* Posts by Graham Cluley

60 posts • joined 19 Aug 2007


Sophos puts 100 at risk of redundancy as future of Naked Security blog hangs in balance

Graham Cluley

Who’ll be writing it?

I would like to think you’re right, but If the roles of Naked Security’s writers and editor are redundant, they presumably won’t be recruiting a new editor or writers.

Maybe the name will be kept, maybe they’ll mothball the content, maybe they’ll post occasional pieces of research under the Naked Security banner. Maybe they’re merge it with the technical SophosLabs Uncut blog? (Naked Security Uncut? Ewww. Not sure that’ll go down well with puritanical management)

But it doesn’t sound to me like Sophos has a plan to continue it in its current form.

And yeah, I take it a little personally. But mostly I feel sorry for the people who worked on the site after I left. They did good work.

Fraudster convicted of online banking thefts using… whatever the hell this thing is

Graham Cluley

Tony Colston-Hayter and Wossy

As well as the high-tech heists against Barclays and Santander five years ago ( https://www.grahamcluley.com/bank-hackers-hardware/ ), Colston-Hayter is also infamous for handcuffing himself to Jonathan Ross live on air.


(Beware, images of 1980s fashion)

Oracle, for one, says we'll welcome our new robot overlords: '90%' of you will obey an AI bot

Graham Cluley

Re: Dalek Obsessive alert.

I specifically came to the comments section to see if I was the only one bothered by that.

As any kid who grew up in the 70s remembers, the Dalek is just a travel machine for the mutated Kaled within. Essentially, Terry Nation predicted Telsa and gave Elon Musk the name Davros.

Registrar Namecheap let miscreants slap spam, malware on unlucky customers' web domains

Graham Cluley

Re: Namecheap

> That Graham guy made an irresponsible disclosure.

I didn't disclose anything.

Kirk McElhearn wrote the blog post (I merely retweeted it, much to Namecheap's annoyance).

And Kirk didn't irresponsibly disclose anything either. He just reported that an unauthorised party had created subdomains for his domain via Namecheap, but he *didn't* (because both he and I simply don't know) explain how it was done.

As far as I can see Namecheap still hasn't informed affected customers.

TalkTalk teen hacker pleads guilty as firm reveals £22m profit jump

Graham Cluley

Re: What info was given about the hack itself

It was a SQL injection attack, combined with failing to apply a database software patch released 3.5 years earlier, according to the ICO's investigation into the monumental cockup.

They had suffered other SQL injection attacks earlier in the year, but not done much in response apparently.

All pretty shameful IMHO.

Kaspersky 'terminates' deal with security reseller Quadsys

This post has been deleted by a moderator

Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site

Graham Cluley

You could always ensure that the password manager's database that you are syncing via the cloud is itself encrypted.

I would be surprised if the password manager isn't doing its own encryption, but I would recommend using a tool which automatically encrypts any data before it's shoved in your cloud-syncing folder anyway.

Graham Cluley

Tavis's next target

Last sentence reads:

"Ormandy will set sights on popular password vault Password1 after this audit."

I suspect you mean 1Password from AgileBits rather than Password1.

The confusion is probably caused by password1 being many people's password. :(

TalkTalk CEO Dido Harding pockets £2.8m

Graham Cluley
Thumb Up

Support for Autism

Good to see autism getting support from TalkTalk.

After all, it's quite possible that it was someone from that spectrum who did TalkTalk's free penetration test for them in the first place.

Graham Cluley

Re: Reward for failure

I'm hardly a fan of Dido Harding and TalkTalk, but I believe the interview where she was infamously pictured in front of a creaky old computer and CRT monitor was filmed in a BBC office not TalkTalk.

Yes, I know that makes it less fun. Sorry about that.

'80s hacker turned journo, IT crime ace Steve Gold logs off

Graham Cluley

Nice guy

Such horrible sad news. I only heard yesterday that he was seriously ill, and now the inevitable ghastly news that has followed.

Steve was a really nice chap. A truel gent. He always loved a natter on the phone, had time for everyone, and would love to tell stories of his escapades from the early 80s.

Can't believe he's gone. They don't make many of them like that anymore.

RIP Steve. We'll miss you mate.

CONFIRMED: Sophos shifting threat response work to India

Graham Cluley

Right here.


