that it is easy for the owner of a small organisation (who is responsible for that organisation’s IT) to set up and manage desktop security on Windows-based computers with this easy-to-manage program. It works in conjunction with Windows Firewall and has very little that is needed to adjust, which will please most of this kind of user who may not have good computer skills.

This therefore may be a way for a small shop or similar operation with a few Windows computers to save money on their desktop security software. One improvement I would like to see is for Apple MacOS users to benefit from a free desktop-security program because as this platform becomes popular, malware writers will target it.

Mobile codes to boost Google account security | Security – CNET News

My comments

Google have worked on a way of improving security for Web-page login experiences because these login experiences are easily vulnerable to phishing attacks.

What is this technology

This method is similar to a hardware security “token” used by some big businesses for data security and increasingly by some banks to protect their customers’ Internet-banking accounts against phising attacks. This is a device that you keep with you in your wallet or on your keyring which shows a random number that you key in to a login screen alongside your user name and password and is based on “what you have” as well as “what you know”.

This time, the function of this “token” is moved to the mobile phone which nearly all of us have on ourselves. It will appear as a smartphone “app” for the Blackberry, Android or iPhone platforms that shows the random code number or will operate in the form of your phone showing an SMS with the token code or you hearing a code number from a call you answer on that phone. Of course, you will register your mobile number with Google to enable this level of security.

The direction for the technology

Google are intending to use it with their application platform which covers GMail, Adsense, Analytics, Picasa and other Google services. Initially it will be tried with selected user groups but will be available to the entire user base.

They will provide an option to avoid the need to use this “Google codes” system on the same computer for a month, which would appeal to users who work with their GMail account from their netbook or desktop PC. They will still need to have this work if they “come in” to their GMail account from another computer and it will work if someone else uses the same PC to check on their GMail.

What I am pleased about with this is that they intend to “open-source” this system so that it can be implemented in to other platforms and applications. Similarly, the “apps” can then be ported to newer smartphone platforms or “baked in” to other PDAs and similar devices. As far as the “apps” are concerned, I would like to allow one piece of code to service multiple service providers rather than loading a smartphone with multiple apps for different providers.

Making the home network secure

I would like to see this technology being tried out as a method of securing devices that use Web-based data-access or management interfaces, similar to D-Link’s use of CAPTCHA for securing their home-network routers’ management login interfaces. This is becoming more so as nearly every home uses a wireless network router as the network-Internet “edge” for their networks. Similarly, there is an increasing tendency to use a network-attached storage for pooling data to be available across the network or as backup storage and most of these units use a Web-based user interface.

Conclusion

One feature that I like about this Google project is that they have applied a security technology normally available to big business and made it available to small business and consumer users.

Intel acquires McAfee for $7.68 billion – Engadget

My comments

Most of the laptops that I have reviewed on this blog came with a trial edition of a McAfee desktop-security program. Similarly, there are some people who have cottoned on to a McAfee desktop-security solution of some form, either by taking out a full subscription to a trial program that came with their new computer, used a business-supplied program or, for long-time computer hobbyists and students, ran the shareware program on their DOS-based PCs to keep the likes of “Ping Pong” or “Stoned” off their hard disks.

This program, one of the “old dogs” of PC virus control and desktop security, has served many users very well but some users would find that Intel owning McAfee may change the course of the McAfee product lineup either to make it more cheaper or costlier. It could also be a chance to make for a “vertical” desktop-security package directed at a particular user group or, as I would hope for, prepare a competitive antivirus program for the Apple Macintosh platform. This is because as more people take to the Macintosh platform, the “computer underworld” could work on that platform and create malware for it.

A good question to ask is whether McAfee, being profitable, was simply bought out by Intel or whether McAfee was posting a loss and Intel offered to buy out the software company to offset the losses. The latter situation may be brought about by the arrival of the free desktop antivirus programs offered by AVG, Avira, Avast and Microsoft; and the fact that Microsoft is providing a highly-competent desktop firewall program that is baked in to the Windows Vista and 7 operating systems.

Who knows what could be the direction for premium desktop security programs, especially for the Windows platforms.

