Internet Security News

Tips For Safe Online Holiday Shopping

Cyber Monday, one of the busiest days of the year for online shopping, is quickly approaching (Nove.30), and a new survey from ISACS indicated employees plan to spend the equivalent of nearly two full work days shopping for the holidays using work computers, creating personal and business security risks.

Tips For Safe Online Holiday Shopping

"Online shopping can open the door to viruses, spam and phishing attacks that invade the workplace and cost enterprises thousands per employee in lost productivity and potentially millions in destruction or compromise of corporate data," said John Pironti, a member of ISACA's Certification Task Force and chief information risk strategist at Archer Technologies.

Tips for companies include:

1. Educate employees. Blocking sites can do more harm than good, causing employees to seek out less secure ways to get around your blockade.
2. Get employees on board with learning by teaching them how to protect their work and home computers.
3. Reinforce what you teach by having employees sign an acceptable-use policy every year.
4. Offer a "safe zone" for holiday shopping-create a virtual sandbox that can be taken down after the holidays.
5. Don't wait until Cyber Monday to step up security. Many employees begin shopping much earlier.

Tips for online shoppers include:

1. Use your desktop PC, not your mobile device, because your desktop browser is likely to be more secure.
2. Protect sensitive information by password-protecting both your mobile device and its memory card.
3. Update your anti-virus and anti-malware programs continually.
4. Treat social networking sites with the same caution as other web sites-they are a growing target for fraudsters and virus writers.
5. Be cautious of special offers from unfamiliar sites. Fake online offers and coupons may lead to harmful sites, so be suspicious.

Scientists Studying Ways To Make Computer Passwords More Secure

Computer scientists at Rutgers University are working on ways to make online passwords more secure.

Scientists Studying Ways To Make Computer Passwords More Secure

The scientist say when users forget their password for accessing their email account or an online shopping site the security questions, such as "what is your mothers maiden name?" are too easy for cybercriminals to guess.

Rutgers computer scientists are testing a new tactic that could be both easier and more secure.

"We call them activity-based personal questions," said Danfeng Yao, assistant professor of computer science in the Rutgers School of Arts and Sciences. "Sites could ask you, 'When was the last time you sent an e-mail?' Or, 'What did you do yesterday at noon?'"

Early studies suggest that questions about recent activities are easy for legitimate users to answer but harder for potential attackers to find or guess.

"We want the question to be dynamic," she said. "The questions you get today will be different from the ones you would get tomorrow."

Yao said she gave students in her lab a list of questions related to network activities, physical activities and opinion questions, and told them to "attack" each other.

"We found that questions related to time are more robust than others. Many guessed the answer to the question, 'Who was the last person you sent e-mail to?' But fewer were able to guess, 'What time did you send your last e-mail?'"

Yao says that it should not be difficult for an online service provider to formulate these kinds of security questions by looking at its users' e-mail, calendar activities or previous transactions. Computers would have to use natural language processing tools to synthesize understandable questions and analyze the answers for accuracy.

Yao is proposing further studies to determine the practicality of the new approach and the best way to implement it.

McAfee Partners With TheFind To Offer Safe Search Results

Vertical search engine for shopping, TheFind, has partnered with McAfee to display the security firm's secure trustmark on products found in its search results.

McAfee Partners With TheFind To Offer Safe Search Results

Shoppers searching on TheFind this holiday season can now look for the McAfee Secure trustmark and decide which sites are secure to buy from without worrying about identity theft.

"Displaying the well known McAfee Secure trustmark prominently within shopping search results helps to bridge the trust gap between secure e-tailers and shoppers," said Todd Gebhart, executive vice president and general manager, McAfee Consumer, Mobile and Small Business at McAfee, Inc.

A recent survey by Harris and TheFind revealed that "safety and security of an online retailer" is the second most important concern overall of online shoppers, behind only the price of a purchase itself.

Online retailers that display a McAfee Secure trustmark must pass daily test for vulnerabilities that post a threat to sensitive customer information.

McAfee also does daily network perimeter scanning, testing for more than 10,000 network and Web application vulnerabilities, ongoing security testing to ensure protection against malware, and business practice review for Web site owners and online retailers. The McAfee Secure trustmark is used by more than 80,000 websites.

"TheFind's goal is to help shoppers find exactly what they want to buy at the very best price from a store that they trust," said Siva Kumar, CEO and Co-founder of TheFind.

"Online stores that display the McAfee Secure trustmark clearly demonstrate their trustworthiness by helping to protect their customers from identity theft, credit card fraud, spyware, spam and online scams."

