FireFox Saved Me!

PhishingBlocker

Early in 2007, I finally managed to file for my first credit report since they passed the law allowing for one free credit report per year. Out of the number of institutions available for filing my credit report, I chose to go with Equifax. I was pretty impressed with how fast it took for them to process my information. Once they were finished, I was able to see my credit report online. And, in case you were wondering, my credit score is around seven or eight hundred which I hear is pretty good.

This year, I have yet to file for my credit report but I received a piece of email the other day from Equifax telling me that I was required to fill out a particular form they had sent me.

equifaxemail

Well, I wasn’t in a hurry to open up any emails from them but when I finally did, here is what I saw.

Equifax Scamjob

Looks convincing, doesn’t it? Well, after thinking about it for a while, I decided to click the link to see what it was all about. The result? The first image you see in this post. This is the first time I’ve ever seen this notification, which took me by surprise. After receiving the update, I did a Google search on the scam and yep, this was an Equifax phishing email.

So not only did I want to warn others, but I wanted to give a big thank you to the built-in phishing filter in FireFox. You saved me bro!

2008 Top Ten Security Threats Maybe

Websense has released a list of what they think will be the top ten security threats of 2008. This is a list of predictions so take them with a grain of salt.

1. Olympics – new cyber attacks, phishing and fraud
Event-based attacks and scams are popular, and with the whole world watching, the 2008 Olympics may fuel a surge in cyberattacks. As the Olympic torch burns, Websense researchers predict the possibility of large scale denial-of-service (DoS) attacks on Beijing Olympic-related sites as political statements and fraud attempts through email and the Web surrounding the Olympics. Additionally, Websense predicts compromises of popular Olympic news or other sports sites - attacks designed to install malicious code on end-users’ machines and steal personal or confidential business information.

2. Malicious SPAM invades blogs, search engines, forums and Web sites
Websense predicts that hackers will increasingly use Web spam to post URLs to malicious sites within forums, blogs, in the commentary or “talk-back” sections of news sites and on compromised Web sites. This activity not only drives traffic to the infected Web sites but also assists in the purveyor’s site sitting higher on search engine rankings, increasing the risk that users will visit the site.

3. Attackers use Web’s ‘weakest links’ to launch attacks
The Web is an entanglement of links and content. The advent of Web 2.0 additions such as Google Adsense, mash-ups, widgets, and social networks along with the massive amounts of Web advertisements linked to Web pages have increased the likelihood of ‘weak links’ - or Web sites and content that are vulnerable to compromises. Websense predicts that attackers will increasingly exploit the weakest links within the Web infrastructure in order to target the greatest number of Internet users. Most vulnerable to these attacks are search engines and large user networks such as MySpace, Facebook or other social networking sites.

4. Number of compromised Web sites will surpass number of created malicious sites
The Web as an attack vector has been steadily increasing for the last five years and now attackers are using compromised sites as their launching platforms - even more than their own created sites. Compromising sites - particularly sites well-visited by end-users, such as the Dolphin Stadium attack that occurred a few days prior to the 2007 Super Bowl XLI in Miami - provides attackers with built-in Web traffic and minimizes the need for lures through email, instant messaging or Web posts.

5. Cross-platform Web attacks – Mac, iPhone popularity spurs increase
With the brand popularity and growing use of iPhones and Macintosh computers, Websense researchers predict attackers will increasingly launch cross-platform Web attacks that detect the operating system in use and serve up code specifically targeting that operating system instead of attacks based on just the Web browser. Operating systems that are targeted now include Mac OSX, iPhone, and Windows.

6. Rise in targeted Web 2.0 special interest attacks - hackers targeting specific groups of people based on interests and profile
Web 2.0 has spawned a proliferation of Web users that visit chat rooms, social networking sites, and special interest Web sites such as travel sites, automotive, and more. These sites provide attackers with potential victims that fall within a certain age group, wealth bracket, or people with particular purchasing habits. In 2008, Websense researchers predict targeted attacks will rise toward specific social networking or special interest sites that have a higher probability of delivering a payoff.

7. Morphing JavaScript to evade anti-virus scanners
Hackers are upping the ante with evasion techniques that use poly-morphic JavaScript (Polyscript) – which means that a uniquely-coded Web page is served up for each visit by a user to a malicious Web site. By changing the code every visit, signature-based security scanning technologies have difficulty detecting Web pages as malicious and hackers can extend the length of time their malicious site evades detection.

8. Data concealment methods increase in sophistication
Websense predicts an increased use of crypto-virology and sophistication in data concealment including the use of stenography, embedding data within standard protocols, and potentially within media files. Toolkits widely available on the Web will be used to embed proprietary information and steal data.

9. Global law enforcement will crack down on key hacker groups and individuals
In 2007, large-scale Internet-based attacks garnered the attention of law enforcement officials around the world. Websense anticipates that through the global cooperation of enforcement agencies, in 2008 the biggest crackdown and arrests of key members of a hacker group will occur.

10. Vishing and voice spam will combine and increase
The vast cell phone user population has grown into a lucrative market to exploit with spamming and “vishing” for financial gain. To date, researchers have seen an increased number of vishing attacks but not a lot of spam - or pro-active automated calling. In 2008 Websense predicts that “vishing”, or the practice of using social engineering and Voice over IP (VoIP) to gain personal and financial information and voice spam will combine and increase - users will receive automated voice calls on LAN lines with voice spam to lure them to input their credentials through the telephone.

Out of this list, 2, 3, 4, and 6 piqued my interest. Number 2 is actually a given. It doesn’t take a genius to figure that one out. Number 3 though is interesting if you think about the implications of a possible attack against MySpace or Facebook. I can only imagine what sort of payoff a hacker would receive if they managed to attack something like Facebook. I mean, imagine what kind of data the hacker would retrieve if they managed to grab a database off of one of the Facebook servers. I think that information would be quite valuable to someone.

Number 4 is also interesting in that botnets normally rely on turning your individual PC into a zombie to do their bidding. But what if the hackers actually used something like a web botnet? This botnet would consist of web servers across the world which serve some of the most popular web pages on the net. Imagine what kind of problem we would be dealing with if a slew of stealth applications that were lying dormant on web servers were to wake up all at once and infect your machine because you loaded a web page from that server. Suddenly, the odds would tip in favor of the botnet authors and the web would be in deep crap.

In the end, looks like hackers will keep evolving their techniques and we will have to hope that the good guys (white hats) are keeping pace. Should be another interesting year for security.

FeedSmith Plugin Security Update

The FeedBurner FeedSmith plugin for WordPress, which consolidates all of your WordPress RSS feeds into one, has undergone a small security update. According to Feedburner, older versions of FeedSmith can be vulnerable to what is called a “cross-site request forgery.” This permits someone to change WordPress plugin settings on your system without you noticing while you are signed in to your WordPress control panel.

Feedburner recommends downloading the latest version of the plugin, FeedSmith V2.3, as this version ensures that the only person who can change FeedSmith settings is the administrative account that is signed into your WordPress account.

Here are the directions to update your plugin.

  1. Download version 2.3 of the plugin.
  2. Sign in to your WordPress admin control panel.
  3. Under Plugins, locate the current FeedSmith plugin, and click “Deactivate.”
  4. Copy the plugin file, FeedBurner_FeedSmith_Plugin.php into your default WordPress plugin directory, wp-content/plugins/
  5. Reactivate the plugin by logging in to your WordPress administration area, clicking Plugins, then clicking Activate at the end of the “FeedBurner FeedSmith” row.

At the end of this process, v2.3 will be active and will use your existing feed redirection settings; there is no need to re-enter them. You will also be protected against any potential request forgery attack.
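To make the request forgery problem concrete, here is an added example (a simplified Python model, not FeedSmith or WordPress code) of a settings handler that trusts the session cookie alone, next to one that also requires a per-session token from the admin form. The session ID, setting name and URLs are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed state: one signed-in admin session and one stored plugin setting.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-admin": {"user": "admin", "is_admin": True}}
SETTINGS = {"feed_url": "https://feeds.example.com/original"}


def issue_token(session_id: str, action: str) -> str:
    """Token the server embeds in the settings form it renders for this session."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def save_settings_vulnerable(cookie: str, form: dict) -> bool:
    """Model of a CSRF-prone handler: a valid session cookie is the only check."""
    if cookie not in SESSIONS:
        return False
    SETTINGS["feed_url"] = form["feed_url"]
    return True


def save_settings_hardened(cookie: str, form: dict) -> bool:
    """Requires an admin session and a token that only the real form carries."""
    session = SESSIONS.get(cookie)
    if session is None or not session["is_admin"]:
        return False
    expected = issue_token(cookie, "save_settings")
    if not hmac.compare_digest(expected, form.get("csrf_token", "")):
        return False  # request did not come from the rendered admin form
    SETTINGS["feed_url"] = form["feed_url"]
    return True


def demo() -> dict:
    """Replay one cross-site request and one genuine form submission."""
    # The browser attaches the cookie to a cross-site request automatically,
    # but another site cannot read the token out of the admin page.
    forged = {"feed_url": "https://feeds.example.net/other"}
    genuine = {"feed_url": "https://feeds.example.com/new",
               "csrf_token": issue_token("sess-admin", "save_settings")}
    results = {"vulnerable_accepts_forged":
               save_settings_vulnerable("sess-admin", forged)}
    SETTINGS["feed_url"] = "https://feeds.example.com/original"  # reset
    results["hardened_accepts_forged"] = save_settings_hardened("sess-admin", forged)
    results["hardened_accepts_genuine"] = save_settings_hardened("sess-admin", genuine)
    results["final_feed_url"] = SETTINGS["feed_url"]
    return results


if __name__ == "__main__":
    print(demo())
```
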

WordPress 2.2.3 Released

WordPress version 2.2.3 has been released. The release is slated as a “security and bug-fix” release. Considering this fixes a few security issues, it is highly recommended that you upgrade your WP install to the latest version ASAP. Considering WordPress 2.3 is around the corner, this upgrade is probably not going to sit well with a few people.

Two of the fixes in the latest version of WP are rated as “high priority”. Those two are labeled 4704 “Invalid RSS2 Comments Feed” and 4720 “Users without unfiltered_html capability can post arbitrary html”. There were also a number of files that were changed. To see a complete list of these file changes, be sure to read WordPress 2.2.3 File Changes.

Download the latest version of WordPress here http://wordpress.org/download/ Pardon me, as I commence with the upgrade! If you don’t hear from me by Monday, you’ll know why.

WordPress 2.2.2 Released

Just wanted to pass along that WordPress 2.2.2 was released the other day. This release includes only security and minor bug fixes, so it should not cause any plugin or theme compatibility issues, and you have no good excuse not to upgrade.

Click here to see the list of bugs and security upgrades that took place. One of these fixes was a cross-site scripting vulnerability. These things are popping up all over the place.

Download the latest update here

FireFox 2.0.0.6 Released

FireFox’s built-in update checker happily notified me of the update as I was browsing around today. 2.0.0.6 contains 1 critical security fix and 1 moderate security fix.

Fixed in Firefox 2.0.0.6

  • MFSA 2007-27 Unescaped URIs passed to external programs
  • MFSA 2007-26 Privilege escalation through chrome-loaded about:blank windows

That about sums up what was contained in the update. Considering one of the flaws that was fixed is rated as critical, I advise you to upgrade as soon as possible. You can download the latest version of FireFox by clicking here

MASHup Of Problems

http://devcentral.f5.com
DevCentral has published the first in a four-part series of articles related to Web 2.0 security. DevCentral has come up with a mnemonic, MASH, that describes what each article will be about. MASH stands for:

  • More of everything.
  • Asymmetric data formats
  • Scripting based
  • Hidden URLs and code

The first article highlights the letter ‘M’: more of everything.

So what’s that mean, “more of everything”? Well, Web 2.0, whether we’re talking about applications (blogs, wikis, forums, video) or the technologies that enable the applications (AJAX, XML, RSS, RDF, etc…), simply contains more of everything than its legacy predecessors.

I encourage you to read the following article HERE as it begins to describe just how difficult it is to secure Web 2.0 applications. Securing one particular script is no big deal. Securing a plethora of scripts combined into one application is apparently another problem.