Scareware Indictments Put Cybercriminals on Notice – Microsoft On The Issues

Swede charged in US over ‘scareware’ scheme | The Local (Sweden’s News in English) – Sweden

US-Behörden klagen Scareware-Betrüger an | Der Standard (Austria – German language)

From the horse’s mouth

FBI Press release

My comments

What is scareware

Scareware is a form of malware that presents itself as desktop security software. Typically this software uses a lot of emphasis on “flashing-up” of user-interface dialogs that mimic known desktop security programs, whether as add-on programs or functions that are integral to the operating system. They also put up dialogs requiring you to “register” or “activate” the software in a similar manner to most respected programs. This usually leads you to Web sites that require you to enter your credit-card number to pay for the program.

In reality, they are simply another form of Trojan Horse that is in a similar manner to the easy-to-write “fake login screen” Trojans that computer hackers have created in order to capture an administrator’s high-privilege login credentials. Some of the scareware is even written to take over the computer user’s interactive session, usually with processes that start when the computer starts, so as to “ring-fence” the user from vital system-control utilities like Task Manager, Control Panel or command-line options. In some cases, they also stop any executable files from running unless it is one of a narrow list of approved executable files. They are also known to nobble regular desktop anti-malware programs so that they don’t interfere with their nefarious activities. This behaviour outlined here is from observations that I had made over the last few weeks when I was trying to get a teenager’s computer that was infested with “scareware” back to normal operation.

Who ends up with this scareware on their computer

Typically the kind of user who will end up with such software on their computer would be consumers and small-business operators who are computer-naive or computer-illiterate and are most likely to respond to banner ads hawking “free anti-virus software”. They may not know which free consumer-grade anti-virus programs exist for their computing environment. In a similar context, they may have found their computer is operating below par and they have often heard advice that their computer is infested with viruses.

What you should do to avoid scareware and how should you handle an infestation

The proper steps to take to avoid your computer being infested with scareware is to make sure you are using reputable desktop security software on your computer. If you are strapped for cash, you should consider using AVG, Avast, Avira or Microsoft Security Essentials which have the links in the links column on the right of your screen when reading this article on the site.

If you have a computer that is already infected with this menace, it is a good idea to use another computer, whether on your home network or at your workplace, to download a “process-kill” utility like rkill.com to a USB memory key or CD-R and run this on the infected computer immediately after you log in. It may alos be worth visiting the “Bleeping Computer” resource site for further information regarding removing that particular scareware threat that is affecting your computer. This is because I have had very good experience with this site as a resource when I handled a computer that was infested with scareware.

If you are at a large workplace with a system administrator, ask them to prepare a “rescue CD” with the utilities from the “bleeping-computer” Web site or provide a link or “safe-site” option on your work-home laptop to this site so you can use this computer as a “reference” unit for finding out how to remove scareware from a computer on your home network.

How the criminal law fits in to this equation

The criminal law is now being used to target the “scareware” epidemic through the use of charges centred around fraud or deception. Like other criminal cases involving the online world, the situation will touch on legal situations where the offenders are resident in one or more differing countries and the victims are in the same or different other countries at the time of the offence.

This case could raise questions concerning different standards of proof concerning trans-national criminal offences as well as the point of trial for any such offences. 

Conclusion

Once you know what the “scareware” menace is, you are able to know that criminal-law measures are being used to tackle it and that you can recognise these threats and handle an infestation.

Disclaimer regarding ongoing criminal cases

This article pertains to an ongoing criminal-law action that is likely to go to trial. Nothing in this article is written to infer guilt on the accused parties who are innocent until proven guilty beyond reasonable doubt in a court of law. All comments are based either on previously-published material or my personal observations relevant to the facts commonly known.

Scareware Indictments Put Cybercriminals on Notice – Microsoft On The Issues

Swede charged in US over ‘scareware’ scheme | The Local (Sweden’s News in English) – Sweden

US-Behörden klagen Scareware-Betrüger an | Der Standard (Austria – German language)

From the horse’s mouth

FBI Press release

My comments

What is scareware

Scareware is a form of malware that presents itself as desktop security software. Typically this software uses a lot of emphasis on “flashing-up” of user-interface dialogs that mimic known desktop security programs, whether as add-on programs or functions that are integral to the operating system. They also put up dialogs requiring you to “register” or “activate” the software in a similar manner to most respected programs. This usually leads you to Web sites that require you to enter your credit-card number to pay for the program.

