Page 12 of 14
This is a good idea.
The built anti-phishing capability warns users when they come across Web forgeries, and offers to return the user to his or her home page. Meanwhile, microsummaries are regularly updated summaries of Web pages, small enough to fit in the space available to a bookmark label, but large enough to provide more useful information about pages than static page titles, and are regularly updated as new information becomes available.
Here’s a report of phishers defeating two-factor authentication using a man-in-the-middle attack.
The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit—a tactic used by some security-savvy people—you might be fooled. That’s because this site acts as the “man in the middle”—it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
I predicted this last year.
According to CNN:
Besides the contact restrictions, all users—not just those 14 and 15—will have the option to make only partial profiles available to those not already on their friends list.
All users also will get an option to prevent contact from people outside their age group. Currently, they may only choose to require that a person know their e-mail or last name first; that will remain an option to those 16 and over, even as it becomes mandatory for those younger.
MySpace also will beef up its ad-targeting technology, so that it can avoid displaying gambling and other adult-themed ads on minors’ profile pages and target special public-service announcements to them.
Honestly, this all sounds a lot more like cover-your-ass security than real security: MySpace securing itself from lawsuits.
“Safety experts” seem to agree that it won’t improve security much.
New Scientist has discovered that Pentagon’s National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology – specifically the forthcoming “semantic web” championed by the web standards organisation W3C – to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.
From CNN:
Detectives used profiles posted on the MySpace social networking Web site to identify six suspects in a rape and robbery….
[…]
She knew only their first names but their pictures were posted on MySpace.
“Primarily, we pulled up her friends list. It helped us identify some of the players,” said Bartley.
Recently there was some serious tax credit fraud in the UK. Basically, there is a tax-credit system that allows taxpayers to get a refund for some of their taxes if they meet certain criteria. Politically, this was a major objective of the Labour Party. So the Inland Revenue (the UK version of the IRS) made it as easy as possible to apply for this refund. One of the ways taxpayers could apply was via a Web portal.
Unfortunately, the only details necessary when applying were the applicant’s National Insurance number (the UK version of the Social Security number) and mother’s maiden name. The refund was then paid directly into any bank account specified on the application form. Anyone who knows anything about security can guess what happened. Estimates are that fifteen millions pounds has been stolen by criminal syndicates.
The press has been treating this as an issue of identity theft, talking about how criminals went Dumpster diving to get National Insurance numbers and so forth. I have seen very little about how the authentication scheme failed. The system tried—using semi-secret information like NI number and mother’s maiden name—to authenticate the person. Instead, the system should have tried to authenticate the transaction. Even a simple verification step—does the name on the account match the name of the person who should receive the refund—would have gone a long way to preventing this type of fraud.
Interesting paper:
Zooko’s Triangle argues that names cannot be global, secure, and memorable, all at the same time. Domain names are an example: they are global, and memorable, but as the rapid rise of phishing demonstrates, they are not secure.
Though no single name can have all three properties, the petname system does indeed embody all three properties. Informal experiments with petname-like systems suggest that petnames can be both intuitive and effective. Experimental implementations already exist for simple extensions to existing browsers that could alleviate (possibly dramatically) the problems with phishing. As phishers gain sophistication, it seems compelling to experiment with petname systems as part of the solution.
Although I think I’ve seen the trick before:
Phishing schemes are all about deception, and recently some clever phishers have added a new layer of subterfuge called the secure phish. It uses the padlock icon indicating that your browser has established a secure connection to a Web site to lull you into a false sense of security. According to Internet security company SurfControl, phishers have begun to outfit their counterfeit sites with self-generated Secure Sockets Layer certificates. To distinguish an imposter from the genuine article, you should carefully scan the security certificate prompt for a reference to either “a self-issued certificate” or “an unknown certificate authority.”
Yeah, like anyone is going to do that.
Do you own shares of a Janus mutual fund? Can you vote your shares through a website called vote.proxy-direct.com? If so, you can vote the shares of others.
If you have a valid proxy number, you can add 1300 to the number to get another valid proxy number. Once entered, you get another person’s name, address, and account number at Janus! You could then vote their shares too.
It’s easy.
Probably illegal.
Definitely a great resource for identity thieves.
Certainly pathetic.
I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.
Beta testers have discovered a serious security flaw that exposes a site created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and log in info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).
The vulnerability is easy to exploit. In your browser enter:
http://domain.com/_versioning_repository_/rollbacklog.xmlNow enter:
http://domain.com/_versioning_repository_/n.zip, where n is the number you got from rollback.xml.Then, open Fusion and create a new site from the d/l’ed template. Edit and republish.
This means that anyone can edit a NOF9 site and get any usernames and passwords involved in it. Every site using versioning in NOF9 is exposing their site.
Website Pros has refused to fix the hole. The only concession that they have made is to put a warning in the publishing dialog box telling the user to “Please make sure your profiles repository are [sic] stored in a secure area of your remote server.”
I don’t use NOF9, and I haven’t tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word. I don’t know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.
Sidebar photo of Bruce Schneier by Joe MacInnis.