By ARUN MARBALLI
Last month, we touched upon the need for corporate accountability when
it comes to protecting consumers' data. Corporate responsibility,
however, is not limited to protecting data. It also includes a
corporation's liability, particularly one that sells software, to
provide safe-to-use products (software) and to do so without pointing
fingers at another company's product (software). Case in point:
recently, it was discovered that when a computer had Microsoft's
Internet Explorer and Mozilla's Firefox Internet browsers installed at
the same time, that computer was exposed to a vulnerability caused by
the way Internet Explorer validated an input data stream. The
problem was that both Microsoft and Mozilla kept pointing fingers at
each other and neither was willing to own up to the problem and provide
a fix. Eventually, Mozilla blinked and agreed, without admitting
any culpability, to provide fixes for the Firefox browser, ostensibly
for the benefit of Firefox users.
Browsers such as Internet Explorer, Safari, Opera and Firefox
enable us to view the many Web sites. However, the power of the
Internet is unleashed by the powerful search engines that "crawl" the
Web sites and create search indexes and keywords that enable
Web-surfers to find what they are looking for. However, not all
search results are safe. A recent survey carried out by McAfee, a
seller of security software, concluded that about 4 percent of search
results send users to risky Web sites. The survey further states that
AOL's search results are the safest while Yahoo's are the riskiest.
Among the products included in the McAfee security software offering is
one called Site Advisor. I have found this product to be effective in
forewarning of the safety of a website right on the search engine results
page.
One of the risks that we get exposed to on the Web is what we have
identified as phishing Web sites. These are Web sites that essentially
impersonate online banking or credit card Web sites and lure unwary
visitors with the intention of eliciting sensitive information such as
usernames and passwords from the victims. In the past, setting up a
phishing Web site has involved extensive setup work to make the
spurious Web site look like the original one and include as many
details and files as possible to simulate the real experience.
Unfortunately, the crooks are reported to have created a "plug and
play" phishing kit. Much like a software install package, this kit
comprises a single file that makes it possible for even the technically
illiterate to create phishing Web sites on a compromised server
computer practically within the blink of an eye (two seconds to be more
exact). With this ease of setting up phishing Web sites, one would
expect an increase in phishing attempts in the days to come.
Speaking of passwords and usernames, financial institutions are
attempting to neutralize the phishing attempts by implementing two-way
authentication, wherein the institution and the customer mutually
authenticate each other before initiating any transactions. To further
solidify the authentication process, a new technology has surfaced.
Called BioPassword, it involves creating a pattern signature based on
the rhythm of a user typing in the username and password. The
underlying idea behind this technology is that each user has a unique
rhythm with which they type in the username and password. At logon
time, if the rhythm pattern does not lie within the initially
established rhythm range, the user is not permitted access even if the
username and password are correct. To offset potential issues related
to this technology's ability to accommodate changes in a person's
typing rhythm over time or due to the effect of medication or injury,
the proponents are considering incorporating adjustment to the rhythm
over time based on gradual changes in the user's keystroke rhythm. If
all else fails, there is always that set of familiar security questions
that can reset the customer's access.
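The keystroke-rhythm idea described above, as an added illustration that is not BioPassword's own algorithm or code: a profile of the gaps between key presses is built from several enrollment typings, a logon attempt is accepted only when its gaps lie within the established range, and an accepted attempt nudges the profile so gradual drift is tracked. All timings and the threshold are constructed values.

```python
# Illustrative keystroke-rhythm check (constructed model, not BioPassword's algorithm).
from statistics import mean, pstdev

SD_FLOOR_MS = 10.0  # keep the profile from becoming brittle on near-identical samples

def intervals(timestamps):
    """Milliseconds between consecutive key presses of one login attempt."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(samples):
    """Build a profile (per-gap mean and std dev) from several enrollment typings."""
    gaps = [intervals(s) for s in samples]
    if any(len(g) != len(gaps[0]) for g in gaps):
        raise ValueError("enrollment samples must contain the same key count")
    cols = list(zip(*gaps))
    return {"mean": [mean(c) for c in cols],
            "sd": [max(pstdev(c), SD_FLOOR_MS) for c in cols]}

def rhythm_score(profile, timestamps):
    """Average z-distance of an attempt from the profile; lower means closer."""
    gaps = intervals(timestamps)
    if len(gaps) != len(profile["mean"]):
        return float("inf")  # a different key count can never match the rhythm
    return mean(abs(g - m) / s for g, m, s in zip(gaps, profile["mean"], profile["sd"]))

def verify(profile, timestamps, threshold=2.0):
    """Accept only when the rhythm lies within the established range."""
    return rhythm_score(profile, timestamps) <= threshold

def adapt(profile, timestamps, rate=0.1):
    """After an accepted login, move the profile slightly toward the new timings."""
    gaps = intervals(timestamps)
    return {"mean": [(1 - rate) * m + rate * g for m, g in zip(profile["mean"], gaps)],
            "sd": list(profile["sd"])}

# Constructed sample data: key-press times (ms) for a six-character password.
ENROLLMENT = [[0, 120, 200, 380, 460, 600],
              [0, 130, 210, 370, 470, 590],
              [0, 110, 190, 390, 450, 610]]
GENUINE = [0, 125, 205, 375, 465, 600]   # same user, same rhythm, small jitter
IMPOSTOR = [0, 150, 300, 450, 600, 750]  # correct password typed at an even pace

def demo():
    """Returns (genuine accepted?, impostor accepted?, profile after adaptation)."""
    profile = enroll(ENROLLMENT)
    genuine_ok = verify(profile, GENUINE)
    impostor_ok = verify(profile, IMPOSTOR)
    updated = adapt(profile, GENUINE) if genuine_ok else profile
    return genuine_ok, impostor_ok, updated

if __name__ == "__main__":
    print(demo())
```

A real deployment would also have to handle the medication or injury case the column mentions, where a sudden rhythm change still belongs to the rightful user; that is what the fallback security questions are for.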
The topic of new technology invariably leads to a discussion of the
much-hyped iPhone. It appears that this new device is attracting
attention from more than the "I've got to have the latest gadget out
there" crowd. As expected, the hype is drawing in the cyber-criminals
as well. Using a botnet comprising more than 7,500 zombie computers,
these folks are redirecting potential customers looking for an iPhone
to phishing Web sites set up for the purpose. Once a customer has
landed on such a site and carries out a "purchase," the customer has
possibly given away the farm. Infected computers also display banner
ads and pop-up windows with alluring deals on iPhones to bait
customers. As always, the way to steer clear of this problem is to not
click on those links!
The innocuous mouse click is perhaps the one fraught with the most
possibilities to lead a computer user astray. Who hasn't encountered
the informative (or uninformative) Windows message box that expects a
user to click on the OK button? And what does one do when such a
message box is presented? Click on the OK button, right? Sometimes,
users will click on the OK button even without reading what the message
indicates. It is perhaps the easiest way for a cyber criminal to get a
user to click in an expected way. The word to the wary is to be careful
when clicking the mouse.
Now life in the cyber world is not all about gloom and doom. There are
a few nuggets of gold, and one such nugget came to my attention
recently. We have seen keylogging software being used for spying on
unsuspecting users for financial gain. However, a wary mother in the U.K.
used this software to warn police of a U.S.-based predator who was
grooming her 15-year-old son for child abuse. The 26-year-old upstate
New Yorker was arrested as he boarded a plane en route to meet the
teenager in England. It is not clear how this watchful U.K. mum
obtained the keylogging software.
Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].
Anything that appears in Khaas Baat cannot be reproduced, whether wholly or in part, without permission. Opinions expressed by Khaas Baat contributors are their own and do not reflect the publisher's opinion.
The Editor: [email protected] Advertising: [email protected] Webmaster: [email protected] Send mail to [email protected] with questions or comments about this web site. Copyright © 2004 Khaas Baat.
Khaas Baat reserves the right to edit and/or reject any advertising. Khaas Baat is not responsible for errors in advertising or for the validity of any claims made by its advertisers. Khaas Baat is published by Khaas Baat Communications.