In reality, they are simply another form of Trojan Horse that is in a similar manner to the easy-to-write “fake login screen” Trojans that computer hackers have created in order to capture an administrator’s high-privilege login credentials. Some of the scareware is even written to take over the computer user’s interactive session, usually with processes that start when the computer starts, so as to “ring-fence” the user from vital system-control utilities like Task Manager, Control Panel or command-line options. In some cases, they also stop any executable files from running unless it is one of a narrow list of approved executable files. They are also known to nobble regular desktop anti-malware programs so that they don’t interfere with their nefarious activities. This behaviour outlined here is from observations that I had made over the last few weeks when I was trying to get a teenager’s computer that was infested with “scareware” back to normal operation.

Who ends up with this scareware on their computer

Typically the kind of user who will end up with such software on their computer would be consumers and small-business operators who are computer-naive or computer-illiterate and are most likely to respond to banner ads hawking “free anti-virus software”. They may not know which free consumer-grade anti-virus programs exist for their computing environment. In a similar context, they may have found their computer is operating below par and they have often heard advice that their computer is infested with viruses.

What you should do to avoid scareware and how should you handle an infestation

The proper steps to take to avoid your computer being infested with scareware is to make sure you are using reputable desktop security software on your computer. If you are strapped for cash, you should consider using AVG, Avast, Avira or Microsoft Security Essentials which have the links in the links column on the right of your screen when reading this article on the site.

If you have a computer that is already infected with this menace, it is a good idea to use another computer, whether on your home network or at your workplace, to download a “process-kill” utility like rkill.com to a USB memory key or CD-R and run this on the infected computer immediately after you log in. It may alos be worth visiting the “Bleeping Computer” resource site for further information regarding removing that particular scareware threat that is affecting your computer. This is because I have had very good experience with this site as a resource when I handled a computer that was infested with scareware.

If you are at a large workplace with a system administrator, ask them to prepare a “rescue CD” with the utilities from the “bleeping-computer” Web site or provide a link or “safe-site” option on your work-home laptop to this site so you can use this computer as a “reference” unit for finding out how to remove scareware from a computer on your home network.

How the criminal law fits in to this equation

The criminal law is now being used to target the “scareware” epidemic through the use of charges centred around fraud or deception. Like other criminal cases involving the online world, the situation will touch on legal situations where the offenders are resident in one or more differing countries and the victims are in the same or different other countries at the time of the offence.

This case could raise questions concerning different standards of proof concerning trans-national criminal offences as well as the point of trial for any such offences.

Conclusion

Once you know what the “scareware” menace is, you are able to know that criminal-law measures are being used to tackle it and that you can recognise these threats and handle an infestation.

Disclaimer regarding ongoing criminal cases

This article pertains to an ongoing criminal-law action that is likely to go to trial. Nothing in this article is written to infer guilt on the accused parties who are innocent until proven guilty beyond reasonable doubt in a court of law. All comments are based either on previously-published material or my personal observations relevant to the facts commonly known.

Over this last few weeks, there has been hysterical media and political activity in Europe and Australia concerning Google’s Street View activities. This activity has become focused on the collection of Wi-Fi network data by the Street Survey vehicles which grab the initial street images.

The hysteria focused on identifying details about Internet use and Wi-Fi devices that existed at individuals’ addresses and that this data could be used to spy on individuals.

The truth

Wi-Fi site surveys are a part of Wi-Fi networking life

The Wi-Fi site survey is associated with nefarious activities like wardriving but it is commonly practised as part of Wi-Fi network use.

When you want to connect to your Wi-Fi wireless network with a client device, you will come to a point in the device’s setup operation where you see a list of SSIDs, then you choose the SSID that you wish to connect to. This is an elementary form of a site survey.

This is extended to technology enthusiasts like myself who activate Wi-Fi network scanning functions on smartphones to see a list of wireless networks operating in the neighbourhood that they are in for curiosity’s sake. Here, we see the list of SSIDs and an icon beside each SSID that indicates whether the network is protected or not. The practice also extends to use of “Wi-Fi-finder” devices to look for open Wi-Fi networks.

Similarly, people who are optimising wireless networks will use software like inSSIDer (which I have reviewed) or HeatMapper for site surveys and wireless-network optimisation. This software can also yield information about the BSSID and operating channel for that particular SSID and more sophisticated versions can use spectrum analysers to determine interfering frequencies or determine the location using support for GPS modules.