Graham Cluley

Re: How?

The link works for me.


Or you can go straight to the technical paper (PDF) here: http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Graham Cluley

10,000 or 25,000

The explanation is that currently 10,000 Unix servers are compromised by the Windigo attack, but in the entire lifetime of the campaign up to 25,000 servers have been hit.

Hope that helps

Ten top stories from New Who

Graham Cluley

Re: Midnight

Midnight is superb.

A fantastic piece of writing by Russell T Davies (just when I thought he'd run out ideas) and a terrific piece of acting by the small cast.

I would rate it above Blink personally - although my wife thinks Midnight is the most boring episode of Who ever. Different folks, different strokes I guess.

(Glad to see Girl in the Fireplace also make an appearance)

Does F-Secure's antivirus turn a blind eye to spook spyware? CEO hits back

Graham Cluley

I believe him

In over 20 years working for anti-virus companies, I never once heard about any pressure being put on us by government agencies to not detect malware.

To be honest, I can't imagine a govt agency *trusting* an anti-virus company (and the variety of nationalities employed inside a typical security lab) to keep such a request secret anyway.

Not to mention, how exactly would an anti-virus company be expected to respond if a customer (who was being spied upon by the agency) sent in a sample, and asked why we weren't detecting it when - say - F-Secure was?

So, I don't think this is happening.

Rather than nobbling the anti-virus companies, I suspect govt agencies are writing malware (just like the bad guys) and working their damndest to avoid detection (just like the bad guys). The fact that any state-sponsored malware is likely to be designed for specific targeted attacks, helps their hand of course...

John McAfee releases NSFW video on how to uninstall security code

Graham Cluley

Re: Pot meet kettle

I never sawed a person in half on stage at Infosec.

I did once guillotine Janet "Blue Peter" Ellis's hand off. But that was at Networks 96. And I was working for Dr Solomon's at the time.

Sophos tended to be a fair bit more corporate in its trade show presentations than Dr Solomon's, but anything that breaks the monotony of presentations about virtualization, high wire gymnastics on the Symantec booth, and dollybirds handing out USB sticks has to be a good thing I reckon.

Google bod exposes Sophos Antivirus' gaping holes

Graham Cluley

Onel de Guzman

Point of order. Onel de Guzman, creator of the Love Bug, did his dastardly deed back in 2000 - ten years before the Naked Security blog was written. So we wouldn't have that many articles about him other than the odd retrospective piece. :)

Study: If your antivirus doesn't sniff 'new' malware in 6 days, it never will

Graham Cluley

Flawed methodology

From VirusTotal's own website:

"Those who use VirusTotal to perform antivirus comparative analyses should know that they are making many implicit errors in their methodology"

In a nutshell, it ain't a real world test, as VirusTotal does not (and doesn't claim to) mimic the protection that users would experience in the real world where they may have multiple levels of protection, cloud-based lookup, runtime behavioural analysis etc etc..

Anonymous hacktivists dump 1.7GB load slurped from DoJ site

Graham Cluley

Guy not wearing the mask

He's the host of one of the shows on the TV channel RT (Russia Today).

I don't think we should assume he's in any way connected with the rest of the vid.

Cyber crime now bigger than the drugs trade

Graham Cluley

Lest we forget..

Anyone else remember The Register's 2009 article: "'Cybercrime exceeds drug trade' myth exploded"?


30,000 Shreks besmirch BeautifulPeople

Graham Cluley

It's clearly a publicity stunt

As I explain at http://nakedsecurity.sophos.com/2011/06/20/beautifulpeople this story has duped the likes of The Telegraph, The Daily Mail, The Guardian, Fox News, BBC Radio 4 and now The Register too!

It's clearly poppycock, dreamt up by BeautifulPeople's PR firm. If the Shrek virus exists, I look like Brad Pitt.

One thumb up for Facebook security improvements

Graham Cluley

Cluley ill?

I'm not medically qualified so I can't give you a definitive answer on this one - but I feel fine, thanks.

Dear Facebook: your privacy sucks

Graham Cluley
Thumb Down

Facebook's https option

As our letter makes clear, Facebook doesn't turn on https by default - and if you do turn it on they only use it "whenever possible".

What they mean by "whenever possible" is whenever it's convenient for them.

