Cyber threat - Internet threat

What is Email Security?
On one level, email security is ensuring that your emails are secure: that is, it involves the maintenance of the basic information security concepts:

Integrity - ensuring that your message has not had unauthorized alteration
Confidentiality - ensuring that no unauthorized person (or process) has viewed the content
Accountability - being able to prove who wrote the email
Availability - ensuring that the email can be sent/received
Non-repudiability - being able to prove that the recipient really did receive it

But more than the email itself is involved in email security. It also involves:

Ensuring that you neither receive nor send malware hidden within the email or any attachments
Minimizing the receipt of spam, scams, phishing expeditions and illegal content
Ensuring that staff neither accidentally nor with malicious intent allow or send confidential, sensitive or illegal content within or outside of the company

Why do I need Email Security?
You need email security simply because failure to do so has both commercial and legal ramifications. An example that can illustrate both aspects would be infection with a highly destructive and virulent virus. Let us assume that your own systems are infected, and the virus payload is delayed but destructive: that is, you manage to infect, say, a competitor before this virus destroys your system.

The commercial implication is obvious: loss of your systems, data, records etcetera will be severely damaging if not fatal. But on the legal side, many lawyers believe that you could be held liable for any loss suffered by a third party that you infect, whether intentionally or even knowingly or not. If that third party were a competitor, then it would have little incentive not to sue the elbow off you.

And the history of internet litigation is already strewn with examples of both staff and competitors suing companies that have allowed compromising information to circulate within, or worse, to escape from, the company network.

It would be much safer to ensure your email is secure rather than risk the potential problems of insecure emails.

What do I need in Email Security?
Since so much is involved in email security, it is not surprising that you will be lucky to find everything you need in a single product (although the current drive towards single-product unified threat management - UTM - appliances) may change this. Just on the basis of the above discussion, you will need:

Anti-virus software (to ward off viruses and worms)
Anti-spyware software (to ward off trojans, adware and spyware)
Anti-spam, -phishing, -scam software (to cut down on wasted staff time)
Content security software (to make sure confidential, sensitive or illegal content is neither circulated within nor leaked from the company)
A company email usage policy (to reduce staff misuse of the email, and give you some redress for when they do misuse it)
And last but not least, a secure email (as opposed to email security) capability

The secure email system is possibly the hardest of all. The problem is that it inevitably involves encryption - and the only form of encryption that does not create administrative problems between the sender and the receiver is a public key infrastructure (PKI). But PKI is expensive to run and administer - and gets you involved with even more requirements. For example, if you operate a PKI, then you need to consider identity management software and provisioning software. Nevertheless, if you are a large company with lots of sensitive data, then PKI is the obvious route.

In particular, PKI can demonstrably provide four of the five security basics we noted at the outset of this article: integrity, confidentiality, accountability, availability, non-repudiability (availability is the one not specifically provided by PKI).

If you are a small company with lots of sensitive data, then you should consider a secure email system based on PGP.

If you are a very small company with just the occasional sensitive email, then you should look for a web-hosted secure email solution.

[ITSecurity]

Threat alert!

2009-02-09T13:27:00.005+07:00

Take a quick view of current threat alerts and it's level considered by well-known security research centre: McAfee and Symantec

Pharming (an online fraud)

2009-01-31T23:26:00.000+07:00

What is Pharming?

Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information to perpetrate online scams, but are more difficult to detect in many ways because they are not reliant upon the victim accepting a “bait” message. Instead of relying completely on users clicking on an enticing link in fake email messages, pharming instead re-directs victims to the bogus Web site even if they type the right Web address of their bank or other online service into their Web browser.

Pharmers re-direct their victims using one of several ploys. The first method – the one that earned pharming its name – is actually an old attack called DNS cache poisoning. DNS cache poisoning is an attack on the Internet naming system that allows users to enter in meaningful names for Web sites (www.mybank.com) rather than a difficult to remember series of numbers (192.168.1.1). The naming system relies upon DNS servers to handle the conversion of the letter-based Web site names, which are easily recalled by people, into the machine-understandable digits that whisk users to the Web site of their choice. When a pharmer mounts a successful DNS cache poisoning attack, they are effectively changing the rules of how traffic flows for an entire section of the Internet! The potential widespread impact of pharmers routing a vast number of unsuspecting victims to a series of bogus, hostile Web sites is how these fraudsters earned their namesake. Phishers drop a couple lines in the water and wait to see who will take the bait. Pharmers are more like cybercriminals harvesting the Internet at a scale larger than anything seen before.

Pharming example

One of the first known pharming attacks was conducted in early 2005. Instead of taking advantage of a software flaw, the attacker appears to have duped the personnel at an Internet Service Provider into entering the transfer of location from one place to another. Once the original address was moved to the new address, the attacker had effectively “hijacked” the Web site and made the genuine site impossible to reach, embarrassing the victim company and impacting its business. A pharming attack that took place weeks after this incident had more ominous consequences. Using a software flaw as their foothold, pharmers swapped out hundreds of legitimate domain names for those of hostile, bogus Web sites. There were three waves of attacks, two of which attempted to load spyware and adware onto victim machines and the third that appeared to be an attempt to drive users to a Web site selling pills that are often sold through spam email.

[Symantec]

Trojans & Spyware

2009-01-31T23:14:00.004+07:00

In the cyberworld, there are numerous methods available to commit identity theft and other cybercrimes. Learn more about trojan horses and spyware—two of the most popular methods used by cybercrimals.

What is a Trojan Horse?

This term "Trojan Horse" comes from a Greek fable, in which the Greeks presented a giant wooden horse to the Trojans as a peace offering. However, a nasty surprise awaited the Trojans as Greek soldiers sprung out of the hollow horse and captured Troy. Similarly, a Trojan horse program presents itself as a useful computer program, while it actually causes havoc and damage to your computer.

Increasingly, Trojans are the first stage of an attack and their primary purpose is to stay hidden while downloading and installing a stronger threat such as a bot. Unlike viruses and worms, Trojan horses cannot spread by themselves. They are often delivered to a victim through an email message where it masquerades as an image or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities in web browser software such as Microsoft Internet Explorer.

After it is installed, the Trojan horse lurks silently on the infected machine, invisibly carrying out its misdeeds, such as downloading spyware, while the victim continues on with their normal activities.

What is Spyware?

Spyware is a general term used for programs that covertly monitor your activity on your computer, gathering personal information, such as usernames, passwords, account numbers, files, and even driver’s license or social security numbers. Some spyware focuses on monitoring a person’s Internet behavior; this type of spyware often tracks the places you visit and things you do on the web, the emails you write and receive, as well as your Instant Messaging (IM) conversations. After gathering this information, the spyware then transmits that information to another computer, usually for advertising purposes.

Spyware is similar to a Trojan horse in that users unknowingly install the product when they install something else. However, while this software is almost always unwelcome, it can be used in some instances for monitoring in conjunction with an investigation and in accordance with organizational policy.

Spyware is installed in many ways:

Most often spyware is installed unknowingly with some other software that you intentionally install. For example, if you install a "free" music or file sharing service or download a screensaver, it may also install spyware. Some Web pages will attempt to install spyware when you visit their page.
A person who wants to monitor your online activities may also manually install spyware. Depending on how this is done, this might be acceptable surveillance of an individual or an unwelcome, even illegal, invasion of privacy.

Trojans, Spyware & Crime

Trojans and spyware are crimeware—two of the essential tools a cybercriminal might use to obtain unauthorized access and steal information from a victim as part of an attack. The creation and distribution of these programs is on the rise—they are now 37% of all of the thousands of malware Symantec processes on a weekly basis.

Trojans and spyware are developed by professionals. Trojans and spyware are often created by professional crimeware authors who sell their software on the black market for use in online fraud and other illegal activities.

