Archive for the ‘Web Security’ Category

Celebrities to watch out for

Thursday, September 3rd, 2009

McAfee has released its annual report on the “Most Dangerous Celebrities in Cyberspace”, outlining how risky the names of Hollywood stars and starlets are on the web. You may be surprised to know, for example, that searching for Barack Obama is less dangerous than celebrities such as Jessica Biel and Beyonce! I say surprised because all the hype and news reporting that surrounded the election and the economic crises focused on the riskiness of the President’s name in malware attacks.

This report looks at the searches of a celebrity figure and how many of those searches land on a website that’s tested positive for online threats such as viruses, spyware, adware, spam, phishing or other malware.

Jessica Biel was named as the Most Dangerous Celebrity in Cyberspace, with searches for “Jessica Biel”, “Jessica Biel downloads”, “Jessica Biel wallpaper”, or “Jessica Biel photos” having a one in five chance of landing on an unsafe website.

The top 10 most dangerous celebrities online are:

  1. Jessica Biel
  2. Beyonce (for the second year)
  3. Jennifer Aniston
  4. Tom Brady
  5. Jessica Simpson
  6. Gisele Bundchen
  7. Miley Cyrus
  8. Megan Fox, Angelina Jolie
  9. Ashley Tisdale
  10. Brad Pitt

You can read details of the celebrities and why they’re risky here.

Do you use a master password in Firefox?

Tuesday, September 1st, 2009

Chad Perrin of Tech Republic has put together a fantastic how-to for using Firefox’s in-built password manager. The article shows you, step-by-step, how to set up a Master Password in Firefox.

Why use a Master Password? Having unique and complicated passwords for all the various websites you use is the most secure method of accessing them. But then you’re likely to forget all those passwords. By using the password manager in Firefox, you can store all those passwords, and just remember a single unique password.

This is something you can set up either on Mac or PC following the same instructions, although on the Mac you would access the interface via Firefox > Preferences.

After you set up the password manager, you’ll be required to enter the master password whenever you start up Firefox. In order for this security to be useful for you, remember to quit Firefox whenever you leave your computer or whenever you’re traveling.

Caveat: using Firefox is not a fool-proof security method for storing your passwords. If you want an even stronger solution, consider using an external password manager such as Password Safe.

While you’re at TechRepublic, also check out the recent article about setting IT Security Policies.

Alternatives to Wi-Fi for Business Travelers

Friday, August 28th, 2009

Business travelers are often putting their data at risk by using public Wi-Fi access points – wireless networks freely available to connect to. When you don’t have a wired network access point, connecting to a wireless network at random may not be your best alternative. It can open you to malicious attacks and to those who track your activities – including capturing private information like passwords.

In order to avoid the risks associated with unknown Wi-Fi networks, there are two solutions you can use.

USB Internet Stick

By connecting a special USB stick to your computer, you can have access to the web in the same way you would with an internet-enabled phone – via a cellular network. Most major cellular providers have one of these options, though they go by many names – in Canada, examples are the “Rogers Rocket Stick” or the “Bell Wireless USB Modem”.

Right now, Verizon is the only company offering a USB modem that will work in 175 countries (Windows only).

The upside: it is more secure than a Wi-Fi access point.

The downside: no added security benefits, and most USB sticks are country-specific, making them impractical for international business travelers.

Virtual Private Network (VPN)

A VPN supplies connectivity to support remote access to the business network. You connect to the internet with whatever means you have available – wired or wireless – and connect to the VPN. VPN technologies use tunneling to create the connection to the business network and use encryption protocols to provide you with private access both to the company network and through it. This means you can access company data as well as access the Internet through this more secure connection.

A VPN uses various security mechanisms to protect these private / virtual connections. There are lots of vendors out there for VPNs, including the Cisco Easy VPN.

The upside: you connect to a secure network, so outsiders can’t monitor your web use

The downside: there are many technologies involved in choosing the right VPN solution for you. For some tips on choosing, visit here and here.

