Wednesday, June 11, 2008

Major Security Vendors' Sites Could Be Launchpads for Phishing Attacks - darkreading.com - 10 Jun 2008

With all the talk about hackers launching attacks from legitimate Websites, you'd think that the major security vendors' sites, at least, would be vulnerability-free.

Not so, according to a report issued yesterday by a security watchdog site. The site, XSSed, states that it has verified some 30 cross-site scripting vulnerabilities spread across the Websites of three of the industry's best-known security vendors: McAfee, Symantec, and VeriSign. The vulnerabilities could make it possible for attackers to launch phishing campaigns from these sites or even distribute malware to the companies' customers, according to XSSed.

By Tim Wilson

Recent studies have shown that Web-based attacks are increasingly being launched from trusted, legitimate sites, rather than from hastily created sites and servers built by the attackers. By exploiting vulnerabilities in legitimate sites, the attacker gains credibility for phishing or malware links and bypasses security tools that blacklist known phishing sites. (See 68% of Malware Now Found on Legitimate Sites and 'Hack-and-Pier' Phishing on the Rise.)

The new XSSed report shows that the big security vendors' sites are no exception to this trend, said Kevin Fernandez, one of the founders of XSSed. "It shows that any company can be infected with XSS," he says. In fact, some attackers have specifically targeted their vulnerability searches on sites such as McAfee, Symantec, and VeriSign, looking on them as a particular challenge, Fernandez says.

"It is unfortunate that many Websites tend to suffer from relatively simple vulnerabilities. It’s worse, though, that the same security vendors who preach security are the ones who often need just as much help as everyone else," says Robert Hansen (aka RSnake), CEO of SecTheory, a security consulting firm. "It just lends credence to the belief that knowledge of the problems doesn’t make you immune to them, which is why education doesn’t appear to be working."

This isn't the first time that XSS vulnerabilities have been exposed on sites such as McAfee's and Symantec's, notes Jeremiah Grossman, CTO of WhiteHat Security. Back in January, XSSed reported that some 60 sites that had received the "hacker safe" label from McAfee's ScanAlert service were vulnerable to XSS attacks. (See Many 'Hacker Safe' Websites Found Vulnerable.)

At the time, Joseph Pierini, director of enterprise services for the ScanAlert "Hacker Safe" program, maintained that XSS vulnerabilities couldn't be used to hack a server. "You may be able to do other things with it," he said. "You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, is not going to be compromised by a cross-site scripting attack, not directly."

"XSS vulnerabilities do present a serious risk; however to date their real-world use has been limited," said Oliver Friedrichs, director of Symantec Security Response, following the XSSed report in January. "XSS vulnerabilities can result in the theft of session cookies, Web site login credentials, and exploitation of trust. XSS vulnerabilities are site-specific, and therefore their lifecycle is limited; they become extinct once they are discovered and repaired by the Website owners."

But both Fernandez and Grossman noted that there have been a number of recent attacks that exploited XSS vulnerabilities in major Websites, including MySpace, Paypal, and major Italian banks.

"Should we be worried? About XSS, yes, but not because these particular security vendors have XSS on their Websites," Grossman says. "Symantec and McAfee really don't specialize in Web application security -- they focus more attention on anti-virus and anti-malware.

"The main worry should be around the more popular and e-commerce driven Websites, like banks, credit unions, social networks, and storefronts," Grossman says. "That is where businesses and users have the most to lose -- and where the real bad guys are focusing their attention."

Sunday, June 8, 2008

Stuff's guide to internet scams - Stuff.com - 07 Jun 2008

The internet can be a scary place if you're not careful. We spend so much time protecting ourselves against hackers and viruses, sometimes we let our guard down when we're dealing with real people.

But people can be dangerous too. Just like the real world, the internet has its share of baddies out to steal your cash (not to mention your pride) by using technology combined with age-old confidence tricks. You don't have to be constantly on guard, but a little caution and know-how will make you a lot safer.
Here are some of the scams to watch out for, and some tips for staying safe.

SOME OF THE SCAMS YOU'LL ENCOUNTER
419 scams - Named after the section of the Nigerian criminal code they violate, 419 scams are emails that claim to be from various dodgy organisations, like European lotteries that you never entered or African banks that claim you're the last living relative of a Moroccan billionaire. They'll ask you to get in touch to claim a reward, usually something ludicrous like $100 million, almost always typed out afterward ("ONE HUNDRED MILLION US DOLLARS").
The catch, besides the fact that the money doesn't actually exist, is that they'll ask for some money to cover the costs of getting the money to you. A variant of this scam asks for money to cover duties for goods held by Customs.

Phishing - These emails pretend to come from banks or auction sites like TradeMe or eBay. Sometimes they'll ask you to confirm your password, sometimes they'll say there's been "unauthorised activity" on your account. Either way the email will contain a link to log in. Do not click on this link, even if it appears to be genuine, because it will lead you to a fake site that often looks real but is just out to steal your info. Type your bank's address into your Web browser and log in normally instead.

Spear Phishing - Like the name implies, spear phishing is a more targeted attempt to steal personal details. Typically you'll receive an email or phone call where they refer to you by name. The message may claim to be from your company's IT department or bank or even the police. They've targeted you not because you've got a reputation for being a dupe, but because your bank account is probably healthy or they want to break into your company's systems. Instead of giving out any information, get their name, then verify it, and what they claim to be doing, with the appropriate authorities.

Mules - Have you ever received a job offer that seemed like you'd be making money just for having a New Zealand bank account? Don't be fooled. Foreign scammers need a Kiwi bank account to transfer money into because there are blocks or limits on transferring money overseas over the internet. Being a mule is illegal, and ignorance won't be much of an excuse when the police come knocking.

Love traps - Dating websites aren't just for lonely hearts. There are also scammers out there pretending to be girls (and guys, but mostly girls) searching for love. Typically they will let the romance begin to bloom, then have a personal crisis and need a loan or reveal they actually live in another country and could you please send money for a plane ticket because they're really eager to see you in person.

Some clever scammers have even written a computer programme that automatically flirts with men to wheedle out their personal details.

To be safe steer clear of overseas sites (you don't need a Russian or Vietnamese bride that badly) and be extra careful talking to people on Kiwi dating websites who live outside the country. If something seems fishy, use your brains instead of other body parts to make a decision. Maybe they really are "crazy about Kiwi guys", but the smart money is they're after your wallet rather than your heart.

Scam websites - Scam websites come in a few flavours. There are fake bank and auction websites that sit on web addresses which are close to the real thing (like www.mybnak.co.nz). These opportunist sites exist solely to trick people who aren't careful typists into giving up their account details. They often use the real bank's logo and images.
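The look-alike address above (www.mybnak.co.nz, a letter swap away from the real name) is exactly what a defender-side check can catch. The following is an added example, not code from the Stuff guide: it compares a URL's hostname against a constructed allow-list of legitimate domains (the bank names are made-up placeholders) using an edit distance that counts adjacent-letter swaps as one edit, and also flags hosts that merely embed a known brand name.

```python
# Added example: flag typosquatted / brand-embedding hostnames against a
# constructed allow-list. Domain names here are placeholders, not real banks.
from urllib.parse import urlsplit

KNOWN_DOMAINS = ["mybank.co.nz", "trademe.co.nz", "example-bank.com"]  # constructed


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1, so 'mybnak' -> 'mybank' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def classify(url: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_domain). Verdicts: 'legitimate' (the domain
    or a subdomain of it), 'lookalike' (within max_distance edits),
    'brand-embedded' (brand label inside the first host label), 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    for legit in known:
        if host == legit or host.endswith("." + legit):
            return "legitimate", legit
    for legit in known:
        if 0 < osa_distance(host, legit) <= max_distance:
            return "lookalike", legit
    first_label = host.split(".")[0]
    for legit in known:
        brand = legit.split(".")[0]
        if brand in first_label:  # e.g. mybank.co.nz.evil.example, mybank-login.com
            return "brand-embedded", legit
    return "unknown", None


if __name__ == "__main__":
    for u in ["https://www.mybnak.co.nz/login", "https://secure.mybank.co.nz/",
              "http://mybank.co.nz.evil.example/", "https://news.example.org/"]:
        print(u, "->", classify(u))
```

A result of 'lookalike' or 'brand-embedded' is a signal to investigate, not proof of fraud; legitimate sites do occasionally register defensive near-miss names.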

Sometimes the websites are even sneakier. They will automatically load the details you put in, say for your bank account, into the real bank's website, so you can't tell anything's wrong. Then when you log out, the scammers keep the connection open and transfer your money out.

Fake sites go one step further and try to hijack your PC. Called drive-by-downloads, they exploit flaws in your web browser to make you automatically download spyware or viruses.

Finally, there are scam websites pretending to be legitimate charities or businesses. After every disaster fake charities will spring up looking for donations, so stick to the official websites of the ones you know. The same is true for online shops. Don't buy unless you're sure it's legit, or you could lose your cash and your credit card details.

HOW TO SPOT A SCAM
Bad grammar and spelling - English often isn't the first language of the scammers, and if you read carefully you can spot tell-tale mistakes that a real bank wouldn't make.
The email asks you for your account details - Emails from banks or TradeMe should never ask you for any of your personal details. Email is not a secure way to communicate because it's hard to verify who exactly is on the other end and the message can be intercepted.

If it sounds too good to be true, it is - Sometimes good things happen. People really do win the lottery. But not if they haven't bought a ticket. If you could really make money doing nothing, everyone would be rich.

WHY DO PEOPLE FALL FOR SCAMS?
Sometimes they're stupid, but more often they're desperate or not paying attention. Emails from fraudsters pretending to be your bank and fake websites often disguise themselves well, using official logos and even real employees' names.

People do fall for 419 scams too, amazingly enough, usually because they desperately need the money and think the email is a godsend. If someone wants to believe something is true, they'll usually find a way to convince themselves.

Spear phishing is "social engineering". If someone called you up at work pretending to be from your company's IT department, you probably wouldn't think someone was trying to scam you.
Ads for mules can go the extra mile to appear to be genuine, using employment websites and official looking websites of their own.

DOH! WHAT TO DO WHEN YOU SCREW UP
I clicked on a link in a phishing email - You're probably ok if you didn't enter in any details. Shut down your browser (and internet connection if you can) and run a full scan for viruses and spyware.

I typed in my bank account/credit card/auction account details - Call your bank immediately. The sooner you do, the less likely you'll be held liable for the money the fraudsters spend on your behalf.

They've stolen my money - The bad news is the criminals responsible are usually overseas, and the chances of catching them are pretty much nil. ASB and Kiwibank will reimburse losses on a case by case basis. If your computer is up to date and running security software and you tell your bank quickly what's happened, the banks will look on it pretty favourably.
Westpac will reimburse all stolen money and BNZ will fully reimburse customers who use their NetGuard system. ANZ and National offer the same guarantee as long as you don't actively participate in the fraud, like for a mule scam.

ANZ, National, ASB, Kiwibank and BNZ offer "two-factor identification" - numbers on tokens or cards which you use as well as your password to log in. This extra security measure makes it much harder for fraudsters to get into your account, so if you can, sign up for it.

I used a computer in an internet café to check my email or bank balance - Never use public computers like those in libraries or internet cafés to log into anything important. If you have, change your password as soon as you can from a secure computer.

I replied to a fraud email - Whether you're asking for more info or telling the scam artists they're scum, it's a bad move. You're just confirming your email address is valid and active. Expect lots more spam in future.

I think I downloaded a virus or spyware - Update your security software and run a complete scan on your system. If you're really paranoid, reformat your hard drive and reinstall your operating system.

Saturday, June 7, 2008

China denies hacking U.S. Commerce Dept. - Keyetv.com - 06 Jun 2008

BEIJING (AP) - China is denying allegations that its operatives tried to hack into Commerce Department computers using data from a U.S. government laptop. U.S. authorities say the laptop was left unattended during a visit to China by Commerce Secretary Carlos Gutierrez for trade talks last December. Officials say they are investigating whether any copying took place. Shortly afterward, three serious attempts at data break-ins at the Commerce Department were reported. A Foreign Ministry spokesman says Chinese officials knew nothing about the laptop cited in the reports. China has consistently denied targeting foreign government and military computer networks.