How Can I Avoid Getting Infected

Symantec has performed in-depth research on how and when crimeware programs are created in order to gain a deeper understanding of the problem. Our analysis reveals that Trojans and spyware are developed as a full-time job during what might be considered a normal workday. These findings suggest that crimeware authors are creating their Trojans as a full-time profession.

Fortunately, there are several ways you can help protect your computer against Trojans and spyware. Visit our Cybercrime Prevention page for more details.

For additional tips and more information on cybercrime prevention and response, please visit the Cybercrime Resource Center.

[Symantec]

Tips to Avoid Spam

2009-01-31T23:12:00.001+07:00

Listed below are a number of suggestions that can help prevent your email address from becoming a target to spammers.

Do not post your e-mail address in an unobfuscated form on the Internet. If you need to post your e-mail address, obfuscate it so it cannot be easily harvested such as “name –at- hotmail – dot- com,” Or if you need to include your e-mail address in your signature, include a small graphic image containing your e-mail address.
Check to see if your e-mail address is visible to spammers by typing it into a Web search engine such as www.google.com. If your e-mail address is posted to any Web sites or newsgroups, remove it if possible to help reduce how much spam you receive.
Lots of ISPs provide free e-mail addresses. Set up two e-mail addresses, one for personal e-mail to friends and colleagues, and use the other for subscribing to newsletters or posting on forums and other public locations. If you have a more complex e-mail address, it is less likely to receive spam than one that could be easily dictionary-attacked.
Many ISPs also offer free spam filtering. If this is available, enable it. Report missed spam to your ISP, as it helps reduce how much spam you and other members of the same ISP receive. If your ISP does not offer spam filtering, use anti-spam software to reduce the amount of spam delivered to your inbox.
When replying to newsgroup postings, do not include your e-mail address.
When filling in Web forms, check the site's privacy policy to ensure it will not be sold or passed on to other companies. There may be a checkbox to opt out of third party mailings. Consider opting out to receive less opt-in e-mail.
Never respond to spam. If you reply, even to request removing your e-mail address from the mailing list, you are confirming that your e-mail address is valid and the spam has been successfully delivered to your inbox, not filtered by a spam filter, that you opened the message, read the contents, and responded to the spammer. Lists of confirmed e-mail addresses are more valuable to spammers than unconfirmed lists, and they are frequently bought and sold by spammers.
Do not open spam messages wherever possible. Frequently spam messages include "Web beacons" enabling the spammer to determine how many, or which e-mail addresses have received and opened the message. Or use an e-mail client that does not automatically load remote graphic images, such as the most recent versions of Microsoft® Outlook® and Mozilla Thunderbird.
Do not click on the links in spam messages, including unsubscribe links. These frequently contain a code that identifies the e-mail address of the recipient, and can confirm the spam has been delivered and that you responded.
Never buy any goods from spammers. The spammers rely on very small percentages of people responding to spam and buying goods. If spamming becomes unprofitable and takes lots of effort for little return, spammers have less incentive to continue spamming. Would you risk giving your credit card details to an unknown, unreputable source?
If you have an e-mail address that receives a very large amount of spam, consider replacing it with a new address and informing your contacts of the new address. Once you are on lots of spammers' mailing lists, it is likely that the address will receive more and more spam.
Make sure that your anti-virus software is up to date. Many viruses and Trojans scan the hard disk for e-mail addresses to send spam and viruses. Avoid spamming your colleagues by keeping your anti-virus software up to date.
Use the firewall included with your operating system, or use a firewall from a reputable company, to avoid your computer being hacked or infected with a worm and used as a spam-sending zombie.
Do not respond to e-mail requests to validate or confirm any of your account details. Your bank, credit card company, eBay, Paypal, etc., already have your account details, so would not need you to validate them. If you are unsure if a request for personal information from a company is legitimate, contact the company directly or type the Web site URL directly into your browser. Do not click on the links in the e-mail, as they may be fake links to phishing Web sites.
Do not click on unusual links. Confirm the sender did send the e-mail if it looks suspicious.
Never give out your login details to anyone.
IT departments should train their users not to give out sensitive information.

[McAfee]

Top 10 Phishing Scams

2009-01-31T23:04:00.003+07:00

If you receive a similar message in your inbox you should delete it and not follow the links in the message. If you want to check your account, you should type the bank or company website directly into your web browser, or add a bookmark, rather than following links in an email. If you are unsure if an email you receive is legitimate, visit the companies website directly, phone the company, or contact their Customer Services or fraud department (usually fraud@companyname.com) to confirm that they sent the mail.

Updated Last: Jan 30, 2009

1. Wells Fargo customer service team informs you
2. Wells Fargo customer service: notification
3. Important notice
4. Wells Fargo notification
5. Wells Fargo customer service: official information
6. Wells Fargo customer service informs you
7. Automatic notification
8. official information
9. customer notification
10. Wells Fargo reminder: notification

Top Brands Exploited by Phishing Scams

The following chart shows the top brands exploited by Phishers.
Top Brands Targeted by Phishing Scams: Pie Chart

[McAfee]

Top 10 Internet Scams

2009-01-24T02:47:00.004+07:00

1) The Nigerian scam, also known as 419

Most of you have received an email from a member of a Nigerian family with wealth. It is a desperate cry for help in getting a very large sum of money out of the country. A common
variation is a woman in Africa who claimed that her husband had died, and that she wanted
to leave millions of dollars of his estate to a good business.

In every variation, the scammer is promising obscenely large payments for small unskilled
tasks. This scam, like most scams, is too good to be true. Yet people still fall for this money transfer con game.

They will use your emotions and willingness to help against you. They will promise you a large cut of their business or family fortune.

All you are asked to do is cover the endless legal and other fees that must be paid to the people that can release the scammer's money.

The more you are willing to pay, the more they will try to suck out of your wallet. You will never see any of the promised money, because there isn't any. And the worst thing is, this scam is not even new; its variant dates back to 1920s when it was known as 'The Spanish Prisoner' con.

2) Advanced fees paid for a guaranteed loan or credit card

If you are thinking about applying for a "pre-approved" loan or a credit card that charges an up-front fee, ask yourself: "why would a bank do that?". These scams are obvious to people who take time to scrutinize the offer.

Remember: reputable credit card companies do charge an annual fee but it is applied to the balance of the card, never at the sign-up. Furthermore, if you legitimately clear your credit balance each month, a legitimate bank will often wave the annual fee.

As for these incredible, pre-approved loans for a half-a-million dollar homes: use your common sense. These people do not know you or your credit situation, yet they are willing to offer massive credit limits.

Sadly, a percentage of all the recipients of their "amazing" offer will take the bait and pay the up-front fee.

If only one in every thousand people fall for this scam, the scammers still win several hundred dollars. Alas, far too many victims, pressured by financial problems, willingly step into this con man's trap.

3) Lottery scams

Most of us dream of hitting it big, quitting our jobs and retiring while still young enough to enjoy the fine things in life. Chances are you will receive at least one intriguing email from someone saying that you did indeed win a huge amount of money. The visions of a dream home, fabulous vacation, or other expensive goodies you could now afford with ease, could make you forget that you have never ever entered this lottery in the first place.

This scam will usually come in the form of a conventional email message. It will inform you that you won millions of dollars and congratulate you repeatedly. The catch: before you can collect your "winnings", you must pay the "processing" fee of several thousands of dollars.

Stop! The moment the bad guys cash your money order, you lose.

Once you realize you have been suckered into paying $3000 to a con man, they are long gone with your money. Do not fall for this lottery scam.

4) Phishing emails and phony web pages

This is the most widespread Internet and email scam today. It is a "sting" con game. "Phishing" is identity and password theft based on convincing emails and web pages. These emails and web pages resemble legitimate credit authorities like Citibank, eBay, or Paypal. They frighten or entice you into visiting a phony web page and entering your ID and password. Commonly, the guise is an urgent need to "confirm your identity". They will even offer you
a story of how your account has been attacked by hackers to lure you into entering your confidential information.