Social Networks Primary Target for Hackers in 2009

Friday, August 21st, 2009

Breach Security has released its Web Hacking Incidents Database (WHID) 2009 Bi-Annual Report, indicating that social networking sites were the most targeted market for hackers so far this year.

The data, compiled from application-related security incidents that are publicly reported, indicates that 19% of the hacks in the first half of 2009 were targeting social networking sites like Twitter and Facebook. This is the first year when social networks became an attack sector. In 2008, government was the leading sector being targeted. The data also indicates a 30% increase in overall web attacks compared to the first half of 2008.

“The dramatic rise in attacks against social networking sites this year can primarily be attributed to attacks on popular new technologies like Twitter, where cross-site scripting and CSRF worms were unleashed,” said Ryan Barnett, director of application security research for Breach Security. “Looking back at 2008, a notable election year, government-related organizations were the top-ranked attack victims and have now dropped to number three. The WHID report demonstrates that hackers can be fickle, following popular culture and trends to achieve the most visible effect for their efforts, which means that companies must be vigilant in implementing web application systems and monitoring application activity.”

Download a copy of the report here.

Also making major news right now is the indictment of Albert Gonzalez on charges of hacking into Heartland Payment Systems. Gonzalez is already awaiting trial over his involvement in the TJX hack, making him part of the hacking team behind two of the largest hacker-based breaches in history. Read more here.

McAfee 2009Q2 Threat Report

Wednesday, August 19th, 2009

McAfee has released the Q2 Threat Report for 2009, which indicates that spam volumes have gone up by 141% since March, making this the “longest ever streak of increasing spam volumes” on record. The Q1 threat report, discussed here, indicated that cybercriminals had taken over almost 12 million new IP addresses (zombies) since January, a 50% increase over 2008. This record has now been broken: Q2 set a new record for zombie computer levels, at nearly 14 million.

In addition to spam volumes, the Q2 report looks at some new trends and threats, as well as continued trends of cybercrime as a service and cybercriminals targeting social networks. Indeed, a major attack was led against Twitter and Facebook just this week.

Key Findings from this Threat Report:

  • More than 14 million computers have been enslaved by cybercriminal botnets (16% increase over Q1)
  • Spam has risen 80% in this quarter, over Q1, with June beating the highest ever recorded spam level
  • Spam comprised 92% of all mail, also setting a new record high
  • Over a 30-day period, AutoRun malware troubled more than 27 million files, making it one of the most prevalent pieces of malware in the world (with a detection rate greater than Conficker’s)
  • There were nearly 14 million new zombies in Q2, also a new record. Computers in the U.S., China and Brazil lead for zombie figures.

Download the Q2 Report here [PDF].

Have You Checked Your Password Strength?

Friday, August 14th, 2009

After reading a very good article recently about the importance of strong passwords, I thought I’d put together a simple post to ask – have you checked the security of your passwords lately? Are they strong enough?

The easiest way to check your password strength is to use Microsoft’s Password Checker, which will tell you if your password is strong enough. It doesn’t guarantee that your password won’t be hacked, but knowing your password is as strong as it can be is one simple step you can take to protect your personal information.

Here’s me checking one of my passwords:

[Image: password-checker.jpg]

If you don’t hit the ‘best’ level in the password strength meter, consider changing your password. You can follow the tips Microsoft lays out here, or read more in the article referenced above on Windows Secrets.

12 Steps to Secure your Small Business Wi-Fi Network

Wednesday, August 12th, 2009

A guest author at InformIT has put together a list of 12 tips to consider when securing your small business wireless network. The list was put together by Eric Geier, author of WiFi Hotspots: Setting Up Public Wireless Internet Access, a book released as part of the Networking Technology Series from Cisco Press.