So not, for instance, when you visit the mobile version of their website. And not when you visit third party apps running on the Facebook platform.

It should be on, by default, all the time you're connected to Facebook. Period.

[ps. can we have a Zuck avatar?]

Hacked BBC streaming websites serve up malware

Graham Cluley

Don't use VirusTotal for detection comparison

VirusTotal itself says that you shouldn't use it to compare detection capabilities.

See http://www.virustotal.com/about.html#importantnotes


Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:

* VirusTotal AV engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioral analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.

* In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

-end quote-

Sophos has been blocking the site linked to by the script on the BBC website since 20:42 GMT on 9 February 2011, for instance. But VirusTotal doesn't test that way so it won't know that we'd pick it up as Troj/ExpJS-BO and Mal/IFrame-F.


Cockeyed 'Knob Face' confusion masks real malware threat

Graham Cluley

Detecting hoaxes

The difficulty in detecting hoaxes is telling the difference between

"Please watch out for emails about Ed Stewart - the so-called Crackerjack virus will turn your CPU into blancmange. Forward this warning to all of your friends - we need to stamp this one out!"


"There's a new hoax doing the rounds. It warns you to watch out for emails about Ed Stewart - claiming the so-called Crackerjack virus will turn your CPU into blancmange. Please forward this advice to all of your friends - we need to stamp this one out!"

And then there's the issue that virus hoaxes can spread via newspapers, fax, Radio 2, etc. or even as publicity stunts. (Read the story of the Irina hoax virus publicity stunt here: http://virusbusters.itcs.umich.edu//hoaxes/irina.html )

Graham Cluley


It must have been almost ten years ago. I was in a car, and Ed Stewart was pontificating on Radio 2 about some computer virus or other.

My ears pricked up, and I realised he was telling his loyal band of listeners a load of old nonsense - and was actually reading out a virus hoax.

I called the station, to try to get them to put out a correction, but they must have thought I was a nutter.

Which I probably was. For listening to Ed Stewart.

New attack bypasses virtually all AV protection

Graham Cluley

Need to correct that headline - it DOESN'T bypass virtually all AV

KHOBE can't be described as a way that malware can be installed on computers.

What Matousec describes is a way of "doing something more" **if** the malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as miss the malware. And that's one of the reasons, of course, why security vendors offer a layered approach using a variety of protection technologies.

How can that be bypassing?

There's a good write-up on this by my Sophos colleague Paul Ducklin:


Sophos sorry for blog comment spam campaign

Graham Cluley

Google is your friend..

Check out the image of the spam on the upset blogger's post.

The offending spam comment includes the commenter's name. Google his name, and you should be able to find out the name of the agency he works for pretty easily.

Sophos is no longer working with the company.

Graham Cluley

Rent-a-quote Graham's right here!


I'm right here - who do you think was the "spokesman" who spoke to The Register? :-)

My opinion - as you read in the article - is that what happened is appalling, and something that we're all mortified about here at Sophos.

We're not in the business of adding to the spam problem, and we are terribly sorry to those bloggers who received these inane messages from the marketing agency we hired.



Facebook Fan Check scareware begets malign ware-scares

Graham Cluley

Still no evidence that the Facebook app was malicious

Hi, I thought I'd just post a follow-up.

We've still seen no evidence that the Fan Check Facebook app which has got everyone scared witless is malicious. We can't be specific about what precisely "Fan Check" does to Facebook users as we're unable to access it.

What isn't in doubt, however, is that the bad guys have set up websites which have been optimised to appear high in Google search results for people hunting for info on Fan Check, but are designed to spread a fake anti-virus application instead.

So, even if it's true that the Facebook app is harmless - there is still a danger out there, that many Fan Check-fearing people are being directed to.

Graham Cluley, Sophos

Erin Andrews peephole footage spreads Trojan

Graham Cluley
Paris Hilton

Video of malware blocked by YouTube

For reasons best known to YouTube they've deemed the video of the malware attack "inappropriate content".

If you want to watch what the malware does, you can check it out at http://vimeo.com/5662308

Apple fans targeted by smut-punting malware

Graham Cluley

@Tim 49

Tim, I think you've interpreted how this works the wrong way because Pareto just posted a picture of the Windows payload on their blog.

