After a nice review of the new Netscape 8 browser, and only one day after its release, AOL has issued a critical patch plugging some of the holes that were recently discovered in Firefox 1.0.2. I wonder why AOL didn't patch Netscape 8 before its release, since the patched Firefox 1.0.3 shipped before Netscape 8 did. Had AOL done this, they could have saved themselves the embarrassment of patching their browser after only one day on the market.
"We had been misinformed by an external security vendor that the Firefox security issues did not affect us," Netscape spokesman Andrew Weinstein said Friday. "Within hours of discovering that the vendor was not accurate, we had addressed those issues and posted an updated version of the browser."
This excuse sounds ok, but still…
[Via CNET News.com -]
Is it time to tweak the CAN-SPAM Act of 2003? Slashdot discusses a recent proposal by the FTC for changes in the anti-spam legislation that sparked (and continues to fuel) controversy over whether it is sufficient to deter spammers.
[Via Slashdot -]
People are clicking on those phish links, after all, despite increased education and security efforts by the financial and IT industry.
The Honeynet Project's study of phishing scams hosted on cracked web servers documented two recent attacks that attracted hundreds of click-throughs from unknowing users. A UK site mimicking a major US bank received 256 visits in 4 days, while a compromised German server redirected 721 users in just 36 hours to a PayPal phishing site hosted in China.
[Via Netcraft, UK -]
Interesting editorial by Jon Oltsik about the renewed interest in enterprise access control systems. Jon's point is well taken: if you do business with suppliers, contractors, offshore workers, and customers, you should have in place a system that grants access to electronic resources based on each user's needs. A single username and password that unlocks the whole resource is no longer acceptable.
If you want to let outsiders–that is, customers, offshore developers, suppliers and so on–use applications to boost productivity, you had better know who they are, define what they can do and watch every move
[Via CNET News.com -]
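To make Oltsik's three requirements concrete (know who the outsider is, define what they can do, watch every move), here is an added example, not code from the original post or from the editorial it discusses. It replaces the "one password for the whole resource" model with a deny-by-default permission table keyed by role, and records every decision in an audit log. All users, roles, resources and actions are constructed for illustration.

```python
"""Scoped access control for external users: identify, authorize, audit.

Added example (not from the original post or the editorial it discusses).
Every caller is identified, every request is checked against an explicit
per-role permission table, and every decision is recorded. All users, roles,
resources and actions below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy: role -> set of (resource, action) pairs that are allowed.
# Anything not listed here is denied (deny by default).
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "supplier":   {("purchase_orders", "read"), ("invoices", "write")},
    "contractor": {("source_repo", "read"), ("build_server", "write")},
    "customer":   {("support_tickets", "read"), ("support_tickets", "write")},
}

# Constructed user directory: user -> role. An unknown user has no role and
# therefore no access; there is no shared credential that unlocks everything.
USERS: Dict[str, str] = {
    "acme-supplier": "supplier",
    "dev-offshore":  "contractor",
    "jane-customer": "customer",
}


@dataclass
class AccessControl:
    audit_log: List[str] = field(default_factory=list)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        """Return True only if the user's role explicitly permits the action."""
        role = USERS.get(user)
        allowed = role is not None and (resource, action) in POLICY.get(role, set())
        # Log allows and denies alike, so each outsider's moves can be reviewed.
        self.audit_log.append(
            f"user={user} role={role or '-'} resource={resource} "
            f"action={action} decision={'ALLOW' if allowed else 'DENY'}"
        )
        return allowed


def demo() -> List[bool]:
    """Run a few constructed requests and return the decisions in order."""
    ac = AccessControl()
    results = [
        ac.is_allowed("acme-supplier", "purchase_orders", "read"),   # in scope
        ac.is_allowed("acme-supplier", "source_repo", "read"),       # out of scope
        ac.is_allowed("dev-offshore", "build_server", "write"),      # in scope
        ac.is_allowed("dev-offshore", "invoices", "write"),          # out of scope
        ac.is_allowed("unknown-user", "support_tickets", "read"),    # unknown identity
    ]
    for line in ac.audit_log:
        print(line)
    return results


if __name__ == "__main__":
    demo()
```

The important property is the default: a request that matches nothing in the table is refused, and the refusal is still logged, which is what lets you spot an outsider probing beyond the scope they were given.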
MA Attorney General, using information obtained by Microsoft, recently filed suit against an Internet spam ring operating near Boston touting everything from miracle drugs to get-rich-quick schemes.
The lawsuits target seven individuals and two companies that sent "hundreds of millions" of email messages worldwide through domains registered in Monaco, Australia, and France.
Another lawsuit against spammers, and yet the level of spam worldwide has barely budged. Are these lawsuits effective, other than for generating favorable publicity for the sponsoring Attorney General and the cooperating ISP?
[Via CNET News.com -]
Put your spyware on my machine and I will seize your BMW. Or at least the FTC will.
U.S. Sen. George Allen (R-Va.) wants the federal government to seize the profits of companies and individuals secretly installing spyware on computers. He’s also seeking significantly higher civil and criminal penalties for those trafficking spyware. Sen. Allen’s bill seeks to reinforce the authority of the FTC to go after spyware providers by giving them broader authority over this type of cyber crime.
"Federal officials believe that they already have adequate authority under existing statutes to prosecute spyware purveyors," Allen said. "Law enforcement is not stymied by the lack of federal jurisdiction, but rather from the lack of overall resources."
According to Allen, the FTC Act and the Computer Fraud and Abuse Act already provide enough legal "bite," what is needed is adequate resources and penalties to allow the FTC to effectively combat the problem.
Browser wars anyone? With AOL releasing a promising version of Netscape 8, Microsoft getting ready to release IE 7, and Firefox, now with IBM's endorsement, continuing to "eat" into IE's market share, are we in for another round of the browser wars?
Phishing gets more sophisticated. News.com reports on a new targeted phishing attack that uses stolen personal data to trick users into following the phish trail and entering additional personal information. The mass-mailing approach phishers have used so far is now the target of many security and ISP companies' prevention efforts. A targeted phish, on the other hand, which offers a piece of the user's own personal information as a lure, is likely to have a much higher response rate.
According to Cyota, the phishing e-mails arrive at bank customers’ in-boxes featuring accurate account information, including the customer’s name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.
"The attacks take advantage of poor technological defenses and continued consumer vulnerability, and evidence the work of an organized group with real research-and-development resources," Orad [Cyota co-founder] said. "So far, the success rates that we've seen are amazing. People are expecting to see a crude attack that tries to steal their information; they're not expecting to see this much real information as part of the
The war continues. In the meantime, if you see your credit card number in an email in your inbox - think twice before you enter your expiration date on a linked website.
Can Microsoft pull it off this time? Not long after pulling the plug on its Passport digital ID system, which promised a single ID for all users, Microsoft is in another digital ID project. Although there is not much detail at this point, the new plan is not about building an infrastructure to hold separate IDs, as Passport did; instead it will try to create a single meta directory that allows interoperability between various other systems.
The resulting improvements in cyberspace would benefit everyone, making the Internet a safer place with the potential to boost e-commerce, combat phishing, and solve other digital identity
Essentially, Microsoft will try to standardize the interfaces to many other digital ID systems, thus allowing communication with an authentication system using a standardized protocol. Nice idea, but for a proper implementation Microsoft will need to secure the cooperation of the major ID providers.
[Via eWeek, MA -]
US Senator Stevens (R-Alaska) asked his staff to steal his identity online.
"I regret to say they were successful," the senator reported at a hearing he held last week on data theft.
His staff, Stevens reported, had come back not just with digital bread crumbs on the senator, but also with insights on his daughter's rental property and some of the comings and goings of his son, a student in California.
"For $65, they were told they could get my Social Security number," he
By tapping into data brokers such as ChoicePoint and LexisNexis, almost anyone can obtain information on anyone. And competition among the data brokers drives the price of a query ever lower, making it ever easier for criminals to 'digitize' their efforts and better target their activities. Senator Stevens may be on the right track, but does it take a Senator's stolen identity to speed up personal data protection efforts?
[Via CNET News.com -]