Vulnerability Of Web Applications Increases

Web application security provider, Cenzic, has released its report detailing the most common types of Web application vulnerabilities for the first half of 2009.

Vulnerability Of Web Applications Increases

The report identified over 3,100 total vulnerabilities, which is a 10 percent increase in Web application vulnerabilities compared to the second half of 2008.

Popular vendors including Sun, IBM, and Apache continue to be among the top 10 most vulnerable Web applications named. The most common published exploits on commercial applications were SQL Injection and Cross Site Scripting (XSS) vulnerabilities, which account for 25 percent and 17 percent of all Web attacks, respectively.

Among Web browsers, Mozilla Firefox had the largest percentage of Web vulnerabilities, followed by Apple Safari, whose browser showed a vast increase in exploits, due to vulnerabilities reported in the Safari iPhone browser.

Key findings of the report include:

78 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from last year.

Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent. Safari vulnerabilities came in at 35 percent, significantly higher than even Internet Explorer.

Sun Java, PHP, and Apache continue to be among the Top 10 vendors having the most severe vulnerabilities for the first half of 2009.

"The fact that hackers can have direct access to your data using such common outlets is staggering," said Mandeep Khera, chief marketing officer at Cenzic.

"The worst part is that once they get in, it's a free for all. Nothing is safe because there is no such thing as a minor data breach. The average data breach can cost more than $500,000, which can also put a business' livelihood and reputation on the line.

GFI Acquires Spam Blocklist SORBS

Control of the Spam and Open Relay Blocking System (SORBS) has officially changed hands. Security specialist GFI confirmed its acquisition of SORBS late yesterday, and also shared an idea or two about what it will do with the entity.

GFI Acquires Spam Blocklist SORBS

One of GFI's top priorities appears to be improving the reputation of SORBS. Maintaining a list of email servers that are responsible for sending spam is a fine idea, but SORBS has been accused of being far too quick to puts stuff on its list and being far too slow to comply with removal requests.

Presumably as a result, GFI told John Leyden in a statement, "GFI is now actively developing plans for the future of SORBS, including SORBS 2.0 and methods to improve SORBS data and responsiveness."

GFI then continued, "Having a reputation service within GFI will allow us to provide a better service to our customers and to greatly enhance our standing in the anti-spam community as well as give us opportunities to report on spam trends and analyze real-time feeds in ways we have not previously been able to. We are very excited about this acquisition and look forward to the benefits in the months and years to come."

SORBS's rumored price tag was $451,000, so for the sake of both GFI and unfairly blacklisted companies and individuals, hopefully everything will get sorted out soon.

Congress Interested In Having ISPs Block Scam Sites

American lawmakers may soon pass a bill that would attempt to make the Internet a little safer for everyone. A new report indicates that ISPs could be asked to block scam sites and emails (among other things) that invoke the name of the Securities Investor Protection Corporation (SIPC).

Congress Interested In Having ISPs Block Scam Sites

The SIPC is, as its name might well have led you to believe, a nonprofit organization that aims to protect investors. Specifically, it steps in when brokerages shut down and tries to return investors' money to them. So, especially once you take all of the recent bank closures into account, you can imagine how it benefits scammers to pretend to be associated with the SIPC.

Representative Paul Kanjorski would like to put a stop to that. He proposed a bill that in part reads, "Any Internet service provider that, on or through a system or network controlled or operated by the Internet service provider, transmits, routes, provides connections for, or stores any material containing any misrepresentation (of the SIPC) shall be liable for any damages caused thereby, including damages suffered by the SIPC, if the Internet service provider...is aware of facts or circumstances from which it is apparent that the material contains a misrepresentation."

And that sounds reasonable enough at first listen. But of course, things aren't always as straightforward as they seem. The first detail that needs acknowledging is that many ISPs already try to block scam sites and spam email; it simply isn't good business to allow your customers to get robbed and/or bugged left and right. So, from a technical standpoint, it may be difficult or impossible to add additional layers of protection.

Then there's the classic slippery slope argument. Although protecting consumers from scammers is all fine and well, censorship of any sort leaves a bad taste in some people's mouths, and concerns exist about what the government might decide to block next.

Still, Declan McCullough reports that the language of Kanjorski's bill may yet be changed, and there's no guarantee that it'll be passed into law, anyway.

Yes, Windows 7 Needs Antivirus Software

More confirmation came yesterday that it is, quite simply, a terrible idea to leave a Windows 7 computer running without antivirus protection. Chester Wisniewski, a Senior Security Advisor at Sophos Canada, found that the operating system is vulnerable to all sorts of stuff.