This leads me to Navizon and Skyhook Wireless who have done these surveys in order to turn these beacons in to a location tool in a similar manner to GPS or mobile-phone-tower-based positioning. The most common application of this is the Apple iPhone platform which uses this information for locating the phone during setup, avoiding the need for users to determine their time zone or location.

What does my Wi-Fi network yield

A normally-setup wireless access point or router will send out a “beacon” with contains the following data:

• SSID or ESSID which is the wireless network name
• BSSID which is the MAC address for the access point’s radio transceiver. This MAC address does not have any relationship to the Ethernet MAC address or the broadband (WAN) interface’s MAC address on your wireless router.
• Information required to determine security protocol to establish a successful conection

This data that is in this “beacon” is publicly available in a similar context to the information written on a vehicle’s registration label which would have the registration number (written on the number plates / license plates) and the VIN (vehicle identification number) for that vehicle.

It is also worth knowing that all access points and wireless routers have the option to turn off SSID broadcast. Here, you don’t have the SSID made available but have the network listed as a “hidden network” on some devices. This is something you can do in your router’s or access point’s Web-based management interface

When your network client devices are active in your wireless network and are “talking” to your wireless access point or router, they don’t broadcast an SSID or other beacon because they have “latched on” to that access point or router. This data will usually be encrypeted as part of the WPA security protocols that should be in place on your private wireless network.

Conclusion

Once you know how the Wi-Fi network works, you should then know that a site-survey operation should not gather the actual data that is moved across the network.

There are an increasing number of WiFi wireless hotspots being set up, mainly as a customer-service extra by cafe and bar operators. But there have been a few security issues that are likely to put users, especially business users off benefiting from these hotspots.

This is becoming more real due to netbooks, mobile Internet devices, WiFi-capable smartphones and other easily-portable computing devices becoming more common. The hotspots will become increasingly important as people take these devices with them everywhere they go and manage their personal or business data on them.

The primary risk to hotspot security

The main risk is the “fake hotspot” or “evil twin:. These are computers or smart routers that are set up in a cafe or bar frequented by travellers, business people or others who expect Internet access. They can be set up in competition to an existing hotspot that offers paid-for or limited-access service or on the fringes of an existing hotspot or hotzone. They offer the promise of free Internet access but exist for catching users’ private information and/or sending users to malware-laden fake Websites hosted on the computers.

Standard customer-education practices

The common rhetoric that is given for wireless-hotspot security is for the customer to put most of their effort into protecting their own data without the business owner realising that their hotspot service could be turning in to a liability. This can then lead to the hotspot service gathering dust due to disuse by the customers it was intended to serve.

The typical advice given to users is to check whether the premises is running a wireless hotspot or if there is a hotzone operating in the neighbourhood before switching on the wireless network ability in your laptop computer. Then make sure that you log on to a network identified by a legitimate ESSID when you switch on the wireless network ability.

Other suggestions include use of VPNs for all Web activity, which can become difficult for most personal Web users such as those with limited computer experience. Some people even advise against using public Internet facilities like Internet cafes and wireless hotspots for any computing activity that is confidential on a personal or business level.

But everyone involved in providing the free or paid-for hotspot service will need to put effort into assuring a secure yet accessible hotspot which provides a high service quality for all users. This encompasses the equipment vendors, wireless Internet service providers and the premises owners.

Signage and operating practices

When Intel promoted the Centrino chipset for laptop computers, they promoted wireless hotspot areas that were trusted by having a sticker with the Centrino butterfly logo at eye level on the door and the premises being scattered with table tent cards with that same logo. Similarly hotspot service providers and wireless Internet service providers used similar signage to promote their hotspots.

But most business operators, especially small independently-run cafes and bars, commonly deploy “hotspot-in-a-box” solutions where they connect a special wireless router that they have bought to their Internet service and do their own promotion of the service. This may simply be in the form of a home-printed sign on the door or window or a home-printed display sign near the cash register advising of WiFi hotspot service.

An improvement on this could be in the form of the ESSID matching the business’s name and listed on the signage, which should have the business’s official logo. Similarly, the network could be set up with WPA-PSK security at least with the passphrase given to the customers by the business’s staff members when they order hotspot service. Most “hotspot in a box” setups that list the customer’s username and password on a paper docket also list the ESSID and WPA-PSK passphrase on these dockets. As well, I would modify the login page to convey the business’s look with the business’s logo and colours. A complimentary-use hotspot could be secured with a WPA-PSK passphrase and the customer having to ask the staff member about the passphrase. This could allow the facility to know who is using the hotspot and the organisation who runs that hotspot can have better control over it.

