15 Great, Free Privacy Downloads

August 7, 2008 – 5:55 AM

One of the worst privacy invaders the world has ever seen is the Internet. When you surf, Web sites can find out where you’ve been and can gather other information about you. Trojan horses and spyware can snoop on you. Key loggers can capture your keystrokes as you type. Eavesdroppers can steal your passwords.

It doesn’t have to be that way. The 15 downloads presented here can protect you. You’ll find firewalls, password protectors, rootkit killers, trace cleaners, anonymity securers, and more. So check them out, and help yourself to a safer online experience. (Note that the 15 downloads we look at here don’t include any antivirus and antispyware programs. We figured that we’ve covered those packages well enough elsewhere. So instead, we focus on tools you might not have heard about.)

Source:
http://www.pcworld.com/article/149399/2008/08/.html?tk=rss_reviews

DNS Flaw Underscores Danger of Taking Web Security for Granted

August 7, 2008 – 5:52 AM

Perhaps more than any other flaw in the last several years, the DNS protocol vulnerability discovered by security researcher Dan Kaminsky has shown that the circle of trust on the Internet can be broken more easily than we feared.

After listening to Kaminsky’s talk Aug. 6 at the Black Hat conference here, it is clear the flaw extends far beyond DNS cache poisoning. As he explained later, it is a game of dominoes—one domino could be re-directing Web traffic to malicious sites, the next could be interception of sensitive corporate email. The possibilities are numerous and problematic.

“I spent the last month terrified of large companies having all their email stolen because of a bug that I found,” Kaminsky, director of penetration testing at IOActive, told a group of journalists after his session.

Vendors worked together to coordinate a release of a patch last month. If the figures offered by Kaminsky are any indication, the number of companies now protected is significant.

But fundamentally, the flaw means the level of security we have traditionally taken for granted on the Internet may not always be there. It is possible for an attacker to be the man-in-the-middle. In total, there are 15 ways of running the attack that Kaminsky and others admitted knowing about, but the researcher added there were likely others as well.

Source:
http://www.eweek.com/c/a/Security/DNS-Flaw-Underscores-Dangers-of-Assumptions-in-Internet-Security/?kc=rss

More Ways to Protect Yourself From Phishing

August 6, 2008 – 3:01 PM

In my recent Editors’ Notes post on Consumer Reports’ recommendation that Mac users dump Safari because the Apple browser lacks the anti-phishing tools of Firefox and Opera, I focused on behavioral changes one can make that minimize the risks of phishing attempts. I didn’t, however, discuss a relatively simple configuration change you can make to your Mac that will give you a real anti-phishing tool–in Safari or any other browser you might want to use.

Consumer Reports touted Firefox or Opera over Safari because of the built-in anti-phishing tools in those first two browsers; Safari has no such built-in capability. There is, however, a free service you can use that will give every browser on your Mac a full set of anti-phishing tools (and additional tools, if you choose to use them). This service is called OpenDNS, and it’s a free replacement for your Internet service provider’s (ISP) domain name servers.

So just what are domain name servers? A domain name server looks up addresses in the Domain Name System (DNS). In other words, a domain name server is the phone book for the Internet–it translates domain names (www.macworld.com, for example) into Internet protocol (IP) addresses (70.42.185.230, in the case of macworld.com). When you load a Web site, it’s this IP address that’s used to find the server, not the server’s name you typed into the URL bar. Without the DNS, you’d have to know the IP address of any Web site you wanted to use–not a very practical method for browsing the Web.

By default, you are more than likely using the DNS servers provided by your ISP. These are typically included in the setup instructions you used when setting up your Internet connection. But just as there are many companies providing telephone books, there are many different DNS servers you can use–you aren’t required to use the DNS servers provided by your ISP. OpenDNS is one such alternative “phone book,” and it’s one that comes with many features (most are optional) that you probably won’t find in your ISP’s DNS servers. One of those features is phishing protection, based on OpenDNS’ PhishTank project. Once you’ve set your Mac to use OpenDNS’ DNS servers, you get this protection automatically, in any application that uses DNS servers to resolve names.

Source:
http://www.pcworld.com/article/149509/2008/08/.html?tk=rss_news

Malicious Botnet Stole Bank, Credit Union Credentials

August 6, 2008 – 2:02 PM

The researcher who first discovered a motherlode of stolen enterprise user names and passwords in June has found that nearly 9,000 of them are bank and credit-card account credentials from around the world that were grabbed by an old but crafty botnet. And it turns out the initial 50 gigabytes’ worth of data that included 463,582 passwords on the crime server is only about one-fourth of the total number of accounts stolen by the so-called Coreflood botnet. (See Researchers Raise Alarm Over New Iteration of Coreflood Botnet and SecureWorks Finds Massive Cache of Stolen Data.)

Coreflood is an unusual botnet in that it’s closely held by its operators, who use the data themselves rather than sell it like other botnets do, and also use their own Trojan malware for the botnet. Joe Stewart, director of malware research for SecureWorks, today revealed in a new report some key details of the type and amount of data stored on the crimeware server, which has since relocated to Russia after being shut down in Wisconsin, he says.

Stewart said he has been able to discern how the command and control server was configured, as well as glean clues of the identities of the bad guys behind Coreflood: he says he believes they are directly connected to the Joe Lopez case of 2004, where a Miami businessman sued his bank after his account was compromised by the Coreflood Trojan.

“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” Stewart says.

Stewart says 50 gigabytes of stolen user data were left behind on the crime server he first discovered, but about four times that amount of additional stolen data had been harvested and deleted, according to some new investigation he did via scripts the bad guys left on the server. He says Coreflood stole a gigabyte or more of data each day from all the users combined and also lifted PKI certificates and cookie files.

Source:
http://www.darkreading.com/document.asp?doc_id=160991

Massive faux-CNN spam blitz uses legit sites to deliver fake Flash

August 6, 2008 – 1:02 PM

More than a thousand hacked Web sites are serving up fake Flash Player software to users duped into clicking on links in mail that’s part of a massive spam attack masquerading as CNN.com news notifications, security researchers said today.

The bogus messages, which claim to be from the CNN.com news Web site, include links to what are supposedly the day’s Top 10 news stories and Top 10 news video clips from the cable network. Clicking on any of those links, however, brings up a dialog that says an incorrect version of Flash Player has been detected, and tells users they need to update to a newer edition, said Sam Masiello, vice president of information security at Colorado-based security company MX Logic Inc.

One distinguishing feature of the attack, Masiello added, is the endless loop it uses to frustrate victims. If a user clicks “Cancel” in the dialog that prompts for an update, another pop-up appears, said Masiello, that tells the victim that they have to download it to view the video. Clicking “Cancel” there returns the user to the first dialog.

“It puts you in this perpetual loop, so your only options are to kill your browser [session] or be brow-beaten into installing it,” said Masiello.

Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111858&source=rss_topic17