
There are many vulnerabilities out there, hackers, phishers – you name it.  It certainly doesn’t help that browsers are the key to get at your data.  But there are simple steps you can take NOW to protect yourself.

Step #1 – Stop Phishing

Keep passwords private – don’t reveal them!  Not even to family or close friends. Of course you trust your family and friends but once revealed you can never be sure that they will not unwittingly reveal your password to someone else. There may be occasions, due to sickness or accident for example, when you have to allow family or close friends to access some on-line accounts. Following such occasions you should change your passwords as soon as practically possible.

 

Step #2 – Stop Phishing

Use secure passwords. Never use a password such as your middle name, your pet’s name, your birthday etc. These may be easy to guess. Nor should you use any word that exists in the dictionary. A good password uses a combination of letters and numbers and symbols. It’s possible to create such passwords in an easy to remember format. For example, the password A$4A10c looks quite random but may be remembered as “A dollar for a dime”.

Step #3 – Stop Phishing

Use good security software (anti-virus, anti-spyware, anti-spam, firewall) and don’t forget to keep it updated.

Step #4 – Stop Phishing

Always, always, ALWAYS use the most current versions of Internet browsers. Most of the current versions contain their own anti-phishing filters and blacklists to help keep you safe.

Step #5 – Stop Phishing

Never click a link in an email that looks suspicious. This is a classic phishing trick: phishers label the link to their phishing website with a real address, so the link looks like one for your bank or credit card company. Instead of clicking, open your Internet browser and type in the website address shown in the email.

Credit card companies, YOUR BANK, banks you’ve never dealt with will NEVER, EVER send you a personal e-mail asking for information.  Check your financial institution’s e-mail policy, but most are quite standard in the banking industry.

Step #6 – Stop Phishing

Regularly check your on-line accounts. Log on to your account and investigate any action that you don’t recognize. It may just be that the details of a retailer transaction are not easily recognizable so investigate before you take action.

This is VERY important.  You should be checking your accounts regularly.  Credit card companies go one better on this: they have very sophisticated software that tracks purchases and can almost assign a “biometric fingerprint” to how you make your purchases.

For example, recently I filled my car with gas and used a credit card to pay for the purchase.  I realized I needed something else, so went into the store and the clerk cancelled the gas purchase so I could make the additional purchase.  He then recharged my card, but immediately my credit card company put my card on hold.  Within 1 hour of the incident they called me on my cell phone to confirm whether it was me that made the purchase and if I was aware of the subsequent credit and re-purchase.  They’re good.  Damn good!

Robert Benjamin


Yet Another Reason To Upgrade Your Browser

The browser wars are all but over, and though there may be a blurry winner one thing is for certain — many of the older browser versions contained bugs.  Lots of bugs.  Especially important are the security bugs.  You know the ones, they can allow hackers to gain access to your PC or other nefarious things.  So what’s a guy to do?  Simple.  Upgrade.  You should always be running the latest versions of your favourite browser PLUS ensure that you’ve got all the security fixes and patches.

There are dozens upon dozens of browser vulnerabilities.  I did a quick google search on vulnerabilities by browser and found a few resources.  This is by no means exhaustive, but useful.  What I was really searching for was a table that would show me the different versions of Microsoft Internet Explorer, FireFox and all the other browsers out there along with the version number(s) of the browsers, counts of browser vulnerabilities  and worst type of browser vulnerability.  Couldn’t find something exactly like that…

Sans.org had this to say about client side browser vulnerabilities:

Client-side Browser Vulnerabilities in:

C1. Web Browsers

C1.1 Description

Microsoft Internet Explorer is the world’s most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.

Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting the browser vulnerabilities typically host several exploits, and even launch the appropriate exploit(s) based on which browser the potential victim is using.

With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.

In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on vulnerable systems.

So how does this impact you?  Well, if I need to tell you this then you’re loooong gone.  :-)

Seriously though, now PayPal is getting into the fray.  They’ve recently announced that they will cease support for older browsers and Safari – meaning that they will block access to PayPal for users that still use these browsers.

Under PayPal’s plan, Apple Inc.’s Safari would be banned completely, while only older versions of its rivals Microsoft Corp.’s Internet Explorer and Mozilla Corp.’s Firefox would be barred.

PayPal did not specify a timetable when it would switch on its browser blocking, and did not reply to a request for one on Friday. Apple also did not respond to an e-mail asking for comment.

Most recently I’ve read that, instead of using the word “blocks”, they are now saying that they are “considering blocking”, which is a big change.

I was expecting to see something on their blog, but alas nothing was posted there – but there was a post by their CIO – http://www.thepaypalblog.com/weblog/2008/04/a-practical-app.html.

The announcement was made in a PDF paper for the RSA Conference.

Enjoy the read!

Mohamed
