Thursday, March 22, 2012

Password Policies and DNS Changer

When people were originally concerned about buying products online, there was already a technology in place called SSL to ensure secure transmission of credit card and personal information. It basically relies on a third-party source that hands out something called security certificates. This means that a certificate was purchased by the online store, from one of a few trusted providers, to ensure a secure transmission of credit card information.
This was used by most online web stores and any site that was built well and requested your private information. Web browsers enhanced their functionality by showing a padlock, open or closed, as well as showing a special color in the address bar for secure sites.
These certificates are maintained by something called a trust. Recently, due to rough times, one such trust authority lost control of its business and allowed a company to make 155 certificates that had untrustworthy intentions. Without getting any more technical, something happened in security that was never supposed to happen. A certificate authority (CA) was hijacked.
In response to this, various people have tried to explain how to tell if a security certificate is real or not.
Righard Zwienenberg wrote a great blog post at the ESET security blog called "Password management for non-obvious accounts".

Firefox has an Addon, Certificate Patrol, that will check certificate quality FOR YOU, including whether the certificates you are using are actually real or fake.
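One way a tool can do this kind of check for you is to remember the certificate each site presented and warn when it changes unexpectedly. The Python sketch below is an added illustration of that idea, not Certificate Patrol's code; the host name, CA names, certificate bytes and the 30-day renewal window are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Assumption: a replacement within 30 days of the old expiry date is routine.
RENEWAL_WINDOW = timedelta(days=30)

def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(der_bytes).hexdigest()

def check_certificate(store, host, der_bytes, issuer, not_after, now):
    """Compare the certificate a site presents with the one remembered for it.

    Returns 'new', 'unchanged', 'renewed' or 'suspicious'. The store is
    updated only on a first visit or a routine-looking renewal.
    """
    seen = {"fp": fingerprint(der_bytes), "issuer": issuer, "not_after": not_after}
    known = store.get(host)
    if known is None:
        store[host] = seen  # first visit: nothing to compare against yet
        return "new"
    if known["fp"] == seen["fp"]:
        return "unchanged"
    same_issuer = known["issuer"] == seen["issuer"]
    near_expiry = known["not_after"] - now <= RENEWAL_WINDOW
    if same_issuer and near_expiry:
        store[host] = seen  # same CA replacing a certificate about to expire
        return "renewed"
    # A different CA, or a swap long before expiry: keep the old record so the
    # warning repeats until the user has looked at the change.
    return "suspicious"

def demo():
    """Replay four constructed visits to a made-up host, shop.example."""
    store = {}
    old = (b"constructed-cert-1", "Example CA A", datetime(2013, 1, 1))
    odd = (b"constructed-cert-2", "Example CA B", datetime(2014, 1, 1))
    new = (b"constructed-cert-3", "Example CA A", datetime(2014, 1, 1))
    visits = [
        (old, datetime(2012, 3, 22)),   # first visit
        (old, datetime(2012, 3, 23)),   # same certificate again
        (odd, datetime(2012, 3, 24)),   # other CA, old cert valid for months
        (new, datetime(2012, 12, 15)),  # same CA, old cert expires in 17 days
    ]
    return [check_certificate(store, "shop.example", *cert, now)
            for cert, now in visits]

if __name__ == "__main__":
    print(demo())
```

A certificate that passes the browser's normal checks can still land in the "suspicious" case here, which is the situation a hijacked CA creates.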

Mixed with this threat is a recent problem that seems to be flying under the security software radar called DNSChanger, responsible for redirecting your computer's web surfing to sites that are not correct. This is coming from a Trojan that can infect a computer in one second and hijack it for the purposes of spam distribution, to infect other machines and steal your personal information. Symantec has a walkthrough to repair this. It was also written about in another security government blog, US-CERT, explaining that federal authorities are actually shutting down ISPs that have not fixed this problem.

Thursday, March 15, 2012

Cookies - It only takes one site to cause problems

This is the first frame of the video produced by Stephen Cobb. Please visit the blog post directly by clicking below, on his blog post title.

As marketing firms figure out more ways to use cookies to learn about your web surfing habits and possibly make it difficult for you to get any work done during the day, it is highly recommended to consider ways to block or remove cookies regularly.
There are settings in every browser that let you block different types of cookies and remove all cookies upon closing the browser. Unfortunately, these settings have to be adjusted manually.
A great example of how cookies jump on your machine is in the video at the ESET security blog post by Stephen Cobb called "Cookie stuffing, cookie jackers, rip-off Victoria's Secret giftcard seekers".

His blog post also describes the modern jargon of what some of these cookie terms mean:

Cookie stuffing is an abuse of affiliate marketing cookies intended to mark a visit to a website that an affiliate has initiated, and for which that affiliate will get paid if the consumer performs pre-defined tasks, like requesting more information. The cookie stuffer acts as an affiliate and places cookies on a consumer's computer even if the consumer has not been brought to the site by the stuffer, later getting paid for consumer actions.
Click-jacking can be narrowly defined as deceiving a user into clicking on things they did not intend to click on, or clicks which lead to pages or actions other than those the user expected when clicking. This is part of the broader category of fraud known as click-fraud.

Stephen put together this great 4-minute video to show how using the Internet (in this example Google Image search) for researching free giftcards and coupons can lead the unsuspecting shopper to a web site that will quickly fill a machine with web cookies. These cookies will monitor and track your web surfing habits. If you adjust your browser to remove all cookies when you close your browser, this can help. But it may be the most prudent policy to not look at websites that you do not know, have never heard about or can't recognize, regardless of the supposed deal behind the 'research', like a housing auction that offers $100 homes.

Note: this is NOT the fault of Google. In fact, Google tries to recognize and shut down these sites as much as possible, but they are created at a very fast rate, with ever newer methods to avoid Google's detection. Making Google completely responsible for this is like blaming a Road Commission for allowing convicts with a car to use a road once they robbed a bank.

Thursday, March 1, 2012


Mozilla Firefox has a wonderful plugin or Addon gallery that allows anyone to add functionality for surfing the web. Often this is used for notifiers for Twitter, Blog Subscriptions, Yahoo! Answers, Yahoo! Mail or GMail Inbox.

There are security-specific Addons for Firefox, like https-everywhere, that help protect people from exposing their login information when logging into bank sites, social media or webmail (see more details here).
Google's Chrome browser also has something called Extensions that do the same thing as Mozilla Addons, but for Chrome.

Internet Explorer has been trying to offer these technologies in its newer browsers, but has been lacking in its overall security features. Recently Microsoft introduced InPrivate Filtering, which is a type of protection against known bad websites. It allows you to build your own lists of sites that you want to block or allow when using Internet Explorer. This was a great leap in security for Microsoft browsers and as of today, if you use Internet Explorer 7 or 8, you can download pre-built lists (like the one offered by John Delizo) that can be imported directly into the browser under Tools - Manage Addons.
Microsoft recently released Internet Explorer 9, and with it has changed the technology to block or allow web sites. They are trying to get closer to the design of Mozilla's famous blocking Addon called AdBlock Plus. If your machine is running Windows XP Professional, this does not apply. For all machines running Windows Vista or Windows 7 (or Windows 8), you can no longer use Internet Explorer 8 InPrivate Filtering to import block lists, but you can use a method more similar to Firefox called TPL lists. TPL lists are well described on the website PrivacyChoice. They also include a great FAQ about their list and the overall technologies.
(Credit: thanks to Lifehacker for the image!)