It may be worth the industry investigating the feasibility of using WPA-Enterprise security which is associated with different usernames and passwords for access to the wireless network. Most portable computers and handheld devices in current use can support WPA-Enterprise networks. This can be implemented with the typical “paper-docket” model used by most “hotspot-in-a-box” setups if the authentication system used in these units works as a RADIUS server and the built-in wireless access point supports WPA-Enterprise with the unit’s built-in RADIUS server. The same setup could work well with a membership-based hotspot service like a public library with the RADIUS server linked to the membership database. But it may not work easily with hotspot setups that work on a “self-service” model such as paid-service hotspots that require the user to key in their credit-card number through a Webpage or free-service hotspots that use a “click-wrap” arrangement for honouring their usage terms and conditions.

The organisation who runs the hotspot should also be aware of other public-access wireless networks operating in their vicinity, such as an outdoor hotzone or municipal wireless network that covers their neighbourhood; and regularly monitor the quality of service provided by their hotspot. Also, they need to pay attention to any customer issues regarding the hotspot’s operation such as “dead zones” or unexpected disconnections.

People who own private-access wireless networks should also keep these networks secure through setting up WPA-secured wireless networks. They should also check the quality of their network’s service and keep an eye on sudden changes in their network’s behaviour.

When wireless-network operators keep regular tabs on the network’s quality of service, they can be in a better position to identify rogue “evil-twin” hotspots

Improved standards for authenticating wireless networks

There needs to be some technical improvement on various WiFi standards to permit authentication of WiFi networks in a manner similar to how SSL-secured Web sites are authenticated. This could be based around a “digital certificate” which has information about the hotspot, especially:

• the ESSID of the network ,
• the BSSID (wireless network MAC) of each of the access points,
• the LAN IP address and MAC number of the Internet gateway
• the venue name and address and
• the business’s official name and address.

The certificate, which would be signed by public-key / private-key method could be part of the “beacon” which announces the network. It would work with the software which manages the wireless network client so it can identify a wireless network as being secure or trusted if the signature is intact and the network client is attached to the network from the listed BSSIDs and is linking to the gateway LAN IP.

The user experience would be very similar to most Internet-based banking or shopping Websites where there is a “padlock” symbol to denote that the user is using an SSL-secured Website with an intact certificate. It will also be like Internet Explorer 7 and 8 where the address bar turns green for a “High-Assurance” certificate which requires higher standards. In this case, the user interface could use colour-coding and / or a distinctive icon for indicating a verified public network.

The provision of cost-effective wireless-network management software

There are some programs that can turn a laptop computer in to a wireless-network survey tool, but most of them don’t show much useful information, are hard to operate for anyone other than a network technician; or are too costly. They miss the needs of people who run home or small-business wireless networks or wireless hotspots.

What needs to exist is low-cost wireless-network management software that can work with the common Microsoft or Apple platforms on computers that have common wireless . The software should be able to use commonly-available wireless network adaptors such as the Intel Centrino platform to perform site surveys on the WiFi bands and display the activity on these bands in an easy-to-view but comprehensive manner. The software should be easy to use for most people so they can spot interference to their wireless network easily and can “tune” their wireless network for best performance.

An application that is matching this need is MetaGeek’s inSSIDer, a free wireless-network site survey tool for the Windows platform which I have reviewed in this blog. It has the ability to list all the networks receivable by signal strength, MAC address, SSID or channel; or plot a graph of the networks by signal strength over time; or plot a graph of all the access points by signal strength over channel. This may help with managing your hotspot by identifying rogue access points and “evil-twin” hotspots.

Similarly the popular smartphone and PDA platforms like Applie iPhone, Android, Symbian S60 / UIQ, Blackberry and Microsoft Windows Mobile could have low-cost wireless-network management software written for them so they can make a handheld PDA or mobile phone work as a site-survey tool for assessing quality of service.

Once this kind of software is available for small business and home users, it empowers them to assure proper coverage of their network and check for any “evil twin” or other rogue hotspots being set up to catch customers.

Summary

There needs to be more effort put in to setting up secure public-access wireless networks so that people can benefit from portable computing anywhere without forfeiting the confidentiality of their personal or corporate data.

