Microsoft this week teamed up with Prevx and Get Safe Online to demonstrate the real-life, online scams that criminals use to steal from PC users. Their message was simple: secure your PC, and do it today.

Criminals don't care how much money you earn, where you live or even what operating system you use - if you're online, you're fair game. That was the message this week from Microsoft's chief security advisor in the UK, Ed Gibson.

Former FBI agent Gibson was speaking at a Microsoft event in the heart of London's west end. Microsoft teamed up with Prevx and Get Safe Online to demonstrate the speed and ease with which criminals can target poorly protected PCs and networks.

Prevx's ethical hacker Jacques Erasmus successfully attempted, live, two 'key scams' that cybercriminals use on a daily basis to liberate money from individuals and businesses. And the message was clear: security starts at home, and a layered approach is no longer simply desirable - it's required.

Microsoft said it believes the solution to online fraud won't be found by any one business, organisation or even operating system. According to the company, cybercrime will be curtailed only when the IT industry, law-enforcement and - crucially - users take the necessary and simple steps to make crime not pay.

And best of all, the security tools we all require need not cost any money. Click here for the latest PC security reviews.

Web-based commerce in the UK is now a £30bn industry. But according to Get Safe Online's Tony Neate, where there's money, there's crime.

Neate, who was a police detective for 30 years, estimates that £875 per person, per year is lost to fraud. And in many cases, the loss is preventable. For instance - 40 percent of businesses protect only 25 percent of their network traffic, making them a sitting duck for the kind of crimes we saw demonstrated.

As Tony Neate says: it's actually easy to be safe online. Indeed, Ed Gibson estimates that 10 minutes of work can lead to 10 months of security. And the hacks that Erasmus demonstrated left nobody present in any doubt that the time to act is now.

Get the latest PC security news, reviews and tips & tricks at Security Advisor.

  1. Online scams: live and unleased
  2. Online scams: The USB stick hustle
  3. Online scams: The Wi-Fi hustle
  4. Online scams: Conclusions

Microsoft this week teamed up with Prevx and Get Safe Online to demonstrate the real-life, online scams that criminals use to steal from PC users. Their message was simple: secure your PC, and do it today.

The USB stick hustle

For Microsoft's first demonstration, imagine, if you will, that you are a busy executive, grabbing an over-priced coffee in a swanky coffee bar. (Perhaps it's a latte, an Americano or a double expresso. It's not important.)

On the shiny chrome counter is a bowl full of complimentary 4GB SanDisk U3 USB flash memory sticks. Naturally you grab as many as your pockets can hold, surfing a tide of caffeine- and freebie-induced euphoria.

Erasmus demonstrated how (relatively) easy it is in such a scenario for a hacker to hide a Trojan within a legitimate program on the U3 memory stick.

When the disk was inserted into the - unprotected - laptop set aside for the demonstration, we watched in real-time as the Trojan activated and quickly installed a keylogging program.

Within seconds, Erasmus was receiving email from a server in Texas, which forwarded every keystroke made by our putative executive.

The hacker could now see every process, program and file on the compromised PC - in real time. He could even perform desktop searches. Worst of all, it was a cinch to download files and folders from the hacked laptop.

It doesn't take a genius to appreciate how quickly in such a situation the laptop user's personal security would be compromised. Even if there were no sensitive documents lying around, one session of online banking, and his account could be emptied.

But, as Microsoft was keen to point out, if the laptop was used for business, the entire company would now be compromised. And all because of one unprotected laptop (as well as one employee's thirst for java).

As impressive as it was, our initial thoughts on the demo were cynical. Would signature-based anti-malware software have prevented such an attack, we asked? Yes. Would behavioural anti-malware have prevented such an attack? Probably.

But as Tony Neate said, it's actually not that uncommon for people to use unprotected PCs - and criminals need to get lucky only once.

Neate said that "criminals always go for the lowest hanging fruit", and that being safe doesn't have to involve any more than enabled, up to date, antispyware, plus antimalware and a firewall. And you can get all of those for free, should you be so inclined.