Yes, Windows 7 Needs Antivirus Software

Wisniewski put Windows 7 and its User Account Control tech to the test by exposing a machine to ten viruses. Without UAC active, two of the ten were stopped. UAC (at its default settings) then just kept an additional one from wreaking havoc.

These results are, of course, not exemplary - no one would ever buy security software that lets 70 percent of the bad stuff through. Heck, something like that couldn't even be given away.

Still, since Windows 7's UAC isn't actually security software and hasn't been marketed as such, the results may not be much to worry about, either. Just about everyone, from tech experts to grandmas using AOL, understands that something extra is necessary to keep a computer safe.

Consider this an FYI, then, and, whether you're trying to spare an old computer the extra burden or simply feeling adventurous, continue to resist the urge to do ill-advised, no-protection experiments.

M86 Security Purchases Finjan

This morning, M86 Security became bigger and better than ever. Or, to be more explicit: M86, which is a company that specializes in Web and messaging security products, acquired Finjan, an organization focused on Web gateway solutions for the enterprise market.

M86 Security Purchases Finjan

John Vigouroux, the CEO of M86 Security, stated as a result, "We are very pleased to add Finjan's technology, products, customers and employees to the M86 team. With M86's complementary Email security and reporting products and worldwide distribution, we anticipate a broad opportunity for Finjan's enterprise-class Web security solutions to existing and new customers."

Gadi Maier, the CEO of Finjan Software, also said, "We are very excited to see Finjan become part of M86 Security. Finjan is well known for its advanced malware detection technology and leading secure Web gateway and hybrid SaaS solutions. Integrating it into M86's broader Web and messaging product lines and utilizing its worldwide distribution is a win-win for M86 Security and Finjan."

And indeed, it doesn't look like there's much reason for anybody to be upset about the deal. Granted, the financial terms remain unknown, so it's hard to guess how investors should feel, but on the security side of things, little besides a straightforward combination seems to be planned.

Vigouroux even hails from Finjan (he changed jobs about seven months ago) so he's in an especially good position to make sure that everything is integrated properly.

Microsoft Security Report Highlights Worm Problem

The latest Microsoft Security Intelligence Report (dubbed SIRv7) has been released, and while rogue security software was the "single largest threat category for the first half of 2009," the real news relates to worms. Worm infections became very common during the same period.

Microsoft Security Report Highlights Worm Problem

According to the report, "[W]orm infections in the enterprise rose by nearly 100 percent during the first half of 2009 over the preceding six months." Which, to put it another way, means worm infections about doubled in a very short period of time.

Conficker led the charge, posing a special threat to businesses because it can operate well within firewalled network environments. Taterf, meanwhile, went after a different group of people because it targets MMORPG players. And detections of it were up 156 percent.

That makes for a scary situation with folks getting attacked on all fronts.

Still, on the bright side, Microsoft recorded a tenfold decrease in Zlob disinfections, and rogue security software infections were down 20 percent.

As for some other info included in the report, the U.S. turned out to be roughly average in terms of computer security consciousness. Japan, Austria, and Germany all performed rather better.

Americans Lacking In Online Security

Many Americans still need to focus on securing online accounts and backing up critical data, according to a new study by the National Cyber Security Alliance (NCSA) and Symantec.

Americans Lacking In Online Security

The majority (85%) of Americans feel they are most responsible for keeping computers secure, and 40 percent feel that individual computer users are most responsible for keeping the entire Internet secure.

Only 27 percent of Americans make an electronic backup of their critical files on a weekly basis. More than 55 percent backup their files less often than once a month. Couple those findings with the fact that the use of computers to store personal data such as photos (76%), music (60%), banking information (39%) and tax returns (30%) continues to rise, computer users risk significant losses of valuable information.

Passwords are another area where computer users need to improve security. The study found that less than 25 percent of those polled change passwords quarterly and more than 50 percent of Americans never change them. In addition, 40 percent don't use different passwords for their various online accounts.

The NCSA recommends the use of long, complex passwords that include upper and lower case letters, numbers and symbols. In addition to prevent hackers from accessing multiple accounts, computer users should have different passwords for every account and change passwords at least once every 90 days.

"The fact that 85 percent of Americans believe they are most responsible for their own online security is a significant sign that awareness efforts are paying off and each one of us understands the important role we play in securing the Internet," said NCSA Executive Director Michael Kaiser.

"However, cybersecurity requires vigilance, maintenance and contingency planning every day of the year. Complex passwords and backing up are critical. Americans are doing better; they need to do better still and integrate cybersecurity into their lives until it's second nature."