IE8 more secure than Firefox

A report on Browser Security testing by NSS Labs shows that Internet Explorer 8 security is far better than Firefox, catching 81 percent of "live threats" vs. only 54 percent caught by Firefox 3, which came in second place.

The tests include rating the browser's protection against malicious software using socially engineering and phishing attacks.

The lab tested the most recent versions of Microsoft's IE8, Mozilla Firefox, Apple Safari, Google Chrome, and Opera. Opera caught a mere 2 percent of the threats.

Quiz: Tech user type

Pew Research has a neat online quiz, "What kind of a tech user are you?".

It's fun, fast, and easy. Me? I'm a "Digital Collaborator". How about you?

Facebook security

Social networking sites such as Facebook and MySpace come under heavy attack, especially from phishers.There are an average of three different Facebook phishing campaigns every day, reports the Washington Post.

One prime attack method is to have a link that appears to go to Facebook and even displays what to be the official Facebook logon page. The logon display is actually not at Facebook -- it just looks like it is. The link to that faked page can come in an email or even on a hacked or malicious web page. So how can you lessen the danger from this type attack?

• Be paranoid about emails you get. Even if they appear to be from a "friend", be wary. If the email contains a link or attachment, send a separate email to (or call) the friend. Make sure they really did send it to you. A name in a "From" field of an email message means absolutely nothing these days!
• Always login to any site that requires a password by using your own link (Favorite or Bookmark) or manually typing it in. Never click on a link from somewhere else. Never. Ever.
• If the web site offers it, always choose to login by using what's called "Secure Socket Layer" (SSL). That's when you use "https" (think "s" for "secure") in the address, not just "http". Facebook happens to offer that choice. Use it! That is, use https://www.facebook.com/ to login to Facebook. This same security tip applies to many sites. Some do not even work without using HTTPS. [If Facebook were really interested in customer security it would force use of https, but that's a whole 'nother topic.]

In Internet Explorer 8, a valid HTTPS connection shows the "padlock" to the right of the address bar area, as in the figure above. It also shades the address background green. If you click on the padlock area, IE8 pops up certificate information.

While having a valid certificate is not a foolproof indicator that the company or site is "good", it's a big improvement over not checking it at all.

Another caution is that Facebook currently only allows the HTTPS protection at their login page. After login, you get dumped back into a normal HTTP session.

If you just have to have a Facebook page, be as safe as possible. Then be very paranoid.

Adobe Reader, Acrobat security issues -- again!

In respect to the latest in a series of security vulnerabilities with Adobe Reader and Adobe Flash, Adobe says, "We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009."

"SANS NewsBites" newsletter editors comment that users of Adobe Reader and Acrobat may want to consider less-exploited alternatives. Adobe Reader keeps bloating in size and Acrobat seems way over-priced, so perhaps it is time to start looking elsewhere.

• Adobe Product Security Incident Response Team (PSIRT) blog
• Adobe Acknowledges Reader, Acrobat flaws (SANS NewsBites)

Scrapers hit social networking sites

A recent article in Windows Secrets newsletter, "Viral inviters want your email contact list", stated, "The arms race between the script builders and big-name Web services is just beginning. The massive data collections that the scrapers are able to accumulate are simply too valuable to pass up.

The problem will only get worse as social-networking sites create linked systems. For example, the Facebook Connect service that launched last year allows members to use their Facebook account to sign in to hundreds of third-party sites, such as CNET and MoveOn.org."

Unfortunately, too many people are lured by friends and acquaintances that tell them, that having a Facebook page makes them "cool". But they don't tell them (perhaps because they don't know or don't believe) about the pitfalls, the need for locked down tight security, the need to keep data you share to an absolute minimum, and the real need to be skeptical of emails you get.

Criminals can only flourish in such a naively trusting environment. Here's hoping that future tightening of the world's email system underpinnings will reduce the ability of Spammers and other Criminals to pretend to be a "friend" and sucker people into hurting themselves.

First Mac botnet found

Researchers have found malware in pirated copies of Apple's iWork ’09 and Adobe Photoshop CS4. What's worse, the malware has created the first botnet for Macs.

The Mac OS has been overdue for malware attention by hackers and "safe" only due to much lower market share than IBM-clone PCs. Mac users can expect to see more such attacks.

• iBotnet: Researchers find signs of zombie Macs

Beware Antivirus 2009

Beware of fake antivirus software. And beware of a pop-up notice that you have a virus or "might have" a virus (unless the pop-up notice comes from software you already own).

A type of software that tricks you into installing it, then demands payment "or else" is called ransomware. And it's spreading.

One nasty piece of ransomeware seems to be a legitimate program called Antivirus2009. But after you install the software, it encrypts several document types. Then when you try to open one of the encrypted files, it pops up an alert and offers to sell you FileFix Pro 2009, which it says can decrypt the file.

So you get duped into downloading the fix. But it decrypts only one document. After that, it demands that you pay $50 to buy the software to decrypt the rest of your files (that the Antivirus 2009 encrypted).

Beware of "something for nothing". Be paranoid. Check out reviews of software at trusted sites before you download and install any.

