Posts tagged ‘Trojan’

17 August 2010

Just how paranoid do you have to be?

The problem with security and technology is that it can make you paranoid. Don’t be! Most things aren’t out to get you. But you do have to be careful and you do have to be aware of the risks, as this helps when you encounter a piece of software (or hardware) that really is out to get you.

Take digital signatures. A system has evolved over time that aims to help ensure that signed software is safe. Digital signatures are intended as a form of guarantee that a piece of software has been examined for malware and doesn’t contain any. But sometimes it does. Or, at least, in one case a piece of signed software contains malware. It’s unlikely to be alone.

Avast’s Michal Krejd reports in his blog that many users asserted that some instances of Avast detecting Win32:Injected-AZ were false positives. A Google search for Win32:Injected-AZ shows up plenty of forum entries by users about the malware.

In practice, what seems to have happened is that a version of a package named Aventura in fact contained Win32:Injected-AZ, even though the developer had signed off the software as clean, using a digital signature. This can arise because developers, rather than re-inventing the wheel, will routinely re-use software from third parties to perform specific functions.

So in this case, even though the package’s container was malware-free and was signed, some of the contents were not — and were not signed. The issue is, how can you tell? If you run a signed installer, for example, you expect it to be malware-free if it’s signed. Yet Avast picked up the fact that the software contained malware, even though it was signed.

The moral of the story is that a signature does not necessarily guarantee that all the contents of a package are clean. Fortunately, as Krejd notes in his blog, “the malcode inside seems to have never been executed, therefore this specific case is not a critical issue”.

Krejd’s approach for the future? “If you encounter this detection on your PC, replace the infected binaries with original ones. And if the original binaries are also infected, ask their vendor to provide you with clean binaries.”
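One way to see which files inside an unpacked package carry a signature of their own is to read each Windows binary's header and check for an embedded Authenticode certificate table. The sketch below is an added example, not code from Avast or from the package's developer; the function names and the sample files are constructed for illustration. It reports only whether a signature is present, not whether it is valid, and files signed through a separate catalog will show as unsigned.

```python
import struct
import tempfile
from pathlib import Path
PE32, PE32_PLUS, SECURITY_DIR = 0x10B, 0x20B, 4  # optional-header magics; certificate-table index

def embedded_signature_size(data):
    """Certificate-table size in bytes, 0 if unsigned, None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew: offset of the PE header
    opt = pe + 24                                  # after "PE\0\0" and the 20-byte COFF header
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 2:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32, PE32_PLUS):
        return None
    dirs = opt + (96 if magic == PE32 else 112)    # start of the data directories
    entry = dirs + 8 * SECURITY_DIR
    if len(data) < entry + 8 or struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
        return 0
    offset, size = struct.unpack_from("<II", data, entry)
    return size if offset and size else 0

def audit_tree(root):  # map every PE file under root to "signed" or "unsigned"
    report = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        size = embedded_signature_size(path.read_bytes())
        if size is not None:
            report[path.relative_to(root).as_posix()] = "signed" if size else "unsigned"
    return report

def make_pe(signed):  # constructed minimal PE32 headers for the demo, not a runnable program
    opt = bytearray(224)
    struct.pack_into("<H90xI", opt, 0, PE32, 16)   # magic at 0, NumberOfRvaAndSizes at 92
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x200, 0x100)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt)

def demo():
    files = {"setup.exe": make_pe(True), "lib/helper.dll": make_pe(False), "readme.txt": b"text"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return audit_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

In the constructed package the installer is reported as signed while the bundled library is not, which is the situation the post describes.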

Going mobile
Do you know where you are? Probably, but do you want everyone else to know where you are too? There’s a new game out for the Android operating system for smartphones. It’s called TapSnake, and it’s a spin on the classic snake game, which used to be found on Nokia phones.

It turns out that the game contains a Trojan. The new rev of the game plays fine — but while it’s running, the game turns on the GPS location device and uploads data to a remote server so that your location is made public. All you need to find out where players of this game are is to download and run a package called GPS Spy on another Android device. It means you can see where players of the game have been and when.

Effectively, mobile software can compromise you in ways that personal computer software does not. Be aware – check the provenance of those fun little games…

12 July 2010

Who do you think you are?

Who you are matters. Thing is, you know who you are but, to the Internet, you’re a collection of data. This includes your name, date of birth, address, mother’s maiden name, names of your pet, siblings and so on.

If someone wants to steal or imitate your identity, all they have to do is collect enough of those pieces of information to fool a computer system into thinking that they are you. You’re not significant enough? It doesn’t matter: crooks will be happy to get small amounts of money every month from your credit card — yours and those of hundreds of thousands of other people — amounts small enough for you not to notice or want to go to the trouble of reporting.

You’ll probably have seen some of the warnings from your bank telling you to look out for bogus emails asking for your password and so on. That’s one way for crooks to steal pieces of your identity. Another is to use infected websites to install Trojans that log your keystrokes and beam them home.

Of course, you should never pass details such as that over the Internet unless at the very least you are certain you trust the source of the request, and the link is encrypted. (You do encrypt your outgoing emails, don’t you? If not, go to your email program now and change the SMTP settings to prevent anyone else reading the emails you send.)

And we’re now hearing of bogus phone calls to individuals warning that their PC is infected, and suggesting how to put it right. It’s in our nature as human beings to trust others but you have to assume that, unless you know the individual calling you, calls such as this are designed to extract personal information from you that can at some point be used to your disadvantage. Moral of the story: never give your passwords to anyone.

If it so happens that your PC does become infected, don’t panic — find a reputable anti-virus application and use it according to the instructions. And don’t assume that free means worse: in the world of software, it’s not better just because it carries a price tag.

Are you a nerd?
Don’t go to nerdtests.com. Avast’s user community has discovered malware (a hijacked Google Analytics script) on that site — and from the screenshot of the page on Avast’s blog, it looks like Avast was the only AV package to pick it up.

If you’re an Avast user, be pleased with yourself — and keep your eyes open and your software up to date.
