Back in August, Australians were warned by Microsoft of a phone scam that fools people into giving cold callers their cash. Microsoft issued a press release, hoping they could nip this one in the bud, but the scamming seems to have spread to the U.S. Here’s how the scheme works:

Someone claiming to represent Microsoft or one of its brands contacts the victim and tells them that their computer has a problem, an infection, or a virus that Microsoft’s scanners were able to detect. The scammer then directs the victim to a website that allows the scammer to remotely control the computer. Finally, the scammer shows the victim these “problems,” and convinces the victim to pay for “services” rendered.

People: please don’t get fooled by these types of calls. Scammers are simply tricking people into believing that a problem exists when it really doesn’t. Sure, there might be something wrong with your computer, but wouldn’t you rather have someone you trust check it out?

And the sad thing is that even if something is actually wrong with your computer, Microsoft would never contact you first. You – or your trusted IT managed services provider – would need to create a support ticket with Microsoft. I’ll say this again: they will never contact you first.

So while it seems like you’re always shelling out for the latest from Microsoft, this is one case where even they say it’s safer to just hang up.

Two new studies have raised concerns about the transmission of private data by some iPhone and Android apps.

Last week, researchers from Duke University, Pennsylvania State University, and Intel Labs released the results of a study on 30 popular third-party Android apps. Using TaintDroid, a tool which the researchers created, they discovered that 20 of the studied applications exhibited “suspicious handling of sensitive data” and that 15 of the applications “reported users’ locations to remote advertising servers.”

In addition to location information, the researchers discovered instances of applications transmitting a device’s phone number, IMSI code (unique code that identifies a user of a GSM or UMTS network), ICC-ID (unique SIM card serial number), and IMEI number (unique identifier for an individual device). They found that one application transmitted information each time the phone booted.

“While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data. Surprisingly, this application transmits the phone data immediately after install, before first use.”

Not only are applications transmitting information that could be used to personally identify an individual, they are also sending geographic location data. The researchers found that 50 percent of the studied applications “exposed location data to third-party advertisement servers without requiring implicit or explicit user consent.” And while two of these 15 did display a EULA when first run, neither EULA indicated that such data would be collected and sent to advertisers.

A second paper, written by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University, raised similar privacy questions about iPhone applications. Instead of creating a tool to track transmitted data, Smith analyzed the network traffic sent from an iPhone through a specially configured wireless network.

“Packet captures were recorded using tshark12, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries13 in order to determine what, if any, personally-identifiable information was being shared with third parties.”
Smith also analyzed browser cookies placed on the device by applications.

Of the 57 applications Smith evaluated, 68 percent transmitted the iPhone’s UDID (a unique device serial number), “to a remote server, owned either by the application developer or an advertising partner.” Some applications encrypted the data using SSL, but others transmitted the UDID and user’s name (either the logged-in user’s name or the iPhone’s user-assigned name) in plain text.

Applications were also found to place “extremely long-lived” tracking cookies on the iPhone. These cookies aren’t set to expire for several years. According to Smith, “these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years.”

Choose apps wisely
In response to the Android study, a Google representative pointed out that users must approve the access when an application is installed. CNET quoted the representative:
“On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application,” the representative said. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data…We consistently advise users to only install apps they trust.”

Under Apple’s latest iPhone Software License Agreement, users have already consented to having their location information collected.
“By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”

What is the lesson here? Be VERY careful about the applications you install. If an application asks for access to information that doesn’t seem relevant to the application’s function, you might think twice about installing it. If you do allow an application to access your private data, know that the information may be used in ways you didn’t intend. William Enck, one of the Android researchers, made this point to CNET.

“Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused.”

Spyware, the sneaky, unwanted bits of junk that lurk in the corners of your hard drive observing your behaviors and slowing down system performance, has become a serious problem in modern computing. A study by prominent security firm Webroot found that 80 percent of business computers are infected with pieces of spyware. It is not uncommon for techs to find dozens of types of spyware on a single system! Some infections become so numerous and severe that the only remedy is a costly system wipe or even complete replacement. What’s worse, most spyware generates bothersome pop-up ads while using the web and more malevolent varieties can even result in identity theft.

For the most part, this pain and expense is unnecessary. While over 80% of businesses install antivirus protection on their systems, only 43% have implemented a credible form of spyware production. Most spyware sneaks onto systems through spam e-mail and questionable websites with flashy banner ads (we’ve all seen “you’re our 1 millionth visitor! Click here to claim your prize!”). After a few years of observing such sneaky tricks, most internet users are too savvy to fall into the traps, but it still happens—mostly during employees’ personal use of internet resources.

If employers want to substantially reduce the impact of spyware on their companies, in addition to blocking spam, they should publish and enforce an acceptable use policy for employee internet access. Two-thirds of large companies actively monitor email and Internet use by their employees, but not many small businesses do. If you find your systems weighed down with the burden of spyware, network security and monitoring packages like those available through Responza can diagnose and cleanse your resources and make sure they stay spy free.

According to Symantec, over 40 million people have fallen victim to “scareware” scams in the past year. Online criminals make millions off these scams, by simply convincing computer users to download fake anti-virus software. Scareware sellers deliberately use pop-up ads that are designed to look legitimate, using the same styles as Microsoft and other software providers. They often appear when a user switches between websites, and falsely warns that the computer’s security has been compromised. If the user clicks on the message, they are directed to another site where they can purchase the fake anti-virus software.
Attorney General Rob McKenna called the practice a “blatant rip-off of consumers,” explaining that users were being “duped into downloading a fake scan (of the computer) and then duped into paying for software they don’t need”.

Software deemed useless by the suite include Scan & Repair, Antivirus 2009, MalwareCore, WinDefender, XPDefender and WinSpywareProtec.

In today’s tight economy, many consumers and businesses are cutting back. But it’s important to recognize that a strong partnership is worth more than saving a few bucks. This story at The Channel Wire perfectly illustrates how important it is to backup data and find a reliable IT service:

My Laptop Hinge Broke, So Geek Squad Replaced My Hard Drive

If you get a call like this, hang up the phone:

The caller claims to be a jury coordinator. If you protest that you never received a summons for jury duty, the scammer asks you for your Social Security number and date of birth so he or she can verify the information and cancel the arrest warrant.

Give out any of this information and bingo – your identity was just stolen.

The fraud has been reported in 11 states so far.

The FBI and the federal court system have issued nationwide alerts on their web sites, warning consumers about the fraud.