The email message will require you to click on a link. But instead of leading you to the real login https: site, they will to a fake website. The fake website is often very convincing looking.

You then innocently enter your ID and password. This information is intercepted by thescammers, who later access your account and fleece you for several hundred dollars.

This phishing con , like all cons, depends on people believing the legitimacy or their emails and web pages. Because it was born out of hacking techniques, "fishing" is stylistically spelled "phishing" by hackers.

Tip: the beginning of the link address should have https://. Phishing fakes will just have http:// (no"s" . If still in doubt, make a phone call to the financial institution to verify if the email is legit. In the meantime, never click on the link in any suspicious email.

5) Items for sale overpayment scam

This one involves an item you might have listed for sale such as a car, truck or some other expensive item. The scammer finds your ad and sends you an email offering to pay much
more than your asking price. The reason for overpayment is supposedly related to the international fees to ship the car overseas. In return, you are to send him the car and the cash for the difference.

The money order you receive looks real so you deposit it into your account. In a couple of days (or the time it takes to clear) your bank informs you the money order was fake and demands you pay that amount back immediately.

In most documented versions of this money order scam, the money order was indeed an authentic document, but it was never authorized by the bank it was stolen from.

In the case of cashier's checks, it is usually a convincing forgery. You have now lost the car, the cash you sent with the car, and you owe a hefty sum of money to your bank to cover for the bad money order or the fake cashier's check.

6) Employment scams

You have posted your resume, with at least some personal data accessible by potential employers, on a legitimate employment site. You receive a job offer to become a "financial representative" of an overseas company you have never even heard of before. The reason they want to hire you is that this company has problems accepting money from US customers and they need you to handle those payments. You will be paid 5 to 15 percent commission per transaction.

If you apply, you will provide the scammer with your personal data, such as bank account information, so you can "get paid". Instead, you will experience some, or all, of the following:

* identity theft,
* money stolen from your account, or
* may receive fake checks or money orders for payments which you deposit into your account but must send 85 â€“ 95 percent of that to your "employer".

Soon you will owe much money to your bank!

In other instance, you will receive an unsolicited e-mail message from a "multinational company" congratulating you for being selected for a specific job. The e-mail contains details about the "hiring company", the positions needed, and a very enticing compensation package.

You will be asked to send money through Western Union as processing fee or reservation fee.

7) Disaster relief scams

What do 9-11, Tsunami and Katrina have in common? These are all disasters, tragic eventswhere people die, lose their loved ones, or everything they have. In times like these, good people pull together to help the survivors in any way they can, including online donations. Scammers set up fake charity websites and steal the money donated to the victims of disasters.

If your request for donation came via email, there is a chance of it being a phishing attempt. Do not click on the link in the email and volunteer your bank account or credit card information.

Your best bet is to contact the recognized charitable organization directly by phone or their website.

8) Travel scams

These scams are most active during the summer months. You receive an email with the offer to get amazingly low fares to some exotic destination but you must book it today or the offer expires that evening. If you call, you'll find out the travel is free but the hotel rates are highly overpriced.

Some can offer you rock-bottom prices but hide certain high fees until you 'sign on the dotted line'. Others, in order to give you the 'free' something, will make you sit through a timeshare pitch at the destination. Still others can just take your money and deliver nothing.

Also, getting your refund, should you decide to cancel, is usually a lost cause, often called a nightmare or mission-impossible.

Your best strategy is to book your trip in person, through a reputable travel agency or proven legitimate online service like Travelocity or Expedia.

9) "Make Money Fast" chain emails

A classic pyramid scheme: you get an email with a list of names, you are asked to send 5 dollars (or so) by mail to the person whose name is at the top of the list, add your own name to the bottom, and forward the updated list to a number of other people.

The author of this scam letter painstakingly explains that, if more and more people join this chain, when it's your turn to receive the money, you might even become a millionaire!

Bear in mind that, most times, the list of names is manipulated to keep the top name (the creator of the scam, or his friends) on top, permanently.

As with the previously circulating snail-mail version of this chain, the email edition is just as illegal. Should you choose to participate, you risk being charged with fraud â€“ definitely not something you want on your record, or resume.

10) "Turn Your Computer Into a Money-Making Machine!"

Although not a full blown scam, this scheme works as follows: You send someone money for instructions on where to go and what to download and install on your computer to turn it into a money-making machine -- for spammers.

At sign-up, you get a unique ID and you have to give them your PayPal account information for the "big money' deposits you'll soon be receiving. The program that you are supposed to run, sometimes 24/7, opens multiple ad windows, repeatedly, thus generating per-click revenue for spammers.

In other scenario, your ID is limited to a certain number of page clicks per day. In order to make any money whatsoever from this scheme, you are pretty much forced to scam the spammers by hiding your real IP address with Internet proxy services such as "findnot", so you can make more page clicks.

I won't even go into the discussion about what this program will do to your computer's performance... it is a true tragedy if you get conned into this scam.

[poes gov ph]

Choose a good password.

2009-01-22T00:43:00.003+07:00

Your password is more than just a key to your online account. If your password falls into the wrong hands, someone can easily impersonate you while online, sign your name to online service agreements or contracts, engage in transactions, or change your account information. So, choose your password carefully and then keep it safe from others.

A password is like a toothbrush: Choose a good one and don't share it. A Yahoo! password can be any length, and can contain spaces, symbols, or numbers. With so many options, you should be able to come up with a password that's easy for you to remember but impossible for someone else to figure out. A password is a secret that only you should know.

Here are some tips for choosing a strong password — one that is difficult to guess.

Choose a password you'll remember. It should be memorable for you (so that you don't have to write it down or leave it in the open), but difficult for others to guess.
Avoid using a word. Avoid a complete word from a dictionary (English or otherwise) or a name.
Use at least 7 characters. The more characters your password contains, the harder it is for someone to guess it. A long but simple password can be safer than a short, complex one — and often easier to remember.
Use a combination of capital and lowercase letters, numbers, and standard symbols (! @ # $ % ^ & *). Your Yahoo! password is case-sensitive, which means that a capital letter A is different from a lowercase a.
Don't use personal information that someone could easily figure out. Avoid a password based on information easily obtained about you (like your birthday, your child or pet's name, phone number, license plate number, employer, school name, automobile brand, or street name). Don't use a password you already use for another account, such as your bank account PIN. And don't use your Yahoo! ID (or other user name) in any form (such as reversed, capitalized, or doubled).
Avoid the obvious. Don't make it easy for attackers by repeating a digit or letter (like "111111" or "FFFFFF") or any other common sequence of characters (like "123456"). Stay away from obvious passwords such as "test" or "password." When you change your password, change several characters; don't just append a number like "2" to the end. And make sure anyone watching you enter your password can't guess it as you type (such as a password typed using a single hand, like "qwerty").
Put a new spin on a familiar phrase. Pick a favorite phrase or lyric for your password. To shorten it, substitute letters with a number or a standard symbol or remove vowels. For example, "fredsboy" can be made into "Fr3d$boy." Shorten "two tickets to paradise" to "2Tickets2Paradiz," or combine "cat" and "dog" into "cAt!Do8."
If you use a password generator, be careful. Make sure you can identify and trust the creator of a password management or generator program. Never share any personal information unless you trust the company or person you're working with. Online password-generator programs can help you create a random password that is generally harder to crack but also more difficult to remember.

[Yahoo]

Computer security risks to home users

2009-01-18T23:14:00.008+07:00

What is at risk?

Information security is concerned with three main areas:

Confidentiality - information should be available only to those who rightfully have access to it

Integrity -- information should be modified only by those who are authorized to do so

Availability -- information should be accessible to those who need it when they need it

These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending email messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.

Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats -- and some of those steps help with both the intentional and accidental risks you're likely to face.

