Sunday, January 31, 2010

New Google Chrome security features

Posted on 29 January 2010.

The latest release of Google Chrome has integrated five new security features that "make it easier for developers to build secure web sites," writes Adam Barth, one of the software engineers working on the project:

1. ClickJacking Protection with X-Frame-Options
X-Frame-Options lets web sites defend themselves against clickjacking attacks. To do this, the web developer includes the X-Frame-Options: deny HTTP header, which makes sure that the webpage doesn't get loaded inside a frame, making it impossible for attackers to conceal malicious links behind legitimate ones.
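To show how the header is interpreted on the browser side, here is an added example (not Chrome's code and not from Barth's post) that models the framing decision for the two values that existed at the time, DENY and SAMEORIGIN, and runs it as an audit over a few constructed responses. The origins `bank.example` and `evil.example` are placeholders; a misspelled value is included because browsers ignore unrecognised values, which leaves the page frameable.

```javascript
// Added example: how a browser decides whether a fetched document may be
// rendered inside a frame, given its X-Frame-Options header and the origin
// of the framing page. Only DENY and SAMEORIGIN are modelled.

// Parse the header value. Returns 'deny', 'sameorigin', or null when the
// header is absent or unrecognised. An unparseable value gives no protection,
// which is why the audit below flags the misspelled one as frameable.
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim().toLowerCase();
  if (v === 'deny' || v === 'sameorigin') return v;
  return null;
}

// Decide whether documentOrigin may be framed by framerOrigin.
// Origins are 'scheme://host[:port]' strings as the browser sees them.
function framingAllowed(xfoHeader, documentOrigin, framerOrigin) {
  const policy = parseXFrameOptions(xfoHeader);
  if (policy === 'deny') return false;
  if (policy === 'sameorigin') return documentOrigin === framerOrigin;
  return true; // no valid header: legacy behaviour, framing allowed
}

// Server side: the header a defended page should send. DENY is the safe
// default; SAMEORIGIN only if the site frames its own pages.
function clickjackingHeaders(allowSameOrigin = false) {
  return { 'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY' };
}

// Constructed sample responses for an audit run (placeholder names).
const samples = [
  { name: 'bank login (defended)', xfo: 'DENY' },
  { name: 'intranet dashboard', xfo: 'SAMEORIGIN' },
  { name: 'misspelled header', xfo: 'SAMEORIGN' },
  { name: 'legacy page', xfo: undefined },
];

// Report which responses a page on framerOrigin could embed.
function auditFraming(responses, documentOrigin, framerOrigin) {
  return responses.map(r => ({
    name: r.name,
    frameable: framingAllowed(r.xfo, documentOrigin, framerOrigin),
  }));
}

for (const row of auditFraming(samples, 'https://bank.example', 'https://evil.example')) {
  console.log(`${row.frameable ? 'FRAMEABLE ' : 'protected '} ${row.name}`);
}
```

The audit reports the misspelled header and the header-less legacy page as frameable by a third-party origin, which is the gap a site-wide header check is meant to catch.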

2. Reflective XSS Protection
This feature protects against a type of cross-site scripting attack. "The XSS filter checks whether a script that's about to run on a web page is also present in the request that fetched that web page. If the script is present in the request, that's a strong indication that the web server might have been tricked into reflecting the script," describes Barth, and says that unlike in IE8 and NoScript, this filter is "integrated into WebKit, which Google Chrome uses to render webpages".

3. CSRF Protection via Origin Header
This feature was inserted to prevent cross-site request forgery attacks, making it impossible to trick the server into carrying out an action "requested" by a malicious site.
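The server-side half of this mechanism, as an added example (not Chrome's code and not from the article): a check that refuses state-changing requests whose Origin header does not name one of the application's own origins. Requests are plain `{method, headers}` records constructed for the demonstration, and `bank.example` / `attacker.example` are placeholder origins.

```javascript
// Added example: a CSRF check built on the Origin request header that Chrome
// sends on cross-site POSTs. The server compares Origin with the origins it
// serves itself and refuses state-changing requests from anywhere else.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Header lookup that is case-insensitive on the name, as HTTP requires.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Decide whether a request may perform a state change.
// ownOrigins: Set of lowercase origins that legitimately host this application.
// Returns {allowed, reason} so the decision can be logged.
function checkOrigin(req, ownOrigins) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: 'safe method, no state change' };
  }
  const origin = headerValue(req.headers, 'origin');
  if (origin === undefined) {
    // Without an Origin header the request cannot be attributed to a page;
    // fail closed unless the deployment has another token-based check.
    return { allowed: false, reason: 'no Origin header on state-changing request' };
  }
  if (origin === 'null') {
    // Literal "null" is sent for opaque/privacy-sensitive contexts; treat as anonymous.
    return { allowed: false, reason: 'Origin is "null"' };
  }
  if (!ownOrigins.has(origin.toLowerCase())) {
    return { allowed: false, reason: `cross-site request from ${origin}` };
  }
  return { allowed: true, reason: 'same-site origin' };
}

// Constructed traffic with placeholder origins.
const own = new Set(['https://bank.example']);
const requests = [
  { method: 'POST', headers: { Origin: 'https://bank.example' } },
  { method: 'POST', headers: { Origin: 'https://attacker.example' } },
  { method: 'POST', headers: {} },
  { method: 'GET', headers: {} },
];

for (const r of requests) {
  const v = checkOrigin(r, own);
  console.log(`${r.method} ${v.allowed ? 'ALLOW' : 'DENY '} - ${v.reason}`);
}
```

The check deliberately leaves GET alone: a GET that changes state is its own bug, and the Origin header is only reliably present on the POSTs Barth's mechanism covers.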

4. Strict-Transport-Security
Enables the browser to force a secure connection: once a site has sent the header, the browser will always use HTTPS to connect to it and will treat all HTTPS errors as hard stops (instead of prompting the user to "click through" certificate errors). "This feature strengthens the browser's defenses against attackers who control the network," says Barth. "A number of high-security web sites have already started to use the feature, including PayPal. As with all of our security improvements, we hope that every browser will adopt Strict-Transport-Security, making the web, as a whole, more secure."
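To make the two behaviours concrete (the HTTPS rewrite and the non-overridable certificate error), here is an added example, not Chrome's or PayPal's code, that models the browser's Strict-Transport-Security store: a parser for the header's `max-age` and `includeSubDomains` directives and a small cache that upgrades `http://` URLs for known hosts until the entry expires. The host `bank.example` and the timestamps are constructed.

```javascript
// Added example: a model of the client-side Strict-Transport-Security store.
// A site sends the header over HTTPS; the browser records the host and, until
// max-age expires, rewrites http:// navigations to https:// and refuses to let
// certificate errors be clicked through.

// Parse 'max-age=SECONDS[; includeSubDomains]'. Returns null on an
// unparseable value so a broken header never pins a host by accident.
function parseHsts(value) {
  if (typeof value !== 'string') return null;
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(';')) {
    const d = rawDirective.trim();
    if (d === '') continue;
    const [name, val] = d.split('=').map(s => s.trim());
    if (name.toLowerCase() === 'max-age') {
      const digits = val === undefined ? '' : val;
      if (!/^\d+$/.test(digits)) return null;
      maxAge = Number(digits);
    } else if (name.toLowerCase() === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsCache {
  constructor() { this.entries = new Map(); } // host -> {expires, includeSubDomains}

  // Record the header from a response. It is honoured only over HTTPS: on a
  // plain-HTTP response an attacker on the network could have inserted it.
  observe(host, scheme, headerValue, nowMs) {
    if (scheme !== 'https') return;
    const parsed = parseHsts(headerValue);
    if (parsed === null) return;
    if (parsed.maxAge === 0) { this.entries.delete(host); return; } // site opts out
    this.entries.set(host, {
      expires: nowMs + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
  }

  // Is host (or a pinned parent domain with includeSubDomains) still known?
  isKnown(host, nowMs) {
    for (const [pinned, e] of this.entries) {
      if (e.expires <= nowMs) continue; // expired entries are ignored
      if (host === pinned) return true;
      if (e.includeSubDomains && host.endsWith('.' + pinned)) return true;
    }
    return false;
  }

  // Rewrite the URL the browser is about to request.
  upgrade(url, nowMs) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, nowMs)) {
      u.protocol = 'https:';
      if (u.port === '80') u.port = '443';
    }
    return u.toString();
  }

  // Whether the user may click through a certificate error for this host.
  certErrorOverridable(host, nowMs) {
    return !this.isKnown(host, nowMs);
  }
}

// Constructed walk-through: first response over plain HTTP is ignored, the
// second over HTTPS pins the host for a year.
const cache = new HstsCache();
const t0 = 1000000;
cache.observe('bank.example', 'http', 'max-age=31536000', t0);
cache.observe('bank.example', 'https', 'max-age=31536000; includeSubDomains', t0);
console.log(cache.upgrade('http://bank.example/login', t0 + 1000));
console.log('cert error overridable:', cache.certErrorOverridable('bank.example', t0 + 1000));
```

Two details matter for defenders: the header is trusted only when it arrives over HTTPS, so the first visit to a site is still unprotected until the browser has seen it once, and `max-age=0` lets a site withdraw the pin rather than leaving users locked out if it has to fall back to HTTP.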

5. Cross-Origin Communication with postMessage
postMessage provides a richer interaction and more secure communication between frames, and enables the creation of more secure versions of existing gadgets.
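What "more secure" means in practice is that both sides name origins explicitly. The added example below (not Chrome's code and not from Barth's post) shows the two halves of such an exchange between a host page and a gadget in a frame: the sender passes the gadget's exact origin as `targetOrigin` instead of `*`, and the receiver checks `event.origin` before acting on `event.data`. Since this runs under Node rather than in a browser, `FakeWindow` is a constructed stand-in that mirrors the browser's delivery rule, and the three origins are placeholders.

```javascript
// Added example: a safe postMessage exchange between a host page and a
// framed gadget, with a constructed window model so it runs outside a browser.

class FakeWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  // Browser rule: deliver only if targetOrigin is '*' or equals this window's origin.
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    for (const fn of this.listeners) fn({ data, origin: source.origin, source });
    return true;
  }
}

// Receiver side (the gadget): act only on commands from the host it trusts,
// and validate the payload's shape as well as its origin (never eval it).
function installGadget(gadgetWindow, trustedHostOrigin, state) {
  gadgetWindow.addEventListener('message', event => {
    if (event.origin !== trustedHostOrigin) {
      state.rejected.push(event.origin);
      return;
    }
    if (typeof event.data !== 'object' || event.data === null) return;
    if (event.data.type === 'setTheme' && ['light', 'dark'].includes(event.data.theme)) {
      state.theme = event.data.theme;
    }
  });
}

// Sender side (the host page): address the gadget's origin explicitly.
function sendToGadget(hostWindow, frameWindow, gadgetOrigin, msg) {
  return frameWindow.postMessage(msg, gadgetOrigin, hostWindow);
}

function demo() {
  const host = new FakeWindow('https://host.example');
  const gadget = new FakeWindow('https://gadget.example');
  const attacker = new FakeWindow('https://attacker.example');
  const state = { theme: 'light', rejected: [] };
  installGadget(gadget, 'https://host.example', state);

  // 1. Legitimate host -> gadget: delivered and acted on.
  sendToGadget(host, gadget, 'https://gadget.example', { type: 'setTheme', theme: 'dark' });

  // 2. Another page holding a reference to the gadget frame posts a command;
  //    the browser delivers it, but the origin check rejects it.
  gadget.postMessage({ type: 'setTheme', theme: 'light' }, '*', attacker);

  // 3. The frame has since been navigated to a different site. With the exact
  //    targetOrigin the message is not delivered; with '*' it would be.
  const msg = { type: 'setTheme', theme: 'dark' };
  const deliveredWithExactOrigin = sendToGadget(host, attacker, 'https://gadget.example', msg);
  const deliveredWithWildcard = sendToGadget(host, attacker, '*', msg);

  return { theme: state.theme, rejected: state.rejected, deliveredWithExactOrigin, deliveredWithWildcard };
}

console.log(demo());
```

Case 3 is the one that makes the exact `targetOrigin` worth the extra typing: the host page cannot tell from its side what document the frame currently holds, so the browser's origin check is what keeps a message meant for the gadget from reaching whatever replaced it.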

Reference url : http://www.net-security.org/secworld.php?id=8800

Credit to : http://www.net-security.org

Top 5 online privacy tips

Posted on 29 January 2010.

Increasingly sophisticated spam and an ever-changing array of new email-borne malware continue to have a huge impact on the growing levels of loss of sensitive and personal data.

Consumers are already aware of basic techniques to protect themselves from abusive email messages, such as don't give out your email address randomly, think twice before opening messages if you don't know the source and automatically send suspect mail to a spam or bulk folder. Given this increasing variety of spam, how can consumers best protect themselves in an increasingly complex environment?

Message Systems offers a few valuable tips to help thwart spam and protect your online privacy:

Be judicious with whom you share your personal data. Incidents of data loss continue to rise despite increased security measures. Check to see if a company adheres to the OTA’s data privacy and protection principles. The OTA, along with a coalition of industry and business organizations, recently developed the Data Breach and Incident Readiness Planning Guide, a framework to assist businesses and government agencies in establishing data governance and incident plans to increase consumer protection.

Keep kids safe with another layer of protection. Protecting children from offensive messages and images is always a top priority. Consider reconfiguring your email software to prevent automatic rendering of images and links when messages are opened. Parents should also consider installing PC-based software to add an extra layer of protection for their children and monitor their activity for unsafe online practices.

Install software updates. Software vendors regularly provide updates to correct discovered security issues with their applications, such as gaps that might allow cyber criminals to access your data. Keep your operating system, applications, Internet browser and spam/virus filters up to date. Set your system preferences to automatically check for updates at a certain day and time each week, and to remind you to install them. Don't forget to select a day and time that you are likely to be online; otherwise you will not receive the updates or reminders.

Secure your home network. Use a wireless network at home? Make certain that you password protect your network. Otherwise, others may access and use your network for free. If your home computers are networked together to share information, anyone accessing your network can access information on the shared computers or use your computers to send spam.

Friends don't send friends chain email. Don't send chain email. For instance, when you receive an email with a funny joke, don't forward it to everyone that you know. Chain email is a top conduit to spread viruses. If you care about your friends, don't infect their PCs. And if you are the recipient of such a message, don't open it. Delete it without reading it.

Reference Url : http://www.net-security.org/secworld.php?id=8798

Credit to : www.net-security.org

Thursday, January 28, 2010

Dangerous friend requests on Facebook

While analyzing the Koobface trojan, I just made an interesting find. As mentioned in my post “Koobface – the social network trojan” from last year, Koobface uses social networks to spread itself. So let me ask you: what does a trojan need to spread itself on social networking sites? The answer is simple: a valid account. The cybercriminal has two possibilities to obtain valid accounts:

  • Using some phishing tricks to steal credentials
  • Creating fake accounts

There are two reasons why most cybercriminals try to phish the credentials from users of social networking sites instead of creating fake accounts on their own:

  • Most of the time the register forms of the social networking sites are protected with a captcha
  • At the moment, there is no reliable method to break captchas

As described in my post about Koobface last year, the Koobface trojan is able to “break” captchas (to be correct, the trojan isn’t able to break captchas itself; rather, it serves the captchas to the infected bots, where they are solved by the users). By using this technique, he is able to create hundreds of fake accounts on social networks (per minute!).


read more at : http://www.abuse.ch/?p=2268

Data Privacy Day is January 28, 2010!

Around the globe, people use powerful technologies and devices every day to improve their lives. Businesses develop software, build hardware and provide services designed to enhance individual productivity, communications and safety. We have come to depend on mobile communications, instant access to information, and intelligent services. We are empowered by these technologies in ways that those who have lived before us could never have imagined.

Despite all of the benefits of these technologies, doubts and worries persist about just how much personal information is collected, stored, used, and shared to provide these convenient and pervasive tools and services.

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.

These are not questions for consumers and citizens alone – business operators must engage in this dialogue as well. They have to question whether they are complying with laws and regulations requiring consumer privacy protections. They know that customers have to trust their technologies and services before they will use and pay for them.

Join in the dialogue among all of the stakeholders – businesses, individuals, government agencies, non-profit groups, academics, teachers and students – to look more thoroughly at how advanced technologies affect our daily lives. We encourage this dialogue and are providing this website as a service to those who care about our common future and our roles as digital citizens and consumers. And let us know what you think – and how you might be able to contribute to the discussion.



more at : http://dataprivacyday2010.org/

Wednesday, January 27, 2010

Digital fingerprints to identify hackers

Posted on 27 January 2010.

How can you retaliate against a cyber attacker if you don't know who he is? As we have witnessed lately, attribution of an attack is quickly becoming one of the biggest problems that the US defense and cyber security community is facing at the moment.

According to Wired, DARPA, the agency of the US DoD responsible for the development of new technology for use by the military - and of the Internet - has accepted the challenge and will be starting Cyber Genome, a project aimed at developing a “cyber equivalent of fingerprints or DNA”, so that the hacker can be conclusively identified. The project will be set in motion as early as this week.

The agency announced on Monday that they will strive to produce "revolutionary cyber defense and investigatory technologies for the collection, identification, characterization, and presentation of properties and relationships from collected digital artifacts of software, data, and/or users."

The digital artifacts in question will be "collected from live systems (traditional computers, personal digital assistants, and/or distributed information systems such as ‘cloud computers'), from wired or wireless networks, or collected storage media."

Theoretically, this could mean that someday, everybody's "cyber genome" will be known and mapped. But, let's not get ahead of ourselves - first, DARPA will have to see if the idea can be translated to reality.



Credit to : www.net-security.org
Url Ref: http://www.net-security.org/secworld.php?id=8784

Hacker attacks on healthcare organizations double

Posted on 27 January 2010.

SecureWorks reported that attempted hacker attacks launched at its healthcare clients doubled in the fourth quarter of 2009. Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009.

In the Fall of 2009, the security community began tracking a new wave of attacks involving the latest version of the Butterfly/Mariposa Bot malware. If a computer is infected with the Butterfly malware, it can be used to steal data stored by the victim's browser (including passwords), launch DDoS attacks, spread via USB devices or peer to peer, and download additional malware onto the infected computer.

SQL Injection attacks target vulnerabilities in organizations' web applications. "We also saw a resurgence of SQL Injection attacks beginning in October," said Hunter King, security researcher with SecureWorks. "They were being launched at legitimate websites so as to spread the Gumblar Trojan. Although SQL Injection is a well known attack technique, we continue to read news reports where it has been used successfully by cyber criminals to steal sensitive data," said King. One of the most recent cases reported involved American citizen Albert Gonzalez who was charged, along with two unnamed Russians, with the theft of 130 million credit card numbers using SQL Injection.

Factors contributing to healthcare attacks:

1. Valuable data stores – Healthcare organizations often store valuable data such as a patient's Social Security number, insurance and/or financial account data, birth date, name, billing address, and phone, making them a desirable target to cyber criminals.

2. Large attack landscape – Because of the nature of their business, healthcare organizations have large attack surfaces. Healthcare entities have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks.


Credit to : www.net-security.org
Url Ref : http://www.net-security.org/secworld.php?id=8780