Security experts are warning Adobe customers to be extra vigilant following the discovery of an attack that attempts to exploit a vulnerability in Adobe’s Reader and Acrobat products. Security researchers for Symantec said that the attack comes as a Trojan hidden in a PDF file attachment in junk emails. The attack attempts to lure email recipients into opening the attachment. When the file is opened, a malicious file disables the Windows firewall and downloads software. Adobe has since confirmed it is investigating the “reports of vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions” and will issue a fix as soon as it has more information.
Source of Information : Computer Active Issue 310 January 7 2010
Friday, February 12, 2010
Friday, January 8, 2010
Are Flash Cookies Devouring Your Privacy?
Small Flash files can track your online movements, and they don’t vanish when you delete normal tracking cookies.
EVEN IF YOU delete normal tracking cookies regularly to evade tracking by snooping sites and eager advertisers, little-known Flash cookies may be making an end run around your attempts to preserve your privacy. Flash cookies (also known as local shared objects or LSOs) can save certain Adobe Flash–related settings—storing preferences for watching Flash video on a certain site, for example, or caching a music file for better playback. But Flash cookies can also store unique identifiers that track the sites you visit, much as regular tracking cookies do. Deleting the regular cookies on your machine via a standard browser option such as Clear Private Data > Cookies (in Firefox) or Tools > Delete Browsing History > Delete cookies... (in Internet Explorer) doesn’t affect Flash cookies, which are stored elsewhere on your PC.
Flash Cookie Research
A recent study (find.pcworld.com/63930) of Flash cookies and their use reports that even the private browsing modes in the latest browsers won’t hamper LSOs. Students and researchers at the University of California, Berkeley, and at other universities found that a number of sneaky online actors use Flash cookies to re-create regular tracking cookies that users delete. According to the study, more than half of the top 100 Web sites used Flash cookies, and third-party advertisers tended to be behind the underhanded cookie re-creation effort. If you don’t want your privacy preferences to be ignored, you can try a couple of options. If you use Firefox, you can install an add-on called Better Privacy (find.pcworld.com/63931) that displays a summary of your current LSOs and lets you arrange to delete Flash and regular cookies automatically whenever you stop or start the browser. It works well for me.
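The cookie re-creation described above can be checked for locally. The following is an added example, not code from the article or the study: a heuristic audit that walks Flash Player's LSO directory and reports any `.sol` file holding the same value as a browser cookie. The default directory locations, the `cookies` mapping (which you would export from your browser) and all sample data are assumptions or constructed for illustration.

```python
import os
import struct
import sys
import tempfile
from pathlib import Path

MIN_ID_LEN = 8  # skip short values ("1", "en") that would match by chance


def default_lso_root() -> Path:
    """Usual per-user Flash Player LSO directory (assumed standard locations)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", str(home)))
        return base / "Macromedia" / "Flash Player" / "#SharedObjects"
    if sys.platform == "darwin":
        return home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects"
    return home / ".macromedia/Flash_Player/#SharedObjects"


def scan_lsos(root: Path):
    """Yield (site, path, raw_bytes) for every .sol file under root."""
    for path in sorted(root.rglob("*.sol")):
        parts = path.relative_to(root).parts
        # Layout: <random profile dir>/<site>/.../<name>.sol
        site = parts[1] if len(parts) >= 3 else "(unknown)"
        yield site, path, path.read_bytes()


def _same_site(lso_site: str, cookie_domain: str) -> bool:
    d = cookie_domain.lstrip(".")
    return d == lso_site or d.endswith("." + lso_site) or lso_site.endswith("." + d)


def find_respawn_candidates(root: Path, cookies: dict) -> list:
    """Report LSOs that contain the value of an HTTP cookie.

    cookies maps (cookie_domain, cookie_name) -> value. A shared long
    identifier means deleting the cookie alone leaves a copy behind that
    a site could use to restore it. This is a raw byte match, not an AMF
    parse, so treat hits as candidates to review.
    """
    findings = []
    for site, path, data in scan_lsos(root):
        for (domain, name), value in cookies.items():
            if len(value) >= MIN_ID_LEN and value.encode() in data:
                findings.append({
                    "lso_site": site,
                    "lso_file": path.name,
                    "cookie_domain": domain,
                    "cookie_name": name,
                    "cross_site": not _same_site(site, domain),
                })
    return findings


def _constructed_sol(name: bytes, key: bytes, value: bytes) -> bytes:
    """Constructed bytes loosely shaped like a .sol file (test data only)."""
    body = (b"TCSO\x00\x04\x00\x00\x00\x00"
            + struct.pack(">H", len(name)) + name + b"\x00\x00\x00\x00"
            + struct.pack(">H", len(key)) + key
            + b"\x02" + struct.pack(">H", len(value)) + value + b"\x00")
    return b"\x00\xbf" + struct.pack(">I", len(body)) + body


def demo() -> list:
    """Run the audit on a constructed LSO tree and constructed cookies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "#SharedObjects"
        ads = root / "ABCD1234" / "ads.example"
        video = root / "ABCD1234" / "video.example"
        ads.mkdir(parents=True)
        video.mkdir(parents=True)
        (ads / "tracker.sol").write_bytes(
            _constructed_sol(b"tracker", b"uid", b"f3a9c2d47b1e4c0a"))
        (video / "settings.sol").write_bytes(
            _constructed_sol(b"settings", b"volume", b"0.8"))
        cookies = {
            (".news.example", "uid"): "f3a9c2d47b1e4c0a",  # same ID as the LSO
            (".video.example", "lang"): "en",               # too short to count
        }
        return find_respawn_candidates(root, cookies)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

To audit a real profile, call `find_respawn_candidates(default_lso_root(), cookies)` with cookies exported from the browser.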
Flash Player Settings Box
If you don’t use Firefox, you’ll have to dig into the settings box at find.pcworld.com/63932, which lets you change settings for the Flash Player on your system. If you want your computer to prompt you for permission to proceed whenever a site wishes to store a Flash cookie on the PC, move the Global Storage Settings slider bar all the way to the left (from ‘100KB’ to ‘None’). To disable LSOs, check the Never Ask Again box (doing so is likely to prevent many sites that use Flash content from working correctly). Likewise, unchecking the ‘Allow third-party Flash content...’ option could prevent advertisers from storing Flash cookies on your PC, but it may also prevent Flash video from working correctly on some sites (including 9 out of the 100 sites in the research report). To delete all existing Flash cookies—good or bad—click the Website Storage Settings tab at the far left of the Flash settings interface, and click the Delete all sites button at the tab’s base. To delete them individually, highlight an entry and click Delete website. Altering these settings once will cover any browser on that PC, according to Adobe. Longer term, the company is looking into allowing Flash cookie controls from the browser menu itself.
Source of Information : PC World December 2009
Thursday, January 7, 2010
Banking Trojan Horse Hides Its Money Mules
TROJAN HORSES SUCH as Zeus and Clampi have been emptying bank accounts for years, but a devious new program tries to deceive investigators about where the money is going. First uncovered by Finjan Software, the URLzone Trojan horse rewrites bank pages so that victims don’t know their accounts have been emptied. Its sophisticated command-and-control interface lets the bad guys preset the percentage of the account balance to remove. RSA Security researchers say that URLzone uses several techniques to spot machines run by crime investigators. Researchers typically create programs that mimic the behavior of real Trojan horses. When URLzone identifies one of these, it sends it bogus information, says Aviv Raff, RSA Security’s FraudAction research lab manager. Security experts have long published research on the inner workings of malicious computer programs such as URLzone, according to Raff. “Now the other side knows that they are being watched, and they’re acting,” he says. When URLzone spots a researcher’s program, rather than just disconnecting from the researcher’s computer, the server instructs it to transfer money—but not to one of the mules recruited to move cash overseas. Instead, it chooses an innocent victim—typically someone who has received legitimate money transfers from other hacked computers on the network, Raff says. So far, more than 400 legitimate accounts have been exploited in this way, according to RSA. The idea is to confuse researchers and to prevent discovery of the criminal’s real money mules. According to Finjan, the URLzone Trojan horse infected about 6400 computer users last September, clearing about $17,500 a day during that month.
Source of Information : PC World December 2009
Wednesday, January 6, 2010
Stymie Malicious Media, Network Attacks
Fix media-file flaws on PCs and Macs, and block Vista network attacks.
ESSENTIAL OS fixes are big this month. And fans of free software need to update their Firefox and OpenOffice copies. Apple’s QuickTime 7.6.4 update revises the program’s handling of .fpx, .mov, and .mp4 files on Windows XP, Vista, or 7, or Mac OS X (not Snow Leopard). In QuickTime, click Help > Update Existing Software to ensure that you have version 7.6.4 (for details, see find.pcworld.com/63917). Microsoft’s patch plugs a security hole in the way Windows 2000, XP, Server 2003, Vista, and Server 2008 (but not Windows 7) process .asf or .mp3 media files. Microsoft’s bulletin (find.pcworld.com/63918) lists many vulnerable combinations of Windows Media Format Runtime and OS versions; run Windows Update to confirm you have the fix.
Network Flaws
Windows Vista and Server 2008 are vulnerable to several network-based security flaws. One, an SMBv2 file-sharing hole, could let a remote attacker take over a machine. Microsoft hasn’t yet released a patch, but at find.pcworld.com/63919 the company has posted a “Fix It” for disabling SMBv2. File sharing should work, but it may be slow.
Microsoft did patch a flaw that malicious TCP/IP packets sent across a network might exploit. On Vista and Server 2008, that could mean a full takeover; on Windows 2000, Server 2003, and XP, a system crash is likelier. Microsoft won’t release a patch for Windows 2000 (see find.pcworld.com/63920) or XP (which by default doesn’t accept the perilous packets). A network problem in the Wireless LAN AutoConfig Service (find.pcworld.com/63921) could let remote attackers “own” vulnerable Vista or Server 2008 systems. PCs that lack wireless cards or run other Windows versions are safe. A firewall will help block such Web-based assaults. Two more Microsoft patches correct critical flaws that might let code hidden on a Web page run commands on a vulnerable PC. One, in the JScript Scripting Engine (find.pcworld.com/63922), affects Windows 2000, XP, Server 2003, Vista, and Server 2008. The other involves the DHTML Editing Component ActiveX control (find.pcworld.com/63923), and is critical for Windows XP and 2000 only. Windows Update has both fixes, as usual.
Fixes for Free Software
If you use the OpenOffice productivity suite, update to version 3.1.1 or later to avoid a critical problem in how OpenOffice handles Microsoft Word documents. If you open a tainted .doc file, an attacker could take over your PC. Click Help > Check for Updates to see whether you have the latest version (read more at find.pcworld.com/63924). Firefox versions 3.5.3 and 3.0.14 correct three critical flaws. Click Help > Check for Updates, and see Mozilla’s Firefox 3.0 (find.pcworld.com/63925) and 3.5 (find.pcworld.com/63926) security advisories. Firefox 3.0 and 3.5 include a security feature that warns you to update Flash if your version is vulnerable; they also provide a link to the Flash download site. If you use Mac OS X versions 10.4 through 10.5.8, fire up Software Update to pick up Security Update 2009-005, which fixes image file, PDF file, or Web site holes (see find.pcworld.com/63929).
Source of Information : PC World December 2009
Tuesday, January 5, 2010
Phishers Dangle Some Brand-New Bait
IN SEPTEMBER 2009, some unlucky visitors at the New York Times Web site clicked on an ad that attempted to install malware. The advertisement displayed a popup window informing readers that their computer might be infected with a virus; only by purchasing a new antivirus product could they be sure of having a clean system. The Times later acknowledged the scam in a posting on its Web site: “Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software.… If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser.” Phishers and scammers use this and other new tactics to deceive unsuspecting victims.
Phishing 2.0
Phishing refers to an attempt to collect usernames, passwords, and credit card data by posing as a legitimate, trusted party. Often the deception involves using e-mail sent from a trusted address. Originally, phishing applied to the banking and payment industry only, but now it also covers theft of log-in credentials to games, and personal passwords to social networks such as Facebook and Twitter. Most people wouldn’t reveal their social security number or mother’s maiden name at a strange site. Modern browsers and security software flag such content and ask you whether you’re sure you want to send it; some block it with a red-and-black warning label. So phishers have adopted new tactics.
Fake Antivirus Software an Emerging Problem
Rogue antivirus products are among the latest phishing instruments to appear, and many are quite convincing. Bearing names like Antivirus 2009, AntiVirmin 2009, and AntiSpyware 2009, they have interfaces similar to those of real antivirus apps. Some rogue antivirus products have their own keywords on search engines and cite fake reviews recommending them (see find.pcworld.com/63915 for one that I supposedly wrote). The rogue antivirus product that showed up on the New York Times site installed malware that, if executed, would have lowered the security settings in Internet Explorer, run executable files, and altered the system Registry. Such actions by phishing malware are fairly common. The real security apps knew it, too: Legitimate antivirus vendors AVG, Comodo, Kaspersky, McAfee, Microsoft, Nod32, and Sophos (among others) detected this particular piece of malware within the first few hours.
Customer-Service Fakes
Another phishing gambit is a variation on an old scam: The crooks mass-mail a seemingly personalized e-mail message, ostensibly from a bank, containing a fake online chat option. In this “chat-in-the-middle” attack, as soon as the victim enters a user name and password at the designated online site, a chat window opens up and a scammer posing as a customer service rep at the bank requests additional personal information to confirm the identity of the account holder. By providing these details, the victim gives the thief crucial data.
Small Potatoes
Roger Thompson, chief research officer at AVG, says rogue antivirus products are common: “The bad guys are clearly making money at it.” Besides benefiting up front by selling the rogue antivirus product, they collect credit card information for future identity fraud. Jon Miller, director of Accuvant Labs, a security consulting firm that works with Fortune 500 companies and several U.S. government contractors, says that the New York Times incident isn’t unusual. Further, he notes that he has seen an upsurge in the use of malware tailored to customers of particular banks and other financial institutions.
Protect Yourself
AVG makes a free product called Linkscanner (find.pcworld.com/63911) that blocks new phishing attacks, yet allows users to safely view any site. For phishing attacks such as fake chat sessions and fake keywords, AVG’s Thompson says, users need to develop a healthy dose of skepticism, and learn how to kill the browser using Task Manager. That won’t stop Web-based exploits, but it will give you a way to defeat social engineering attacks.
Accuvant’s Miller recommends several common-sense antiphishing strategies:
- Use a strong browser. According to Miller, Internet Explorer is the weakest browser, while Firefox and Google Chrome are relatively strong.
- Use a malware-resistant platform such as Mac OS or Linux. Though neither is impervious to attack, each is less likely to be targeted than the mainstream Windows operating system.
- Use antimalware software; Miller says that his program of choice is Webroot Internet Security Essentials.
- Update your software promptly and regularly, but don’t depend on updates as the sole way to guarantee your system’s security. As Miller observes, “malware tends to be ahead of the curve.”
- Be cautious and vigilant when using high-profile social networking sites such as Facebook and Twitter.
Source of Information : PC World December 2009
Tuesday, November 24, 2009
Banking by Phone: Convenient and Safe?
WITH THE introduction of an iPhone app that lets you deposit a check by taking a picture of it, options for mobile banking are growing. And though you might think the boost in convenience comes at the expense of security, banking on your phone can be safer than using your PC if you take basic precautions. You have three options for mobile banking: downloading a program for your cell phone, using your phone’s browser to access a mobile version of your bank’s site, or simply sending an SMS message.
Downloadable programs vary, but an iPhone app from USAA is at the cutting edge. Qualified USAA customers (limited to credit-approved military personnel) can use it to make deposits by taking a picture of a paper check, which they then void and toss. But while the USAA app allows for sending money to a predefined payee, it doesn’t let you create a new payee (though you can do so on the USAA Web site). It’s a common restriction among downloadable apps, intended to prevent someone else from grabbing your phone and sending themselves your cash. Online banking via a phone’s browser generally offers all the same options as on a PC. Both downloadable apps and mobile sites typically require logging in with the same user name and password you’d use on your PC. They also encrypt communications to and from the bank. SMS messages are the least secure method, as SMS doesn’t normally use encryption. This option is also limited. Wells Fargo’s SMS service, for example, allows only for low-risk activities such as checking your balance or finding an ATM. Using any of these options on a device you might easily lose may seem inherently insecure. But any phone option is largely safe from malware, one of the biggest threats to online banking. Also, the variety of mobile operating systems and other factors mean that, for now, you have no real risk of leaving your phone open to baddies. Tom Wills, a senior analyst for Javelin Strategy and Research, says mobile banking can be safer than banking on a PC—as long as the phone’s security features are enabled. Because your phone may someday end up in the backseat of a taxi without you, those precautions go beyond the ones you’d use on a PC.
Practice Safe Mobile Banking
Using a PIN or a password to lock your phone is the first step; just knowing which bank you use can help a potential ID thief. Next are remote-wipe options that let you clean out your phone should you ever lose it. Wills says some banks offer the feature for their downloadable apps. You can wipe BlackBerrys and iPhones (if you pay for the MobileMe service), too, and some apps such as Kaspersky Mobile Security offer the feature for Symbian OS or Windows Mobile phones. Finally, SMS messages can provide security support if you instruct your bank to text you after large or potentially suspicious transactions. Considering how much personal info most people keep in their e-mail, losing your phone can be a risk even if you don’t use mobile banking. But the combination of power-on passwords and safeguards from the banks can make mobile banking just as secure as it is handy.
Source of Information : PC World November 2009
Thursday, April 10, 2008
‘Hacker Safe’ Seal Under Attack Following Site Breach

MORE THAN 80,000 Web sites display a small logo proclaiming them "HackerSafe." But the company behind this security seal, ScanAlert, found itself on the defensive recently after technology retailer Geeks.com, which carries the seal, warned some customers that their personal and credit card data may have been compromised by hackers.
ScanAlert's seal is the most widely used, and can be found on dozens of marquee-brand sites, such as Sony's. Its popularity attracted McAfee, which bought ScanAlert last year.
A ScanAlert spokesperson says that "preliminary evidence" suggests the Geeks.com breach, reported to an undisclosed number of customers in January, likely occurred during one of several periods last year when ScanAlert had withdrawn its certification from Geeks.com after discovering vulnerabilities on the Web site. Nevertheless, the incident has rekindled a debate about the value of such seals. Web site managers say that ScanAlert's automated-scanning service can sniff out some security flaws and that the logo is a valuable marketing tool. Detractors say that it can give companies and customers a false sense of security.
"[The] seals are completely ludicrous," says David Kennedy of SecureState. Upon a request for testing from the owners of ten Hacker Safe sites, his company was able to break into and easily access financial and customer data from nine of the ten sites.
McAfee’s Tim Dowling acknowledges that "Hacker Safe is not perfect," but says that the service does help users defend their sites.
Source of Information : April 2008 PC World