Before we get to what you can do to protect your computer or home network, let’s take a closer look at some of these risks.

Intentional misuse of your computer

Trojan horse programs

Back door and remote administration programs

Denial of service

Being an intermediary for another attack

Unprotected Windows shares

Mobile code (Java, JavaScript, and ActiveX)

Cross-site scripting

Email spoofing

Email-borne viruses

Hidden file extensions

Chat clients

Packet sniffing

Trojan horse programs

Trojan horse programs are a common way for intruders to trick you (sometimes referred to as "social engineering") into installing "back door" programs. These can allow intruders easy access to your computer without your knowledge, change your system configurations, or infect your computer with a computer virus. More information about Trojan horses can be found in the following document.

http://www.cert.org/advisories/CA-1999-02.html

Back door and remote administration programs

On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer.

Denial of service

Another form of attack is called a denial-of-service (DoS) attack. This type of attack causes your computer to crash or to become so busy processing data that you are unable to use it. In most cases, the latest patches will prevent the attack. The following documents describe denial-of-service attacks in greater detail.

http://www.cert.org/advisories/CA-2000-01.html

http://www.cert.org/archive/pdf/DoS_trends.pdf

It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.

Being an intermediary for another attack

Intruders will frequently use compromised computers as launching pads for attacking other systems. An example of this is how distributed denial-of-service (DDoS) tools are used. The intruders install an "agent" (frequently through a Trojan horse program) that runs on the compromised computer awaiting further instructions. Then, when a number of agents are running on different computers, a single "handler" can instruct all of them to launch a denial-of-service attack on another system. Thus, the end target of the attack is not your own computer, but someone else’s -- your computer is just a convenient tool in a larger attack.

Unprotected Windows shares

Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in

http://www.cert.org/incident_notes/IN-2000-01.html

Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in

http://www.cert.org/incident_notes/IN-2000-03.html

There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.

Mobile code (Java/JavaScript/ActiveX)

There have been reports of problems with "mobile code" (e.g. Java, JavaScript, and ActiveX). These are programming languages that let web developers write code that is executed by your web browser. Although the code is generally useful, it can be used by intruders to gather information (such as which web sites you visit) or to run malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your web browser. We recommend that you do so if you are browsing web sites that you are not familiar with or do not trust.

Also be aware of the risks involved in the use of mobile code within email programs. Many email programs use the same code as web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript, and ActiveX are often applicable to email as well as web pages.

More information on malicious code is available in http://www.cert.org/tech_tips/malicious_code_FAQ.html

More information on ActiveX security is available in http://www.cert.org/archive/pdf/activeX_report.pdf

Cross-site scripting

A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.

You can potentially expose your web browser to malicious scripts by

following links in web pages, email messages, or newsgroup postings without knowing what they link to

using interactive forms on an untrustworthy site

viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags

More information regarding the risks posed by malicious code in web links can be found in CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.

Email spoofing

Email “spoofing” is when an email message appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Spoofed email can range from harmless pranks to social engineering ploys. Examples of the latter include

email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply

email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

Note that while service providers may occasionally request that you change your password, they usually will not specify what you should change it to. Also, most legitimate service providers would never ask you to send them any password information via email. If you suspect that you may have received a spoofed email from someone with malicious intent, you should contact your service provider's support personnel immediately.

Email borne viruses

Viruses and other types of malicious code are often spread as attachments to email messages. Before opening any attachments, be sure you know the source of the attachment. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs.

Many recent viruses use these social engineering techniques to spread. Examples include

W32/Sircam -- http://www.cert.org/advisories/CA-2001-22.html

W32/Goner -- http://www.cert.org/incident_notes/IN-2001-15.html

Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program.

Hidden file extensions

Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes. Examples include

Downloader (MySis.avi.exe or QuickFlick.mpg.exe)

VBS/Timofonica (TIMOFONICA.TXT.vbs)

VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)

VBS/OnTheFly (AnnaKournikova.jpg.vbs)

The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example). For further information about these and other viruses, please visit the sites listed on our Computer Virus Resource page:

http://www.cert.org/other_sources/viruses.html

Chat clients

Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted bi-directionally between computers on the Internet. Chat clients provide groups of individuals with the means to exchange dialog, web URLs, and in many cases, files of any type.

Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients. As with email clients, care should be taken to limit the chat client’s ability to execute downloaded files. As always, you should be wary of exchanging files with unknown parties.

Packet sniffing

A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the packet sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require administrator-level access.

Relative to DSL and traditional dial-up users, cable modem users have a higher risk of exposure to packet sniffers since entire neighborhoods of cable modem users are effectively part of the same LAN. A packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood.

Accidents and other risks

In addition to the risks associated with connecting your computer to the Internet, there are a number of risks that apply even if the computer has no network connections at all. Most of these risks are well-known, so we won’t go into much detail in this document, but it is important to note that the common practices associated with reducing these risks may also help reduce susceptibility to the network-based risks discussed above.

Disk failure

Recall that availability is one of the three key elements of information security. Although all stored data can become unavailable -- if the media it’s stored on is physically damaged, destroyed, or lost -- data stored on hard disks is at higher risk due to the mechanical nature of the device. Hard disk crashes are a common cause of data loss on personal computers. Regular system backups are the only effective remedy.

Power failure and surges

Power problems (surges, blackouts, and brown-outs) can cause physical damage to a computer, inducing a hard disk crash or otherwise harming the electronic components of the computer. Common mitigation methods include using surge suppressors and uninterruptible power supplies (UPS).

Physical Theft

Physical theft of a computer, of course, results in the loss of confidentiality and availability, and (assuming the computer is ever recovered) makes the integrity of the data stored on the disk suspect. Regular system backups (with the backups stored somewhere away from the computer) allow for recovery of the data, but backups alone cannot address confidentiality. Cryptographic tools are available that can encrypt data stored on a computer’s hard disk. The CERT/CC encourages the use of these tools if the computer contains sensitive data or is at high risk of theft (e.g. laptops or other portable computers).

What is at risk?

Information security is concerned with three main areas:

Confidentiality - information should be available only to those who rightfully have access to it

Integrity -- information should be modified only by those who are authorized to do so

Availability -- information should be accessible to those who need it when they need it

Before we get to what you can do to protect your computer or home network, let’s take a closer look at some of these risks.

Intentional misuse of your computer

Trojan horse programs

Back door and remote administration programs

Denial of service

Being an intermediary for another attack

Unprotected Windows shares

Mobile code (Java, JavaScript, and ActiveX)

Cross-site scripting

Email spoofing

Email-borne viruses

Hidden file extensions

Chat clients

Packet sniffing

Trojan horse programs

http://www.cert.org/advisories/CA-1999-02.html

Back door and remote administration programs

Denial of service

http://www.cert.org/advisories/CA-2000-01.html

http://www.cert.org/archive/pdf/DoS_trends.pdf

It is important to note that in addition to being the target of a DoS attack, it is possible for your computer to be used as a participant in a denial-of-service attack on another system.

Being an intermediary for another attack

Unprotected Windows shares

http://www.cert.org/incident_notes/IN-2000-01.html

Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in

http://www.cert.org/incident_notes/IN-2000-03.html

There is great potential for the emergence of other intruder tools that leverage unprotected Windows networking shares on a widespread basis.

Mobile code (Java/JavaScript/ActiveX)

More information on malicious code is available in http://www.cert.org/tech_tips/malicious_code_FAQ.html

More information on ActiveX security is available in http://www.cert.org/archive/pdf/activeX_report.pdf

Cross-site scripting

You can potentially expose your web browser to malicious scripts by

following links in web pages, email messages, or newsgroup postings without knowing what they link to

using interactive forms on an untrustworthy site

viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags

More information regarding the risks posed by malicious code in web links can be found in CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests.

