Archive for Privacy

Online banking is convenient, but make sure you also play it safe

Despite this being the age of identity theft and online scams, more brick-and-mortar banks are offering their customers products and services for banking on the Web.

Plus, Internet banks, which have no physical branches, are gaining popularity, since they often pass along their lower overhead costs to consumers in the form of high interest rates on deposits.

The number of Americans banking online grew to 40 million in the fourth quarter of 2005, a 27% increase over the previous year, according to comScore Networks, a research organization that studies consumer Internet behavior.
Consumers have good reason to bank online — online transactions can often save you money, and their convenience can’t be beat. But it’s wise to be extra cautious when handling your money over the Web. Follow these tips to ensure online safety:

  • When handling money online, make sure you only deal with secure Web sites. You’ll know a site is secure if you can see the padlock symbol in the bottom right corner of your Web browser. Click the padlock for security details.
  • Ensure that your computer is secure–always use the “password protect” feature to make sure only you can access the information stored there.
  • Many banks and shopping sites offer to “remember your password”–ignore those offers to prevent other computer users from accessing your information.
  • Avoid accessing your account from a public computer, but if you must, when you’re done banking clear the computer’s “history” and delete its “temporary Internet files” (usually available under “Internet options” in Internet Explorer), to prevent the next computer user from possibly seeing your sensitive data.
  • Change your passwords regularly.
  • Never send credit card or account details by e-mail. Be aware of “phishing” scams, as well: If you receive an e-mail asking you to follow a link to a Web site where you must input your information, it’s probably a scam. Banks will not ask you via e-mail to update your account information.
  • Always print your transaction receipts and file them with your bank records until you receive confirmation in your bank statement.
  • Be aware that not all virtual banks are insured by the FDIC — some may be chartered overseas. To check whether your Internet bank is insured, visit the FDIC’s Bank Find Web site.

From MarketWatch.

Tags: , , , , , , ,

Comments

Internet Explorer flaw may expose personal information via Google Desktop

A security researcher in Israel has found a way to steal information from unwitting users of Google’s desktop search tool by exploiting an unpatched flaw in Microsoft’s ubiquitous Internet Explorer.

There is a bug in the way the Web browser processes CSS rules, Matan Gillon wrote in a description of his hack posted on Wednesday. CSS, or Cascading Style Sheets, is a method for setting common styles across multiple Web pages. The Web design technique is widely used on many sites across the Internet.

The proof-of-concept method is an example of how security flaws in software can offer all kinds of access to programs on vulnerable PCs, including to Google Desktop.

This design flaw in IE allows an attacker to retrieve private user data or execute operations on the user’s behalf on remote domains” Gillon wrote in his description of the attack method. He crafted a Web page that–when viewed in IE on a computer with Google Desktop installed–uses the search tool and returns results for the query “password.

To exploit the flaw, an attacker has to lure a victim to a malicious Web page. “Thousands of Web sites can be exploited, and there isn’t a simple solution against this attack, at least until IE is fixed” Gillon wrote.

Microsoft is investigating the issue, which it described in a statement as a problem affecting the cross-domain protections in Internet Explorer. “This issue could potentially allow an attacker to access content in a separate Web site, if that Web site is in a specific configuration” Microsoft said in the statement.

Microsoft is not currently aware of malicious code that takes advantage of the flaw, but is monitoring the situation, the company said. A security update or an advisory on the problem may be coming, it said.

Google is also investigating Gillon’s findings. “We just learned of this issue and are looking into it” Sonya Boralv, a spokeswoman for the search giant, wrote in an e-mailed statement.

While Gillon in his example uses the IE flaw as a means to get to Google Desktop, this flaw and other software bugs could be used to covertly access virtually any application on a compromised computer.

It is like any other flaw within IE, but he got creative and used it to launch Google Desktop to retrieve data” security researcher Tom Ferris said. “You can bet we will see this one being used to steal users’ Quicken data, database files, etc.

