Tom Espiner

Security Bullet In

Communiques from the security front, sir

Friday 26 January 2007, 10:44 AM

Maine rejects Real ID Act

Posted by Tom Espiner

Dissension in the ranks! Maine overwhelmingly rejected federal requirements for US national identification cards on Thursday, marking the first formal state opposition to controversial legislation scheduled to go into effect for Americans next year.

CNet News.com report here.

Wednesday 10 January 2007, 12:43 PM

McAfee spam advice

Posted by Tom Espiner

McAfee on Wednesday issued advice on how to minimise the amount of spam you or company employees receive:

1. Never respond to spam. If you reply, even to request removing your e-mail address from the mailing list, you are confirming that your e-mail address is valid and the spam has been successfully delivered to your inbox. Lists of confirmed e-mail addresses are more valuable to spammers than unconfirmed lists, and are frequently bought and sold by spammers.

2. Check to see if your e-mail address is visible to spammers by typing it into a web search engine. If your e-mail address is posted to any websites or newsgroups, remove it if possible to help reduce how much spam you receive.

3. Disable in-line images, or do not open spam messages. Frequently spam messages include "web beacons" enabling the spammer to determine how many, or which e-mail addresses have received and opened the message. Most current e-mail programs disable in-line images by default to prevent this from occurring.

4. Do not click on the links in spam messages, including unsubscribe links. These frequently contain a code that identifies the email address of the recipient, and can confirm the spam has been delivered and that you responded.

5. When unsubscribing from email, the main rule to follow is: if you didn’t originally opt-in to receive it, or if you don’t recognise the sender/company sending the email, then don’t unsubscribe. Trying to unsubscribe from one email can start a flood of mail from other sources, so if you are unsure, it is best not to unsubscribe and block the mail another way. When unsubscribing from mail always check that the links in the email go to the correct company website and not a phishing site.

6. When filling in web forms, check the site’s privacy policy to ensure it will not be sold or passed on to other companies. There may be a checkbox to opt out of third party mailings.

7. Do not respond to email requests to validate or confirm any of your account details. Your bank, credit card company etc. already have your account details, and would not need you to validate them. If you are unsure if a request for personal information from a company is legitimate, contact the company directly or type the website URL directly into your browser. Do not click on the links in the email, as they may be fake links to phishing Web sites.

8. If you have an email address that receives a large amount of spam, consider replacing it with a new address and informing your contacts of the new address. Once you are on lots of spammers’ mailing lists, it is likely that the address will receive more and more spam.

9. Set up two email addresses, one for personal email to friends and colleagues, and use the other for subscribing to newsletters or posting on forums and other public locations. If you have a more complex email address, it is less likely to receive spam.

Tuesday 9 January 2007, 5:34 PM

MI5 to send out threat level emails

Posted by Tom Espiner

According to Sky News, spooks are to start sending out emails warning if there is an increase in terrorist threat levels, once people have signed up for the service.

I have reservations about opening up yet another social engineering scam possibility. People might be more willing to click through from a link in an email purporting to be from MI5, rather than from a bank they're not a customer with. I wonder when we'll see the first spam...

Of course, if we had never followed Bush into this mess in Iraq to begin with (due to faulty intelligence??), and instead spent the money on bettering our intelligence and to engage in building better relations at home and abroad, perhaps we wouldn't now need emails warning us of terrorist threat levels...

Friday 5 January 2007, 5:29 PM

Ajax scripting vulnerability

Posted by Tom Espiner

According to an article on Techworld.com, a server-side vulnerability has been identified in Ajax.

Tuesday 2 January 2007, 3:46 PM

Gmail flaw fixed?

Posted by Tom Espiner

It is still uncertain how serious a JavaScript flaw in Gmail is, and whether it has been fixed completely. The flaw allows spammers to harvest contact details from a user's account by launching a cross-site scripting attack.

To exploit the flaw, the hacker adds a piece of code to their website server, which in turn gives them access to the Gmail contacts of passing browsers, if users are signed in to their Gmail account.

There is some speculation about how serious a flaw this is, and whether there has been a complete fix. According to ZDNet blogger Garrett Rogers, Google has partially sorted out the problem.

"The problem is only partially fixed. The vulnerability exposed through video.google.com has been patched up, but there are other subdomains where the problem still exists," said Rogers in his blog.

Google was unavailable for comment at the time of writing.