Email spoofing

Spoofed email can range from harmless pranks to social engineering ploys. Examples of the latter include

email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply

email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information

Email borne viruses

Many recent viruses use these social engineering techniques to spread. Examples include

W32/Sircam -- http://www.cert.org/advisories/CA-2001-22.html

W32/Goner -- http://www.cert.org/incident_notes/IN-2001-15.html

Hidden file extensions

Downloader (MySis.avi.exe or QuickFlick.mpg.exe)

VBS/Timofonica (TIMOFONICA.TXT.vbs)

VBS/CoolNote (COOL_NOTEPAD_DEMO.TXT.vbs)

VBS/OnTheFly (AnnaKournikova.jpg.vbs)

http://www.cert.org/other_sources/viruses.html

Chat clients

Packet sniffing

Accidents and other risks

Disk failure

Power failure and surges

Physical Theft

[CERT ORG]

Securing your Apple Safari web browser

2009-01-18T22:31:00.006+07:00

The Safari web browser supports many of the same features as Mozilla Firefox. The following are some steps to disable various features in Safari on Mac OS X. The options for Safari for Microsoft Windows may differ slightly. Also note that some menu options may change over time, and you should adapt the steps below as appropriate.

In order to change settings for Safari, select Safari then Preferences…

Note that on the Safari menu, you can also select the option “Block Pop-up Windows”. This option will prevent sites from opening another window through the use of scripting or active content. Be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.

Once you select the Preferences menu, the window below will open. The first tab to look at is the General tab. On this tab you can set up many options such as Save downloaded files to: and Open “safe” files after downloading. We recommend that you download files to a folder that you create for that purpose. We also recommend that you deselect the Open “safe” files after downloading option.

The next section of interest is the AutoFill tab. On this tab, you can select what types of forms your browser will fill in automatically. In general, we recommend against using AutoFill features. If someone can gain access to your machine, or the AutoFill data files, then the AutoFill feature may allow them to use the stored credentials to access to other sites that they would not otherwise have the ability to access. However, if used with appropriate protective measures, it may be acceptable to enable AutoFill. We recommend using filesystem encryption software such as OS X FileVault along with the Use secure virtual memory option to provide additional security for files that reside in a user's home directory.

The Security tab provides several options. The Web Content section permits you to enable or disable various forms of scripting and active content. We recommend disabling the first three options in this section, and only enabling them based on site-specific cases. We recommend selecting the Block Pop-up Windows option. Remember that this option will prevent sites from opening another window through the use of scripting, or active content. Again, be aware that while Pop-up Windows are often associated with advertisements, some sites may attempt to display relevant content in a new window. Therefore, setting this option may disable the functionality of some sites.

It is safer to use Safari without plug-ins and Java, so we recommend disabling the options Enable plug-ins and Enable Java. It is also safer to disable JavaScript. However, many web sites require JavaScript for proper operation.

In this dialog you can disable cookies and also view or remove cookies that have been set. In general we recommend disabling cookies, and enabling them only when you visit a site that requires their use. At this point, you should determine if the site is trustworthy and whether you want to enable cookies to view the site’s content. After you are finished visiting the site, we recommend disabling cookies until needed again. You can choose to only accept cookies from the sites that visit by selecting the Only from sites you navigate to option. This will permit sites that you visit to set cookies, but not third-party sites. Finally, we recommend selecting the Ask before sending a non-secure form to a secure website option. This will prompt you before sending unencrypted form data when viewing an HTTPS-secured web site.

[US-CERT]

Securing your Mozila Firefox web browser

2009-01-18T22:29:00.004+07:00

Mozilla Firefox supports many features of the same features as Internet Explorer, with the exception of ActiveX and the Security Zone model. Mozilla Firefox does have the underlying support for configurable security policies (CAPS), which is similar to Internet Explorer's Security Zone model, however there is no graphical user interface for setting these options. We recommend looking in the Help, For Internet Explorer Users menu to help users understand how terminology differs between the two applications.

The following are some steps to disable various features in Mozilla Firefox. Note that some menu options may change between versions or may appear in different locations depending on the host operating system. You should adapt the steps below as appropriate.

To edit the settings for Mozilla Firefox, select Tools, then Options.

You will then see an Options window that has a Category row at the top and the features for that category below. The first category of interest is the General category. Under this section, you can set Firefox as your default browser. Also select the option Always ask me where to save files. This will make it more obvious when a web page attempts to save a file to your computer.

Under the Privacy category, you will find options for browser History and Cookies. In the History section, disable the option to Remember what I enter in forms and the search bar. If the browser remembers these options, it can be a privacy violation, especially if the browser is used in a shared environment. Visited page and download history can be disabled here too.

In the Cookie section, select ask me every time. This will help make it clear when a web site is attempting to set a cookie.

When the user is prompted, the contents of the cookie can be viewed and the user can select whether to Deny, Allow for Session, or Allow the cookie. This gives the user more information about what sites are using cookies and also gives more granular control of cookies as opposed to globally enabling them. Select Use my choice for all cookies from this site to have the browser remember your decision so that you will not be prompted each time you return to the site. Clicking the Allow for Session button will cause the cookie to be cleared when the browser is restarted. If prompting for each cookie is too excessive, the user may wish to select the Keep until: I close Firefox option. This will prevent web sites from being able to set persistent cookies.

Many web browsers will offer the ability to store login information. In general, we recommend against using such features. Should you decide to use the feature, ensure that you use the measures available to protect the password data on your computer. Under the Security category, the Passwords section contains various options to manage stored passwords, and a Master Password feature to encrypt the data on your system. We encourage you to use this option if you decide to let Mozilla Firefox manage your passwords.

The Warn me when sites try to install add-ons option will display a warning bar at the top of the browser when a web site attempts to take such an action.

The Content category contains an option to Enable Java. Java is a programming language that permits web site designers to run applications on your computer. We recommend disabling this feature unless required by the trusted site you wish to visit. Again, you should determine if this site is trustworthy and whether you want to enable Java to view the site’s content. After you are finished visiting the site, we recommend disabling Java until needed again.

Press the Advanced button to disable specific JavaScript features. We recommend disabling all of the options displayed in this dialog.

The Content section has an option to modify actions taken when files are downloaded. Any time a file type is configured to automatically open with an associated application, this can make the browser more dangerous to use. Vulnerabilities in these associated applications can be exploited more easily when they are configured to automatically open. Click the Manage button to view the current download settings and modify them if necessary.

The Download Actions dialog will show the file types and the currently configured actions to take when the browser encounters such a file. For all listed file types, either select Remove Action or Change Action... to modify the action to save the file to the computer. This increases the amount of user action required to launch the associated applications, and will therefore help prevent automated exploitation of vulnerabilities that may exist in these applications.

Firefox 1.5 and later include a feature to Clear Private Data. This option will remove potentially sensitive information from the web browser. Select Clear Private Data... from the Tools menu to use this privacy feature.

Because Firefox does not have easily-configured security zones like Internet Explorer, it can be difficult to configure the web browser options on a per-site basis. For example, a user may wish to enable JavaScript for a specific, trusted site, but have it disabled for all other sites. This functionality can be added to Firefox with an add-on, such as NoScript.

With NoScript installed, JavaScript will be disabled for sites by default. The user can allow scripts for a web site by using the NoScript icon menu. Scripts can be allowed for a site on a temporary or a more permanent basis. If Temporarily allow is selected, then scripts are enabled for that site until the browser is closed.

Because many web browser vulnerabilities require scripting, configuring the browser to have scripting disabled by default greatly reduces the chances of exploitation. To extend this protection even further, NoScript can be configured to also block Java, Flash, and other plug-ins by default. This can help to mitigate any vulnerabilities in these plug-in technologies. NoScript will replace these elements with a placeholder icon, which can be clicked to enable the element. Click the NoScript icon and then click Options... to get to the NoScript configuration screen.