The malware served up is different depending on whether you visit the site using Windows or Mac OS X.

We have a video demonstrating what happens if you visit on a Mac over at


We're seeing more and more of these two-pronged attacks - working out if you're visiting via Windows or a Mac, and serving up the appropriate flavour of malware.

Graham Cluley

@Anonymous Coward

What makes you think it only works on Internet Explorer?

We tried it on IE, Safari and Firefox using Windows and Mac OS X computers.

The attack is based around social engineering rather than a flaw in a browser - so any user with a hunger for porn may find themselves tempted into downloading the codec.

Sophos punts anti-virus for Klingons

Graham Cluley

Klingon response to The Register

The page has been updated to mention The Register


(and some further explanations at http://www.sophos.com/blogs/gc/g/2009/05/19/klingon-antivirus-facts/ )

Viral web infection siphons ad dollars from Google

Graham Cluley

Some more information

The obfuscated JavaScript on compromised sites (which Sophos intercepts as Troj/JSRedir-R) accounts for about 42% of all of the infected webpages we've seen in the last week.

That's a mightily impressive six times more infections than the tried and trusted malicious Iframe attack of Mal/Iframe-F.

We've published some further information and stats on our site at http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript

I'd recommend that surfers check their protection is up-to-date and fighting this one.

Twitter worm author gets security job

Graham Cluley

@Nicholas Ettel

*If* Mikeyy Mooney did make a sincere effort to warn Twitter (quite a big "if" to my mind, as it hasn't been suggested before) and they ignored him then his response should never have been to unleash the worm.

*If* they had ignored him, a better thing would have been to have gone to a security journalist, demonstrated the flaw to the journo, and allowed the journo (without publishing details of how to reproduce it) to write about it. You can be sure that would get the attention of Twitter's powers-that-be.

But the fact is that there's no suggestion that Mikeyy has ever contacted Twitter to work out a responsible way of disclosing the flaw. Instead he endangered many innocent Twitter users and disrupted the business.

Graham Cluley

And guess what the *latest* Mikeyy worm says

In case anyone missed it, shortly after it was revealed that Mikeyy had been offered this job, a new worm was spreading around Twitter.

One of its messages?

"I work for exqSoft Solutions now - http://www.exqsoft.com/ - mikeyy"

Not a good sign. The CEO of exqSoft says he did not ask for the worm to be written and has been unable to contact his latest recruit to ask if he is the originator.


Japanese porn at heart of Home-Office terrorism snooping

Graham Cluley

The link is still there

Well, in the form of PDFs about the Technical Advisory Board anyway.

Thanks to the wonder of PDFs they are available as clickable hotlinks for anyone who is bored of technical advice..

Melissa anniversary marks birth of email-aware malware

Graham Cluley

Regarding Gigabyte

Re: Cameron Colley's question about Gigabyte, the notorious female virus writer (real name Kim Vanvaeck)

She got arrested in Belgium in 2004 (http://www.sophos.com/pressoffice/news/articles/2004/02/va_gigabyte.html ) but ultimately was let off the hook by the cops with little more than a smacked wrist and a promise not to cause trouble again. As far as I know she followed their advice

I know a guy who met Gigabyte, and told me she was a rather cute-looking blonde. Bizarrely I was once invited to a security conference to sing a karaoke duet with her, but probably wisely turned down the opportunity..

BBC botnet investigation turns hacks into hackers

Graham Cluley

Will USA want to extradite BBC reporter?

Do we know where the compromised PCs are based in the world?

What if some of those botnet computers were in the US military? The Pentagon? NASA?

Will the USA try and extradite the BBC's Spencer Kelly just like Gary McKinnon?

I'm running a poll on my blog if anyone wants to give their opinion on whether the Beeb were justified or not in what they did.



Graham Cluley, Sophos

Conspiracy theories fly around Norton forum 'Pifts' purge

Graham Cluley

And the malware authors are close behind..

It looks like the bad guys are up to their trick of jumping on the bandwagon again.

We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for PIFTS. Sophos is picking up some of these sites as Mal/BadRef-A.

The Mal/BadRef-A script redirects to another malicious script (Troj/Reffor-A) which then itself redirects to a page detected as Mal/FakeAvJs-A.

That page leads to a fake anti-virus scan (scareware) designed to frighten you out of your hard earned cash.


