Strange spoofing technique evades anti-phishing filters

A Reg reader has produced screen shots that demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results. Matty Hall, a …

COMMENTS

Microsoft's IE will never be secure, Don't trust it, ever.

Netcraft's anti phishing tool bar is pretty good.

Added to a respectable web browser such as Firefox and running in a respectable Operating System such as Debian GNU/Linux 3.1 or 4.0 (Any good Linux will do very well) such as we use, you would have a pretty good chance of being warned as to being on a phishing site.

I've seen it work.

Of course it is very advisable to look at the whole URL and be sure of where you are.

The best tool is your own intelligence, and knowledge.

But if you are just depending on tools to warn you... at least use good ones.

Your description of your system does not impress me with its "safety".

0
0

Netcraft toolbar

I wasn't even aware of this issue and I normally check URLs and certificates quite thoroughly. That's because even though I use XP, I only use Firefox. Some sites only load in IE? No problem, I use the IE rendering engine under Firefox (such as with the IETabs extension). However, having the latest version helps a lot with these issues but Netcraft's toolbar isn't compatible with the latest version of Firefox...

0
0

It might not be a dll

I'm speculating that the strange wording is meant to throw off the phishing filter's recognition system so it "looks" like a legitimate page to the filters.

0
0

mucking around with science teaching ?

When the gap between nerds and everyone else finally closes, this type of vulnerability might disappear, along with some of the infuriating comments.

Until then, it might be more helpful if the holier than thou's amongst us came down off their lofty platters once in a while and descended into the valley along with the rest of us. Particularly when folks are trying to resolve a serious issue. Rather than trotting out that tired old line, "it never happens to me".

I don't know which is sadder, those who get ripped off through their lack of technical knowledge or those who never leave their monitors.

Yes, "running a respectable Operating System" is part of the solution, but we also need an operating system that everyone can use without requiring a team of petrol heads to get it going and to make sure that it hasn't slipped into promiscuous mode because the user clicked on something or went to a popular web site.

Cyfaill's smugness won't last forever, and then maybe I'll laugh, or not.

By the way Cyfaill, I've been using Windoze Orrible Systems for a number (17) of years, and (touching the wood of my head) I haven't succumbed to any invasion yet, though I have witnessed numerous malicious attempts.

Luckily today's end users are becoming more observant, well maybe the non Linux people anyways.

regards Alf

0
0

Sad

It's too bad the only solution, time and time again, to being certain about web browsing security is using a less commonly used web browser (like Firefox), and less commonly used OS like Linux. Wouldn't phishers target strange fishing techniques to these environments if they were more popular?

0
0
Silver badge

They can spoof to their heart's content

I will never be taken by such spoofing, for I have a method that is unbeatable as far as security is concerned : I don't use IE, I don't have a Paypal account, and I know that banks NEVER, EVER ask people to log on and input their password with a friendly link.

Personally, if my bank deems there is a problem with my online account, I expect them to block it immediately, and send me a snail mail describing the problem and the steps to go back to a functional state. If my bank doesn't do that, and actually sends me a mail, I'll be on the market for a new bank the next day.

What is it with people who think everything can be solved with a URL ? Can't they pick up a phone from time to time ?

0
0

Strange things can happen ...... Enron/Worldcom/etc etc.

It could also be IE free-lancing/going mercenary .... with stealth. Especially if you consider that we are a Connected Village run from a Central Call Centre/Despatch Office.

0
0

Malware

This looks suspiciously like malware, Torpig for example displays that exact page for hsbc...

0
0

Netcraft Toolbar

Jason,

The Netcraft Toolbar is compatible with the latest version of Firefox. It has been since FF2 was officially released.

0
0

ie tab

Following on from Jason Togneri's post it would be interesting to see if the same fault occurred using Firefox with the IE tab.

Oh by the way is your login at the bottom supposed to ask for my credit card details?

0
0
Anonymous Coward

Slow news day?

"Dodgy website found on internet!" Shock horror.

Personally I don't much care how many nightclubs this person owns, or how well up on computers he thinks he is. I would, however be interested to read some actual technical details about this.

What did the URLs show as? The certificates? How did this person come across this page? Was it a standard phishing message via e-mail that he should've known better than to click on? Am I reading The Register, or my local free paper?

0
0

Hmm, not helping

The whole 'use linux because it's perfect' argument is a lil bit dated now, both are as bad as each other.

Part of me would be inclined to ditch Norton and use something else, that would probably help. Curious to see if a copy of DansGuardian inline might also pick it up.

0
0

Malware

This sounds like the m.o. of one of the Haxdoor family, aka Torpig, A311Death etc. It's an HTML injector and a clever one at that. The victim has obviously loaded one specialising in IE, but there are versions in the wild that are perfectly effective against Firefox, Opera and a few other browsers. Unfortunately even up to date AV may miss this family as it is quite sneaky and also possesses rootkit functionality so even new AV signatures loaded subsequent to the malware's installation may miss it. Use an anti-rootkit tool as well as anti-spyware to discover and remove.

On a wider note I am concerned that non-Windows users are creating a psychological barrier for themselves by denying that anything bad can happen to their OS which may leave them severely exposed if/when an attack does come their way. And it will. As soon as Firefox climbed above 10% of the browser market we began seeing intensive development of attacks directed against it, and now such exploits are a standard part of many malware packages. Please don't be complacent, it's your money that is at risk, not just your pride.

0
0
Bronze badge

What an odd thing to say

The only person who used the phrase "It only happens to me" was you, David/Alf. Cyfaill didn't even imply it, all he said was using a much more secure setup will mean you have "a pretty good chance" of being warned. That's hardly smug.

Time for someone to invent a flame filter...:)

0
0

No one is impeccable

Bravo David, Bravo.

I have (probably as does most of the reg readership) some geek in me, and fortunately I have never been hit by a phish/virus either (Vista, Firefox, no virus killer), however a guy I used to work with was a hardcore geek (hacking PHP till 2am on his linux box) and managed to get himself hit hard by a virus (which hit his windows machine, not the linux box), and another (again, java programmer, *nix geek) got phished. It just goes to show that even the hardcore geeks get hit sometimes, all it takes is one moment browsing with your guard down, and clicking that flashing link...ooo free screen saver.

0
0

It's not as if MS weren't warned

Whilst apparently not directly relevant to this attack (which, at first glance, could also have been carried out by hijacking the local machine's DNS resolver), let's not forget that MS were warned in advance by the security community that some of their planned browser technologies were major security risks. They went ahead regardless, citing "user convenience" as the major justification.

And here we are today..........

This is why some of us prefer FOSS, not for religious reasons. MS have historically been utterly cavalier in their attitude towards security, and if it hasn't been considered properly in the original design decisions, it's impossible to fix retroactively. Impossible.

0
0

Windoze security

Mr Urmston - Why criticise people for saying "It never happens to me" and then 4 paragraphs later say essentially the same thing?

Anyway, the whole windows vs Linux debate is getting rather old now. The only real difference between modern Linux and Modern Windows is not in capability - both are capable of being equally secure - it's just that on the whole Linux comes secure out of the box, and people have to learn to 'relax' it, whereas Windows comes with all the bells and whistles enabled, all the doors open and no security, and it takes the user time to learn how to tighten it up to make it safe.

The real underlying problem is that the whole industry has become obsessed with "chrome". 99.9% of the PC owning public use their computer for a small number of tasks - surfing the web, reading email, chatting on AOL, violating copyright law and downloading porn. You don't need bleeding edge technology to do that.

I once dreamed that Linux would be as easy to use as Windows - now that dream has come true, because I no longer have the time to understand the 1001 subsystems that have been bolted on to windows!!

0
0
Ash

The quirks of the English language foil scammers!

Cyfaill - "Of course it is very advisable to look at the whole URL and be sure of where you are."

That's the point; the URL is correct with this attack. That's why it's so serious!

The crux of the matter is that while Firefox is (mostly) more secure, Johnny eBayuser is more interested in being able to see the funky flash animation than reading Certificate revocation details. IE has the biggest exposure, therefore IE is what major sites are coded for.

He may know to look for "Https" at the start of the url, and he may know to look for the correct domain name before the first forward slash, and MAYBE they even know how to check certificates, but they're all CORRECT on this attack. NOTHING is amiss that all the lofty security "experts" are touting as the be-all and end-all in verification. Figuring out this is not what it seems requires common sense, not technical computer knowledge, and fortunately at least one guy on this planet still has some.

I think the scammers have shot themselves in the foot with this one. The technical prowess is there in abundance; it's the grammar that gave them away this time.

0
0

A minor gripe

You wrote

We left messages for representatives of eBay, Symantec and Microsoft late on Thursday, but had not heard back at the time of writing.

But you were writing this early on Friday. At least give the poor PR wonk time to get in to work and finish their first coffee before assuming they have nothing to say.

0
0

I suspect NatWest are having this problem too

This message has appeared at login for a few days:

"A small number of customers have encountered a screen that asks for full PIN and password details. This screen appears when logging into their OnLine Banking service."

I thought the wording was a bit strange, not referring to bogus emails as usual.

0
0
Bronze badge

Cyfaill's Smugness

Cyfaill, your smugness is only exceeded by your inability to read an article and work out what it's really talking about.

If you'd bothered to take a moment to analyse the real issue before jumping into the pulpit to start preaching, you'd have seen that this problem almost certainly has nothing to do with a phishing site per se, and everything to do with content fudgers, injectors or similar which corrupt and rewrite the code of respectable pages in real time. This being the case, any phishing detector on any platform would report the page as genuine, because it IS genuine. (at least as far as the detector can see).

Oh and thanks for your advice to "look at the whole URL and be sure of where you are" - I'm sure there are at least 3 people on the planet who hadn't figured that out for themselves already.

And while I'm at it, I'm quite sure the people experiencing this problem don't give a rat's arse whether it "impresses you with its safety". They've got better things to do.

</rant>

0
0

NOT mucking around with science teaching ?

Apologies for a quirk of the OS, as the title of my earlier comment has somehow been replaced with the title of a post that I made about two weeks ago.

?????

If you can fathom that one you can solve the strange phishing attempt.

regards

Alf

0
0

I can't wait until Linux becomes popular enough to be a target

Then the fanboys will really be caught out with their pants down!

0
0
Anonymous Coward

It can happen to anyone

However careful you are it can still happen. I got sent an attachment prices.xls by someone I was expecting a file of prices from. Fully patched, AV protected Windows box but this was the day the virus went wild and AV update didn't cover it until the next morning....

0
0
Anonymous Coward

sandbox the OS/browser

This is very worrying as the article suggests that the certificate was inspected and that no other common techniques were used. In fact the article goes on to say that the web feed was genuine but it may be possible an IE component (a .dll) was injecting html into the feed.

This must mean that the PC was compromised by something like a zero day exploit as none of the security software had picked it up. You then have no choice but to completely rebuild the OS and carefully re-apply all the apps etc, from trusted sources. This is the only way to be sure that no other system functions have been compromised and will only re-introduce the malware after it has seemed to be removed. In fact you don't know what is running or going on with your PC at that point; basically, it cannot be trusted.

A rebuild of this magnitude is usually beyond most regular PC users, who will try and get along with what they have, trusting that new versions of their security software will help. Therefore we need something that lets you be sure you are using a completely trusted machine for when you need to give out details that can be used by fraudsters and can be fixed and used by regular users.

Therefore I think the only way to do that is to have a VM which runs a cut down OS with just the browser. The image should be secured with something like an MD5, the VM should not run the image unless the MD5 checks out. After using the VM/OS/Browser, the image resets to the original. Therefore any malware in the VM/OS/Browser dies when finished.

There are drawbacks with licensing, no stored details, etc and you still need security software running in the VM just in case you pick up something before getting to the entering of sensitive data while using the VM, but good practice by the user should reduce the chance and in any case it only affects the single session.

At the current time I can see this as the only way to prevent zero day exploits (which this sounds like) from affecting the regular user.

0
0
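The verify-before-boot and reset-after-use flow suggested in the "sandbox the OS/browser" comment above, sketched as an added example (not code from any poster or from The Register). It assumes SHA-256 via `sha256sum` or `shasum` where the comment mentions MD5, and the function names, the image path and the launcher command are all hypothetical.

```shell
#!/bin/sh
# Added example: check a pinned digest of a browser-VM image, run a throwaway
# copy of it, and discard that copy afterwards. All names are hypothetical.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image IMAGE EXPECTED_HEX
# returns 0 on match, 1 on digest mismatch, 2 if the image is missing
verify_image() {
    vi_image=$1
    vi_expected=$2
    [ -f "$vi_image" ] || { echo "missing image: $vi_image" >&2; return 2; }
    vi_actual=$(sha256_of "$vi_image")
    if [ "$vi_actual" != "$vi_expected" ]; then
        echo "digest mismatch for $vi_image, refusing to start" >&2
        return 1
    fi
    return 0
}

# run_disposable IMAGE EXPECTED_HEX LAUNCHER [ARGS...]
# The launcher receives the path of the per-session copy as its last argument.
# The pinned original is never handed to the launcher, so nothing written
# during the session survives it.
run_disposable() {
    rd_image=$1
    rd_expected=$2
    shift 2
    verify_image "$rd_image" "$rd_expected" || return $?
    workdir=$(mktemp -d) || return 2
    cp "$rd_image" "$workdir/session.img" || { rm -rf "$workdir"; return 2; }
    # Re-check the copy: catches an image swapped between the check and the copy.
    verify_image "$workdir/session.img" "$rd_expected" || { rm -rf "$workdir"; return 1; }
    status=0
    "$@" "$workdir/session.img" || status=$?
    rm -rf "$workdir"            # the "image resets to the original" step
    return $status
}

# Constructed demo: a small text file stands in for the VM image and
# `test -s` stands in for the VM launcher.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed stand-in for a VM image\n' > "$d/browser.img"
    pinned=$(sha256_of "$d/browser.img")
    clean=0
    run_disposable "$d/browser.img" "$pinned" test -s || clean=$?
    printf 'injected' >> "$d/browser.img"     # simulate tampering with the image
    tampered=0
    run_disposable "$d/browser.img" "$pinned" test -s 2>/dev/null || tampered=$?
    rm -rf "$d"
    echo "clean=$clean tampered=$tampered"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The pinned digest and this script have to live somewhere the guest cannot write to, and the check says nothing about a host that is already compromised.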
Anonymous Coward

Autoresponse bots are active again

IF article contains 'Microsoft' or 'IE', THEN 'post smug response about how great Linux is (or Mac)'

Of course you Linux guys have robust web servers that never have flaws in the server or any hosted applications just because it's Linux... oh wait, what's my web server log filled to the brim with? Attacks on flaws almost exclusively php based directed mostly at Linux/Unix systems. How come I'm having to patch my Linux web server on a monthly basis? Hmm. ;-)

Oh, and what's that? A security update for Firefox? Surely not! ;-)

Oh and malware targeted at OpenOffice that even threatens Linux? Good grief!

Seriously though. I'm not a total MS fan. I use linux a fair bit for what it's good at and enjoy using it, just the same as I use Windows for what it's best at. However I'm not as blinkered as to just smugly assume I'm immune to everything just because it's Linux or non-Microsoft (as the recent example with PlusNet clearly shows with their lack of patching a PHP based mail app resulting in hackers getting in).

0
0

False security

What I think is interesting is that Norton 360 has put a green banner at the top giving the message "no fraud detected". Talk about giving a false sense of security!

Since the verification from Norton is obviously not worth much, I would have thought that it would be better not to display anything unless a definite fraud has been detected. What they are doing at present is effectively saying "switch intelligence off, we say that this site is OK!"

At the very least they should have a neutral unobtrusive banner, which should not be green. They are not saying that the site is clean, just that they can't see anything bad on it. Not the same thing at all!

0
0
Anonymous Coward

Very very worrying

"He may know to look for "Https" at the start of the url, and he may know to look for the correct domain name before the first forward slash, and MAYBE they even know how to check certificates, but they're all CORRECT on this attack. NOTHING is amiss that all the lofty security "experts" are touting as the be-all and end-all in verification."

This is why this attack is so terrifying. If they hadn't used incorrect grammar, who would have even known it was a spoof?

In fact, if the spoof page had been identical to the real Paypal page, how could anyone have possibly known it was a spoof?

This is what's so worrying, there's no practical way to tell the difference between a real and a fake page any more.

0
0
Anonymous Coward

Re: Sad (@Doug)

Doug writes: Wouldn't phishers target strange fishing techniques to these environments if they were more popular?

First of all, yes, they probably would. But their attacks will be short-lived. The great thing about Open-Source software is that projects such as firefox/thunderbird et al. are updated regularly whenever a vulnerability is found - usually within 24-48 hours. Users are also informed when an update is available so that their machines are left in a vulnerable state for as little time as possible.

Secondly, there's the underlying O/S.

Windows is a monoculture. Yes there are variations between versions of Windows, but with IE on all of them they all have similar weak spots. It could therefore be argued that with firefox on so many Linux/BSD/other *nix machines, they too should all have identical weak spots.

Not so.

To start with, there are over 200 different GNU/Linux distributions, many of which install firefox in different locations in the filesystem.

Secondly, there are many different versions of glibc in circulation, which creates yet more differences between variants of GNU/Linux.

Thirdly, although this is more and more true of MS-Windows as time passes by, browsers on a GNU/Linux machine run as the user who invokes them. The most damage a browser can do - or malware injected via a browser - is as much as the user can do. Superuser ('root' in Unix parlance) privileges are needed in order to install, for example, a keylogger so that someone else can "see" what you're typing into your bank's/eBay's/PayPal's login page. Furthermore, obtaining root privileges on a Unix system is damn near impossible unless authorized by root.

Yes, there have been other vulnerabilities that allow remote attackers to gain root privileges on a cracked box, but that happens through the insecure use of services such as SMTP, SSH, HTTP etc. and vulnerable web content management systems that shouldn't be running on Joe Sixpack's Linux box in the first place. Also, most distros come with a firewall that prevents all inbound access anyway. The only way in is through protocol injection in a user-initiated session - IOW, a web page with malware on it.

So, even if firefox and GNU/Linux do become the predominant combo, there will be fewer successfully infected machines because of the difficulty of infection in the first place and because of the natural diversity of systems all grouped under the same generic name.

0
0
Gav
Bronze badge

Has The Register Become Slashdot?

Do we really need every discussion about internet security to become an IE/Firefox Windows/Linux fanboy bore-fest?

The significant part of this story, just to spell it out to those who haven't bothered actually digesting what it says, is that it is not the usual phishing technique. People who do follow proper internet security advice will get caught out. In fact, the only reason that it's been rumbled is because it tried to take it too far. If it had only asked for the usual login details it would almost certainly have got them. This is scary and should concern people.

0
0

Re: They can spoof to their heart's content

Well said Pascal (comment way back up near the top). It never ceases to amaze me just how willing people are to hand over their personal details (even when irrelevant) to the website being visited just because it looks the part.

I appreciate that if a phishing scam *just* asked you for the exact same login details that the bank/auction site/etc typically asked you for then an attack such as this is very serious. However, it seems to me that the phishers always overplay their hand by asking for oodles of personal details, this should set alarm bells ringing!

I try to deal with people who come knocking at the door offering cheaper electricity and gas in the same way. All they need are my bank details to set up the direct debit. Legit or not, no thanks! Why hand over your details to a complete stranger 'off the cuff' as it were?

0
0

Can you get a tcpdump?

If there's no sensitive information in the URL Mr Hall is trying to access, can he download wireshark and get a tcp trace? Would be interesting to see what's going on.

0
0

The internet is broken

Forget which browser or o/s you are using. The simple and appalling fact is that the internet is irredeemably broken and really, really cannot be trusted.

I took the decision years ago to never use on-line banking of any form, and I don’t even buy stuff on-line now except as part of my job where (a) I’m behind a firewall, (b) I’m working only with trusted sites, (c) I’m using a computer that has never, ever been used to browse anything even remotely dodgy, (d) when I do buy something over the ‘net it’s from a company with whom we’ve got an account (so no credit card details ever passed), and finally (e) when (and it will be when) my computer is finally compromised, it’s not my money that goes missing: it’s the company's.

Is this a hassle for me? Of course it is, but I take the view that being ripped-off and having my bank account emptied would be worse.

0
0

Gaming Common Sense

Someday, someone who is fluent in English will make one of these - and it'll spoof an initial signup screen too (you know, when you actually DO have to give some of that sort of info out).

I'm not saying give up common sense, I'm just saying eventually a phisher who isn't a sixteen year old Latvian in his mother's basement will actually launch an attack that won't raise your God given bs detectors either.

0
0

wininet.dll being compromised?

I'm not a low-level browser geek, but I seem to remember that IE uses wininet.dll to access the web whereas FireFox uses sockets directly (probably due to its multi-platform codebase not wanting to rely on a Windows-only DLL).

So I'd start to look at who/what is hooking/replacing wininet.dll on machines that exhibit this problem with IE but not FireFox. A good starting point might be Fiddler ( http://www.fiddlertool.com/fiddler/ ), an MS tool for monitoring web access, which itself hooks wininet.dll (which is why it only works as a proxy when used with FireFox).

Just my 2p worth...

0
0

If you get it in email, it is a spoof

How many times do people have to be told that organisations will never ask you for confidential and personal information in an email? That has been publicised too many times not to have everyone know it. I will never understand it.

I get phishing attempts regularly and just put them in the rubbish bin.

TM

0
0

Newsletter

Hmm, looks like I'll have to post another newsletter to my clients.

Dillon, CISSP

0
0

Firefox not fool proof...

I set up Firefox on my mum's machine as I figured it was probably more secure. However after a year or so it caught something, which caused popups to come up when she went to Barclays site.

This was disconcerting.

I tried the usual thing of creating a new profile, but it didn't work.

I tried a complete uninstall/reinstall.

I'm sure someone with more know how could have got it working again, but I didn't have time to play. It was updated to the latest version at the time.

For now she's back to IE7 which is working well for her.

Firefox is good but it isn't perfect.

0
0

Except

Except that a genuine page will never, ever ask you for that kind of information, as all banks and online financial institutions make very clear.

0
0
Silver badge

Sometimes it IS the victims' fault

Being a victim does not in and of itself absolve you from blame. If you sit on a tree branch, sawing through it between the tree and yourself, then what happens next is entirely your own fault.

When you open a bank account, they tell you right there in the welcome pack, in bold print, that you will *NEVER*, *EVER* be asked for confidential information by e-mail or telephone -- and definitely not by means of an e-mail with lousy spelling and grammar and similar to several e-mails you have already received purporting to be from banks with which you do not even have accounts. If they need to contact you about something really important, they will contact you by snail mail and ask you to visit a branch.

I don't use online banking myself anyway. There are exactly two reasons why I ever have any dealings with a bank. One: to pay cash or cheques in through the hole-in-the-wall machine; and two: to withdraw cash through the hole-in-the-wall machine. Neither of these functions are available through a PC, or ever likely to be so.

0
0

HSBC security still a joke

Just read this and out of curiosity tried logging into HSBC - it appears they have changed the text on login page, pretty sure it was shorter just a couple of days ago:

"Your security number is a 6-10 digit number, which you may already use to help identify yourself when calling us. Please don't use family phone numbers, birthdates, simple sequences, or repetitions, which are all relatively easy to guess. We never ask you to enter or tell us your security number in full."

Trouble is - it's still a joke. Using a DoB and a static NUMERIC security number that never changes as means of authentication? Which planet are you from, HSBC? Call me cynical but it looks like it takes massive lawsuits/financial losses to get banks to change something.

Threats like this only expose the fact that many institutions that SHOULD know better still take a pee out of their customers.

0
0

Oh dear

Hehe, I love that phrase "the internet is broken" - reminds me of doing tech support at my university years ago.

No, the internet isn't broken m8 - it's just the plebs that are now allowed to use something that was originally designed for military/scientific use and has now morphed into something that any joe bloggs off the street is able to access.

You should need an internet access license just like you need a driving licence imho ^^

0
0

NatWest

As Jeff says, a message appears on the NatWest site which implies something similar is happening there. What is worrying is that this message only appears after you have logged on. It seems they are happy to tell people that they may have already given their details away, but they don't bother warning anyone beforehand so they can avoid doing so.

0
0
Gold badge

With power comes responsibility

Unfortunately, Microsoft have provided the power but people don't use it responsibly.

Producing a web browser wasn't enough for Microsoft, they had to allow the browser to access Windows components and resources. They had to integrate the browser into the OS to kill Netscape.

IE7 doesn't seem to change anything. Will they never learn?

0
0

While I'm the first to agree with those that shun IE

It's important to remember there really isn't such a thing as a completely safe web browser.

I don't use Opera, but from reliable reports I've heard it is the safest available.

I have been using Firefox almost exclusively (unfortunately there are still too many archaic websites that only function correctly under IE, not to mention Microsoft's own update sites), but that has done little to stop my machine from getting infected every now and then.

I'm a fairly safe surfer, but even with the best intentions it's possible to get scammed once in a while.

I think the rule of thumb is to make sure your anti-spyware software is top of the line, and I'm afraid Symantec are nowhere near the best in that field - in fact they're pretty much as bad as you can get.

Adaware is great for finding Amazon and CNN cookies, I believe it also finds malware, but it's hard to tell amongst all the useless 'look at me, I'm the best, I've found 24000 harmless cookies' results.

PC Tools make probably the best anti-spyware software, it's incredibly slow to load and a resource hog - but it's as good as it gets for finding real problems. It's also the only product I know of that actively prevents key loggers from infecting your PC (as long as they're in the definition database, no software is perfect in that regard) and is significantly better than Microsoft at warning you when IE goes to a bad site.

I can't tell you the number of times Spyware Doctor has found trojans or reg hacks after Norton AV has given my PC a clean bill of health.

Obviously there are other good products too - but the moral of the story is just because you don't use IE don't think you're safe from malware or phishing scams.

0
0

Title

"Barklays" Barklays??? Have you people been reading too many scammers' pages?

0
0
Anonymous Coward

Online buying stuff ... and security

Here's an anecdote from a couple of years ago. ( about 8 years ago )

System affected : a multi million dollar Sun server ...

The culprit : me (using a windows 95 machine on the network).

When enabling the network in win95 you need to provide a username and password. So jokingly, I had created an account on win95 called 'root' with the password set to 'blah'.

I plug the machine on the network and access the network disks shared out by this Sun server. I copied a couple of files to the server. Try to open them from a Unix workstation and it says permission denied. A quick ls -l shows owner as 'root'... That's odd..... this couldn't be, could it? I tried a couple more things ... I could use the win95 box to write anywhere, move directories, delete files. I had full root permission just like the legit root user.

Why ? Because stupid Samba running on hypersecure Unix negotiated in the following way :

Samba : who is logged on ?

Win95 : here it says 'root'.

Samba : did he log on correctly on your side ?

Win95 : his password matches what is stored on my side

Samba : ah, it;'s ok then: go ahead.

Security on Unix? That hole was so big you could run a 6 lane highway through it and have room to spare for a bunch of exits, a shopping mall, a couple of casinos, hotels and a small city with a population of a couple million.

When we flagged this, the answer was: oops, we'll have to patch that... In the meantime the IT department issued this statement: It is not allowed to plug Win95 machines on the network since they make Unix unstable. Solve the disease by killing the patient...

The moral of the story is this: It all comes down to who has the bigger hammer!

That's exactly the case with this phishing stuff. Norton, McAfee, Windows, Linux, Unix, Firefox, IE, Opera, whatever... the guy with the biggest hammer pounds the hole in the wall.

Online banking? No thank you... My bank is just around the corner.

What we need for online buying stuff on the internet are 'one-time use' bank cards. You go to an ATM machine punch in the request for money and instead of bills it gives you a paper slip with a unique code. This is a virtual cheque that is limited to the exact amount you put in it.

You feed that number to the payment site. When it's spent, the 'account' is empty. So it can not be used a second time.

If someone phishes it: no damage done. If they try to cash it in, 2 things can happen:

- it was already cashed in, so they get caught because they tried cashing it in a second time.

- if it was not cashed in: they still get caught because the cashing in can only be done by having a bank account. Their identity is known. So if the legit receiver files complaint: bingo, you can trace where the money went.

The technology exists. So start using it.

0
0
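The one-time voucher scheme proposed in the comment above, sketched as an added example (not part of the original post and not any real bank's system). The `VoucherBank` class, the account names and the amounts are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


class VoucherError(Exception):
    """Raised when the bank refuses a redemption."""


@dataclass
class Voucher:
    amount_cents: int                  # fixed when the slip is issued
    redeemed_by: Optional[str] = None  # bank account that cashed it in


class VoucherBank:
    def __init__(self):
        self._vouchers = {}   # code -> Voucher
        self.alerts = []      # (reason, account) pairs kept for fraud review

    def issue(self, amount_cents):
        """Issue a slip: an unguessable code bound to one exact amount."""
        code = secrets.token_hex(8)
        self._vouchers[code] = Voucher(amount_cents)
        return code

    def redeem(self, code, account):
        """Pay out once, and only to an identified bank account."""
        voucher = self._vouchers.get(code)
        if voucher is None:
            raise VoucherError("unknown code")
        if voucher.redeemed_by is not None:
            # Case 1 in the comment: the code was already cashed in.
            self.alerts.append(("second redemption attempt", account))
            raise VoucherError("already spent")
        # Case 2 in the comment: whoever cashes first is on record.
        voucher.redeemed_by = account
        return voucher.amount_cents

    def trace(self, code):
        """Account that received the money, or None if still unspent."""
        return self._vouchers[code].redeemed_by
```

A phished code that is replayed after the merchant has cashed it lands in `alerts`; one cashed before the merchant gets to it is attributable through `trace`.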
Silver badge

IE = Suicide

Using Internet Explorer to browse the Internet is security suicide. The only way MS could make IE "secure" is to start again from scratch, dispose entirely of ActiveX, install-on-demand, rewrite j-script (it still doesn't support JavaScript) and then give the users PROPER control over just what the hell is going on.

IE7 is a slight step in the right direction with users at least being able to "view" the plugins that are attached to IE, it's just a shame that the interface is so awful and inexplicable even to those that are more than just familiar with computers... The "sandbox" mode in Vista is no good at all and is just a vague attempt to stop further damage from a thoroughly borked browser.

Anybody, who even pretends to be a computer professional, that uses Internet Explorer to browse the Internet should be shot.

Personally, if I'm going to browse the Internet and go to untrusted sites, I'll use my install of Mozilla... with Flash Block and NoScript plugins. Mozilla might not be the best browser on the block, but with no Flash or Java/JavaScript running it's damn secure and so far no unscrupulous website has managed to pop up windows, grab information or do anything nefarious (that I've detected anyway). For the browsing of trusted websites I use FireFox (once again with FlashBlock plugin because I *hate* being interrupted by flash popups, sounds, etc). Internet Explorer is used solely to access Windows Update, nothing more. Ever.

Now, I'm not claiming that FireFox doesn't have or hasn't had security holes in it, but in all the time it's been going it's been considerably more secure than Internet Explorer. This is likely to be partly due to the massively better design of it and non-commingling with the OS, but also because malware writers have been targeting the much easier and more prevalent target, Internet Explorer.

Installing and using Linux is of course even more secure, partly by a much better OS design (and even a semblance of security in the OS) but also by the further reduction in target demographics making targeting it less worthwhile (the reduction in target is made wider still with the much wider spread of Linux distributions out there).

Of course, if you're the type of user that when presented with a popup box that reads "your computer is not secure, click here to make it more secure" or "you must download this (executable) codec to watch this video" then it doesn't matter whether you use Internet Explorer, FireFox, Mozilla, Opera or any other PC browser... you're screwed anyway.

0
0