On the Plugins tab, select the options as follows:

Aside from visiting web sites that are inherently malicious, users can also be put at risk when a legitimate, trusted site is compromised. For this reason, we recommend enabling the option to Apply these restrictions to trusted sites too. If this option is too intrusive, it can be turned off at the cost of increased risk.

[US-CERT]

Securing your Microsoft Internet Explorer web browser

2009-01-18T22:28:00.005+07:00

Microsoft Internet Explorer (IE) is a web browser integrated into the Microsoft Windows operating system. Removal of this application is not practical.

In addition to supporting Java, scripting and other forms of active content, Internet Explorer implements ActiveX technology. While any application is potentially vulnerable to attack, it is possible to mitigate a number of serious vulnerabilities by using a web browser that does not support ActiveX controls. However, using an alternate browser may affect the functionality of some sites that require the use of ActiveX controls. Note that using a different web browser will not remove IE, or other Windows components from the system. Other software, such as email clients, may use IE, the WebBrowser ActiveX control (WebOC), or the IE HTML rendering engine (MSHTML). Results from the CERT/CC ActiveX workshop in 2000 are available at http://www.cert.org/reports/activeX_report.pdf.

Here are steps to disable various features in Internet Explorer 7. Note that menu options may vary between versions of IE, so you should adapt the steps below as appropriate.

In order to change settings for Internet Explorer, select Tools then Internet Options…

Select the Security tab. On this tab you will find a section at the top that lists the various security zones that Internet Explorer uses. More information about Internet Explorer security zones is available in the Microsoft document Setting Up Security Zones. For each of these zones, you can select a Custom Level of protection. By clicking the Custom Level button, you will see a second window open that permits you to select various security settings for that zone. The Internet zone is where all sites initially start out. The security settings for this zone apply to all the web sites that are not listed in the other security zones. We recommend the High security setting be applied for this zone. By selecting the High security setting, several features including ActiveX, Active scripting, and Java will be disabled. With these features disabled, the browser will be more secure. Click the Default Level button and then drag the slider control up to High.

For a more fine-grained control over what features are allowed in the zone, click the Custom Level button. Here you can control the specific security options that apply to the current zone. For example ActiveX can be disabled by selecting Disable for Run ActiveX controls and plug-ins. Default values for the High security setting can be selected by choosing High and clicking the Reset button to apply the changes.

The Trusted sites zone is a security zone for sites that you think are safe to visit. You believe that the site is designed with security in mind and that it can be trusted not to contain malicious content. To add or remove sites from this zone, you can click the Sites… button. This will open a secondary window listing the sites that you trust and permitting you to add or remove them. You may also require that only verified sites (HTTPS) can be included in this zone. This gives you greater assurance that the site you are visiting is the site that it claims to be.

We recommend setting the security level for the Trusted sites zone to Medium-high (or Medium for Internet Explorer 6 and earlier). When the Internet Zone is set to High, you may encounter web sites that do not function properly due to one or more of the associated security settings. This is where the Trusted sites zone can help. If you trust that the site will not contain malicious content, you can add it to the list of sites in the Trusted sites zone. Once a site is added to this zone, features such as ActiveX and Active scripting will be enabled for the site. The benefit of this type of configuration is that IE will be more secure by default, and sites can be “whitelisted” in the Trusted sites zone to gain extra functionality.

The Privacy tab contains settings for cookies. Cookies are text files placed on your computer by various sites that you visit either directly (first-party) or indirectly (third-party) through ad banners, for example. A cookie can contain any data that a site wishes to store. It is often used to track your computer as you move through a web site and store information such as preferences or credentials. We recommend that you select the Advanced button and select Override automatic cookie handling. Then select Prompt for both first and third-party cookies. This will prompt you each time a site tries to place a cookie on your machine. If the number of cookie prompts is too excessive, the option to Always allow session cookies can be enabled. This will allow non-persistent cookies to be accepted without user interaction. Session cookies have less risk than persistent cookies.

You can then evaluate the originating site, whether you wish to accept or deny the cookie, and what action to take (allow or block, with the option to remember the decision for all future cookies from that web site). For example, if visiting a web site causes a cookie prompt from a web domain that is associated with advertising, you may wish to click Block Cookie to prevent that domain from being able to set cookies on your computer, for privacy reasons.

By selecting the Sites... button, you can manage the cookie settings for specific sites. You can add or remove sites, and you can change the current settings for existing sites. The bottom section of this window will specify the domain of the site and the action to take when that site wants to place a cookie on your machine. You can use the upper section of this window to change these settings.

Alternatively, if you do not wish to receive warning dialogs when a site attempts to set a cookie, you can use Internet Explorer's pre-set privacy rules. Click the Default button and then drag the slider up to High. Note that some web sites may fail to function properly with the High setting. In such cases, you may add the site to the list of sites for which cookies are allowed, as described above.

The Advanced tab contains settings that apply to all of the security zones. We recommend that you disable the Enable third-party browser extensions option. This option includes tool bars and Browser Helper Objects (BHOs). While some add-ons can be useful, they also have the ability to violate your privacy. For example, a browser add-on may monitor your web browsing habits, or even change the contents of web pages in an attempt to gather personal information.

Internationalized Domain Names (IDN) can be abused to allow spoofing of web page addresses. This can allow phishing attacks to be more convincing. More details about IDN spoofing can be found in Vulnerability Note VU#273262. To protect against IDN spoofing in Internet Explorer, enable the Always show encoded addresses option. This will cause IDN addresses to be displayed in an encoded form in the Internet Explorer address bar and status bar, which will remove the visual similarity to the spoofing target address.

We also recommend that you disable the Play sounds in webpages option. Sounds in web pages are rarely integral to web page content, and may also introduce security risks by having the browser process additional untrusted data. This option is for Internet Explorer's ability to natively handle sounds. It will not interfere with other software, such as Adobe Flash or Apple QuickTime.

Under the Programs tab, you can specify your default applications for viewing web sites, email messages and various other network related tasks. You can also disable Internet Explorer from asking you if you would like it to be your default web browser here.

[US-CERT]

Threat in javascript and VBscript

2009-01-18T22:26:00.004+07:00

JavaScript, also known as ECMAScript, is a scripting language that is used to make web sites more interactive. There are specifications in the JavaScript standard that restrict certain features such as accessing local files.

VBScript is another scripting language that is unique to Microsoft Windows Internet Explorer. VBScript is similar to JavaScript, but it is not as widely used in web sites because of limited compatibility with other browsers.

The ability to run a scripting language such as JavaScript or VBScript allows web page authors to add a significant amount of features and interactivity to a web page. However, this same capability can be abused by attackers. The default configuration for most web browsers enables scripting support, which can introduce multiple vulnerabilities, such as the following:

Cross-Site Scripting

Cross-Site Scripting, often referred to as XSS, is a vulnerability in a web site that permits an attacker to leverage the trust relationship that you have with that site. For a high-level description of XSS attacks, please see the whitepaper published at http://www.cert.org/archive/pdf/cross_site_scripting.pdf. Note that Cross-Site Scripting is not usually caused by a failure in the web browser. You can search the Vulnerability Notes Database for Cross-Site Scripting vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=cross-site+scripting.
Cross-Zone and Cross-Domain Vulnerabilities

Most web browsers employ security models to prevent script in a web site from accessing data in a different domain. These security models are primarily based on the Netscape Same Origin Policy: http://www.mozilla.org/projects/security/components/same-origin.html. Internet Explorer also has a policy to enforce security zone separation: http://www.microsoft.com/windows/ie/ie6/using/howto/security/setup.mspx.

Vulnerabilities that violate these security models can be used to perform actions that a site could not normally perform. The impact can be similar to a cross-site scripting vulnerability. However, if a vulnerability allows for an attacker to cross into the local machine zone or other protected areas, the attacker may be able to execute arbitrary commands on the vulnerable system. You can search the Vulnerability Notes Database for cross-zone and cross-domain vulnerabilities at http://www.kb.cert.org/vuls/byid?searchview&query=cross-domain.
Detection evasion

Anti-virus, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) generally work by looking for specific patterns in content. If a “known bad” pattern is detected, then the appropriate actions can take place to protect the user. But because of the dynamic nature of programming languages, scripting in web pages can be used to evade such protective systems.