It also will encourage people to gain the maximum value out of their WiFi-enabled portable information devices whether for their business life or their personal life.

‘Maga No Need Pay’: Nigeria Gets Creative to Fight Cyber Scams | Microsoft On The Issues blog (Microsoft)

Music video – “Maga No Need Pay”

Turn up the volume to enjoy this clip!

Direct link to YouTube clip for TwonkyBeam users to “push” to DLNA media players or if you can’t see the clip on this page.

At the moment, there aren’t any reliable sources where one can obtain the song as an MP3 file.

My comments on this action

Previously, I had written about social networking sites being used as part of 419-style scams, primarily in the form of the “lost traveller” appeal on these sites.

After reading the blog article about Microsoft assisting Nigerian music talent to take steps to educate the youth against cybercrime, I was impressed about how this country can turn itself around and out of the “419-scam” quagmire.

The song was emphasised at the youth there who would think it was cool to become engaged in these scams and other cybercrime, especially thinking they could “live large” on the profits of these scams at the expense of their victims or “maga”. It is part of the Microsoft-led programs which work in a similar way to “Hand Brake Turn” and similar redirection programs sponsored by churches and similar non-profit organisations to steer youth who are at risk of committing crime away from it.

Here, it is definitely a break from the usual information that exists about these scams where the emphasis is on preventing people becoming victims of these scams.

Installation and Use

The installation went ahead very smoothly and was able to draw attention to a clash between this program and my prior setup which was Windows Firewall as the desktop firewall solution and Avast Home Edition as the anti-malware solution, and offered to uninstall Avast Home Edition before installing itself.

Kaspersky's main operating console

The main software dashboard has a “traffic-light” bar at the top which glows green for a safe environment, yellow for situations that need your attention and red for dangerous environments. It uses a tabbed interface which can show information that pertains to particular aspects of the program. This dashboard can be minimised to a “red K” indicator located in the System Notification Area on the Taskbar and ends up being relative unobtrusive. If it needs to draw your attention, a coloured “pop-up” message shows near that area. You don’t even see “splash screens” when the program starts during the system’s boot cycle, unlike what happens with Norton AntiVirus and other computer-security software delivered as “crapware” with many Windows computers.

Notification Tray icon

The program does download many updates through the day because of the nature of the computer-security threats that evolve too quickly. This is typically indicated with a “globe” symbol underneath the “red K” indicator when the program is minimised to the System Notification Area.

Performance

Kaspersky’s performance under a “full-scan” situation is typical for may desktop computer-security applications because this involves reading files from the computer’s hard disk which is competitive with applications that need use of the hard disk. It had highlighted a password-protected executable file as a risk because of the fact that this can become a way of concealing malware.

The software’s “behind-the-scenes” behaviour can impinge on system performance if you are doing anything that is graphic intensive. But there is an option to have the program concede resources to other computing tasks.

Gaming Profile option

The program also has options available for optimising its behaviour to particular situations. For example, there is an option to disable scheduled scans when a laptop computer is running on batteries and a “gaming mode” which reduces its presence and can disable scheduled scans and updates when you are playing a full-screen game or video and you don’t want the program to interrupt you.

From what I have observed, Kaspersky does a very good job at maintaining a “sterile zone” for your computer. For example, if you plug in a USB memory key, the program will scan the memory key for malware. This is important with malware like the Conficker worm that has been attacking Windows computers and creeping on to USB memory keys.

Privacy protection and security options

There is an optional on-screen virtual keyboard that works against keystroke loggers which capture data from the hardware keyboard.It may not be a defence against keystroke loggers that capture the character stream that is received by an application or software that records on-screen activity.

There is also an anti-banner-ad module which may appeal only to those who “hear no ads, see no ads, speak no ads”. I wouldn’t use this for most Web browsing activities and you still need to be careful that you run only one “pop-up blocker” at a time. I would rather that this can be used to filter advertising that is used for “fly-by-night” offers.

The e-mail protection does work with Windows Live Mail but, if you want to run it as an anti-spam solution for any e-mail client, you have to have it list your mail on a separate screen so you can tell which mail is which. This feature may be useless if you are running multiple other anti-spam measures such as a spam filter integrated in to your mail client or provided as part of your email service.

