Sunday, May 24, 2009

Facebook security

Social networking sites such as Facebook and MySpace come under heavy attack, especially from phishers.There are an average of three different Facebook phishing campaigns every day, reports the Washington Post.

One prime attack method is to have a link that appears to go to Facebook and even displays what to be the official Facebook logon page. The logon display is actually not at Facebook -- it just looks like it is. The link to that faked page can come in an email or even on a hacked or malicious web page. So how can you lessen the danger from this type attack?

  • Be paranoid about emails you get. Even if they appear to be from a "friend", be wary. If the email contains a link or attachment, send a separate email to (or call) the friend. Make sure they really did send it to you. A name in a "From" field of an email message means absolutely nothing these days!
  • Always login to any site that requires a password by using your own link (Favorite or Bookmark) or manually typing it in. Never click on a link from somewhere else. Never. Ever.
  • If the web site offers it, always choose to login by using what's called "Secure Socket Layer" (SSL). That's when you use "https" (think "s" for "secure") in the address, not just "http". Facebook happens to offer that choice. Use it! That is, use https://www.facebook.com/ to login to Facebook. This same security tip applies to many sites. Some do not even work without using HTTPS. [If Facebook were really interested in customer security it would force use of https, but that's a whole 'nother topic.]

Browser address area for a valid HTTPS address

In Internet Explorer 8, a valid HTTPS connection shows the "padlock" to the right of the address bar area, as in the figure above. It also shades the address background green. If you click on the padlock area, IE8 pops up certificate information.

While having a valid certificate is not a foolproof indicator that the company or site is "good", it's a big improvement over not checking it at all.

Another caution is that Facebook currently only allows the HTTPS protection at their login page. After login, you get dumped back into a normal HTTP session.

If you just have to have a Facebook page, be as safe as possible. Then be very paranoid.

Friday, May 01, 2009

Adobe Reader, Acrobat security issues -- again!

In respect to the latest in a series of security vulnerabilities with Adobe Reader and Adobe Flash, Adobe says, "We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009."

"SANS NewsBites" newsletter editors comment that users of Adobe Reader and Acrobat may want to consider less-exploited alternatives. Adobe Reader keeps bloating in size and Acrobat seems way over-priced, so perhaps it is time to start looking elsewhere.