Get the latest PC security news, reviews and tips & tricks at Security Advisor.

  1. Online scams: live and unleased
  2. Online scams: The USB stick hustle
  3. Online scams: The Wi-Fi hustle
  4. Online scams: Conclusions

Microsoft this week teamed up with Prevx and Get Safe Online to demonstrate the real-life, online scams that criminals use to steal from PC users. Their message was simple: secure your PC, and do it today.

The Wi-Fi hustle

Okay, it may take a little more method to get into character on this one. You are a brilliant medical-research scientist, working for a pharmecutical company on formulae that may one day be worth millions of pounds.

A team of cyber-criminals has targetted your company, and decide that the best way to gain access to its valuable data is through your home network.

Erasmus demonstrated how a relatively weak link - in this case Wi-Fi network with WEP, rather than WPA, protection - can be used to access a well-protected company VPN.

First Erasmus searched for and found the wireless network. (In the scenario he would have been sitting outside the victim's house with a large aerial, but it was a filthy day and Microsoft was providing pastry so we let him sit in the same room). Once the network was found, the hacker used a widely available crack to discover its channel and Mac addresses. He could also see what systems were connected to the network.

Then by injecting thousands of packets of information across the network, Erasmus was able to uncover the network's service set identifier (SSID) and, eventually, password. It took tens of thousands of attempts, but only a few minutes.

After that, it was a cinch to get on the network (although your reporter retains a cranky regard for anyone who manages to get on to a wireless network at the first time of asking).

Once inside the network, Erasmus accessed the router's interface. As the password and channel settings had been left unchanged from the manufacturers' - a regular occurrence according to those present - this was a simple process.

Once 'in' the router, Erasmus simply changed its domain name server (DNS) setting to one he'd set up previously. The next time the victim browsed to certain website, his internet connection briefly took him to a malware site, before dumping him at his chosen destination.

In that split second, a Trojan was downloaded and installed so that the next time the user accessed his work's VPN, the hackers could harvest all the security details required to access those precious formulae. And the whole process took only half an hour or so.

Of course, a WPA (or preferably WPA2) wireless network couldn't be hacked in such a way. But as Neate was keen to point out, plenty of people don't have even WEP security. And you can hardly blame a less than tech-savvy user who choses one 'security' acronym over another. After all, security is security, right? Er, wrong: that will be £875 please.

Get the latest PC security news, reviews and tips & tricks at Security Advisor.

  1. Online scams: live and unleased
  2. Online scams: The USB stick hustle
  3. Online scams: The Wi-Fi hustle
  4. Online scams: Conclusions

Microsoft this week teamed up with Prevx and Get Safe Online to demonstrate the real-life, online scams that criminals use to steal from PC users. Their message was simple: secure your PC, and do it today.

Conclusions

Those of us with an interest in IT security can become desensitized to stories of hacks. But seeing someone perform real-world cracks, in real-time and realistic situations does make the whole process seem horribly, well, real. But it doesn't mean we're all doomed. Far from it.

PC Advisor has long espoused a simple formula for PC peace of mind. Get antimalware software and keep it updated. You can never have too many layers of security, and if something looks too good to be true, it is.

Serendipitously, this message is echoed by Tony Neate and the Get Safe Online campaign (so there may be something in it). Neate summarises it thus: "Get S.A.F.E. AntiSpware, Antivirus, Firewall, Enabled."

We couldn't agree more.

But Neate points to the fact that organised cybercriminals now invest in people and training in much the same way as legitimate businesses - even in some instances putting potential hackers through university. And like vaccination, the S.A.F.E message works only as long as the majority of people adhere to its principles.

That means manufacturers, vendors, law-enforcement groups and educated users such as PC Advisor readers passing on the message of secure PC use wherever they can.

Be safe, tell a friend and don't have nightmares.

The real hustleThe real e-Hustle - don't have nightmares

Get the latest PC security news, reviews and tips & tricks at Security Advisor.

  1. Online scams: live and unleased
  2. Online scams: The USB stick hustle
  3. Online scams: The Wi-Fi hustle
  4. Online scams: Conclusions