R Web Security

Internet Security & more

Short URLs, big problems


Short URL services are becoming increasingly popular on social networks, especially on Twitter. When you have to limit your message to just 140 characters, every character becomes important, and posting links to searches on Google or to news websites can rapidly fill an entire Twitter message. Of course, for every problem there is a solution, so URL shortening services like TinyURL, Is.gd or Bit.ly offer free short URLs that redirect to the longer ones. Everything might seem great until the moment you start thinking about security, and several problems come to my mind.

Social engineering is made easier. The user doesn’t really see the URL of the page he’s going to, just the shortened version, which usually doesn’t offer any clue as to where the destination page is hosted. An attacker can say he’s linking to “nice pictures with bunnies”, but instead send the user to a website hosting malicious content.

The reliability is questionable. In order to get to the final destination, it’s not only necessary for the destination’s server to be reachable, but also for the short URL service to be up and running. Reliability problems with TinyURL were what made Twitter switch to Bit.ly recently.

Trust can be a problem. The user wants to click only on safe links, so now he not only has to trust the person who sends him a link, but also an intermediate party: the URL shortening service.
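To see where a short link actually leads before visiting it, a defender can walk the redirect chain with HEAD requests and stop at the first non-redirect response. The Python below is an added example, not code from the original article or from any of the shortening services named; the hop chain it runs against is constructed, and the domain names in it are placeholders.

```python
"""Expand a shortened URL hop by hop so the real destination can be inspected
before anyone clicks it.  Added example, not part of the original article.
The redirect chain below is constructed; `http_head` shows how a real fetcher
looks but is not exercised offline."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_head(url, timeout=5):
    """Real fetcher: one HEAD request, no automatic redirect following.
    Returns (status_code, Location header or None)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


def expand(url, fetch=http_head, max_hops=10):
    """Follow redirects from `url` one hop at a time.

    `fetch(url)` returns (status, location).  Result: the hop chain, the
    final URL and a status of 'resolved', 'loop' or 'too_many_hops'.
    The hop limit and the loop check stop a chain that never ends.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": current, "status": "resolved"}
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return {"chain": chain, "final": nxt, "status": "loop"}
        seen.add(nxt)
        current = nxt
    return {"chain": chain, "final": current, "status": "too_many_hops"}


def hides_destination(result):
    """True when the host the user sees differs from where they would land."""
    first = urlsplit(result["chain"][0]).hostname
    last = urlsplit(result["final"]).hostname
    return first != last


# Constructed redirect chain standing in for live shortener responses.
CONSTRUCTED_HOPS = {
    "http://short.example/abc": (301, "http://short2.example/xyz"),
    "http://short2.example/xyz": (302, "/r/final"),
    "http://short2.example/r/final": (302, "http://news.example.com/story?id=1"),
    "http://news.example.com/story?id=1": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    """Offline stand-in for http_head, driven by CONSTRUCTED_HOPS."""
    return CONSTRUCTED_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://loop.example/a"):
        r = expand(start, fake_fetch)
        print(r["status"], " -> ".join(r["chain"]))
        print("  destination hidden behind short link:", hides_destination(r))
```

Swap `fake_fetch` for the default `http_head` to expand a live link; the chain is reported before the final page is ever requested.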

Security concerns are being raised by these URL shortening services, and I am very glad to see the media also starting to notice them and raise the level of security awareness among their readers: AP recently posted an article about short URL services that also touches on the security problems.

Article by: Stefan

Source: http://viruslist.com/en/weblog

Top 10 Malware Sites


A recent surge in compromised web servers has generated many interesting discussions in online forums and blogs. We thought we would join the conversation by sharing what we found to be the most popular malware sites in the last two months.

As we’ve discussed previously, we constantly scan our index for potentially dangerous sites. Our automated systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Of these domains more than 1,400 were hosted in the .cn TLD. Several contained plays on the name of Google such as goooogleadsence.biz, etc.

The graph shows the top-10 malware sites as counted by the number of compromised web sites that referenced them. All domains on the top-10 list are suspected to have compromised more than 10,000 web sites on the Internet. The graph also contains arrows indicating when these domains were first listed via the Safe Browsing API and flagged in our search results as potentially dangerous.
Other malware researchers reported widespread compromises pointing to the domains gumblar.cn and martuz.cn, both of which made it on our top-10 list. For gumblar, we saw about 60,000 compromised sites; Martuz peaked at slightly over 35,000 sites. Beladen.net was also reported to be part of a mass compromise, but made it only to position 124 on the list with about 3,500 compromised sites.

To help make the Internet a safer place, our Safe Browsing API is freely available and is being used by browsers such as Firefox and Chrome to protect users on the web.

Article by: Niels Provos

Source: googleonlinesecurity.blogspot.com

Gone Phishing! – Experts Weigh In On Why Phishing “Works”


Many people enjoy fishing. It can be relaxing and peaceful and if you are really lucky there may actually be fish involved. If you have ever actually gone fishing you might appreciate one of the current Coca Cola radio commercials where they point out that there is a significant difference between “fishing” and “catching”. Anyone can fish, but catching takes skill.

Fishing of a different sort has become a serious security threat. Dubbed “phishing”, it involves luring unsuspecting users to take the cyber-bait much the same way fishing involves luring a fish to bite the bait.

Douglas Schweitzer, author of Incident Response, describes phishing scams like this: “Phishing attacks use “spoofed” e-mails and fraudulent websites with the attempt to trick unsuspecting Internet users into divulging confidential personal information such as credit card numbers, account usernames and passwords, social security numbers, etc. By hijacking the trusted brands of well-known institutions, phishers are able to convince a small percentage of recipients to respond to them.”

One question is whether or not phishing scams are a result of underlying security flaws in software or simply the result of poor judgment on the part of the user. Ed Skoudis, author of Counter Hack and the Hack – Counter Hack Training Course, says “Both. Users often respond to even lame attempts at phishing, which sometimes include e-mail solicitations full of typos, bad grammar, and other obvious signs that they are not legit. Beyond users, though, the technology doesn’t really support us enough in determining what is a real site. Phishers use all sorts of tricks to disguise their URLs and fool browsers. Getting a legit-looking SSL certificate is trivial. Many users blindly click “accept” when they get an SSL cert warning. Because SSL puts all trust decisions in the hands of users, it’s really easy to pull off a phishing attack that uses HTTPS. That’s because of a combo of user ignorance and technical limitations. And that’s only one example.”

Marcus Ranum, author of Myth of Homeland Security and Senior Scientist at TruSecure Corporation, leans more toward the naive user as the crux of the phishing problem: “It’s silly to try to solve this problem with underlying software. The bottom line is that “phishing” is just an instance of a social engineering problem. The root cause (on one side) is the criminal, and (on the other side) the gullibility of the victim. “Phishers” could just as easily be phoning people at home and claiming to be the credit card company, etc., etc. Adding attempts at technological “quick fixes” isn’t going to work.”

The problem of ignorant or naive users will not be going away any time soon. Security awareness has improved due to computer hacks and malware being front page news so often, but a good percentage of the users are still relatively clueless about even basic security measures and new users start surfing the Web and using the Internet for the first time every day so it is difficult, if not impossible to stay ahead of that curve.

Dan Appleman wrote a book aimed at educating teens, some of the newest members of the Internet community, about basic computer and Internet security: Always Use Protection. On the issue of phishing scams Appleman says “For the average computer user the focus should be first on the basic security precautions they should be taking – those precautions will do a good job of blocking the wide array of specific vulnerabilities as they appear. The focus next should be on education and practice.”

The latest web browsers such as Internet Explorer 7 and Firefox 2.0 contain phishing filters that can help to alert you to potential phishing scam sites. In an interview posted on the ha.ckers.org blog site, an actual “phisher” discusses some of the hows and whys of phishing attacks and states that Internet Explorer 7 and Firefox 2.0 are about the best defense he has yet encountered.

Article by: Tony Bradley

Source: about.com

Understanding How Spammers Work Can Save You Time And Reduce The Spam You Get


Nobody likes receiving spam and having to spend time dealing with it. Even with sophisticated filtering and avoidance mechanisms discussed in my previous articles entitled “Use A Spam Filtering Tool To Manage Spam And Save Hours Everyday” and “7 Steps To Effectively Take Control Of Your Inbox And Reduce Spam”, these unwanted spam messages keep on appearing. By understanding how the system works, we can effectively take steps to significantly reduce the amount of spam that we receive daily.

What we have to understand is that email marketing is by far the most effective way to promote products and services on the internet today. The basis of this system is to collect as many email addresses as you can and repeatedly send email messages out to them. There is a legitimate way to do this and then there is the way spammers do it.

The legitimate way is to collect email addresses only from people who volunteer it to you on a website in return for some information that you offer. In addition to this every email sent out must include a link or instructions on how to unsubscribe. I would take it one step further and say that unsubscription must be instantaneous. Having to wait for a few days is unacceptable with the software tools available today. Following this method, you will only receive email messages that you have opted-in for and as soon as you are not getting any value out of it, you unsubscribe.

The spammers’ mode of operation is to collect email addresses by any and all means available. This could be by building software spiders to crawl websites 24 hours a day looking for email addresses on any page. Usually they search for the HTML “mailto:” link, but as users have stopped hyperlinking in response, the spiders are getting more sophisticated and are putting together text like “john dot smith at domain dot com” into the proper valid email address “john.smith@domain.com”. Some websites list all their employees’ contact emails on one page, and such pages are a prime target for spam. Harvesting guestbooks where emails are displayed is also a very common practice.

Other methods are more malicious and involve virus-like or worm software being installed on your computer and feeding the names in the address book back to a spam server that collects them.

Spammers trade email addresses for money. This is why the system is out of hand – it is an income producing activity. Every email address has a value to it and no matter how little the value, putting together a list of 100,000 can provide a neat income for a spammer. Most spammers have spam lists many times larger than this.

Spammers also include an unsubscribe link at the bottom of spam emails. These links, when clicked and actioned, tell the spammers that this email address actually got through to a live person; that email address is then moved onto a much higher value list and traded for more money. Those of us who have actioned these links have found the flood of incoming spam vastly increase within only days.

So how do we use this knowledge to reduce the spam we get?

First, understand that every time you give out your email address to a website, it can potentially be sold and traded. Therefore, if you are unsure about a site, use an email address that is not your primary one. Webmail services like Hotmail and Yahoo Mail are perfect for this. You only get the messages when you want them and log into those services. I’ve used a Yahoo Mail address for this for years now. Every time I log in there are more than a thousand messages, but the one that I want to look at is at the top. I never have to delete these messages; Yahoo takes care of it automatically. The only requirement is that I log in to the service within a set period, usually 90 or 120 days, to keep the account active.

Once you are comfortable that the site concerned is legitimate, you can then change your email address to your primary one. On the other hand, if you start getting spammed, you do nothing: let the spam emails build up and get deleted automatically by the system.

In my article entitled “7 Steps To Effectively Take Control Of Your Inbox And Reduce Spam” I discuss an elegant way to safely give out email addresses and shut them down in case they get spammed. This is by far the most effective method that I have used.

Other things to watch out for?

Spammers are facing tougher times and they are finding it harder to get new email addresses. While this is a good sign, meaning the general public is getting more educated, it does mean that we have to be careful of where our email addresses are shown or advertised. For example, magazines and newspapers are often great places for a spammer to collect email addresses. This is a much slower method, but if we think about it, these email addresses are of much higher value because somebody has paid money to advertise, so it is bound to be a real address. This means that we have to think laterally in order to stay ahead in the spam game.

Last but not least, we can surely help significantly reduce the problem by not responding to any spam email message whether it is by clicking on a link, replying to the email or unsubscribing using a supplied link. If you really must look at the site, just type in the domain name part of it into your browser and leave out everything after the domain name. This will take you to the site without the spammers tracking identification code.

Together we can surely put a dent in this system by understanding it and staying one or a few steps ahead of spammers.

Article by: Balraj Dhaliwal

Source: www.computerandinternetsecurityblog.com

Gmail BackUp – Do You Really Need Services Like It


A few days back, most Google applications were down for several hours in several parts of the globe. Google officially issued a clarification about it.

But such incidents, although rare, raise the important issue of backup.

Google is the undisputed DON of the web today. Leaving aside the Google search engine, Gmail is one of the most used email services the world over. Have you ever imagined a situation in which Gmail crashes and you are unable to reach your mail account?

Sounds scary. Although the chances of it are remote, who knows? When so much depends on Gmail and Google Accounts, can you afford to take the risk?

And remember, Gmail crashes are not some distant dream. Especially when it is a known fact that Gmail is still in BETA after so many years.

See what O’Reilly says here. http://www.oreillynet.com/xml/blog/2006/12/gmail_disaster_google_confirme.html

And ArsTechnica also reports here. http://arstechnica.com/news.ars/post/20061230-8524.html

And that’s why services like Gmail Backup have been developed.

Gmail Backup is a freeware application which allows you to download all the email in your Gmail Account right there on your PC for offline use. All these emails, with their attachments etc., are downloaded in the Microsoft Outlook compliant .eml format, and thus can easily be used by any desktop email client for offline use.

Sounds great. Yes, it does the job perfectly.

But I have some serious reservations in the use of services like Gmail Backup.


Gmail Backup requires you to give your Google Account username and password to the application. That is to be expected; otherwise, how could such a program fetch your emails? But in an era when your Google Account is almost the key to your online identity, when it stores so much information about you, your search habits, your preferences, and many times is your last backup password, can you afford to share it with a third party?

It is a serious issue to ponder before using a service like Gmail Backup.

And when you can have similar functionality for backing up all your Gmail emails with Thunderbird or Microsoft Outlook, would you still trust a third party like Gmail Backup?

Agreed, you do not get the facility to restore your emails to a new Gmail account with Thunderbird or Outlook, but still, sharing your Google Account with somebody else is too much to ask for a small facility.

No, I am not a taker of this service. Are you?

Source: webtoolsandtips.com

How Do DNS Trojans Work?


How DNS Server Works

As you enter a URL, for example www.yahoo.com, in your browser, the browser asks the DNS server which IP address this name resolves to. In the above example, the IP address is 206.190.60.37: if this IP address is entered directly into the browser, the DNS name is not necessary.

If you can find a way of changing the DNS server address (the service used for the name-to-IP address translation) to a MALWARE ONE, you will be able to do whatever you please. For instance, you’ll be able to resolve the DNS name microsoft.com to Google’s IP address. Sounds odd, doesn’t it? And how can this behaviour be kept across Windows restarts and reinstalls?

Actually, it’s quite simple.

To pull the trick off, the Trojan sets the values of the Connection Network Settings DNS Servers to its own ones and/or changes the settings on your modem or router.

How Router Settings Are Changed by Trojans:

As far as routers and modems are concerned, 90% of the market is occupied by 4-5 major brands. All those brands provide an HTML access panel for the management of the router. Default passwords are universally known and depend on the router vendor.

For example, D-Link has the admin-admin default login-password pair. A trojan contains the functionality to log in automatically to the console of your router and set the MALWARE DNS SERVER addresses instead of the provider’s ones (I REPEAT: THOSE SETTINGS ARE MODIFIED ON THE ROUTER).

After this simple procedure is performed, every time you start your PC (even after Windows is reinstalled), your adapter will automatically retrieve the internet settings with the address of a malware DNS server and save these settings to your PC’s Network Connection Settings.

This results in the “incorrect resolution” of DNS names: when you enter google.com in the address bar of your browser, the microsoft.com website will be displayed. It may also lead to a situation where antivirus / antimalware web sites are unavailable.
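One practical check against the resolver hijack described above is to audit which DNS servers each adapter has picked up. The Python below is an added example, not part of the original article: it parses the English `ipconfig /all` layout (the sample output is constructed), compares each server with a trusted list you maintain (the addresses are placeholders), and treats a LAN address as “the router is forwarding”, which means the router’s own upstream DNS setting still has to be verified in its admin panel, since a PC-side check cannot see it.

```python
"""Audit the DNS servers a Windows PC has been handed, as a defender's check
for the resolver hijack described above.  Added example, not part of the
original article; the ipconfig output and addresses below are constructed."""
import ipaddress
import re

# Resolvers you expect to see (your ISP's or your own).  Placeholder values.
TRUSTED_DNS = {"203.0.113.10", "203.0.113.11"}

# RFC 1918 LAN ranges: a DNS server here is normally the router forwarding
# queries upstream, so the router's own DNS setting must be checked as well.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
DNS_RE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")   # extra servers on following lines


def parse_dns_servers(ipconfig_text):
    """Map adapter name -> list of DNS server addresses from `ipconfig /all`."""
    servers = {}
    adapter = None
    in_dns = False
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1).strip()
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = DNS_RE.match(line)
        if m and adapter is not None:
            servers[adapter].append(m.group(1))
            in_dns = True
            continue
        m = CONT_RE.match(line) if in_dns else None
        if m:
            servers[adapter].append(m.group(1))
        else:
            in_dns = False
    return servers


def audit_dns(servers, trusted=TRUSTED_DNS):
    """Return (adapter, address, verdict) for every configured server."""
    findings = []
    for adapter, addrs in servers.items():
        for addr in addrs:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append((adapter, addr, "unparseable"))
                continue
            if addr in trusted:
                verdict = "trusted"
            elif any(ip in net for net in LAN_NETS):
                verdict = "local forwarder: verify router upstream DNS"
            else:
                verdict = "UNTRUSTED public resolver"
            findings.append((adapter, addr, verdict))
    return findings


def suspicious(findings):
    """Only the entries that point at a resolver you never configured."""
    return [f for f in findings if f[2].startswith("UNTRUSTED")]


# Constructed `ipconfig /all` excerpt: one clean adapter, one hijacked.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.12
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       198.51.100.77
"""

if __name__ == "__main__":
    for finding in audit_dns(parse_dns_servers(SAMPLE_IPCONFIG)):
        print(*finding)
```

On a real machine, feed the saved output of `ipconfig /all` to `parse_dns_servers`; any “UNTRUSTED” verdict, or a “local forwarder” verdict on a router whose admin panel still has its default password, is the condition the article warns about.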

Predators on Social Networks


Social networking is all the rage. Various web sites have sprung up for the sole purpose of providing a place for users to express themselves, share with like-minded individuals, discover new things, and communicate with others. Even I have a Myspace profile and a LinkedIn profile.

The concept is so popular that even the 400-pound gorillas of the Web have jumped on the bandwagon. MySpace was snatched up by Rupert Murdoch’s News Corp. Google has Orkut. Yahoo tried Yahoo 360, and is now beta-testing their new social network dubbed Mash. Microsoft just bought into a large stake of Facebook.

The concept of social networking has also been extended to other areas. For example, Youtube (also picked up by Google), provides users with the ability to express their creativity, network, rate their favorite video clips, etc. Some sites like Flickr, DropShots, or PhotoBucket provide users with the ability to post and share photos and family videos.

The bottom line is that social networking is hugely popular and it is big business. Unfortunately, child molesters, sexual predators, and scam artists have discovered that these sites can also be exploited to find victims.

There have been numerous instances of sexual predators and child molesters posing as children to network with young victims on MySpace.com. MySpace was also recently discovered to be compromised by attackers spreading malware on exploited profile sites. MySpace has taken steps and implemented security measures to minimize this problem, but users should still be cautious and aware.

While not directly related to a social network, Craigslist, the popular regional classified listings site, was recently used by a predator to lure a victim to her death. After listing a job opening for a babysitter / nanny, and arranging a meeting with the potential nanny, the killer then murdered the prospective nanny.

Photo sharing sites are used by thousands of families to post and share family photos. It is possible to restrict access and only let users you identify view the pictures, but many users are proud of their kids and their photographic skills and allow the general public to view the photos as well. Child molesters and sexual deviants can search through these sites and bookmark their favorite photos of young boys and girls.

Follow these steps to use social networking sites responsibly and avoid becoming a victim:

  1. Be Skeptical. At least be cautious. The point of social networking is to find people who share your interests and establish a network of friends, but don’t let down your defenses too easily. Just because someone claims to like the same music as you, or share a passion for scrapbooking, doesn’t mean it is true. These new “friends” are virtual and faceless and you can’t completely trust that they are what they say they are.
  2. Be Diligent. Knowing that the potential exists for scam artists or sexual predators to be lurking about, keep an eye on your profile and be diligent about who you allow to connect with your profile. For photo sharing sites like Flickr, check out the users who are marking your photos as their Favorites. If some stranger is marking all of the pictures of your 7-year old son as their Favorites, it seems a little creepy and may be cause for concern.
  3. Report Suspicious Behavior. If you have reason to believe that someone is a sexual predator or scam artist, report it to the site. If you look at the profile of the user marking your son’s photos as their Favorites, you might find that they have marked hundreds of other young boys’ photos as their Favorites. Flickr, and other such sites, should take action against this sort of suspicious behavior.
  4. Communicate. Parents who have children that surf the Web and frequent these social networking sites should communicate with their children. Make sure your children are aware of the threat, and that they are educated about how to use the Web safely. Make sure that they understand the risks and that they know they can talk with you about suspicious or malicious activity they encounter.
  5. Monitor. If you want additional peace of mind, or you don’t fully trust that your children will stay within the guidelines you have laid out, install some monitoring software to watch their online behavior. Using a product like eBlaster from SpectorSoft, you can monitor and record all activity on a given computer and keep an eye on your children.

Article written by Tony Bradley for netsecurity.about.com

Passwords are not enough


John Stewart of Signify – The Secure Authentication Service – explains why two-factor authentication is better than one

Passwords are getting a bit embarrassing. Organisations are increasingly reluctant to admit that they only use weak static password protection to prevent access to their networks and resources.

A major problem is that people are forgetful. So when asked to pick a memorable combination of letters and numbers, most will opt for something simple like the name of a relative, pet, football team and the date of a birthday.

This drives IT managers crazy; but it’s not easy to change human nature. And even if users do use more complex passwords, they can easily be stolen through simple ‘shoulder surfing’ or using readily available software for password cracking, keyboard logging, or by installing a Trojan horse password piracy programme.

Once someone’s username and password have been hijacked, that person’s entire digital identity is vulnerable and the attacker instantly acquires all the access privileges of the victim.

Yet despite this, many public sector organisations and businesses – both large and small – still seem willing to take this risk.

The problem of identity management and authentication is further compounded by the increase in demand for 24/7 remote access to data and resources from remote and home workers along with the addition of new wireless networks.

The more you open up your infrastructure to Internet or wireless connections, the more you rely on digital identities to differentiate trusted users from the rest.

Two are better than one

A strong authentication system demands two or more distinct proofs of identity before granting access.

Known as two-factor authentication, the most common factors used are something you know such as a secret PIN or password plus something you have.

This can be a unique, physical device such as a token, smartcard or even a mobile phone or PDA.

The physical device is used to generate a One-time Passcode or OTP, so that the user presents a different passcode every time they login.

Therefore, even if a user’s session is snooped, the stolen passcode cannot be reused. Most OTPs require no special reader or input device, so the user is able to log in from any convenient PC or other Internet connected device.
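The mechanics behind “a different passcode every time” and “the stolen passcode cannot be reused” can be shown with HOTP (RFC 4226), a counter-based one-time passcode scheme. The Python below is an added example, not Signify’s or RSA’s code (RSA SecurID uses its own algorithm): a token-side generator plus a server-side verifier that combines the PIN (something you know) with the code (something you have) and refuses any counter at or below the last one it accepted. The secret is the RFC 4226 test-vector key and the PIN is a constructed value.

```python
"""HOTP one-time passcodes (RFC 4226) with a verifier that refuses replays.
Added example, not part of the original article and not RSA SecurID's
algorithm; the secret is the RFC 4226 test-vector key and the PIN is made up."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: holds the shared secret, the user's PIN and the highest
    counter accepted so far.  Requiring each new counter to be greater than
    the last is what makes a snooped passcode useless to an attacker."""

    def __init__(self, secret: bytes, pin: str, window: int = 5):
        self.secret = secret
        self.pin = pin
        self.window = window          # tolerate codes generated but never sent
        self.last_counter = -1

    def verify(self, passcode: str) -> bool:
        """passcode = PIN (something you know) + OTP (something you have)."""
        if len(passcode) != len(self.pin) + 6:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        pin_ok = hmac.compare_digest(pin, self.pin)
        matched = None
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
                break
        if pin_ok and matched is not None:
            self.last_counter = matched   # burn this and every earlier counter
            return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # test-vector key, not a real token

if __name__ == "__main__":
    v = OtpVerifier(RFC4226_SECRET, pin="1234")
    first = "1234" + hotp(RFC4226_SECRET, 0)
    print("first use:", v.verify(first))       # True
    print("replayed:", v.verify(first))        # False: counter 0 already burnt
```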

Secure OTPs can be delivered to users in a variety of ways. Hardware Tokens such as RSA SecurID used in combination with a secret PIN form the most simple, secure and convenient way to generate one-time passcodes.

They are ideal for any form of corporate remote access and particularly for frequent users who usually simply attach the small token to their key rings.

But OTPs can also be delivered on-demand to a user’s registered mobile phone, PDA or email account by SMS or email.

This approach means that the user does not have another device to carry around, but requires an additional request stage.

It is therefore best suited to occasional users, contractors, part-time staff and those checking email from home for example.

It can also provide Extranet access to other departments, professionals and partners or for sensitive online services such as HR, e-commerce or access to health information.

Furthermore, having temporary, short term remote access to the corporate network is also valuable in emergency scenarios caused by bad weather, strikes or terrorist threats, for example.

Smartcards and USB Smartkeys, which require a reader or USB port, can be used to securely store a user’s Public Key Infrastructure (PKI) digital certificate to ‘digitally sign’ documents, or for Single Sign-On and hot-desking applications where users will always be logging in from a corporate-controlled PC or laptop.

Finally, there is biometric authentication. Yet despite generating many column inches in the press, fingerprint, iris and other forms of biometric authentication are still mostly used for physical access security rather than as a digital ID for network and web access.

Because the user is tied to using a computer with an appropriate scanner, most biometrics are not suitable for anywhere-access applications.

Who’s doing 2FA?

Large public sector bodies and companies seem to be getting the 2FA message and are increasingly adopting two-factor protection in the form of tokens, one-time passcodes (OTPs) and USB devices.

Yet, despite facing exactly the same threats, many smaller departments and businesses continue to rely on weak password protection, making them vulnerable to attack.

Like most technology barriers, this probably comes down to cost, perceived complexity and fear of ongoing hassle dealing with a demanding 24/7 remote user community.

In addition, customers may be wary of the added costs and difficulty of deploying and managing the solution.

For example, with a token-based solution such as RSA SecurID, this means everything from despatching devices and rights administration to handling lost tokens or forgotten passwords.

But this needn’t put organisations off. With the emergence of Managed Security Service Providers (MSSPs), these factors are dealt with by those with specialist knowledge, infrastructure and support in order to comprehensively piece together the complexities of the security jigsaw puzzle.

It is one alternative for a quick, simple and affordable option to help alleviate the hassle and upfront capital cost of the move to two-factor authentication.

London Borough of Tower Hamlets

The London Borough of Tower Hamlets uses Signify’s managed RSA SecurID authentication service to provide secure access for all mobile users carrying wireless PCs and PDAs.

Staff can now securely access all corporate systems via LBTH or public wireless hotspots, where previously they had to return to the office to file reports and update necessary documentation.

For field workers in the Borough, secure authentication is providing increased productivity and business efficiency. Planning officers, care workers and councillors all have access to their calendar, email and relevant documentation throughout the course of their working day.

LBTH also wants to provide a more flexible working environment for staff with care and family commitments whilst reducing the amount of office space required.

Trials are taking place via ADSL connectivity with user authentication via Signify’s managed service.

And for social services and care workers Signify’s NHS approved secure authentication provides immediate benefits.

Using their RSA SecurID tokens, social workers can securely access the NHS N3 network, so the Borough can comply with mental health initiatives and the ESCR (electronic social care record).

Whether organisations choose token or token-less authentication or a mixture of both, the option of a managed authentication service makes it easy and affordable to eliminate weak passwords.

It is important that organisations realise that relying on basic passwords for network security is like putting cheap tyres on a Ferrari: it might save you money and hassle in the short term, but you will lose control in the first rainstorm!

For more information visit www.signify.net

Source: www.securitywatch.co.uk

© 2009 R Web Security. All Rights Reserved.