Steve Manzuik, a security product manager at eEye Digital Security, agreed. “This definitely looks like a flaw in IE and not a Google bug. He is using Google Desktop as to retrieve data, but it is IE that makes it possible” he said.

While IE is vulnerable, Gillon found that Firefox and Opera are not. For protection, Internet users could use one of those browsers or disable JavaScript in IE, Gillon suggested.

It has been a busy week on the Microsoft security front. Four examples of attack code were released for flaws in the Windows operating system, and a Trojan horse is finding its way onto PCs through another yet-unpatched flaw in IE.

From an article on News.com.

Tags: , , , , , , , , , , , , ,

Comments

Keystroke logging gaining ground

Keylogger programs that record passwords and other typed-in text are increasing, according to data from iDefense.

The programs are an increasingly popular tool among identity thieves, the security company said Tuesday. Reports to iDefense, and its own research, indicate that the number of keylogger variants unleashed this year is set to rise 65 percent over last year, reaching nearly 6,200 in total, the company said in a statement on Tuesday.

Each variant could lead to anything from a few to several thousand infections, Ken Dunham, senior engineer at iDefense, said. Keylogger software typically tracks keystrokes on infected computers and is used to try to steal sensitive information such as user names and credit card data.

The biggest problem with keyloggers, which silently relay data to attackers, is that they often go undetected, easily slipping past firewalls and antivirus software, iDefense, a division of VeriSign, said.

There are so many victims because so few know the risk or the early warning signs,” Joe Payne, vice president of VeriSign iDefense Security Intelligence Services, said in a statement. “You simply can’t stop what you can’t see.”

Early warning signs can include slow performance of a PC, a spike in pop-up messages and other problems.

Computers can become infected with keyloggers in a variety of ways, such as through downloading spyware or e-mail attachments, or through a visit to a chat room or simply to the wrong Web site. The programs typically exploit flaws in Web browser software, including Microsoft’s Internet Explorer.

iDefense said keyloggers are typically spread by organized cybercrime rings, which have used them in the past to conduct large-scale money transfers to fund criminal activities. The programs have grown exponentially since 2001, when the firm detected just 275 of them.

From an article on ZDNet.

Tags: , , , , , , ,

Comments

Phishing attack targets Google

Internet security firm Websense is warning surfers to be on guard for a phishing e-mail that pretends to be from Google alerting recipients that they have won $400.

The e-mail directs users to a spoofed copy of Google’s site, where “winners” are prompted to click on another link to claim their prize money. The next page asks the visitor to enter their credit card number and shipping address.

Tags: , , , ,

Comments (1)

Securing your WLAN access point

Wireless Internet access is ever so convenient; no need for messy ethernet cables when sitting with your wifi-enabled laptop in the sofa relaxing. This convenience can come at a price though. Your wireless access point (WLAN access point, WAP) could probably do with some locking down, especially if you’ve never even visited the administration interface of it.

Most WLAN access points are NOT secure out of the box.
Consult your WAP manual and make sure you at least do the following:

  • Enable password protection/change default password for administration interface
  • Enable logging
  • Disable broadcasting of SSID
  • Enable WEP (Wired Equivalency Privacy).
    This encrypts data transmitted over the air. WEP has flaws which can be exploited, but it’s still better than no encryption at all.
  • Use MAC access control list.
    This makes sure your access point only talks to your computers. You may find a record of your computer’s MAC address in the WAP log (you did enable logging, didn’t you?)
  • Disable remote SNMP
  • Turn off your wireless access point when not in use.

For additional protection:

  • Turn off any file- and printer sharing on your computer.
  • Install a personal firewall.
  • Install anti-virus software and keep it updated.
  • Make sure you have the latest patches for your operating system.
  • Look into deploying some sort of VPN-solution between computers connected via WLAN and your gateway.

Tags: , , , , , , , , , , , , , , ,

Comments

« Previous entries ·