Friday, 19 April 2024
Security

Buffer overflow in Safari 3.0.2 for Windows

Following last Friday’s release of Safari 3.0.2 comes a brand-new Monday morning vulnerability. Researcher E. Azizov of ITdefence in Russia posted on the Bugtraq newsgroup a demonstration of a buffer overflow in the Windows XP version of Apple’s browser. Specifically, the new vulnerability affects the title buffer in Safari bookmarks. If the title of a …

Phishing scam spreading via Yahoo IM

A phishing scam was circulating on Friday through Yahoo Messenger that directs people to a malicious Web site where they are prompted to enter their Yahoo user name and password. The malicious instant message automatically forwards itself to the victim’s IM contacts. The IM arrives from someone in your contact list with a link to a Geocities Web page and smiley face emoticons surrounding the link. When clicked on, the link opens a page that looks like a legitimate Yahoo 360 sign-in page. Yahoo is investigating the matter and will take down the Geocities Web site if it is perpetrating a scam, a Yahoo spokeswoman said. Geocities is Yahoo’s free Web space service. Yahoo also will add filters to the Messenger system to prevent the malicious link from being propagated, she said. Phishers often use smiley faces and other emoticons to make the victim feel that the IM is safe. …

Warning: Yahoo IM from me is malicious

It finally happened. I fell for one of those silly phishing scams. The kind that I previously took sanctimonious pride in having avoided. The kind where you get a frantic e-mail or IM from a friend saying that a malicious link was clicked, a secret password typed in, and that they didn’t know better. I feel so ashamed, guilty, violated…stupid. In case you haven’t heard yet, an IM-based worm was spreading itself via Yahoo Messenger on Friday, propagating through people’s contacts lists and directing hapless victims to a malicious Web site. The site looks like a legitimate Yahoo 360 log-in page and prompts you for your username and password, which it then stores to be used for later nefarious deeds.

Identify e-mails trying to steal your identity

ATTACK OF THE PHISHERS: You open your in-box and find e-mail from eBay or PayPal, warning that your account has been compromised by identity thieves and that you must log on immediately to verify your information. Sounds scary, right? But here’s the really terrifying part: that e-mail is a fake, and so is the Web site it’s sending you to. If you follow the instructions and provide your account info, so-called phishers will steal your identity. You may soon find that these scammers have used your data to purchase all kinds of things on eBay you’ve never heard of, and the sellers are demanding payment. Your eBay reputation and your credit rating will be in tatters. And that’s just for starters.

Keep Organized Crime out of Your Network

A couple of months ago we looked at the trend toward serious IT security breaches and organized crime’s involvement in those breaches. It’s estimated that the majority of these serious security breaches are coming about because of organized criminal activity – and yes, the Mafia is getting involved. In the original article we covered scams ranging from petty spam threats all the way to violent extortion with potential damages ranging from inconvenience up to hundreds of millions of dollars. There are a few ways to protect yourself from organized crime — the best being not to get noticed or targeted in the first place. Traditional solutions include calling in the cops or just paying up, with the latter clearly being the least attractive scenario. IT security solutions can help, but IT systems are being targeted because behind that technology is real money and real secrets and real people. And where …

10 Security Tips

Security is a fairly important issue in this era of electronic information. The following are ten (10) suggestions for improving security at your site. Use strong passwords. Use at least eight (8) characters and include non-letter characters, for example: j&%9Hx. Do not use words that appear in the dictionary or that are part of your name, your company's name, or other common names. Change passwords periodically. It is recommended to change passwords within 90 days. That way, if your encrypted password is stolen and a cracker tries to break it, the cracker will be disappointed because your password has already been changed. Use anti-virus software with the latest virus data. Viruses appear regularly. For that reason, update your anti-virus software with the latest data by subscribing to an anti-virus service. Be careful with mail attachments. Many viruses and trojan horses are sent via email attachments. Configure your email program so that it does not run programs automatically when receiving …

4 Security Technologies Every IT Organization Must Have

When it comes to IT security, most enterprises really have roughly the same issues to deal with. Microsoft is no exception. We spent two years on the Risk Management and Compliance team in The Risk Management and Compliance team is charged with defining, monitoring, and correcting the risk posture of all MMS environments (for both customer-facing services and infrastructure coordination). Early on, our manager, Arjuna Shunn, recognized that we needed a technology solution that provided the desired controls and monitoring in a centralized, cohesive fashion. The technologies we’ll discuss here are a direct result of our early ideas, coupled with two years of experience using various Microsoft and third-party products in our operations. First off, we needed security technologies that would cover the three primary control types—preventive, detective, and corrective—as well as provide auditing and reporting. We saw this collection of tools breaking down into four categories: risk management dashboard, …

Using VPN to Avoid Packet Sniffing

Last week on the freeware review, I wrote about the simplicity of packet sniffing and analyzing with Ethereal. I revealed how easy it was for anyone to tap sensitive data like login information, credit card numbers, social security numbers, and mission-critical emails traveling on the network. As promised, I will reveal how to actually prevent packet-sniffing software from reading your sensitive data. As I previously explained, packet analysis passively listens in on a network and then extracts the important data, which is usually in plain text. The key to hampering packet analysis is encrypting the data sent on the network so that it cannot be read in plain text. The encrypted data that packet analyzers gather is pretty useless without an encryption key. While it is possible for crackers to obtain the key, encryption makes the process a lot longer (and sometimes nearly impossible). There are a couple common ways …

Protecting Your Data

Introduction to Windows Firewall: The introduction of high-speed Internet connectivity has created a powerful and extraordinary computer networking experience. This newfound burst of bandwidth has launched new innovations in information exchange, media access, and other advanced computing experiences. Unfortunately, this technology has also created a very accessible conduit to the internals of your computer. Using these open and available digital pipelines, it’s now easier than ever for hackers, worms, and viruses to attack your unprotected home and home office computers. These threats aren’t exaggerations thrown around by computer industry pundits or descriptions of theoretical worst-case scenarios. A test in my lab found that a computer added onto a previously unconnected cable-modem connection was found by automated hacker tools in three minutes, attacked by an Internet worm in eleven minutes, and it only took five hours before a hacker was running active scans against my computer in an attempt to find …