The recommended 12 steps to a secure small business wi-fi network are:

  1. Use WPA Encryption — preferably WPA2
  2. Use the Enterprise version of WPA/WPA2
  3. Secure Ethernet Ports
  4. Use Extra Encryption (VPNs)
  5. Don’t Connect to Other Networks
  6. Separate Traffic with VLANs
  7. Secure Shared Folders and NAS Devices
  8. Verify Firewalls
  9. Use MAC Address Filtering
  10. Disable SSID Broadcasting
  11. Keep Hardware Updated
  12. Keep Wi-Fi Signals Contained

Learn more about these 12 steps here.

Canadian Government Pushes for Facebook Privacy Changes

Tuesday, August 11th, 2009

Last month, Canada’s Privacy Commissioner released a statement about Facebook and its compliance with Canadian privacy laws. The statement is the result of a study into allegations by the Canadian Internet Policy and Public Interest Clinic that Facebook was not complying with 24 aspects of Canada’s Personal Information Protection and Electronic Documents Act. These aspects included default privacy settings, collection and use of personal information, and disclosure of personal information to third parties. Some of the findings concluded that the allegations were not well-founded, while others were supported.

As a result of the report, Canada has released its Report of Findings and its request that Facebook strengthen its privacy protections. The press briefing included some praise for Facebook’s current privacy measures, though many areas were identified for improvement.

Areas of requested improvement include:

  • Improving information about privacy practices (example: information on deactivating vs deleting an account)
  • Improving safeguards that restrict outside developers from accessing unnecessary profile information
  • Deleting personal information after it is no longer necessary to meet appropriate needs (to comply with Canadian law)

Facebook made some improvements to their privacy measures when provided with an interim report; they now have 30 days (from July 16) to respond to the full report.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

The Privacy Commissioner is empowered to go to Federal Court to seek that the recommendations be enforced. So, it may be that Canada’s report helps to strengthen Facebook privacy standards for all Facebook users!

Via Internet Evolution

Cybercrime on Social Networking Sites Up in 2009

Tuesday, August 4th, 2009

Sophos has released its mid-year Security Threat Report for 2009, which looks at cybercrime for the first half of this year. The report indicates that cybercriminals have increased the focus of their attacks on social networking sites and that hackers are increasingly using scare tactics to solicit users to pay for rogue anti-virus software.

The report indicates that cybercriminals are both exploiting social networks to identify potential victims and then using these networks to attack them. The report encourages Web 2.0 companies to defend their existing users, rather than focusing on growing their userbase at the expense of security standards.

In terms of business data, the survey indicates that two thirds of businesses are worried that information shared by employees online may put their corporate infrastructure at risk. Right now, a quarter of organizations have been exposed to spam, phishing or malware via social networking sites like Facebook, Twitter and MySpace.

Read more about, and download, the report here.

40 Million Identities For Sale Online

Tuesday, July 28th, 2009

According to The Times, more than 4 million British identities and more than 40 million individuals’ identities worldwide are being offered for sale on the internet. The information available for sale includes sensitive financial information (credit card / bank details, some PINs).

This information was reportedly made available online as the result of several initiatives. From what the report indicates, at least 250,000 bank / credit accounts were hacked into. Other information was the result of phishing, a process that dupes individuals into handing over their details (such as login details or credit card details). The information was intercepted over a four-year period by a British company, Lucid Intelligence, and collated into a single database, allowing these figures to be determined for the first time:

The Lucid Intelligence database contains the records of four million Britons, and 40 million people worldwide, mostly Americans. Security experts described the database as the largest of its kind in the world.

The report from The Times indicates that other sensitive information, such as corporate email access details, is being sold in online forums or hacking websites. This puts companies at risk for data breach issues.

Individuals can search the database for free, for now, to see if their information has been sold online. It will specify what information about you is known – whether it’s just your email address, your mailing address, or more high risk information such as banking details. You can learn more about the initiative here.

It’s quite an interesting venture – what do you think about it?