[US-Cert]

How do you choose a good password?

2009-01-11T16:04:00.004+07:00

Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to guess or "crack" them. Consider a four-digit PIN number. Is yours a combination of the month, day, or year of your birthday? Or the last four digits of your social security number? Or your address or phone number? Think about how easily it is to find this information out about somebody. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to "dictionary" attacks, which attempt to guess passwords based on words in the dictionary.

Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Your best defense, though, is to use a combination of numbers, special characters, and both lowercase and capital letters. Change the same example we used above to "Il!2pBb." and see how much more complicated it has become just by adding numbers and special characters.

Don't assume that now that you've developed a strong password you should use it for every system or program you log into. If an attacker does guess it, he would have access to all of your accounts. You should use these techniques to develop unique passwords for each of your accounts.

Here is a review of tactics to use when choosing a password:

Don't use passwords that are based on personal information that can be easily accessed or guessed

Don't use words that can be found in any dictionary of any language

Develop a mnemonic for remembering complex passwords

Use both lowercase and capital letters

Use a combination of letters, numbers, and special characters

Use different passwords on different systems

[US-CERT]

Keeping Laptops From Getting Lost or Stolen

2009-01-11T14:01:00.002+07:00

A laptop computer defines convenience and mobility. It enables you to work from home, a hotel room, a conference hall, or a coffee shop.

Maybe you've taken steps to secure the data on your laptop: You've installed a firewall. You update your antivirus software. You protect your information with a strong password. You encrypt your data, and you're too smart to fall for those emails that ask for your personal information. But what about the laptop itself? A minor distraction is all it takes for your laptop to vanish. If it does, you may lose more than an expensive piece of hardware. The fact is, if your data protections aren't up to par, that sensitive and valuable information in your laptop may be a magnet for an identity thief.

Chances are you've heard stories about stolen laptops on the news or from friends and colleagues. No one thinks their laptop will be stolen– at least not until they find the trunk of their car broken into, notice that their laptop isn't waiting at the other side of airport security, or get a refill at the local java joint only to turn around and find their laptop gone.

OnGuardOnline suggests keeping these tips in mind when you take your laptop out and about:

Treat your laptop like cash. If you had a wad of money sitting out in a public place, would you turn your back on it – even for just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your laptop just as you would a pile of cash.
Keep it locked. Whether you're using your laptop in the office, a hotel, or some other public place, a security device can make it more difficult for someone to steal it. Use a laptop security cable: attach it to something immovable or to a heavy piece of furniture that's difficult to move – say, a table or a desk.
Keep it off the floor. No matter where you are in public – at a conference, a coffee shop, or a registration desk – avoid putting your laptop on the floor. If you must put it down, place it between your feet or at least up against your leg, so that you're aware of it.
Keep your passwords elsewhere. Remembering strong passwords or access numbers can be difficult. However, leaving either in a laptop carrying case or on your laptop is like leaving the keys in your car. There's no reason to make it easy for a thief to get to your personal or corporate information.
Mind the bag. When you take your laptop on the road, carrying it in a computer case may advertise what's inside. Consider using a suitcase, a padded briefcase or a backpack instead.
Get it out of the car. Don't leave your laptop in the car – not on the seat, not in the trunk. Parked cars are a favorite target of laptop thieves; don't help them by leaving your laptop unattended. That said, if you must leave your laptop behind, keep it out of sight.
Don't leave it "for just a minute." Your conference colleagues seem trustworthy, so you're comfortable leaving your laptop while you network during a break. The people at the coffee shop seem nice, so you ask them to keep an eye while you use the restroom. Don't leave your laptop unguarded – even for a minute. Take it with you if you can, or at least use a cable to secure it to something heavy.
Pay attention in airports. Keep your eye on your laptop as you go through security. Hold onto it until the person in front of you has gone through the metal detector – and keep an eye out when it emerges on the other side of the screener. The confusion and shuffle of security checkpoints can be fertile ground for theft.
Be vigilant in hotels. If you stay in hotels, a security cable may not be enough. Try not to leave your laptop out in your room. Rather, use the safe in your room if there is one. If you're using a security cable to lock down your laptop, consider hanging the "do not disturb" sign on your door.
Use bells and whistles. Depending on your security needs, an alarm can be a useful tool. Some laptop alarms sound when there's unexpected motion, or when the computer moves outside a specified range around you. Or consider a kind of "lo-jack" for your laptop: a program that reports the location of your stolen laptop once it's connected to the Internet.
Where to turn for help. If your laptop is stolen, report it immediately to the local authorities. If it's your business laptop that's missing, also immediately notify your employer. You may also wish to review the FTC's information for businesses about data breaches. If it's your personal laptop and you fear that your information may be misused by an identity thief, visit the FTC's Identity Theft page for more instructions.

If Your Business Laptop Has Been Lost

Notify the local police and immediately report it to your employer. You and your employer should review the FTC's information on data breaches.

[Onguard Online]

Don't let spyware control your computer use

2009-01-10T21:07:00.004+07:00

Spyware is software installed on your computer without your consent to monitor or control your computer use. Clues that spyware is on a computer may include a barrage of pop-ups, a browser that takes you to sites you don't want, unexpected toolbars or icons on your computer screen, keys that don't work, random error messages, and sluggish performance when opening programs or saving files. In some cases, there may be no symptoms at all.

To lower your risk of spyware infections:

Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads.
Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly.
Download free software only from sites you know and trust. Enticing free software downloads frequently bundle other software, including spyware.
Don't click on links inside pop-ups.
Don't click on links in spam or pop-ups that claim to offer anti-spyware software; you may unintentionally be installing spyware.

Just when you thought you were Web savvy, one more privacy, security, and functionality issue crops up — spyware. Installed on your computer without your consent, spyware software monitors or controls your computer use. It may be used to send you pop-up ads, redirect your computer to websites, monitor your Internet surfing, or record your keystrokes, which, in turn, could lead to identity theft.

Many experienced Web users have learned how to recognize spyware, avoid it, and delete it. According to OnGuard Online, all computer users should take preventive steps to avoid spyware, get wise to the signs that it has been installed on their machines, and then take the appropriate steps to delete it.

The clues that spyware is on a computer include:

Barrage of pop-ups
Hijacked browser — that is, a browser that takes you to sites other than those you type into the address box
A sudden or repeated change in your computer's Internet home page
New and unexpected toolbars
New and unexpected icons on the system tray at the bottom of your computer screen or on your desktop
Keys that don't work (for example, the "Tab" key that might not work when you try to move to the next field in a Web form)
Random error messages
Sluggish or downright slow performance when opening programs or saving files

The good news is that consumers can take steps to lower their risk of spyware infections. Indeed, OnGuard Online suggests that you:

Update your operating system and Web browser software. Your operating system (like Windows or Linux) may offer free software "patches" to close holes in the system that spyware could exploit. Set your operating system and security software to update automatically to be sure you have the latest protections.

Use anti-virus and anti-spyware software, as well as a firewall, and update them all regularly. You can download this software from ISPs or software companies or buy it in retail stores. Look for anti-virus and anti-spyware software that removes or quarantines viruses and that updates automatically on a daily basis.

Download free software only from sites you know and trust. It can be appealing to download free games, file-sharing programs, or customized toolbars. Be aware, however, that some of these free software applications bundle other software, including spyware. If you share a computer with kids, talk with them about safe computing.

Don't install any software without knowing exactly what it is. Take the time to read the end-user license agreement (EULA) before downloading any software. If the EULA is hard to find — or difficult to understand — think twice about installing the software.

