Security Pitstop

PayPal Considers Safari To Be Insecure

Joe — Thu, 06 Mar 2008 02:11:59 +0000

If you’re looking for a safe browser for Internet commerce, PayPal says you should stay away from Apple’s Safari.

In an interview with Michael Barrett, PayPal’s chief information security officer, the focus was on two specific features: phishing filters and EV-SSL support. Both Firefox and IE7 have phishing filters built in and turned on by default. IE7 has support built in for Extended Validation (EV-SSL), which shows a green address bar for authenticated sites; Firefox and Opera will in upcoming versions.

Safari has no phishing filter and Apple does not participate in the CA/Browser Forum, the group that developed EV-SSL.

“Apple, unfortunately, is lagging behind what they need to do, to protect their customers,” Barrett said. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”

Barrett went further, echoing the thrust of VeriSign’s No More Abandoned Carts campaign, that the green bar instills confidence in users, claiming that IE7 users are noticeably less likely to abandon the login process. Confidence isn’t the same thing as security, but it’s not nothing. VeriSign says that similar effects have been observed by Overstock.com, DebtHelp.com, and now Scribendi.

Kid-Proof Your Computer

Joe — Wed, 05 Mar 2008 02:13:47 +0000

When the kids were little you installed safety outlets, put a lock on the knife drawer, and padded sharp-edged furniture. Now that they’re older you can get rid of those old gadgets–and install a whole new round of safety tools on the computer. Parental control software lets you steer kids away from bad Web sites and bad choices.

There are plenty of different products for different parenting styles. You can lock the kids out of adult Web sites, control when they can use the computer, and limit their instant messaging to parentally-approved pals. Or you can eschew limits but log their every activity silently. Many of the products can send violation notifications while you’re away from home and even let you tweak parental control settings remotely. Which one’s right for you? Check out PC Magazine’s roundup of 12 Tools to Keep Kids Safe Online.

Pakistan Takes Down YouTube

Joe — Wed, 27 Feb 2008 06:25:07 +0000

Following orders to take down content deemed offensive by the government, Pakistan’s telecom company went the extra mile and took down the whole YouTube site.

They did this using an abusive networking trick called “BGP Injection” in which they told the world that the IP address listed in DNS for YouTube was on their network. When YouTube requests came in to the Pakistani network they were, of course, not satisfied. The problem lasted about 2 hours before the rest of the world caught on and undid the changes.

BGP Injection is impossible to prevent and difficult to address, and you only see it if you’re looking for it. In many ways it’s the ultimate phishing tool. If the right people in Pakistan had gone further and put up a fake YouTube site to satisfy incoming requests it would have been hard for users to see the problem.

It’s not a secret, but it hasn’t gotten that much attention. Now perhaps a rogue network operator will be inspired to use this technique to its ultimate, malicious ends.

Tax Refund Scam

Joe — Sat, 23 Feb 2008 02:26:27 +0000

The latest IRS phishing e-mails redirects victims to sites hosted in Russia, and they mimic the actual Internal Revenue Service web site almost perfectly. And to complete the illusion, as soon as you’ve entered your personal and financial information you get redirected to the actual IRS site. Fiendish! Message Labs reports that this type of spam spiked in January, hitting ten times the normal level.The IRS isn’t unaware of this problem - in fact it has a page devoted to warning about scams. They point out that “The IRS does not send unsolicited e-mail about tax account matters to individual, business, tax-exempt or other taxpayers.” If you’re wondering how your refund is doing, go directly to www.irs.gov and check the “Where’s My Refund?” page. Don’t click any links in email that claims to come from the IRS–it doesn’t!

Use of Rogue DNS Servers on Rise

Joe — Sat, 16 Feb 2008 23:26:11 +0000

They’re called “servers that lie.” Mendacious machines controlled by hackers that reroute Internet traffic from infected computers to fraudulent Web sites are increasingly being used to launch attacks, according to a paper published this week by researchers with the Georgia Institute of Technology and Google Inc.

PassPub - Generate Strong Passwords

Joe — Fri, 15 Feb 2008 23:22:32 +0000

PassPub generates unique passwords to give individuals increased security. Passwords are used everyday to gain access to personal information e.g. email, banking, online shopping. Standard guidance given on selecting secure passwords is to use a combination of letters and numbers. This is a task ideally suited to a computer generated process.

PassPub provides many easy ways to obtain a randomly generated unique password to protect your personal information.

https://www.passpub.com

Test your Browser for Security Threats with Bcheck

Joe — Fri, 15 Feb 2008 23:04:05 +0000

Browser Security Test is a registration-free service that scans your browser for security issues. It works on Firefox, Internet Explorer and Opera browsers. The service is free and takes a couple minutes, depending on your connection speed.

http://bcheck.scanit.be

Verizon Rejects Hollywood’s Call to Aid Piracy Fight

Joe — Mon, 11 Feb 2008 03:25:14 +0000

More often than not companies in similar positions have similar views. But when Hollywood asked the two big phone companies to help with its fight against piracy, they responded in opposite ways. AT&T, as we wrote, is talking about developing a system that would identify and block illicitly copied material being sent over its broadband network.

Verizon, however, opposes the concept. I spoke to Tom Tauke, Verizon’s executive vice president for public affairs, on the subject. He said the company’s view combines a concern for the privacy of its customers with self interest. It may be costly for it to get into the business of policing the traffic on its network. Indeed, phone companies have largely spent a century trying not to be liable for what people say over their lines.

Montreal Startup Wants To Solve Identity Theft

Joe — Sun, 10 Feb 2008 03:47:28 +0000

Cryptographer and entrepreneur Stefan Brands runs Credentica, a Montreal-based startup that is rolling out an encryption-and-authentication system called U-Prove that allows users to disclose the absolute minimum to complete digital transactions — and to do so in a way that ensures the information they need to reveal has no shelf life whatsoever.

“By protecting privacy, you can actually enhance security,” Brands says. “My goal is to get the best of both worlds.”

Maintaining digital privacy and security has never been more important. As more and more people trust their personal information to electronic databases, security and privacy are plummeting. More than 79 million personal electronic records containing data like credit card and Social Security numbers were compromised in the United States last year — almost four times the number reported in 2006, according to the San Diego-based Identity Theft Resource Center. And more than 162 million such records were compromised globally, more than three times 2006 levels, according to Attrition.org.

Windows Firewall

Joe — Sat, 09 Feb 2008 05:31:11 +0000