Desktop content filter

I do have a personal reservation about desktop-based “parental-control” programs because these programs only control the content that arrives at the computer that they run on. This may be OK for situations where the Internet access is primarily on the general-purpose computer that they run on. It doesn’t suit an increasingly-real environment where Internet access is being done on other terminals such as smartphones, multifunction Internet devices, games consoles, and Internet-enabled TVs. Here, I would prefer a “clean feed” that is provided as an option in the Internet service or the content-filtering software to be installed in a very fast router. The desktop filter can work well if a computer is taken to places like hotspots that don’t provide a filtered Internet service.

The content control is also limited to few categories such as the “usual suspects” (porn, gambling, drugs, violence, weapons, explicit language). There isn’t the ability to filter on “hatred” and “intolerance” sites which may be a real issue in today’s world, although the weapons and violence categories may encompass some of that material. I would like to see more granular filtering to suit different age groups and needs.

Nice to have

A feature that this program could have is management of interface to UPnP IGD routers. This could include identifying port-forward requests by applications and checking that these port-forward requests are destroyed when the application is stopped. This could include destroying port-forward requests when the application crashes or clearing all port-forward requests when the system starts so as to clean up port-forwarding “holes” left when a UPnP-enabled application or the system crashes. This is because I have noticed port-forward settings being left standing when an instant-messaging application, game or similar UPnP-enabled application crashes and the router’s UPnP port-forward list has settings from these prior sessions still open. This can provide various back door opportunities to exist for hackers and botnets to operate.

Macintosh users are looked after by Kaspersky through the “Kaspersky AntiVirus For Mac” program which provides virus protection for that platform. It doesn’t provide the full Internet security options that this program has to offer but there may be a desktop firewall built in to MacOS X which can protect against Internet hacks.

As far as the desktop content filter is concerned, I would like to see increased filtering options like an option to filter out “hatred” / “intolerance” sites; and “games and sports” for business needs. There should also be the ability to set up granular filtering options to suit different user needs.

Conclusion

This program may be a valid option for those of us who want to pay for “that bit more” out of our computer security software and want to go beyond the operating-system-standard desktop firewall and the free anti-virus programs like AVG and Avast.

Statement of benefit: I have been provided with the 3-computer 2-year subscription which is worth AUD$159.95 including GST (street price $84 including GST) as a complementary product in order for me to review it.

When I write here on Facebook, who sees it?

Where should I write this in Facebook?

My comments and further explanation on this topic

This article in Facebook’s blog touches on a very common risk that can affect any social-networking site and user community. It mainly talks of the “money scam” which is really similar to the common “Nigerian” or “419” scam that many of us have encountered through the spam that comes in our mailboxes.

In the social-network version, a fraudster “sets up shop” on a Facebook or similar site and takes over a user’s account. They will then message the user’s social-network friends claiming that they are in another land and out of money. This will be via a message on the Wall or a direct message via the Inbox or a Chat session. They will typically require the friends to wire a huge amount of money to the scammer.

If you do receive one of these kinds of contacts from your friends via a social-networking Website, make a call by regular telephone to the number that you know the friend (or a person that you are sure knows them well such as their spouse / partner, child or employer) can answer such as their home or mobile number. Here, I would prefer to make a voice call rather than use text messaging. Then you can ascertain whether it is the friend who is in need or simply a scam taking place. As well, confirm the situation with mutual contacts. If the friend’s account is being compromised, tell them to change the account’s password immediately. Sometimes, companies like Facebook can lock down a compromised account and e-mail the account holder about what is going on. Then they advise the account holder to change their password immediately.

As well, know what resources do exist in your social-networking service for reporting compromised user accounts and be ready to identify “out-of-character” messages, links or pictures posted up on these services by your friends. For Facebook users, the link is http://www.facebook.com/help.php?page=420 .

My comments on the issue concerning free anti-virus software

I always prefer that every computer has a reputable anti-virus software program running on it and, through this blog, I have always recommended AVG or avast free anti-virus solutions for home users and students. I would also consider the paid-for versions of these programs for users that don’t fit the mould provided for the free versions.

From my experience, these programs and their paid-for equivalents from the same suppliers, can do their job without placing too much stress on the computer. This is compared to the likes of the “big majors” (Trend Micro, Symantec, etc) who supply the computers sold in chain stores with trialware anti-virus solutions that can place a dent on the computer’s performance with their dominant graphics.

