Arun Marballi

Last month, we touched upon the need for corporate accountability when it comes to protecting consumers� data. Corporate responsibility, however, is not limited to protecting data. It also includes a corporation�s liability, particularly one that sells software, to provide safe-to-use products (software) and to do so without pointing fingers at another company�s product (software).

Case in point, recently, it was discovered that when a computer had Microsoft�s Internet Explorer and Mozilla�s Firefox Internet browsers installed at the same time, that computer was exposed to a vulnerability caused by the way the Internet Explorer validated an input data stream. The problem was that both Microsoft and Mozilla kept pointing fingers at each other and neither was willing to own up to the problem and provide a fix. Eventually, Mozilla blinked and agreed, but without admitting any culpability, to provide fixes for the Firefox browser, ostensibly for the benefit of Firefox users.

Browsers such as the Internet Explorer, Safari, Opera and Firefox enable us to view the many Web sites. However, the power on the Internet is unleashed by the powerful search engines that �crawl� the Web sites and create search indexes and keywords that enable Web-surfers in finding what they are looking for.

However, not all search results are safe. A recent survey carried out by McAfee, a seller of Security Software, concluded that about 4 percent of search results send users to risky Web sites. The survey further states that AOL�s search results are the safest while Yahoo�s are the riskiest. Among the products included in the McAfee Security Software offering is one called Site Advisor. I have found this product to be effective in forewarning the safety of a website right on the search engine results page.

One of the risks that we get exposed to on the Web is what we have identified as phishing Web sites. These are Web sites that essentially impersonate online banking or credit card Web sites and lure unwary visitors with the intention of eliciting sensitive information such as usernames and passwords from the victims. In the past, setting up a phishing Web site has involved extensive set up work to make the spurious Web site look like the original one and include as many details and files as possible to simulate the real experience.

Unfortunately, the crooks are reported to have created a �plug and play� phishing kit. Much like a software install package, this kit comprises a single file that makes it possible for even the technically illiterate to create phishing Web sites on a compromised server computer practically within the blink of an eye (two seconds to be more exact). With this ease of setting up phishing Web sites, one would expect an increase in phishing attempts in the days to come.

Speaking of passwords and usernames, financial institutions are attempting to neutralize the phishing attempts by implementing two-way authentication, wherein the institution and the customer mutually authenticate each other before initiating any transactions. To further solidify the authentication process, a new technology has surfaced. Called BioPassword, it involves creating a pattern signature based on the rhythm of a user typing in the username and password. The underlying idea behind this technology is that each user has a unique rhythm with which they type in the username and password.

At logon time, if the rhythm pattern does not lie within the initially established rhythm range, the user is not permitted access even if the username and password are correct. To offset potential issues related to this technology�s ability to accommodate changes in a person�s typing rhythm over time or due to the effect of medication or injury, the proponents are considering incorporating adjustment to the rhythm over time based on gradual changes in the users keystroke rhythm. If all else fails, there is always that set of familiar security questions that can reset the customer�s access.

The topic of new technology invariably leads to a discussion of the much-hyped iPhone. It appears that this new device is attracting attention from more than the �I�ve got to have the latest gadget out there� crowd. As expected, the hype is drawing in the cyber-criminals as well. Using a botnet comprising more than 7,500 zombie computers, these folks are re-directing potential customers looking for an iPhone to phishing Web sites set up for the purpose. Once a customer has landed on such a site and carries out a �purchase,� the customer has possibly given away the farm. Infected computers also display banner ads and pop-up windows with alluring deals on iPhones to bait customers. As always, the way to steer clear of this problem is to not click on those links!

The innocuous mouse click is perhaps one fraught with maximum possibilities to lead a computer user astray. Who hasn�t encountered the informative (or uninformative) windows message box that expects a User to click on the OK button? And what does one do when such a message box is presented? Click on the OK button, right? Sometimes, users will click on the OK button even without reading what the message indicates. It is perhaps the easiest way for a cyber criminal to get a user to click in an expected way. The word to the wary is to be careful when clicking the mouse.

Now life in the cyber world is not all about gloom and doom. There are a few nuggets of gold and one such nugget came to my attention recently. We have seen keylogging software being used for spying on unsuspecting users for financial gain. However, a wary mother in U.K. used this software to warn police of a U.S.-based predator who was grooming her 15-year-old son for child abuse. The 26-year-old upstate New Yorker was arrested as he boarded a plane en route to meet the teenager in England. It is not clear how this watchful U.K. mum obtained the keylogging software.

Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].

Home