Google SSL

Posted on May 24, 2010
Filed Under Improving Security

Google has made SSL available for the .com version of its search engine. It has not yet been rolled out to the country-specific Google versions, but surely that cannot be far off.

Despite passing the search query as GET variables (i.e. the search terms are included in the URL, so you can link directly to a result page), Google assures us that the search string is not open to snooping, since the URL is carried inside the encrypted connection.

Google is making efforts to make SSL search the default soon enough, which can only be a good thing for privacy, especially when using public terminals or open wifi hotspots.

‘Sucker’ List discovered by Financial Services Authority

Posted on May 19, 2010
Filed Under The Dangers

An article on the FSA’s site shows that the scamming industry is still alive and well. 38,000 UK names have been discovered on a list used by fraudsters dealing in worthless stocks and shares.

A person (possibly someone who has previously invested in legitimate stocks) is called out of the blue and offered shares that are essentially worthless, don’t exist, or are the subject of a ‘pump and dump’ scam. High-pressure sales tactics are common. The invested money simply disappears, and when the would-be investor tries to contact the company in question they find it no longer exists.

The ‘list’ that these people find themselves on is used for repeat scams and further social engineering, as the list most likely comes with pertinent personal information, gleaned in previous conversations (even with another ‘company’), that can be used to gain the victim’s trust.

These ‘boiler room’ scams are ever more common and have, in recent years, moved towards the internet rather than cold calls, but this report makes it obvious that the industry is alive and kicking.

WEP & WPA wireless in business

Posted on May 14, 2010
Filed Under The Dangers

Most offices these days have their airspace saturated with wireless networks. It’s amazing, therefore, given the ubiquity of wireless routers and hubs, that there are still so many connections using the weakest encryption available: WEP. Possibly this is because the hardware in use only offers that encryption, but you’d be surprised how often it isn’t.

It’s quite trivial these days to crack a WEP password. A forum post I saw a couple of weeks back claimed a 12-second record! A fundamental flaw in the way WEP reuses its encryption key over and over means that if an attacker collects enough packets, the key can easily be recovered.

SPF records: the real McCoy

Posted on May 11, 2010
Filed Under Improving Security, The Dangers

If you’ve never heard of SPF (Sender Policy Framework), don’t worry, you’re probably not an email administrator. SPF was designed as an addition to the email system to prevent sender spoofing; in other words, to stop someone else sending an email while pretending to be you.

SSL certificate ssladmin social exploit weakness

Posted on May 5, 2010
Filed Under The Dangers

This morning I received an email from Globalsign, who provide some of our SSL certificates. It reminded me of a story I read a few weeks ago about a Canadian security expert testing common webmail providers to see if they would allow him to register ssladmin@ email addresses.

Password reset vulnerabilities

Posted on May 3, 2010
Filed Under Improving Security, The Dangers

Further to my post about traditional passwords, I began to think about the approaches sites commonly take to resetting passwords.

Many, as you would imagine, use a security question that was answered when the user originally signed up or registered. Mother’s maiden name, place of birth, name of first pet, favourite colour? How many distinct answers do you think there are to these common questions?

SSL certificate trust

Posted on May 3, 2010
Filed Under The Dangers

We’ve had it drilled into us for years now: if you are buying something online, look for the visual indicator in your browser that tells you the connection is secure and encrypted, ‘the padlock icon’.

In Safari it’s a padlock icon. In Firefox it’s a blue bar. In Chrome it’s a yellow background. In Internet Explorer it’s a padlock icon.

The presence of a padlock icon or visual indicator should not, however, inspire blanket trust. It is remarkably easy and extremely cheap to obtain this visual indicator.

Traditional passwords and PINs: a new solution?

Posted on May 2, 2010
Filed Under Improving Security

At 3dpixel.net we have a customer who showed us an interesting new take on online security, more specifically in the field of user authentication.

End users today have a myriad of passwords and PIN numbers to remember, and each site seems to add its own confusing rules. E.g. on some sites you have to mix letters and numbers, on others you have to use a minimum of 9 characters, etc.

pinoptic aims to solve this through the use of visual pictogram indicators that rotate each time a login is attempted. This means that while the user effectively has the same password for every attempt (derived from a memorable sentence rather than a name or number), what is actually entered in the field differs each time.

Social media and the dangers of revealing your location

Posted on May 2, 2010
Filed Under Social Media

We went on holiday last week. It was to Cyprus, thanks for asking, and yes we had a good time.

As many people do these days, I posted to Twitter / Facebook informing the social media world of my relative levels of inebriation and what I was doing that particular day.

My brother, who was with us, received a phone call halfway through the holiday from his neighbour informing him that his house had, unfortunately, been burgled.

It got me thinking. Anyone who follows me on Twitter would have known I was out of the country for a period of time. In fact, anyone who had seen my public Twitter page would have known I was away.

My address, as a director of another company, is easy to find via Companies House.

The trend for geolocation services, coupled with our public broadcasting of where we are, is worrying indeed.

Forget passwords, you are the biggest threat to yourself

Posted on May 2, 2010
Filed Under The Dangers

Social engineering: the art of obtaining details, perhaps only in part, from a target in order to impersonate them or gain access to critical information that facilitates fraudulent activity.

The stuff of cybercrime books and films? Think again. Let’s run through an example.

Your phone rings one evening, showing a ‘withheld’ or ‘unknown’ number.

‘Good evening Sir/Madam, this is Chris from <your electricity provider>, may I confirm your details before we proceed?’

In the UK at least, the above question is fairly common if you receive a phone call from a utility or phone provider. Under the Data Protection Act, the company in question needs to be sure it is talking to the correct person before discussing account information.