Private Browsing and the Enterprise

The rumors were right: Internet Explorer 8 will have new privacy features akin to those in Apple Safari. What role should they play in the enterprise?

InPrivate Browsing (“Private Browsing” was already taken by Apple) lets the user control whether or not IE saves potentially privacy-related data, including cookies (all cookies become session cookies), history entries, form data, search entries, passwords, stuff like that. And all temporary files are deleted when the window is closed.

Delete Browsing History is a new dialog box, analogous to Firefox’s Clear Private Data (click Ctrl-Shift-Del for it), puts the manual clearing of potentially privacy-related data into one convenient dialog box. I’ve complained in the past about how this feature works in Firefox 3, and it looks like Microsoft is planning to borrow some of the behavior I complained about. Private items like cookies won’t be deleted if they are in your Favorites and the “Preserve favorite Web site data” box is checked, but at least the configuration of this is both possible and obvious.

InPrivate Blocking let you control how sites monitor you through non-cookie methods. The browser keeps a record of such items and (if you have the InPrivate mode turned on) automatically blocks tracking scripts that have tracked you across more than 10 sites. You can manually control this behavior as well. Related to this, InPrivate Subscriptions are RSS feeds of regular expressions that describe links to block or allow.

Source:
http://www.eweek.com/c/a/Security/Private-Browsing-And-The-Enterprise/?kc=rss

Posted in Internet, Privacy, Security, Windows | No Comments

Massive iPhone Security Flaw Exposes All Private Data

You’re a smart, safety conscious iPhone user, right? You keep the phone set to require a 4-digit passcode every time it wakes up, so if you ever lose your baby, all your personal information is safe. But if you are running v2.0.2 of the iPhone operating system, you might as well not bother. A simple hack will get anybody past your PIN code with free access to all your mail, contacts and bookmarks. Ouch!

Acting on a tip from the Mac Rumors forums, Gizmodo’s Jesus Diaz whipped up a video of the exploit in action, a ridiculously easy two step process:

1. Tap emergency call.

2. Double tap the home button.

This drops you into the iPhones “favorites” section. From here you can make calls or send email, and with a few steps you can browse to the Address Book and then on to Mail, Safari or the SMS application. Jesus gives us a workaround (set the home button’s double-tap to something else, either “Home” or “iPod” and you’re safe) but this is exactly the sort of thing Apple doesn’t want to happen. It hardly inspires credibility for the iPhone as a secure business device.

We expect it’ll be fixed in v2.1, or maybe Apple will roll out a 2.0.3 update to fix it. Until then, we can add it to the long list of Apple’s iPhone 3G embarrasments.

Source:
http://blog.wired.com/gadgets/2008/08/massive-iphone.html

Posted in General BS, Hardware, Internet, Privacy, Security | No Comments

Build your own free security suite

Do-it-all suites are the name of the security game these days. Sure, you can gather free programs that cover the bases much as a suite would, but who wants to bother with finding out which apps work together and which ones might leave you pulling your hair out?

We do. And what’s more, we did–all so that you could have an easy-to-follow guide to building your own free suite.

We tested the following applications on Windows XP; not all of them work under Vista, but we’ve suggested replacements that you can consider if you’re on the newer OS. Bear in mind that these downloads are free only for home use.

Source:
http://www.networkworld.com/news/2008/082708-build-your-own-free-security.html?fsrc=rss-security

Posted in Internet, Privacy, Security, Software | No Comments

Firefox extension protects against man-in-the-middle attacks

Researchers at Carnegie Mellon University have released an extension for Firefox 3 that can protect wireless network users from so-called “man-in-the-middle” attacks.

The software, dubbed “Perspectives,” is available for download for free.

Perspectives also protects against attacks that exploit a recently exposed flaw in the DNS system, which translates Web addresses into numerical IP addresses, said Dave Andersen, a computer science professor at Carnegie Mellon who was an adviser on the Perspectives project.

In an attack on the DNS system, someone typing in a legitimate Web address could be redirected to a malicious site without knowing it. Perspectives would pop up a warning to the Web surfer that the site they are going to is suspicious.

In general, Perspectives is designed to guide Web surfers away from malicious sites. It also is designed to assure surfers when they visit sites that are safe but which Firefox warns about because the sites are not paying a third-party Certificate Authority, such as VeriSign, to authenticate the sites and instead are using “self-signed” digital certificates, also known as keys.

Signing up with a Certificate Authority can be expensive and time-consuming, so some sites prefer to do it themselves, Andersen said. If they do, Firefox penalizes them by displaying an error message that says the browser is unable to verify that the site can be trusted.

The messages leave Web surfers confused and they may either avoid a legitimately safe site or get used to automatically accepting certificates with the warning and inadvertently trust a malicious site at some point.

Source:
http://news.cnet.com/8301-1009_3-10026617-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

Posted in Internet, Networking, Privacy, Security | No Comments

Phishers Bite Back with Malware Exploits Linked to Keywords

Criticize the people behind the Asprox botnet, and they take it personal—so much so that they will bombard you with malware, according to a report by SecureWorks.

The botnet, now at least 50,000-strong with bots, is sending out phishing e-mails posing as messages from banks in the United States and United Kingdom. The links inside the e-mail lead to a page with a phishing form that reacts to both incomplete forms and forms containing certain keywords, including profanity or the word “phish.” If users who filled out the form improperly click on the “confirm” button, their computers are assaulted with malware in retaliation.

Interestingly, the botnet does not seem to infect people merely for clicking on the link in the e-mail, and if the form appears to be filled out with legitimate log-in data, the victim is redirected to the main page of their banking Web site, according to SecureWorks.

Those who fill it out with illegitimate data, however, are hit with a number of exploits targeting vulnerabilities in Microsoft Windows.

“It’s kind of a self-completing cycle,” said Joe Stewart, director of malware research at SecureWorks. “When you hit that phish page, you’re visiting somebody else who got infected before you. So you’re looking at their infected computer … [and] if you do the wrong thing, you get to be part of the botnet too.”

Stewart admitted he did not know if there are other phishing pages with exploits triggered by keywords, but said this is the first he has heard of it.

It is certainly a new activity for Asprox, which made headlines earlier this year for installing a SQL injection attack tool on infected bots to attack Web sites. The attack is just another reason to be wary of links in e-mail.

“Nowadays it’s not really safe to click on anything [in e-mails,” Stewart said. “You don’t really know whose site got compromised.”

Source:
http://www.eweek.com/c/a/Security/Phishers-Bite-Back-With-Malware-Exploits/

Posted in Internet, Privacy, Security | No Comments