Secunia (a security firm) reports a new cross-browser vulnerability that allows attackers (typically phishers) to hijack a pop-up window that a site you normally trust legitimately opened in your browser.
The vulnerability can be exploited by a malicious web site to “hi-jack”
a named browser window, regardless of which web site is the true
“owner” of the window.
Secunia's advisory describes the vulnerability and includes a diagram of how it works, and you can test whether your browser is affected. The mechanism is simple: a browser window opened with a name (the second argument to window.open) can be navigated by any page that later calls window.open with the same name, so a malicious page that guesses or knows the name can replace the pop-up's content with its own. This could take phishing attacks to a whole new level. Because a high percentage of browsers are affected, and because the hijacked pop-up was opened by a trusted site in response to the user's own action, many users are likely to be tricked into entering personal information.
Not much can be done other than patching your browser once a fix is available and being on the lookout for suspicious pop-up windows, in particular ones whose contents change during page load or that suddenly ask for credentials on behalf of a site other than the one that opened them.
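To make the named-window behaviour concrete, the following is an added simulation, not code from Secunia's advisory or from any browser: it models the lookup a browser performs when a page calls window.open(url, name), first with the vulnerable rule (any open window with that name is navigated, whoever owns it) and then with the scoped rule that current browsers apply (only windows that share an opener chain, i.e. the same browsing context group, can be targeted by name; the real rule also considers origins, which this model omits). The site names, window names and URLs are constructed for the scenario. It also shows the site-side caveat that a pop-up opened with `_blank` has no name and therefore cannot be targeted this way at all.

```javascript
// Model of named-window targeting (added example; not browser or Secunia code).
// A BrowsingContext stands in for one window or tab.
class BrowsingContext {
  constructor(name, origin, url, opener = null) {
    this.name = name;      // value passed as the second argument to window.open ('' = unnamed)
    this.origin = origin;  // scheme://host of the document currently loaded
    this.url = url;        // URL of the document currently loaded
    this.opener = opener;  // BrowsingContext that opened this one, if any
  }
}

class Browser {
  constructor(mode) {
    this.mode = mode;      // 'vulnerable': match any window by name; 'scoped': same opener chain only
    this.windows = [];     // every open window, in creation order
  }

  // Root of the opener chain. Windows with the same root form one browsing context group.
  static groupRoot(ctx) {
    let c = ctx;
    while (c.opener) c = c.opener;
    return c;
  }

  // A tab the user opened directly: no name, no opener.
  openTopLevel(origin, url) {
    const ctx = new BrowsingContext('', origin, url, null);
    this.windows.push(ctx);
    return ctx;
  }

  // Simulates `caller` executing window.open(url, name).
  windowOpen(caller, url, name) {
    const origin = new URL(url).origin;
    if (name === '' || name === '_blank') {
      // Unnamed windows can never be found by a later lookup by name.
      const fresh = new BrowsingContext('', origin, url, caller);
      this.windows.push(fresh);
      return fresh;
    }
    let target = null;
    for (const w of this.windows) {
      if (w.name !== name) continue;
      if (this.mode === 'vulnerable') { target = w; break; }
      // Scoped rule: the name is only visible within the caller's browsing context group.
      if (Browser.groupRoot(w) === Browser.groupRoot(caller)) { target = w; break; }
    }
    if (target) {
      // Navigating an existing named window replaces its document regardless of origin.
      target.url = url;
      target.origin = origin;
      return target;
    }
    const fresh = new BrowsingContext(name, origin, url, caller);
    this.windows.push(fresh);
    return fresh;
  }
}

// Constructed scenario: a trusted bank tab and an unrelated attacker tab are open side by side.
// The bank opens a pop-up named `popupName`; the attacker then targets the name 'loginWindow'.
function hijackScenario(mode, popupName = 'loginWindow') {
  const browser = new Browser(mode);
  const bankTab = browser.openTopLevel('https://bank.example', 'https://bank.example/');
  const attackerTab = browser.openTopLevel('https://attacker.example', 'https://attacker.example/');

  const popup = browser.windowOpen(bankTab, 'https://bank.example/login', popupName);
  const result = browser.windowOpen(attackerTab, 'https://attacker.example/fake-login', 'loginWindow');

  return { hijacked: result === popup, popupUrl: popup.url, popupOrigin: popup.origin };
}
```

Running hijackScenario('vulnerable') reports the bank's pop-up now showing the attacker's URL, which is exactly what the advisory describes; hijackScenario('scoped') leaves the pop-up untouched because the attacker's tab is not in the bank pop-up's browsing context group; and hijackScenario('vulnerable', '_blank') shows that even a vulnerable browser cannot redirect a pop-up that was never given a name.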
Microsoft and its chairman are apparently trying to steer the security focus in a different direction: passwords. Bill Gates recently argued that weak passwords are one of the main security threats and that biometric and smart-card authentication should be adopted more widely.
“Moving to biometric and smart cards is a wave that is coming, and we see our leading customers doing this,” Gates told attendees at the IT Forum in Denmark last month. “In time, we will completely replace passwords.”
While Gates is probably on the right track [again] as far as vision goes, I am not sure that in this day of extreme server and client application insecurity we need to shift our focus elsewhere. We should seek and adopt alternative ways to authenticate users, especially the ones who use ‘password’ as their password, but the focus should still be on building harder-to-penetrate operating systems, routers, and server applications. Although passwords are a very weak link in the security chain, they are arguably not the weakest.
In a rare criminal charge under the Digital Millennium Copyright Act, Yahoo News reports that federal authorities have raided a video game store and arrested two people for modifying video game consoles to play pirated games. It appears they fitted Xbox consoles with larger hard drives so that users could copy (or cache) their games onto them.
The charges are conspiracy to commit copyright infringement and conspiracy to traffic in a device that circumvents technological protection measures. Both charges are under the DMCA.
Former CIA director George Tenet has made what some would call a fairly dramatic statement. Speaking at an information security conference in Washington, DC, Tenet said that Internet access should be restricted for those who cannot properly secure their infrastructure and thereby provide a backdoor for cybercriminals, terrorists, spies, you name it. Arguing that the Internet is the United States’ Achilles’ heel, Tenet said,
I know that these actions will be controversial in this age when we
still think the Internet is a free and open society with no control or
accountability but ultimately the Wild West must give way to
governance and control.
Tenet also argued that one of the major problems is the way the Internet was built. The idea of an open and free network has been one of the driving forces behind the growth of the Internet as we know it today, but at some point there must be a balance between freedom and openness of use and the threat to everybody who is connected to and relies on the network. It is ironic that the modernization and improvement of major technologies increases their reliance on the network, which in turn makes those new technologies more vulnerable and less reliable.
While advocating security awareness among users and the technology industry is one way to start addressing the Internet’s security problems, the better and harder way is to start replacing and building infrastructure which, while keeping access as open as possible, limits the possibility of misuse. This involves a tough balancing act between the need for a free and open medium of communication and the need for a closed and secure one.
Via Slashdot.
Jail time is what a new Ohio law provides for some of the worst spammers operating in the state. [Yahoo News story] The bill, passed by the Ohio Senate and House, is awaiting the governor’s signature. It provides very harsh measures for people who send out deceptive or misleading ads and junk email: the harshest penalty is six months in prison and fines of up to $25,000, while at the lower end each spam email could cost violators between $2 and $8.
Called one of the toughest anti-spam measures in the country, the law puts Ohio alongside Virginia, Maryland, and North Carolina, which already have tough anti-spam laws. It is interesting to note that one year after CAN-SPAM went into effect there is no noticeable decrease in spam, and states are trying to pass legislation to deal with the problem while staying clear of conflict with the federal law. It will be interesting to see when, and if, Ohio’s law enforcement uses the new legislation to prosecute spammers.
Among the seemingly predominant news of ever-increasing intensity and sophistication of online fraud and phishing, there is a piece of good news. A new website (https://www.annualcreditreport.com/), run by the three major credit reporting agencies, Experian, Equifax, and TransUnion, was launched recently and allows consumers to access their credit reports online for free (as opposed to paying the fee of $15 or so). The site was prompted by a law passed last year, the Fair and Accurate Credit Transactions Act, which requires the three agencies to provide one free credit report per person per year.