Security/Privacy

SpoofStick helps users defend against IDN vulnerability

Posted Wed, 2005-02-16 15:11 by geekwisdom

CoreStreet recently released an updated version of their SpoofStick product which helps to address the recently discovered IDN vulnerability in today's major browsers.

SpoofStick is freely available for both Microsoft's Internet Explorer on Windows 2000 or XP and Mozilla's Firefox browser on all platforms.

Countermeasures for Identity Theft from Frank W. Abagnale

Posted Mon, 2005-02-07 11:23 by geekwisdom

An article by Frank W. Abagnale, the lecturer and consultant, entitled 14 tips to avoid identity theft details some good advice for protecting your identity.

Abagnale's tips:

1. Guard your Social Security number. It is the key to your credit report and banking accounts and is the prime target of criminals.

2. Monitor your credit report. It contains your SSN, present and prior employers, a listing of all account numbers, including those that have been closed, and your overall credit score. After applying for a loan, credit card, rental or anything else that requires a credit report, request that your SSN on the application be truncated or completely obliterated and your original credit report be shredded before your eyes or returned to you once a decision has been made. A lender or rental manager needs to retain only your name and credit score to justify a decision.<!-- break -->

Password management

Posted Tue, 2005-02-01 12:26 by geekwisdom

Many people need to create accounts for different things. Accounts for buying things, accounts for viewing things, accounts for participating in things. Then there are all the accounts they need for things like e-mail, terminal logins, etc.

I've heard of people who use the same password for everything. While it would be easy to remember this password it is also easy to compromise a single password. This risk increases if it is ever sent over a network or the Internet in plain-text. If someone could intercept the password while it passed over the network they would have access to every account protected by that password. This is dangerous.

Assessing Internet Explorer Use in Light of Vulnerabilities

Posted Thu, 2004-07-01 10:05 by geekwisdom
I think some of the wrong conclusions are being drawn about the latest exploits for some known vulnerabilities in Internet Explorer (IE). First of all there is NO production level patch for Windows that will protect you from this exploit. SP2 RC2 is a release candidate, thus RC2. Microsoft says, "Customers who are already following our safe browsing guidance significantly reduce their risk from this type of attack." Reduce the risk, not eliminate it.
http://www.microsoft.com/security/incident/download_ject.mspx

Dump Internet Exploder! Get another browser!

Posted Mon, 2004-06-28 10:40 by geekwisdom
Look, it's simple, Internet Explorer (IE) and Outlook Express (OE) are the "targets of choice" for most virus and worm writers. Add to the security argument the fact that Microsoft has made no innovative steps and continues to ingore (even thwart) internet standards and the choice should be simple. Just switch to Mozilla, Opera, Netscape, or Safari. Every one of them is more secure and standards complient than IE. They all are more innovative. Why not pull one down and give it a whirl.

Top Ten Tips to Make Attacker&#146;s Lives Hell

Posted Thu, 2004-03-25 21:37 by geekwisdom
Top Ten Tips to Make Attacker’s Lives Hell - Chris McNab breaks down his top ten tips all network administrators should follow to protect their networks from opportunistic threats and make it hard for the more determined attackers to get anywhere. Chris is the author of the recently released Network Security Assessment. [O'Reilly Network Articles]

Assessing Email Harvester Countermeasures

Posted Fri, 2004-03-12 11:34 by geekwisdom

It should be understood that every solution has trade-offs. Some solutions have such negative trade-offs that they remove themselves from contention.

Think of it like this:

Step 1: What assets are you trying to protect?

  • The e-mail inboxes of people in my community

Step 2: What are the risks to these assets?

  • Spam in the inboxes.

Methods spammers use to gather addresses:

  1. Harvesting e-mail addresses from web pages
  2. Harvesting from search engines
  3. Harvesting from whois databases
  4. Harvesting from newsgroups and bulletin boards
  5. Web forms (like formmail.cgi)
  6. LDAP siphoning
  7. List purchasing from unscrupulous web sites
  8. Lists of leads generated from their own sites
  9. Dynamically generated addresses from a dictionary or based on an organizational nomenclature
  10. etc, etc, etc.

Step 3: How well does the coutermeasure mitigate the risks to the assets?