Security Quest #12: Privacy

Facebook caused an uproar over the past week with their new Beacon advertising service. Being the last human not to have a Facebook account, I didn’t follow the story too much at first, but then it became hard to ignore. At the very least it was a public relations disaster for Facebook, although I suspect it won’t really affect their membership numbers. Ars Technica has a pretty good summary and includes the changes Facebook made in response to the outcry. But it appears Facebook may still have a ways to go. PC World reports that Beacon tracks non-Facebook users and logged-off Facebook users. It appears nobody at Facebook talked to their users: they implemented Beacon without really explaining what it meant before it kicked in for users.

I find it interesting that Google most definitely has as much info about users but tries to keep a low profile. When there’s an uproar about Google it’s about what they might do with the data. With Facebook it’s what they were actually doing with the data. Google pulls us in slowly; Facebook wanted it to overwhelm us.

Also in the privacy arena, the November 22nd Security Now podcast talked about third-party cookies, specifically PayPal’s routing of links through Doubleclick to avoid the issue of browsers rejecting third-party cookies. As the podcast mentions, this could give the Doubleclick advertising network access to information about you. I don’t use PayPal a lot, and while I don’t like what they do I won’t use it any less. I use PayPal when a credit card isn’t accepted or I don’t want to give a website my credit card number, so it would remain my preferred, if reluctant, choice. It may get me to go through the hassle of using a one-time credit card number my bank offers.

Software Vulnerabilities

Symantec is reporting that an active exploit is in the wild for a QuickTime vulnerability that was first reported last week. From the article:

Hamada said the exploit code was found on a compromised porn site that redirects users to a site hosting malicious software called “Downloader.” Downloader is a Trojan that causes compromised machines to download other malicious software from the Internet. Symantec rates Downloader as “very low” risk.

A second QuickTime flaw has also just been reported.

News & Links

Blogger in Draft: New feature: OpenID commenting – Google has begun testing OpenID with their “Blogger in Draft” program.

CNet.com: McAfee Internet Security Suite 2008 – complete package Internet security and firewall reviews – CNet reviewed McAfee Internet Security Suite 2008, rated it 7.3 out of 10 and said “McAfee Internet Security 2008 trounces Norton Internet Security 2008, offering a better designed product with more security tools.”

Google Online Security Blog: Help us fill in the gaps! – Google is asking users to report malicious websites they come across by filling out an online form.

MSNBC.com: Virus experts warn of ‘Google poisoning’ – The Red Tape Chronicles – Info about malware distribution via websites is making its way into the general news.

News.com: Inviting the hackers inside – News.com article about how Microsoft has taken a more inclusive approach to security.

News.com: Yahoo, Adobe team on PDF ads – Advertising can now infect PDF files.

WinSuperSite.com: Windows Live OneCare 2.0 Review – Good review of the latest Windows OneCare version.

Wired.com: Spammers Giving Up? Google Thinks So – Google says that spam is down (as a percentage of all mail) through their GMail system.

theage.com.au: Flaw leaves Microsoft looking like a turkey – A vulnerability in Windows that was thought patched 5 years ago still exists under some conditions. Vista is affected too. Via tech.blorge.com.

Security Quest #2: PayPal Security Key & Weekly Update

PayPal is piloting a new feature that more financial institutions should consider and every PayPal client should use. They are making Verisign security key fobs available to PayPal users for a nominal cost of $5 each. The cost includes shipping.

The key fob generates a new six-digit password every thirty seconds. You enter this, along with your password, when signing on to PayPal. Even if someone gets your password they cannot access the account without the key fob (well, there is an exception).
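To show what a six-digit, thirty-second code buys you on the server side, here is an added example (not PayPal’s or Verisign’s code) of a time-based one-time-password check modelled on RFC 6238 TOTP. The page does not say which algorithm the Verisign fob uses, so the HMAC-SHA1/TOTP choice is an assumption; the demo secret is the RFC test-vector key, and `TotpVerifier` is a name invented here.

```python
"""TOTP verifier modelled on RFC 6238 (HMAC-SHA1, 6 digits, 30 s step).
Assumption: the fob's real algorithm is not stated on the page; this is a
standard TOTP check with the same six-digit / thirty-second parameters."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """The six digits the fob shows at a given time: HOTP of the time-step counter."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check: accept a code from the current step or one step either
    side (fob clock drift), and never accept the same step twice (replay)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time-step already consumed by a login

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used: a captured code is worthless to an attacker
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (RFC 4226 test key)
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))  # accepted once, then refused
```

The second `verify` call fails even though the code is still within the time window, which is the property that makes a stolen or shoulder-surfed code useless after one login.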

PayPal’s Security Key FAQ sums up its benefits:

Because it gives you an extra layer of security when you log in to your PayPal or eBay account. Most websites keep your online account safe by only asking for your user name and password to verify your identity. The PayPal Security Key gives you an additional security code that only you know about. That makes your account more resistant to intrusion. Plus, the Security Key’s easy to use.

PayPal does allow access if you lose the key or it breaks. The FAQ states they’ll ask you to confirm account ownership. After entering your password you’ll be asked to verify account information (by providing the full account numbers) or by answering your security questions. This method can be used to access your account when you don’t have your security key or to deactivate the key if it’s lost or broken.

Since PayPal is owned by eBay it’s no surprise that the key can also be used with eBay. While key fobs are a great security idea, one key fob per account isn’t feasible. The key fob is issued by Verisign and can be used with their Personal Identity Provider (PIP) service, which is in beta. PIP is OpenID enabled and can be used at sites that are OpenID enabled.

For information about the PayPal security key, log on to your PayPal account and go to http://www.paypal.com/securitykey.

Security Updates

Firefox 2.0.0.7 has been released. The only patch in the update is to fix a critical security vulnerability when dealing with Quicktime media files. The vulnerability bulletin only mentions Windows as an affected OS but the update is for all platforms. The update is being sent through Firefox update and is available for direct download.

Security Software

AVG Antivirus Free Edition has been upgraded to version 7.5.487.

Security News, Information & Discussion

The Unofficial Apple Weblog has a good article on using the OS X keychain application to store and locate passwords.

Ars Technica, among others, is reporting that spammers seem to be turning their botnets against anti-spam sites. Speculation is that the attacks come from those controlling the Storm worm botnets, although it may be customers paying for the attacks.

The Washington Post Security Fix blog is reporting that the RightMedia ad network was serving banner ads carrying trojans. RightMedia has banned the ads, which were served on Photobucket, MySpace and others. RightMedia was recently purchased by Yahoo.

The Spyware Guide brings an update on spammers using Skype for a rogue anti-spyware scam.

There were a couple of recent articles about managing spam comments in WordPress blogs:

  • Internet Duct Tape talks about using Akismet Auntie Spam, a Greasemonkey script for Firefox, to manage spam in WordPress.

TD Ameritrade issued a press release concerning an internal audit of their systems. They were investigating stock-related spam and found “unauthorized code” in their systems which has now been removed. They say only contact information was stolen. Ameritrade customers might want to think about new email addresses – and a new broker.

Media Defender, an anti-P2P company, made news recently after over 700MB of their emails were made public. The emails directly contradicted the company’s public statements over questionable tactics the company was accused of using. Media Defender employee Jay Mars forwarded all his company email to a GMail account. The GMail account was used as the conduit to get the emails. The lesson here is that no matter how secure a company tries to make its systems, employee actions are always the weakest link.