Open Source Utility for Enhanced Password Security

Posted by cyber-geek | Posted in Cyber tips | Posted on 30-10-2009


With the increase of online banking, online e-mail, online purchases, etc., there is a need for increased password security. If you are like many people who use the same password for most sites, you are in trouble if that one password gets hacked. You need to make your passwords complex and tough to crack, and create a separate password for each account. Once you have a different complex password for each site, the problem is how to remember them all. The last thing you want to do is write the passwords down on paper or in a notebook and carry them in your wallet or purse.

KeePass is an open source utility that works on almost any platform, including your smartphone (clients are available for Windows, Ubuntu, Linux, Mac OS X, J2ME (cell phones), BlackBerry, Windows Mobile and more). You can store your passwords in a password-protected, encrypted database and look them up when needed. It will even generate a complex password for you. KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases. There are many plugins available that add features such as form filling, an on-screen keyboard, etc.


KeePass demo screenshot

Source: http://vjalagam.blogspot.com/2009/09/keepass-opensource-password-safe.html

Technical Tips to Prevent Phishing

Posted by cyber-geek | Posted in Cyber tips | Posted on 29-10-2009


Many anti-phishing measures have been implemented to date, including features built into browsers, browser extensions or toolbars, and steps that are part of website login procedures. Most websites that are targeted by phishing are secure, meaning that SSL with strong cryptography is used for server authentication. In principle, it should be possible to confirm the site using the SSL authentication, but in practice it is easy to deceive the user.

The superficial flaw is that the browser’s security user interface (UI) is insufficient to deal with today’s strong threats. There are three parts to secure authentication: first, an indication that the connection is in authenticated mode; second, which site the user is connected to; and third, which authority says it is the site it claims to be.

Secure Connection: The user easily misses the padlock that was the standard display for secure browsing from the mid-1990s to the mid-2000s. Mozilla introduced a yellow URL bar in 2005 as a better indication that the connection is secure. Unfortunately, this innovation was then reversed with the arrival of EV Certificates, which gave high-value certificates a green display and left the rest with a white display.

Which Site: The user is expected to verify that the domain name in the browser’s URL bar is in fact where they wanted to go. URLs can be too complex to parse, and users often do not know or recognize the URL they intend to visit, making authentication meaningless. Many e-commerce sites switch between domain names within their overall set of websites, making it harder for the user to keep track. Simply displaying the domain name of the visited website, as some anti-phishing toolbars do, is therefore insufficient.

Firefox offers an alternative: a petname extension that lets users type in their own labels for websites, which they can recognize when they later return to the site. If the site is not recognized, the software warns the user or flags it outright. This is user-centric identity management of the server. A graphical image selected by the user could be an even better identifier.

With the introduction of EV Certificates, browsers display the organization’s name in green, making it more visible and hopefully more consistent with the user’s expectations. But the browser vendors have limited this display to EV Certificates only, leaving the user groping in the dark for all other certificates.

Who is the Authority: As far as the user is concerned, the browser is the authority at the simplest level, since no authority is stated at this stage. The current practice is for the browser vendors to control a root list of acceptable CAs. The problem is that not all Certification Authorities (CAs) employ good or applicable checking. Nor do all CAs subscribe to the same model and concept that certificates are only about authenticating web sites or e-commerce organizations. Certificate Manufacturing is the term given to low-value certificates that are issued on nothing more than a credit card payment and an email confirmation, which fraudsters can easily subvert. Thus a valid certificate issued by another CA may be used to spoof a high-value site. This can happen because the CA is in another part of the world and is unfamiliar with high-value e-commerce sites. Since each CA is charged with protecting its own customers and not the customers of another CA, there is an inherent flaw in this model.

The solution to the above problem is that the browser should show, and the user should be familiar with, the name of the authority that issued the certificate. This projects the CA as a brand and lets the user become acquainted with the handful of CAs in their country. The brand gives the CA an incentive to improve its checking, and users would come to demand good checking for high-value sites.

This solution was put into action in early versions of IE7, which displayed the issuing CA when showing EV Certificates. Nevertheless, this turned out to be an isolated case. There is resistance to branding CAs in the browser chrome, resulting in a fallback to the simplest level above: the browser is the user’s authority.

Social Responses to Prevent Phishing

Posted by cyber-geek | Posted in Secure Downloading, Spam Awareness | Posted on 27-10-2009


One technique used to combat phishing is training people to recognize phishing attempts and teaching them how to deal with them. Education can be effective because training provides direct feedback. Spear phishing, a form of phishing targeted at a specific company, has been used to train individuals at various institutions, including the United States Military Academy at West Point, NY. In a spear phishing experiment conducted in June 2004, 80% of 500 West Point cadets were tricked by a fake email into revealing their personal information.

People can protect themselves from phishing by slightly modifying their browsing habits and taking the right precautions. When asked to reveal personal or sensitive information, such as account details or a password, the wise course is to contact the company from which the email apparently originates and check that the email is legitimate. Alternatively, the address of a website the user knows to be legitimate can be typed directly into the address bar rather than trusting any hyperlink in the suspect message.

Nearly all websites hold information that is not directly available to phishers. PayPal, for example, always addresses users by their user names and never by a generic greeting such as “Dear PayPal Customer”. This can be used as a means of telling whether a message is real or fake. Some financial institutions use their customers’ account numbers as a means of authenticating messages. But according to a recent study, customers typically do not distinguish between the first few digits and the last few digits of an account number, which is a significant problem, since the first few digits are the same for most customers of a given institution. People’s suspicion can be aroused if they find no specific personal information in their messages. Yet phishing attempts in early 2006 included personal information, making it unsafe to assume that a message carrying personal information is genuine. Furthermore, recent research shows that people hardly pay attention to whether personal information is present, so its presence does not lower the success rate of phishing attacks.

The Anti-Phishing Working Group predicts that conventional phishing attacks will become obsolete as people grow more aware of phishing. It predicts that pharming and other forms of malware will become the more useful means of stealing information.

It would be a courteous act for everyone to educate people about safe practices and to avoid dangerous ones. Unfortunately, even well-known players are known to encourage users in hazardous behaviour, for example by asking users to reveal their passwords for third-party services such as email, which aggravates the menace.

Impact of Junk Emails on Corporates

Posted by cyber-geek | Posted in eMail Spam Awareness | Posted on 25-10-2009


Unsolicited email was at first considered a bit of a joke, earning the jocular name of spam. However, as spam volumes rose to epidemic proportions, what was a minor nuisance in the life of an IT professional soon snowballed into a major crisis. Estimates put spam at nearly 95 percent of all email. According to Jupiter Research reports, the active email consumer received a shocking 3253 pieces of spam in 2005.

This matter has to be taken seriously. The daily flood of junk email has an adverse effect on corporations by clogging their networks and consuming mail server bandwidth. It can also act as a gateway for serious network threats such as Trojans, viruses, worms, and phishing scams that penetrate corporate networks. The cost of spam is not just the cost of the extra bandwidth; it also includes everything IT departments must do to protect their organizations from the threats just described.

Spam is a driving force behind the increasing number of data breaches in the corporate world. International awareness and the enforcement of anti-spam laws in countries like the USA have forced spammers to shift their operations to countries where regulation is weaker. According to the IT security firm Sophos, spam operators are working hand in glove with hackers and virus writers, with 60 percent of all spam coming from computers infected with malware. According to Webroot Software’s State of Spyware report, 2005 was the biggest year yet for spyware.

Apart from the security threats that spam poses, firms face concerns that are even more serious. In today’s world, where corporate ethics matter a great deal, firms are increasingly accountable for the actions of their employees. Any offensive message from a disgruntled employee can tarnish the name of the organization. Since there can be no definitive solution, the only way to reduce email-related threats is to deploy ever more sophisticated server-side filtering that stops spam and malicious email from reaching the network.

A Bank of Scotland (BoS) survey found that about 37% of UK small firms were badly hit by unsolicited spam, viruses, and faxes. The study found that although the cost of minor data losses and firewalls is less than 1000 pounds a year for two-thirds of small firms, a full-scale virus attack can be terminal for entrepreneurs on tight budgets. For every fifty firms polled, approximately one reported virus costs exceeding 10,000 pounds a year. A further 40 percent of managers said that junk email significantly added to their costs, while one in ten lost an estimated 10,000 pounds a year through lost productivity and the purchase of email filtering systems. Although laws now state that individuals may not send emails or other communications without prior permission, these are valid only in the UK and have done nothing to reduce the flood of spam from the USA.

According to Eddie Morrison of BoS, computer viruses are clearly one of the scourges of our business age. He observes that it has become increasingly easy for small firms to be bombarded with multiple unsolicited emails and faxes for advertising and other purposes.

Small firms are even more vulnerable to spam, with a large chunk of them still without a junk email policy. Research conducted by Clearswift found that 34 percent of small companies have no measures in place to combat spam, while a further 57 percent of firms that do have a policy have not communicated it to their staff.


All You Need to Know About Scareware

Posted by cyber-geek | Posted in Cyber Awareness | Posted on 23-10-2009


As scareware threats are on the rise, millions of Internet users are falling prey to scareware scams.

Scareware adopts bogus sales tactics designed to scare users into believing that their computer contains critical errors or viruses that have to be fixed immediately. Scareware ads offer an instant solution to the so-called problems on the computer, for a price. In some cases the software is harmless, while in others it is actually malware or spyware. The ad might pop up at any time while surfing the web, and it may open a pop-up window styled so that people believe the message was triggered by their own operating system. The message claims that the consumer’s computer is infected with a virus and requires a “fix”, and that clicking “OK” will take the user to a download site where the “fix” can be purchased. By luring victims into buying the software, the perpetrators may also steal sensitive information such as the victim’s credit card details, which may then be sold on black-market forums.

As of June 2009, Symantec had detected over 250 rogue programs in a study spanning June 2008 to June 2009. Bogus security software may be freely available, may cost up to US$100, or may come as a trial version. It may be installed manually by the user, when the user opens an attachment, or while browsing a malicious website. Scareware can also be unknowingly advertised on legitimate websites such as social-network sites, forums and blogs, and can appear in search engine results sponsored by cyber criminals. These crooks also hire sales representatives to sell their products, who earn an average of US$23,000 a week. They are paid for every installation they make and even get bonuses like electronic gadgets and luxury cars.

Another scareware tactic is frightening users with unexpected images, sounds or video. This is known as prank software. An example is “NightMare”, which when executed lies dormant for some time and then changes the entire screen to an image of a skull while a horrifying shriek is played on the audio channels.

Many cases have been filed against the perpetrators behind such sites, and they have been ordered to pay for the damage they caused. In 2005, Microsoft and Washington State successfully sued Secure Computers for US$1 million over charges of using scareware pop-ups. Regulatory bodies such as the US Federal Trade Commission are taking an active part in trying to put an end to this menace.

However, it is your responsibility to be aware of these things and avoid being trapped.

Yet Another Email Scam – Beware

Posted by cyber-geek | Posted in Cyber Awareness | Posted on 21-10-2009


Given the recent incident involving a few thousand hacked email accounts, let’s see how some of these scammers have used the accounts they broke into.

The following email was sent to a small business’s support email address, for financial gain, from a@gmail.com, an email address belonging to one of their clients.

“I’m sorry for this odd request because it might get to you too urgent but it’s because of the situation of things right now, i’m stuck in New York City with family right now, we came down here on vacation , we were robbed, worse of it is that bags, cash and cards and my cell phone was stolen at GUN POINT, it’s such and crazy here in london , i need help flying back home, the authorities are not being 100% supportive but the good thing is we still have our passport but dont have enough money to get on flight ticket back home, please i need you to loan me some money till im back home to pay back , i will refund you as soon as i’m back home, i promise , all we need is $800”

The request looked genuine. The only odd thing was that it was sent as ‘BCC’ (undisclosed recipients). However, the email did come from the client’s address.

The following reply was sent to the client’s email address.

“Not a problem. Please let us know what we need to do.”

Then the recipient got suspicious and immediately sent this message:

“Is there a number we can reach you on?”

Within 10 minutes there was a reply from the same email address, as follows:

“Well I’ll can’t access any cell right here , all i need is $800 more to complete my ticket fee right now , I can get it back to you as soon as im back home , You can wire me the money via western union , You only need my name and the country name here , I still have my passport ID to pick up the money here

Name : First Lastname
Country Name : New York, United State of America

Thats all you need , You got it right ?”

This is a tricky situation, as you don’t want to be seen as unsupportive when a client is in genuine trouble. Thus the business was willing to send the money. However, they called the client’s mobile in the U.S. and he answered, making it clear that the email was not sent by him. Had the call gone unanswered, they were all set to send the money, since they were not aware of anyone being fooled in this way before. The business wanted this circulated widely to prevent others from being fooled the same way.

How safe are you browsing with Firefox?

Posted by cyber-geek | Posted in Cyber tips, Secure Downloading | Posted on 16-10-2009


Mozilla Firefox is a popular browser used by millions of Internet users all around the world. Its coolest feature is its support for adding more and more plugins, which give you advanced browsing capabilities.

However, we need to update our plugins as soon as a new version is available. Plugin updates not only bring new features but also fix security vulnerabilities that can be exploited while browsing. Many people ignore them because it takes a little time (no more than 2 minutes) for the plugin to update and the browser to restart. This increases their exposure to online security threats like malware, viruses, botnets, etc.

How do you check whether your plugins are up to date? Copy and paste this URL into your browser: https://www-trunk.stage.mozilla.com/en-US/plugincheck/.

The page that opens will show the status of each plugin.

  • Green indicates that your plugin is up-to-date.
  • Yellow indicates outdated but without known vulnerabilities.
  • Red indicates that the plugin is known to have security holes and is outdated.
  • Don’t worry about the Grey colored plugin.

Update your plugins regularly for safer and better browsing.

Keeping Your Email Account Safe

Posted by cyber-geek | Posted in eMail Spam Awareness | Posted on 08-10-2009


Email users can help reduce the flow of spam on the Internet. When signing up for something online, be careful with the checkboxes and do not tick the ones for additional offers; otherwise you will receive email from the partners of the site you signed up at. It is advisable to use freebie accounts to fight spam. Create a few freebie accounts, forward them to your main account, and use those freebie accounts to sign up for things online. If an account gets spammed, disable or abandon it. One word of caution: never use your primary email address to sign up for anything. At the very least, use three accounts: one for business, one for personal matters and another for online shopping.

There are many freebie accounts available today, the best known of which are AOL/AIM, AOL My eAddress, Excite, Fast Mail, Google Mail, Goowy, Hotmail/MSN Inbox, Lycos, MyWay Mail, Rock.com, and Yahoo!

If you plan to use a freebie account as your main account, Gmail is recommended. Google Mail is arguably the most productive and well thought out free email offering available, with highly efficient spam filters, plenty of disk space for messages, and third-party plug-ins to increase productivity.

There are also expendable email address services with more selective disabling features than regular free email accounts. A hosting package for your own domain might include 50 to 100 email addresses. You can use these addresses for newsletter or shopping sign-ups and redirect each one to a main account.

Whatever you do, never publish your main email address anywhere online. Use freebie accounts instead, which can be dropped when necessary. Use a CAPTCHA image-based code to separate spambots from human visitors. Encode any published address like me*AT#hotmail#DOT*COM so that humans can still read it while address-harvesting bots cannot.

Some ISPs add junk mail status information to the headers of messages passing through their mail servers. If your email client supports it, you can write a “filter rule” to ditch any message whose headers include “X-Spam-Status: Yes”. The disadvantage is that there may be false positives, so you will need to check the spam folder on a weekly basis.

You can also write your own command-line email filters in a scripting language like Perl or Python, both of which have excellent regex pattern matching. Write a program to grab copies of your email off POP or IMAP servers. Build a frequency table of keywords, saving the IP address information for each message. If the data is kept for long-term profiling, store the spam information in a separate database. If some words in a message raise flags, compare their frequency counts against the other words. This step should stay manual until you have built up long-term profiles. If a message is spam, delete the original copy off the mail server. An operating system like Linux lets you integrate such custom filters into your email client.
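The filter sketched above, as an added Python example that is not part of the original post: it honours the ISP’s X-Spam-Status header, tokenises the body, keeps a per-sender-IP keyword frequency table, and flags a message when its share of flag words is high, or moderately high from an IP the profile has already flagged. The flag-word list, the 10% and 5% thresholds, and the four sample messages are all constructed for illustration; fetching from POP/IMAP and deleting from the server are left out.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string

# Words that "raise flags"; a constructed list, tune it against your own mail.
FLAG_WORDS = {"free", "winner", "urgent", "wire", "prize", "click"}
TOKEN = re.compile(r"[a-z']+")
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def body_text(msg) -> str:
    """Plain-text body: the first text/plain part of a multipart, else the payload."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def sender_ip(msg) -> str:
    """IP of the originating hop: the bottom-most Received: header (added first)."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = RECEIVED_IP.search(hdr)
        if m:
            return m.group(1)
    return "unknown"


class SpamProfile:
    """Long-term profile: per-IP word frequencies plus how often that IP was flagged."""

    def __init__(self) -> None:
        self.ip_words = defaultdict(Counter)  # ip -> word frequency table
        self.spam_seen = Counter()            # ip -> messages already flagged

    def score(self, raw: str) -> dict:
        msg = message_from_string(raw)
        ip = sender_ip(msg)
        words = TOKEN.findall(body_text(msg).lower())
        counts = Counter(words)
        self.ip_words[ip].update(counts)
        flagged = sum(counts[w] for w in FLAG_WORDS)
        ratio = flagged / len(words) if words else 0.0
        # Honour the ISP's verdict first (the "filter rule" from the text).
        header_spam = msg.get("X-Spam-Status", "").strip().lower().startswith("yes")
        # Otherwise: >10% flag words, or >5% from an IP the profile already flagged.
        is_spam = header_spam or ratio > 0.10 or (self.spam_seen[ip] > 0 and ratio > 0.05)
        if is_spam:
            self.spam_seen[ip] += 1
        return {"ip": ip, "flag_ratio": round(ratio, 3),
                "header_spam": header_spam, "spam": is_spam}


SAMPLE_MESSAGES = [  # constructed samples; hosts and IPs are documentation ranges
    "Received: from relay.example.net ([192.0.2.10]) by mx.example.org\n"
    "From: friend@example.net\nX-Spam-Status: Yes, score=8.1\n\nHello there\n",
    "Received: from bulk.example.com ([203.0.113.5]) by mx.example.org\n"
    "From: offers@example.com\n\nYou are a WINNER! Click now to claim your free prize, urgent.\n",
    "Received: from office.example.org ([198.51.100.7]) by mx.example.org\n"
    "From: boss@example.org\n\nMeeting tomorrow at ten, please bring the report and click the calendar link.\n",
    "Received: from bulk.example.com ([203.0.113.5]) by mx.example.org\n"
    "From: offers@example.com\n\nMeeting tomorrow at ten, please bring the report and click the calendar link.\n",
]

if __name__ == "__main__":
    profile = SpamProfile()
    for verdict in (profile.score(m) for m in SAMPLE_MESSAGES):
        print(verdict)
```

The third and fourth samples share the same body; only the fourth is flagged, because its sender IP was already recorded as a spam source in the profile.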