Graham Cluley, Sophos

Conficker call-backs threaten to swamp legit domains

Graham Cluley

Why we don't install an anti-Conficker on those websites

I'm afraid that it would be against the law - under the Computer Misuse Act - for us to change the visiting infected computers without the owners' permission.

Booby-trapped emails fly back into fashion

Graham Cluley

A new strain

Yes, there was a malware attack spammed out in the summer which was similar in its use of the airline ticket disguise (I refer to it in my blog entry on the Sophos website at http://www.sophos.com/blogs/gc/g/2008/12/04/email-malware-flying-high/), but this is a new campaign which has some new characteristics - and is spreading different malware.

Why are they using such a similar cloak of disguise? Well, a simple reason - it worked before, so they're banking that it will work again. :(

This isn't about believing that you've been sent air tickets you never ordered, but believing that either an airline has screwed up or (most likely) that someone else has used your credit card to make a purchase. Naturally people get so affronted that they open the attached file without thinking of the possible security consequences.

Malware authors play Mario on Daily Mail website

Graham Cluley

Who should have found the infection?

@Anonymous coward and @Steen Hive

I do believe it is impractical for the millions of websites out there to check every advertising link served up to them by a third party advertising company to check if it is legitimate. Can you imagine the resources required to do that? Sure, it would be nice if it happened - but is it realistic to expect it?

Didn't The Register itself serve up a malicious banner advert four years ago? As I recall, they responded the right way (as I would hope the Daily Mail would do) by pulling the ads and presumably asking tough questions and perhaps breaking the relationship with the advertising network.

The ad networks need to do a much better job of weeding out the malicious adverts - this is not necessarily easy to do of course.

The addition point I made to The Register, but which got left out of the report I think, is that everyone browsing the web needs to defend themselves. Many websites deliver ads via third parties, and most are not checking them for malicious links. If you have a decent anti-virus solution on your computer then that can help reduce the threat to you.

David Tennant quits Who

Graham Cluley

After all, that's how it all started...

It's time to go back to basics with Doctor Who.

When the show started in 1963 it starred a doddery old white-haired man and his granddaughter as his assistant.

Andrew Sachs, anyone?

Anonymous hacks Sarah Palin's Yahoo! account

Graham Cluley
Paris Hilton

Another Paris Hilton?

What I'm curious about is how was Sarah Palin's email account broken into?

Was her PC compromised with spyware? Did she carelessly connect to an unencrypted Wi-Fi hotspot? Did she choose a dictionary word for her password ("aardvark") that was easy for the hackers to crack?

Or did she fall for a similar trick as the one that caught out a certain Miss Paris Hilton back in 2005. If I recall correctly, Paris's mistake was making the name of her pet chihuahua (Tinkerbell) the secret question/answer to reset her Sidekick's password. Uh-oh.

I made a video comparing Sarah Palin's plight with Paris Hilton's experiences, which Register readers might like: http://www.sophos.com/blogs/gc/g/2008/09/18/paris-hilton-sarah-palin-video/

SQL injection taints BusinessWeek.com

Graham Cluley
Paris Hilton

@Gordon Fecyk

The SQL attacks *always* have been hitting the big sites as well as the little ones.

These attacks are automated - it's not as though BusinessWeek was specifically targeted. The bad guys use search engines to find vulnerable sites (big or small) and zap! infect them with their malicious scripts.

(Paris, in honour of The Reg bringing back the old icons)

30 years of Spam - and we ain't finished yet

Graham Cluley

11% of people who came to Sophos's website

The poll was run on our website. According to the marketroids, the typical make-up of people who come to our website are IT specialists and system administrators (as we don't have a consumer product).

I expect they know the difference between spam and "legitimate" marketing emails - but who knows..

We've published links and more information on the Sophos Spam Pledge page at http://www.sophos.com/pledge

Graham Cluley

Sophos's 95 percent spam stat @Gordon Fecyk

Hi Gordon.

Sophos's figure of 95% of email is spam comes from our spam filtering software and appliances at companies worldwide. We count the amount of legitimate email they receive, and we count the amount of spam they receive. And then do the maths to get a percentage.

Of course, individuals may have varying experiences.



Biting the hand that feeds IT © 1998–2021