Many weak web server certificates threaten online shopping

June 30, 2008 – 6:02 AM

“https connections exist to help ensure that when somebody is engaged in a financial transaction over the internet they are actually connected to the correct site – such as a bank, online vendor, and so forth. However, due to an error in the OpenSSL library used by the Debian Linux distribution, weak cryptographic keys have been generated and put to use during a period of about one and a half years. If certificates using these weak keys are used, not only could criminals decode encrypted traffic, they could conceivably mimic https sites in the name of the online bank or vendor – this would typically be done in order to steal personal details such as credit card information, passwords, and so forth.

Recent studies by heise Security staff of several thousand valid certificates, none of which generated an error in a browser, found that approximately one in 30 of these used weak keys – an alarmingly high number. Among these were online shops where people would be expected to enter their credit card details.

For a certificate to be accepted by a browser without issuing a warning, the certificate needs to be issued by a recognised certification authority (CA). All of those that we contacted said that they would revoke any weak keys and freely replace them, but it seems clear that not many certificate owners have checked and replaced their certificates.

But even revoking a certificate may not be enough. In many browsers, the default settings are such that they fail to check server certificates, and do not check the Certification Revocation Lists (CRL) that identify those certificates that have been revoked by a CA. Ideally, all browsers should check which certificates have been blocked using the Online Certificate Status Protocol (OCSP). However, Firefox only supports it in its latest version 3 and Internet Explorer 7 only on Vista. Even worse, there are some CAs that do not support OCSP. heise Security found that only about 30 per cent of the checked certificates contain OCSP URIs. Users need to make sure the correct settings are made in their browser, otherwise, even though a certificate has been blocked and put on the CRL, it could still be used by an attacker until its natural expiry date.”

Source:
http://www.heise-online.co.uk/news/Many-weak-web-server-certificates-threaten-online-shopping–/111023
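The check behind the heise figures, as an added example (this is not the heise article's code nor a Debian tool): extract the RSA modulus from a certificate with `openssl x509 -noout -modulus`, fingerprint it the way Debian's openssl-vulnkey keys its blacklist files, and look the fingerprint up. The fingerprint scheme (SHA-1 over the literal `Modulus=...` line as OpenSSL prints it, keeping the last 20 hex digits) is stated here from memory and is an assumption to confirm against the openssl-blacklist package; the blacklist entries and moduli embedded below are constructed for the example and are not real weak keys.

```python
"""Check whether a server certificate's RSA key is on a Debian weak-key blacklist.

Added example; not the heise article's or Debian's code. Assumptions (labelled):
  * fingerprint scheme assumed to match Debian's openssl-vulnkey: SHA-1 over the
    literal text "Modulus=<HEX>\n" as `openssl x509 -noout -modulus` prints it,
    keeping the last 20 hex digits; verify against the openssl-blacklist package.
  * the blacklist and moduli embedded below are constructed, not real weak keys.
"""
import hashlib
import re
import subprocess
from typing import Iterable, Set

_MODULUS_LINE = re.compile(r"^Modulus=([0-9A-Fa-f]+)$")


def debian_fingerprint(modulus_hex: str) -> str:
    """Fingerprint of an RSA modulus in the (assumed) openssl-blacklist format."""
    line = "Modulus=" + modulus_hex.strip().upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def parse_modulus_line(text: str) -> str:
    """Extract the hex modulus from `openssl x509 -noout -modulus` output."""
    match = _MODULUS_LINE.match(text.strip())
    if match is None:
        raise ValueError("not an openssl Modulus= line: %r" % text[:40])
    return match.group(1).upper()


def modulus_from_cert(cert_path: str) -> str:
    """Shell out to OpenSSL for a PEM certificate on disk (needs `openssl` on PATH)."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-modulus", "-in", cert_path],
        check=True, capture_output=True, text=True,
    )
    return parse_modulus_line(proc.stdout)


def load_blacklist(lines: Iterable[str]) -> Set[str]:
    """Blacklist files: '#' comments plus one lowercase 20-hex-digit fingerprint per line."""
    entries = set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower()
        if entry:
            entries.add(entry)
    return entries


def is_weak(modulus_hex: str, blacklist: Set[str]) -> bool:
    """True when the modulus fingerprint appears in the blacklist."""
    return debian_fingerprint(modulus_hex) in blacklist


# Constructed sample data (not real keys, not the real Debian blacklist).
WEAK_SAMPLE = "C0FFEE" * 16        # stands in for a modulus from the broken Debian PRNG
STRONG_SAMPLE = "DEADBEEF" * 12    # stands in for a key generated with proper entropy
CONSTRUCTED_BLACKLIST = load_blacklist([
    "# constructed blacklist for this example",
    debian_fingerprint(WEAK_SAMPLE),
    "0123456789abcdef0123",
])


def check_line(modulus_line: str, blacklist: Set[str] = CONSTRUCTED_BLACKLIST) -> str:
    """Verdict for one `Modulus=...` line, e.g. from a certificate pulled off a live server."""
    modulus = parse_modulus_line(modulus_line)
    if is_weak(modulus, blacklist):
        return "WEAK (Debian CVE-2008-0166 blacklist hit)"
    return "not blacklisted"


if __name__ == "__main__":
    print(check_line("Modulus=" + WEAK_SAMPLE))
    print(check_line("Modulus=" + STRONG_SAMPLE))
```

To test a live site rather than a file, pipe `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -modulus` into `check_line`. A blacklist miss only means the key was not produced by the broken Debian generator for the key sizes the list covers; it says nothing about whether the certificate was revoked, which is the CRL/OCSP problem the article goes on to describe.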

How to Safely Use Facebook and LinkedIn at Work

June 29, 2008 – 7:00 PM

The virtual flood gates have been opened and social networking is rushing in from the personal lives of employees and into the workplace — bringing a host of concerns along with it.

Facebook is no longer restricted to the realm of college students, and LinkedIn is specifically designed for the professional world.

While some companies are banning these networks from the workplace outright, others are timidly wading into the fray to use the networks as a communications tool, experts say.

While providing another way to connect with employees, potential recruits, and a wider community, social networks have a downside. Information posted could fall into the wrong hands, and if those with malicious intent collect enough sensitive information about a company, it could mean big trouble.

We talked to experts about how companies and employees can stay safe when using Facebook and LinkedIn.

Read the rest of the story…

The Internet is the New Sweatshop

June 29, 2008 – 2:11 PM

When an executive wants to sound humane during a public address to the staff, he or she will trot out the well-worn phrase, “Our most valuable assets leave the building at the end of the day.” Clichés are generally true, but this one may not be, thanks to the growth of user-generated content on the Internet. Whether they’re creating content for sites like YouTube and Wikipedia, viewer-submitted news services like CNN’s iReport or videogames like Spore and LittleBigPlanet, today’s most valuable employees will most likely never set foot inside the building—or collect a paycheck. They may be teenagers posting videos of themselves dancing like Soulja Boy, programmers messing around with Twitter’s tools to create cool new applications or aspiring game developers who want to create the next big thing. But what they all have in common is a somewhat surprising willingness to work for little more than peer recognition and a long shot at 15 seconds of fame.

Yet is it really a sweatshop if none of the workers is complaining? They’re certainly not complaining about Spore—unless it’s about how long it’s taken videogame creator Will Wright and his team to complete the universe-simulation game, which finally ships in September. Two weeks ago, Wright’s employers at Electronic Arts released Spore’s Creature Creator as a prelaunch promotion; seven days later, more than 1 million creatures had been created by users and uploaded to the “Sporepedia” for others to enjoy. “We wanted to give the players high diversity, as well as a huge universe to explore,” Wright says. “The only way we could possibly achieve this was to, in essence, ‘outsource’ the majority of our content production to the players.” Similarly, Sony’s struggling Playstation 3 console is expected to get a boost later this year with the release of LittleBigPlanet, which lets users create their own games using a powerful but playful set of tools. “YouTube doesn’t help you to make a video—it just provides a means of distribution,” says LittleBigPlanet technical director Alex Evans. “Our particular take on user-generated content focuses on making the act of creation fun.”

Read the rest of the story…

Spybot Search & Destroy 1.6 RC1

June 29, 2008 – 1:46 PM

Spybot – Search & Destroy detects and removes spyware, a relatively new kind of threat not yet covered by common anti-virus applications. Spyware silently tracks your surfing behavior to create a marketing profile for you that is transmitted without your knowledge to the compilers and sold to advertising companies. If you see new toolbars in your Internet Explorer that you haven’t intentionally installed, if your browser crashes inexplicably, or if your home page has been “hijacked” (changed without your knowledge), your computer is most probably infected with spyware. Even if you don’t see the symptoms, your computer may be infected, because more and more spyware is emerging. Spybot-S&D is free, so there’s no harm in giving it a try to see if something has invaded your computer. Spybot-S&D allows you to exclude selected cookies, programs or extensions from being reported, so you can suppress false positives for items you don’t want to be alerted about every time. It can even scan your download directory for files that have been downloaded but not yet installed, allowing you to detect unwanted programs before you install them. Spybot produces a detailed and easy-to-understand report before it deletes any files and allows you to deselect any item that you do not want processed. In addition, a recovery feature allows you to restore your settings if needed.


Read More…

Taming Internet Explorer Browser Plug-Ins

June 29, 2008 – 12:01 PM

Security Fix has often lamented the lack of decent point-and-click software tools to help Microsoft Internet Explorer Web browser users kill insecure “ActiveX controls,” plug-ins for IE that have traditionally been among the biggest avenues of attack from spyware and adware. That’s why I’m pleased to call attention to a free new tool called “AxBan,” which helps neuter insecure ActiveX plug-ins installed by some of the most widely used third-party software applications.

ActiveX is a Microsoft creation woven into both IE and the Windows operating system. It was designed to allow Web sites to develop interactive, multimedia-rich pages. However, such powerful features rarely ever come without security trade-offs.

Poorly designed ActiveX controls can be an extremely potent weapon for cyber crooks, since most ActiveX controls distributed with third-party software are marked “safe for scripting.” This means that any Web page’s script can instantiate the control and call its methods without the user being prompted for permission. In many cases those methods include the ability to download and execute potentially hostile code.

Not only are ActiveX vulnerabilities frequently targeted by hackers, they are among the most common browser-related vulnerabilities. In its latest Internet Security Threat Report, Symantec documented some 239 new vulnerabilities in Web browser plug-ins. Plug-ins for Adobe Acrobat, Flash, Java, Mozilla Firefox, QuickTime and Windows Media Player made up 21 percent of those; the rest were all ActiveX-related.
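What a tool like AxBan has to look at, as an added example (this is not AxBan’s code): a registered control advertises “safe for scripting” through the component category `{7DD95802-9882-11CF-9FA9-00AA006C42C4}` under its CLSID key, and Internet Explorer refuses to load a control whose `Compatibility Flags` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}` has the 0x400 “kill bit” set. The audit below lists controls that are scriptable from any Web page and not yet kill-bitted. The registry snapshot it runs against is constructed with placeholder CLSIDs (not real controls); the `WinregRegistry` backend is the same logic over the live registry on Windows.

```python
"""Audit registered ActiveX controls: 'safe for scripting' but no IE kill bit.

Added example; not AxBan's code. Registry layout per Microsoft documentation:
  HKCR\CLSID\{clsid}\Implemented Categories\{CATID}   - component categories
  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{clsid}
      "Compatibility Flags" REG_DWORD, bit 0x400 = kill bit (IE will not load it)
The snapshot used below is constructed; its CLSIDs are placeholders, not real controls.
"""
from typing import Dict, List, Optional, Protocol

KILL_BIT = 0x400
CATID_SAFE_FOR_SCRIPTING = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INITIALIZING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
COMPAT_SUBKEY = "SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility"


class Registry(Protocol):
    def all_clsids(self) -> List[str]: ...
    def implemented_categories(self, clsid: str) -> List[str]: ...
    def compatibility_flags(self, clsid: str) -> Optional[int]: ...


class SnapshotRegistry:
    """Offline backend over a constructed snapshot, so the audit runs anywhere."""

    def __init__(self, categories: Dict[str, List[str]], compat_flags: Dict[str, int]) -> None:
        self._cats = {k.upper(): [c.upper() for c in v] for k, v in categories.items()}
        self._flags = {k.upper(): v for k, v in compat_flags.items()}

    def all_clsids(self) -> List[str]:
        return sorted(self._cats)

    def implemented_categories(self, clsid: str) -> List[str]:
        return self._cats.get(clsid.upper(), [])

    def compatibility_flags(self, clsid: str) -> Optional[int]:
        return self._flags.get(clsid.upper())


class WinregRegistry:
    """Live backend for Windows, using the standard-library winreg module."""

    def _enum_subkeys(self, root, path: str) -> List[str]:
        import winreg
        names: List[str] = []
        try:
            with winreg.OpenKey(root, path) as key:
                index = 0
                while True:
                    try:
                        names.append(winreg.EnumKey(key, index).upper())
                    except OSError:  # raised when no more subkeys remain
                        break
                    index += 1
        except OSError:  # key absent
            pass
        return names

    def all_clsids(self) -> List[str]:
        import winreg
        return self._enum_subkeys(winreg.HKEY_CLASSES_ROOT, "CLSID")

    def implemented_categories(self, clsid: str) -> List[str]:
        import winreg
        path = "CLSID\\" + clsid + "\\Implemented Categories"
        return self._enum_subkeys(winreg.HKEY_CLASSES_ROOT, path)

    def compatibility_flags(self, clsid: str) -> Optional[int]:
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_SUBKEY + "\\" + clsid) as key:
                value, _kind = winreg.QueryValueEx(key, "Compatibility Flags")
                return int(value)
        except OSError:  # no compatibility entry for this control
            return None


def is_safe_for_scripting(reg: Registry, clsid: str) -> bool:
    return CATID_SAFE_FOR_SCRIPTING in reg.implemented_categories(clsid)


def is_kill_bitted(reg: Registry, clsid: str) -> bool:
    flags = reg.compatibility_flags(clsid)
    return flags is not None and bool(flags & KILL_BIT)


def scriptable_without_kill_bit(reg: Registry) -> List[str]:
    """The audit's findings: controls any Web page may script and no kill bit blocks."""
    return [c for c in reg.all_clsids()
            if is_safe_for_scripting(reg, c) and not is_kill_bitted(reg, c)]


def kill_bit_value(existing_flags: Optional[int]) -> int:
    """Value to write to 'Compatibility Flags' to set the kill bit, keeping other flags."""
    return (existing_flags or 0) | KILL_BIT


# Constructed snapshot: placeholder CLSIDs, not real controls.
CONSTRUCTED = SnapshotRegistry(
    categories={
        "{11111111-1111-1111-1111-111111111111}": [CATID_SAFE_FOR_SCRIPTING, CATID_SAFE_FOR_INITIALIZING],
        "{22222222-2222-2222-2222-222222222222}": [CATID_SAFE_FOR_SCRIPTING],
        "{33333333-3333-3333-3333-333333333333}": [],
        "{44444444-4444-4444-4444-444444444444}": [CATID_SAFE_FOR_SCRIPTING],
    },
    compat_flags={
        "{22222222-2222-2222-2222-222222222222}": KILL_BIT,  # already neutered
        "{44444444-4444-4444-4444-444444444444}": 0x1,       # other flag set, no kill bit
    },
)

if __name__ == "__main__":
    for clsid in scriptable_without_kill_bit(CONSTRUCTED):
        print("scriptable, no kill bit:", clsid, "-> write flags", hex(kill_bit_value(None)))
```

Two caveats for a real audit: a control can also report itself safe at run time through IObjectSafety, so the absence of the category does not prove a control refuses scripting, and on 64-bit Windows the 32-bit browser reads the Wow6432Node view of these keys, so both views need checking before a control is declared neutered.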

Taming Internet Explorer Browser Plug-Ins – Security Fix