Protect your personal information

A PC World test found that some search sites had random details about co-workers' and acquaintances' college roommates and boyfriends from the 1980s, political donations, shopping preferences and musical tastes.

Social networking sites give a false sense of security and if left "open" to all can result in a lot of personal information being harvested (sometimes called "scraped") by criminals.

A recent Symantec study showed that 91% of Phishing attempts are now aimed at social networking sites (the top two are My Space and Facebook). Why? The personal data is there for easy pickings. Plus, people who join social networking sites tend to feel more "free" in their personal comments.

Another disturbing tidbit ... 23% of people succumb (are tricked by) social engineering attemps via Phishing emails. At a recent Information Security conference, a speaker admitted that he had been a victim too. His daughter had joined Facebook, soon had 300 "friends" (right!) and then her got an email from "his daughter" with a link to something neat "she" wanted him to check out. He did. His computer got attacked. The problem? Too trusting. Bad assumptions.

People get tempted to take risky actions when using social networking sites. Human nature plus the very essence of a social networking site make using it risky.

How much is your identity worth? Is is humany possible to not be a social networking lemming? Just say, "No" to joining social networking sites. You'll live to rejoice in that decision.

IE8 is gr8

I installed the newly released IE 8 and am already liking the enhancements.

• Web Accelerators looks like something I'll use a lot, for example:http://www.microsoft.com/windows/internet-explorer/videos.aspx?mname=accelerators
• Automatic Crash Recovery (tab closes, not all of IE).
• Web Slices.
• Faster page display.
• Better pro-active built-in security (domain highlighting, SmartScreen filter -- sites ID'd with Spyware or PII collection get a pop-up warning [I assume it uses a database, so frequent updating is hopefully provided].
• InPrivate browsing, easier data deletion/cleanup.
• Compatibility mode for pages coded for older browsers (with compatibility updates pulled from MS as available).
• Love the grouped, suggested URLs as you start typing in the address bar.
• Oooo ... a "Read mail" toolbar icon automatically opened my Thunderbird email.

Next I'll have to see if FireFox 3.5 will match or beat that. As of now, IE8 is my preferred browser experience.

Does that email pass the smell test?

We get lots of email messages every day. How do you tell what's a fake (and likely to try to hurt you) and what's not? Carnegie Mellon's Software Engineering Institute produced a set of checks that are still valid. It's the KREVS "test".

• The Know test. Do you already know the sender?
• The Received test. Have you received safe emails from the sender before?
• The Expect test. If the email has an attachment, were you expecting to get it?
• The Virus test. Does the message pass a virus-check? (Make sure your Antivirus program also checks your email messages).
• The Sense test. Does it look right? Are there unexpected misspellings? Does it "smell" in any way?

If an email messages fails any of the above tests, delete it. Even if an email messages passes all 5 tests above, it still might be malicious. Be paranoid; the "bad guys" really are out to get you. Criminal attack attempts using email are increasing rapidly.

If the email is from a person you already know, still be careful. Call them and see if they really sent any unexpected attachment.

Malware worms its way into social networking

Social network site users tend to be more trusting than they should be about emails from "friends". They seem to assume that since they have to login to the account that messages from others are "safe". Criminals know that.

So with increasingly sophisticated social engineering, criminals are successfully attacking social networking services. Angry Facebook members created a special facebook page for victims of the Koobface worm.

Malicious software "scrapes" Facebook for all the user data it can find. People who give out real names, addresses, email addresses, and other information may find it cropping up in the hands of criminals. We teach kids to be wary of strangers, but then we turn around are and much too trusting in our online behavior ourselves. Parents, schools, and churches all need to start educating kids and even other adults about being wary of online personas and of being careful not to release personal information. Criminals now "mine" data from multiple sites to "fill in the picture" about victims identities and personal information.

Government agencies normally let their employees do personal surfing, yet they are starting to block access from the government offices to social networking sites. Why? It just too unsafe, at least for now.

Part of the challenge is that in order for social networking sites to be "fun", they have to encourage their members to share information. The default for most social networking sites is to be "open" rather than to have tight security. And most people are much more gullible online than in the "real world". So social networking sites like FaceBook and MySpace may continue to be a rich feeding ground for criminals.

If you insist on risking use of a social networking site, it might be a good idea to subscribe to a service that tracks your credit card actions as well as actions taken that relate to your credit rating. For example, you'd get an alert if someone was applying for a loan or credit card and using your credit record. And make sure to keep your Antivirus, AntiSpyware, and Firewall software up to date. You might also want to add prayer to the list. You may need it.

Be paranoid!

Be very wary of emails you did not expect to get and of any web pages they may link to. Just because an email or web page looks nice or is interesting or you are just plain curious is no reason to start clicking away.

A case in point is the recent malware that pretends to be about President Obama (or for you Irish folks, O'Bama). The Microsoft Malware Protection Center (MMPC) blog has more about this Waledac Trojan, including pictures of an email and the malicious web page.

Remember, it's perfectly OK to be paranoid -- the bad guys really out to get you!