Minimize "drive-by" downloads. Make sure your browser security setting is high enough to detect unauthorized downloads, for example, at least the "Medium" setting for Internet Explorer.

Don't click on any links within pop-ups. If you do, you may install spyware on your computer. Instead, close pop-up windows by clicking on the "X" icon in the title bar.

Don't click on links in spam or pop-ups that claim to offer anti-spyware software. Some software offered in spam or pop-ups actually installs spyware. In fact, ads that claim to have scanned your computer and detected malware are a tactic scammers have used to spread malware, so resist the urge to respond to or click on those messages.

Install a personal firewall to stop uninvited users from accessing your computer. A firewall blocks unauthorized access to your computer and will alert you if spyware already on your computer is sending information out.

Back up your data. Whether it's text files or photos that are important to you, back up any data that you'd want to keep in case of a computer crash. Do this as regularly as you update your security software.

If you think your computer might have spyware on it, immediately stop shopping, banking, or doing any other online activity that involves user names, passwords, or other sensitive information. Confirm that your security software is active and current and run it to scan your computer for viruses and spyware, deleting anything the program identifies as a problem.

How to Report if You Have Been a Victim of Spyware

If you believe your computer has spyware, the FTC wants to know. File a complaint with the FTC.

[Onguard Online]

Periodically check your credit report

2009-01-10T20:58:00.002+07:00

Get a copy of your credit report from each of the three major credit bureaus every year. (Federal law gives you the right to one free credit report from the three credit bureaus: Equifax, Experian, and TransUnion — http://www.ftc.gov/bcp/conline/pubs/credit/freereports.htm.) Check the reports to make sure everything is accurate. Consider staggering the requests and obtain one report every four months. That way, you can watch for signs of identity theft (i.e. inquiries that were not generated by you, accounts you didn't open).

[SANS Institute]

Stay safe when buying or selling online

2009-01-10T20:56:00.002+07:00

Internet auction sites and online stores make shopping a breeze during the holiday season. But buying or selling merchandise online can have risks. Visit the following sites to learn more about keeping your online accounts and personal information secure and how to guard against fraud.

Amazon.com safety and security Tips: http://www.amazon.com/gp/help/customer/display.html/103-1940593-1335831?ie=UTF8&nodeId=10412241
eBay Security & Resolution Center: http://pages.ebay.com/securitycenter/?ssPageName=CMDV:AB
PayPal Identity Protection: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/cps/securitycenter/buy/Privacy-outside

[SANS Institute]

If you access the Internet from a shared computer, make sure you don't leave anything behind

2009-01-10T20:41:00.004+07:00

Being able to access the Internet from different locations — the library, a computer lab at school, an Internet cafe — is a great convenience, but it can also pose a security risk to personal information. If you do access the Internet from a shared computer, here are a few things you need to remember.

Don't check the "remember my password" box.
When you're done, make sure you log off completely by clicking the "log off" button before you walk away.
If possible, clear the browser cache and history.
Never leave the computer unattended while you're logged in.
Trash all documents you used, and empty the recycle bin.

[SANS Institute]

Do not give your password over the phone to anyone claiming to be from the HelpDesk or Tech Support

2009-01-10T20:38:00.003+07:00

Be careful of this kind of social engineering hacker.

No one from the Help Desk or Tech Support will ever ask you for your password. If we need to access your account for some reason, and cannot contact you in time, we will reset the password and notify you by voicemail. Anyone calling and asking you for your password is most likely trying to gain unauthorized access to our network. If you receive such a call, notify your supervisor immediately.

[SANS Institute]

Never leave your own computer logged in when you are away

2009-01-10T20:22:00.009+07:00

Always log off your own computer. Do not let anyone else offer to do it for you

One of our branch supervisors was offering to log her staff off for them, so they didn't have to wait, and could get on with their evenings away from work. She wouldn't really log them off, though, but would just turn off their computer monitors. Once the staff had left for the evening, she would go back to the computers to see who was still signed in to the banking software. If she found someone still signed in, the supervisor would then defraud the bank, using her staff's IDs to cover her tracks.

In practice, never leave your computer logged in when you walk away, not even for a minute. Make it a habit to log off your workstation whenever you get up. Remember to always leave your Windows computer by pressing the keyboard shortcut combination of the Windows logo key and the letter "L" on a Microsoft natural keyboard. Get it? Leave Windows by pressing the Windows logo + L keys together to lock it up (or pressing CTRL + ALT + DELETE and hitting "Enter").

Above tips are for the cases that you leave the computer for a short period. At the end of working day, log off the computer is not enough to protect your information yet. There are some software and USB thumb drive can bypass the Windows authentication to login into the system if the PC is on standby mode. Shutdown computer before leaving office at evening is the safest way to protect information.

[Reference: SANS Institute]

Investment Schemes

2009-01-10T20:16:00.001+07:00

The Bait: Emails touting "investments" that promise high rates of return with little or no risk. One version seeks investors to help form an offshore bank. Others are vague about the nature of the investment, but stress the rates of return. Promoters hype their high-level financial connections; the fact that they're privy to inside information; that they'll guarantee the investment; or that they'll buy it back. To close the deal, they often serve up phony statistics, misrepresent the significance of a current event, or stress the unique quality of their offering. And they'll almost always try to rush you into a decision.

The Catch: Many unsolicited schemes are a good investment for the promoters, but not for participants. Promoters of fraudulent investments operate a particular scam for a short time, close down before they can be detected, and quickly spend the money they take in. Often, they reopen under another name, selling another investment scam.

Your Safety Net: Take your time in evaluating the legitimacy of an offer: The higher the promised return, the higher the risk. Don't let a promoter pressure you into committing to an investment before you are certain it's legitimate. Hire your own attorney or an accountant to take a look at any investment offer, too.

Forward spam with investment-related schemes to spam@uce.gov.

[Onguard Online]

Debt Relief

2009-01-10T20:11:00.003+07:00

The Bait: Emails touting a way you can consolidate your bills into one monthly payment without borrowing; stop credit harassment, foreclosures, repossessions, tax levies and garnishments; or wipe out your debts.

The Catch: These offers often involve bankruptcy proceedings, but they rarely say so. While bankruptcy is one way to deal with serious financial problems, it's generally considered the option of last resort. The reason: it has a long-term negative impact on your credit worthiness. A bankruptcy stays on your credit report for 10 years, and can hurt your ability to get credit, a job, insurance, or even a place to live. To top it off, you will likely be responsible for attorneys' fees for bankruptcy proceedings.

Your Safety Net: Read between the lines when looking at these emails. Before resorting to bankruptcy, talk with your creditors about arranging a modified payment plan, contact a credit counseling service to help you develop a debt repayment plan, or carefully consider a second mortgage or home equity line of credit. One caution: While a home loan may allow you to consolidate your debt, it also requires your home as collateral. If you can't make the payments, you could lose your home.

Forward debt relief offers to spam@uce.gov.

[Onguard Online]

Pay-in-Advance Credit Offers

2009-01-10T20:07:00.003+07:00

The Bait: News that you've been "pre-qualified" to get a low-interest loan or credit card, or repair your bad credit even though banks have turned you down. But to take advantage of the offer, you have to ante up a processing fee of several hundred dollars.

The Catch: A legitimate pre-qualified offer means you've been selected to apply. You still have to complete an application and you can still be turned down. If you paid a fee in advance for the promise of a loan or credit card, you've been hustled. You might get a list of lenders, but there's no loan, and the person you've paid has taken your money and run.

Your Safety Net: Don't pay for a promise. Legitimate lenders never "guarantee" a card or loan before you apply. They may require that you pay application, appraisal, or credit report fees, but these fees seldom are required before the lender is identified and the application is completed. In addition, the fees generally are paid to the lender, not to the broker or person who arranged the "guaranteed" loan.

Forward unsolicited email containing credit offers to spam@uce.gov.

[Onguard Online]