Gmail Security Checklist

October 18, 2010 – 6:57 AM

Whether you just regained access to Gmail, or you want to make sure your account is secure, take a minute to complete our Gmail security checklist to make sure your mail security measures are up to date.

Source:
https://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488

Private browsing: it’s not so private

August 13, 2010 – 5:50 AM

Research by Stanford University to investigate the privacy of the “private browsing” feature of many Web browsers suggests that the tools aren’t all that private after all, and that many kinds of information can be leaked by browsers when using the mode.

The paper is due to be presented next week at the USENIX security conference.

“InPrivate Browsing” in Internet Explorer, “Incognito mode” in Chrome, and “Private Browsing” in Firefox and Safari all strive to do the same two things: make it impossible for users of the same computer to figure out which sites the browser has been used to visit, and make it impossible for sites to know whether or not a particular user has previously visited them.

To keep browsing private from other users of the same machine, browsers must discard (or avoid creating) any history entries, cached items, cookies, and so on. To prevent sites from being able to track visitors, the browsers must ensure that they don’t send any cookies or other identifiable information from non-private sessions when in private mode.

The researchers found that the browsers’ protections were imperfect. Browsers did not properly isolate their private sessions from non-private ones, with the result that suitably crafted sites could trace visitors between private and non-private sessions. Sites could also leave persistent indications that they had been visited, allowing visits to be detected by local users.

Source:
http://www.malwarecity.com/news/private-browsing-its-not-so-private-883.html

OpenDNS Can Help Protect Against DNS Rebinding Attacks

July 31, 2010 – 12:06 PM

This feature has been around for a while, but I wanted to make sure everybody knows that if you are an OpenDNS customer you have a nice option in your Control Panel to help protect against DNS Rebinding attacks. This feature is turned off by default, but you can enable it in the Settings > Security area for your particular network:

You can read more about DNS Rebinding attacks here:
https://secure.wikimedia.org/wikipedia/en/wiki/DNS_rebinding
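
What such a resolver-side option actually has to do is refuse answers that map a public name onto an address inside your own network. The following is an added example, not OpenDNS's code: a small Python filter in the same spirit (dnsmasq's --stop-dns-rebind works the same way), run over a constructed rebinding sequence in which the attacker's name first points at their own server and then, after the TTL expires, at the victim's router. The internal-suffix allowlist and the host names are this example's own assumptions.

```python
"""Added example, not OpenDNS's code: a resolver-side DNS rebinding filter.

It mirrors what the Control Panel option described above is there to do
(the same idea as dnsmasq's --stop-dns-rebind): a public name that
resolves to a private, loopback or link-local address is dropped before
the browser can reuse its same-origin trust against a device on the LAN.
The internal-suffix allowlist is this example's own addition.
"""
import ipaddress

# Ranges a name served from the public Internet should never resolve to.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:192.168.1.1).

    Without this, the mapped form would not match any IPv4 range and the
    filter could be bypassed with an AAAA record.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_rebinding_target(addr):
    """True if the address lies in a range the filter refuses to return."""
    ip = normalize(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_answers(qname, answers, internal_suffixes=()):
    """Split a response's addresses into (kept, dropped).

    Names under an internal suffix (e.g. ".corp.example", which legitimately
    resolve to RFC 1918 space) are passed through untouched.
    """
    name = qname.lower().rstrip(".")
    if internal_suffixes and name.endswith(tuple(internal_suffixes)):
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_rebinding_target(addr) else kept).append(addr)
    return kept, dropped


# Constructed rebinding sequence (sample data, not a real capture): the
# attacker's name first points at their own server, then after a short TTL
# at the victim's router, then at an internal host via a mapped address.
ATTACK_SEQUENCE = [
    ("evil.example", ["203.0.113.10"]),
    ("evil.example", ["192.168.1.1"]),
    ("evil.example", ["::ffff:10.0.0.5"]),
]


def simulate(sequence, internal_suffixes=(".corp.example",)):
    """Run each response through the filter; returns (qname, kept, dropped) per step."""
    return [(qname,) + filter_answers(qname, answers, internal_suffixes)
            for qname, answers in sequence]


if __name__ == "__main__":
    for qname, kept, dropped in simulate(ATTACK_SEQUENCE):
        print(f"{qname}: returned {kept or 'nothing'}, blocked {dropped or 'nothing'}")
```

The first answer is passed through, so the attacker's page loads normally; the second and third are dropped, so when the page's script reconnects to "evil.example" it never reaches 192.168.1.1 or 10.0.0.5. Note the trade-off the allowlist exists for: any internal name you serve from a public zone will be blocked too unless you carve it out.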

Most SSL Sites Poorly Configured

July 31, 2010 – 8:16 AM

The good news about SSL-based websites: Most are running strong encryption. The bad news: More than 60 percent aren’t properly configured.

Researcher Ivan Ristic, who is director of engineering, Web application firewall, and SSL at Qualys, revealed findings here yesterday from a study he conducted of some 120 million registered domain names. Ristic found that 20 million of them support SSL, but only 720,000 of these have potentially valid SSL certificates. “That’s a very small percentage, but it doesn’t really mean anything apart from that a fraction of sites use SSL, which we’ve known,” Ristic says.

Among the more telling findings: half of all the SSL sites still support SSLv2, an older version of the protocol that is known to be insecure. Only 38 percent of all SSL sites are actually configured well, Ristic says, and 32 percent are still exposed to the previously disclosed renegotiation vulnerability in the protocol.
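
Those three findings (SSLv2 support, the renegotiation flaw, cipher strength) are exactly the things a practitioner checks with `openssl s_client` against their own hosts. The following is an added example, not the article's or Qualys' code: it parses the relevant lines of s_client output from two probes per host (one with `-ssl2`, one plain), reports each host's issues, and tallies a small survey in the same percentage terms the article uses. The probe outputs and host names are constructed by hand so it runs offline; the line formats are the ones s_client prints.

```python
"""Added example, not the article's or Qualys' code: grade TLS servers from
`openssl s_client` output against the three findings above (SSLv2 support,
the renegotiation flaw, cipher strength) and tally a survey the way the
percentages in the article are expressed.

The probe outputs below are constructed by hand so the example runs
offline; the line formats ("Protocol  :", "Cipher    :",
"Secure Renegotiation IS supported") are the ones s_client prints.
"""
import re

ISSUE_SSLV2 = "SSLv2 accepted"
ISSUE_RENEG = "secure renegotiation (RFC 5746) not supported"

# Substrings that mark export-grade, null, anonymous or single-DES suites.
WEAK_CIPHER_MARKERS = ("EXP", "NULL", "ADH", "RC2", "DES-CBC-SHA", "DES-CBC-MD5")


def parse_s_client(output):
    """Extract protocol, cipher and renegotiation status from one s_client run."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    cipher_name = cipher.group(1) if cipher else None
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher_name,
        "secure_renegotiation": "Secure Renegotiation IS supported" in output,
        # A refused handshake prints an error and/or a null cipher.
        "handshake_ok": ("handshake failure" not in output
                         and cipher_name not in (None, "0000", "(NONE)")),
    }


def assess(probes):
    """probes: {"ssl2": output of `openssl s_client -ssl2 -connect host:443`,
                "default": output of `openssl s_client -connect host:443`}.
    Returns the list of issues; an empty list means "well configured"."""
    ssl2 = parse_s_client(probes["ssl2"])
    default = parse_s_client(probes["default"])
    issues = []
    if ssl2["handshake_ok"]:
        issues.append(ISSUE_SSLV2)
    if not default["secure_renegotiation"]:
        issues.append(ISSUE_RENEG)
    cipher = default["cipher"] or ""
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        issues.append("weak cipher negotiated: " + cipher)
    return issues


def survey(sites):
    """Fractions of sites with each problem, as in the article's figures."""
    findings = {host: assess(p) for host, p in sites.items()}
    n = len(findings)
    return {
        "well_configured": sum(not i for i in findings.values()) / n,
        "sslv2": sum(ISSUE_SSLV2 in i for i in findings.values()) / n,
        "insecure_renegotiation": sum(ISSUE_RENEG in i for i in findings.values()) / n,
        "findings": findings,
    }


# Constructed probe output for four imaginary hosts (not real captures).
SAMPLE_PROBES = {
    "bank.example": {
        "ssl2": "CONNECTED(00000003)\nerror:ssl handshake failure\n",
        "default": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                   "    Protocol  : TLSv1\n    Cipher    : DHE-RSA-AES256-SHA\n"
                   "Secure Renegotiation IS supported\n",
    },
    "legacy.example": {
        "ssl2": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                "    Protocol  : SSLv2\n    Cipher    : DES-CBC3-MD5\n",
        "default": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                   "    Protocol  : TLSv1\n    Cipher    : AES128-SHA\n"
                   "Secure Renegotiation IS NOT supported\n",
    },
    "shop.example": {
        "ssl2": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                "    Protocol  : SSLv2\n    Cipher    : 0000\n",
        "default": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                   "    Protocol  : TLSv1\n    Cipher    : RC4-SHA\n"
                   "Secure Renegotiation IS supported\n",
    },
    "export.example": {
        "ssl2": "CONNECTED(00000003)\nerror:ssl handshake failure\n",
        "default": "CONNECTED(00000003)\n---\nSSL-Session:\n"
                   "    Protocol  : SSLv3\n    Cipher    : EXP-RC4-MD5\n"
                   "Secure Renegotiation IS NOT supported\n",
    },
}

if __name__ == "__main__":
    result = survey(SAMPLE_PROBES)
    for host, issues in result["findings"].items():
        print(host, "->", issues or "well configured")
    for key in ("well_configured", "sslv2", "insecure_renegotiation"):
        print(f"{key}: {result[key]:.0%}")
```

The two-probe split matters: the `-ssl2` run tells you whether the server will still complete an SSLv2 handshake at all, while the renegotiation line only appears on the default run because the RFC 5746 extension is part of the TLS handshake. A null cipher (`0000`) in the SSLv2 probe counts as a refusal, not as support.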

Meanwhile, researchers Robert “RSnake” Hansen and Josh Sokol here yesterday detailed some 24 man-in-the-middle (MITM) based exploitation techniques against HTTPS/SSL in browsers. Among them: cookie poisoning and injecting malicious content into browser tabs. The researchers warned that HTTPS can’t guarantee confidentiality and integrity in the browser.

Source:
http://www.darkreading.com/securityservices/security/vulnerabilities/showArticle.jhtml?articleID=226400077

171 Million Facebook Profiles Scraped

July 27, 2010 – 6:22 PM

Turns out that Facebook has a directory where you can get a list of all searchable FB users:

https://www.facebook.com/directory

That directory has now been scraped, and the resulting torrent file is available for download to anybody who wants it.

More info:
http://www.skullsecurity.org/blog/?p=887