As well, the free programs and their paid-for equivalents work tightly with the operating system rather than take over the operating system. This is more so with the latest incarnations of Windows because of the designed-in security functionality that these operating systems have like Windows Firewall. Here, you can do most of your configuring through Windows and your default browser rather than through weird panels that take up a large part of the screen. The programs are as regularly updated as the majors and are even updated to include protection from newer infection vectors like instant messaging.

One thing that AVG, avast and the like could do is “offer” a trade-in deal where if a person who is subscribing to a “major” anti-virus solution like Norton or Trend Micro can switch over to the “professional” versions of these free anti-virus solutions for a cheaper price or for free. If the “professional” solution is sold on a subscription basis, they could offer a longer subscription deal like a “2 years for 1 year” package or a “first year is on us” deal.

This could allow the user to save money on their anti-virus solutions without forfeiting the security level that they are benefiting from..

D-Link’s CAPTCHA in action | DigitalMediaPhile (Barb Bowman)

My comments on this feature

A lot of blogs, comment pages / forums, social-network sites and Webmail services use a CAPTCHA as part of verifying what kind of user is signing up or adding comments to the blog or forum. Infact, users who wish to contact me via the blog’s contact form will be using CAPTCHA as part of proving who they are. This method, which typically requires a user to transcribe letters or numbers from a purposefully-distorted machine-generated graphic, has worked for a long time as a way to keep spambots from these sites.

By the way, a CAPTCHA-based verification system is a feature that I would like to see as part of adding comments to a blog post like this one or others on my blog. It would make life a lot easier for blog authors like myself when it comes to sorting out genuine comments from irrelevant comment spam.

This technique has been added as part of a firmware upgrade to most current-issue D-Link routers in response to recent security attacks against this class of equipment. These threats, typically in the form of Trojan Horses, take advantage of home-network equipment that is ran at “out-of-the-box” settings because most home users may not know how to configure the devices properly.

What will typically happen with these routers is that if the user wishes to change configuration or set up / modify an administrator account, they have to transcribe characters from the machine-generated graphic in a similar way to authenticating themselves with a blog or Webmail service on signup.

But this kind of security will not replace common-sense network security practices like setting the SSID of your wireless network away from the default and using a strong password on the device’s administrator account. It will augment these measures and more home-network equipment should be equipped with these features. Other practices that can be implemented for best security could include devices working on “least privilege” all of the time with the option of password and CAPTCHA verification for serious configuration tasks. This is similar to how Windows Vista and Windows 7 operate; and how a properly-setup building alarm system operates. For example, the network status page on a router could be available “without login” but you have to log in to change status.

At least this is one step being made towards a secure home and small-business network.

The recent Facebook scam with the image of a man standing beside a Ferrari had involved images lifted from a holiday album that was published on Picasa although intended to be private.

One of the main thrusts in this scam involved the photographer’s pictures being used without knowledge or permission of the album’s owner and a possible privacy and reputation threat for both the album’s owner and the Ferrari’s owner (if the Ferrari had front number plates).

One thing that needs to be looked at regarding photos published on Web sites like social networking and photo sharing sites is a secure way of publishing these pictures. Some would say that the most secure way is not to use these services at all, but to send pictures using removeable media (optical disk or USB memory key) via at least “snail mail”, preferably certified mail or courier service.  But many people want to still use these services due to the ability to quickly share large numbers of pictures with people over long distances.

Issues that can be looked at could include a watermarking system for personal images so that users can detect improper use of their images; and improved security practices for online services that handle personal and amateur pictures. The watermark system could use a machine-readable watermark and the option of a visible watermark and could be provided by an ISP, enterprise, Web-hosting facility or a photo-sharing / social-network service. The machine-readable watermark should be able to be detected in thumbnails and low-resolution images; synthesised images such as “photoshopped” images and collages; as wel as high-resolution images. This can work in hand with users, ISPs and hosting services using agents that can scour for improper use and let the users know.

Other practices could include a limit on how the picture is seen by untrusted users, such as “low-resolution only” viewing or inability to download, copy (Ctrl-C / Command-C), print or zoom into the actual picture. As well, the systems that host these sites could be checked regularly for hack attempts.

What needs to happen is for action to be taken concerning misuse of amateur and personal images that have been put to the Web, This could be achieved through codes of practice and / or technology implementations.