Emerald City Comicon’s website was hacked and deleted this week…along with all their backups.

Ouch.

Ticketing is all handled offsite by EventBrite, so tickets and financial info are safe. They’ve redirected their URL to the Facebook page while they rebuild their website.

Lesson learned: Isolate your backups.

I don’t just mean physically. Yes, you need to keep some offsite in case the reason you lost your server is that the building caught fire. But isolate the online access as well. If you back up your site by pushing the backups from your server to a remote location (either self-hosted or cloud storage like Dropbox or Amazon S3), those credentials are stored on your server somehow. What could an attacker do with them?

Consider: If someone breaks into your web server, what else can they do in addition to vandalizing your site? Can they access other databases? Can they hop onto your internal network? Retrieve or alter private files? Can they get at your backups? If so, can they get at all your backups including private documents?

The answers are going to depend on your network and backup setup. But they’re questions you need to start asking.
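As an added illustration of the "isolate the online access" point (example code, not from the original post): the credential a web server uses to push backups can be scoped so that it may write new backup objects but never list, read or delete existing ones, with a separate credential kept off the server for restores and cleanup. The policy format and evaluation rules below are a simplified imitation of IAM-style policies (an explicit Deny beats any Allow, anything unmatched is denied); the action names, bucket path and backup filename are constructed for the example.

```python
"""Push-only backup credential: a compromised web server cannot destroy
the backups it has written. Simplified IAM-style policy evaluation."""
import fnmatch

# Constructed: the credential stored on the web server for nightly pushes.
PUSH_ONLY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "backups/*"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": "backups/*"},
    ]
}

# Constructed: the convenient-but-dangerous alternative, one key that can do everything.
FULL_ACCESS_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "backups/*"},
    ]
}

INTRUDER_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def is_allowed(policy, action, resource):
    """Evaluate one request: an explicit Deny wins over any Allow; no match means denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def intruder_capabilities(policy, resource="backups/site-2010-01-18.tar.gz"):
    """What someone holding the server's credential can do to an existing backup object."""
    return {action: is_allowed(policy, action, resource) for action in INTRUDER_ACTIONS}


def backups_survive_server_compromise(policy):
    """True if the server-side credential can neither delete nor read old backups.
    Overwriting via PutObject remains possible; bucket versioning or write-once
    storage on the backup side covers that and is not modelled here."""
    caps = intruder_capabilities(policy)
    return not (caps["s3:DeleteObject"] or caps["s3:GetObject"] or caps["s3:ListBucket"])


if __name__ == "__main__":
    for name, policy in (("push-only", PUSH_ONLY_POLICY), ("full-access", FULL_ACCESS_POLICY)):
        print(name, intruder_capabilities(policy),
              "backups survive compromise:", backups_survive_server_compromise(policy))
```

The same questions from the paragraph above (can they get at your backups, all of them, private documents included?) can be answered for a real setup by listing the actions the stored credential grants and checking each against the backup store, exactly as `intruder_capabilities` does for the toy policy.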

Some recent linkblogging. (Thank you, StumbleUpon)

Art

Privacy

If Your Password is “123456”, Just Make it “HackMe” (New York Times). Security researchers examine a list of 32 million passwords stolen from RockYou, and the most common are…well…pathetic. Things like “123456” (the most common), “abc123”, “password” and even “rockyou” (seriously!).

There’s been some slight improvement in the past decade, when the most common password was “12345” (the kind of combination an idiot has on his luggage). Now it’s got a whole extra digit. (Whee.)

Hmm, I wonder where “Chuck Norris” appears on the list?

(via @dixonium)

  • Grr. Amazon wants to stop paying me because they think I’ve been buying search keywords to link to them. No, I haven’t. Update: Two days later, they responded: it’s a bad form letter, and even if I were buying keywords, they’d only stop paying referral fees on those links.
  • More concerned than usual about person sneezing in stairway.
  • Bad idea: leaving your pay stub in the brochure holder by the ATM. WTF? Someone’s asking for identity theft.
  • Good deed for the day: tearing it into tiny pieces and tossing the confetti in the trash.

Last month, eWeek reported that PayPal intends to block unsafe browsers from accessing their site. They’ve focused on phishing detection and support for Extended Validation SSL Certificates. So what are these features, and why does PayPal think they’re critical? And just which browsers are they likely to block?

Phishing protection has an obvious appeal for a site whose accounts are one of the biggest phishing targets on the web. Opera 9.1 and up, Firefox 2, and Internet Explorer 7 check the websites they visit against lists of known fraudulent sites. These browsers will warn the users before they accidentally type their credentials into a bogus log-in form. While this makes no difference when a user is already on PayPal’s site, it does mean the user is less likely to get his or her password stolen, and thieves are less likely to carry out fraudulent transactions with the account.
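To show how a "list of known fraudulent sites" can be checked without shipping the full list to every browser, here is an added example (not from the original post or any browser's code) in the hash-prefix style of the Safe Browsing lists Firefox 2 used: the browser keeps only short hash prefixes locally, and a prefix hit triggers a full-hash confirmation. It is simplified (real implementations try several host/path expressions and cache results), and the list entries are constructed, not real phishing sites.

```python
"""Hash-prefix phishing-list lookup with URL canonicalisation."""
import hashlib
from urllib.parse import urlsplit, unquote

PREFIX_LEN = 4  # bytes of each hash kept on the client


def canonicalize(url):
    """Normalise scheme-less, mixed-case, dot-padded or /./-padded URLs to one (host, path)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = unquote(parts.hostname or "").lower().strip(".")
    while ".." in host:
        host = host.replace("..", ".")
    segments = []
    for seg in unquote(parts.path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    path = "/" + "/".join(segments)
    if segments and parts.path.endswith("/"):
        path += "/"
    return host, path


def lookup_keys(url):
    """Expressions checked for a URL: the exact host+path, then the whole host."""
    host, path = canonicalize(url)
    return [host + path, host + "/"]


def full_hash(key):
    return hashlib.sha256(key.encode("utf-8")).digest()


class PhishingList:
    """The list server holds full hashes; the browser downloads only prefixes."""

    def __init__(self, fraudulent_urls):
        self._full_hashes = {full_hash(lookup_keys(u)[0]) for u in fraudulent_urls}
        self.local_prefixes = {h[:PREFIX_LEN] for h in self._full_hashes}

    def full_hashes_for(self, prefix):
        # Stand-in for the network request a browser makes only on a prefix hit.
        return {h for h in self._full_hashes if h.startswith(prefix)}


def is_known_phishing_site(url, phishing_list):
    """True only when a full hash confirms a local prefix hit."""
    for key in lookup_keys(url):
        h = full_hash(key)
        if h[:PREFIX_LEN] in phishing_list.local_prefixes:      # cheap, offline
            if h in phishing_list.full_hashes_for(h[:PREFIX_LEN]):  # confirm
                return True
    return False


# Constructed list entries for the example, not real phishing sites.
KNOWN_BAD = PhishingList([
    "http://paypa1-login.example/update/",
    "http://secure-verify.example.test/",
])

if __name__ == "__main__":
    for u in ("HTTP://PAYPA1-LOGIN.EXAMPLE/./update/",
              "https://secure-verify.example.test/account/confirm",
              "https://www.paypal.com/"):
        print(u, "->", is_known_phishing_site(u, KNOWN_BAD))
```

The canonicalisation step is what keeps the warning useful against trivial variations (upper-case hosts, `/./` padding, a trailing dot on the hostname); the prefix/full-hash split is what keeps the list small and avoids sending every visited URL to the list provider.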

Extended Validation or EV certificates are like normal SSL certificates: they encrypt your web activity to prevent eavesdropping. What makes them different is that EV certificates require the issuer to verify the site owner more thoroughly. Browsers with EV support will display an indication that the site has been verified, usually by turning part or all of the address bar green. This is intended to give the user greater confidence that the site is legit. EV certificates are currently supported by IE7 and development versions of Opera 9.50 and Firefox 3. (You can preview a version of Opera with EV support by downloading Opera 9.50 beta 2.)

(It’s worth noting that Opera 9.50 beta 2 is stricter about verifying EV certificates, and will not show PayPal with a green bar because it loads images and scripts from another site. More recent preview releases will, like IE7 and Firefox 3, be satisfied if the main page is EV and the resources are all protected by regular SSL.)
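The two EV display rules described above, as an added example (not PayPal's or any browser's actual code): a function that decides which address-bar indication to show given the page's certificate status and the origins of its sub-resources. The strict mode models the Opera 9.50 beta 2 behaviour (every resource must come from the EV-validated host itself); the lenient mode models IE7, Firefox 3 and later Opera previews (page EV, resources merely over regular SSL). Hostnames and resource URLs are constructed.

```python
"""Security indicator decision for an EV page with third-party resources."""
from urllib.parse import urlsplit


def security_indicator(page_url, page_cert_is_ev, resource_urls, strict_same_origin=False):
    """Return 'ev' (green bar), 'ssl' (plain padlock), 'mixed' (no padlock) or 'none'.

    strict_same_origin=True : Opera 9.50 beta 2 rule, sub-resources must come from
                              the EV-validated host.
    strict_same_origin=False: IE7 / Firefox 3 / later Opera preview rule, page must be
                              EV and sub-resources just need regular SSL."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return "none"    # a plain-HTTP page gets no padlock at all
    resources = [urlsplit(r) for r in resource_urls]
    if any(r.scheme != "https" for r in resources):
        return "mixed"   # one plaintext script or image downgrades the whole page
    if not page_cert_is_ev:
        return "ssl"
    if strict_same_origin and any(r.hostname != page.hostname for r in resources):
        return "ssl"     # other hosts carry only regular SSL, so no green bar
    return "ev"


# Constructed page and resource set: main page EV, one script and one image,
# the image served from a separate static host.
PAGE = "https://www.paypal.com/"
RESOURCES = ["https://www.paypal.com/app.js", "https://static.example.net/logo.png"]

if __name__ == "__main__":
    print("strict :", security_indicator(PAGE, True, RESOURCES, strict_same_origin=True))
    print("lenient:", security_indicator(PAGE, True, RESOURCES))
    print("http img:", security_indicator(PAGE, True, RESOURCES + ["http://static.example.net/t.gif"]))
```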

So which browsers might get turned away at the gate?

In a follow-up story, PayPal clarified that they have absolutely no intention of blocking current versions of any browsers, and that they would only block obsolete browsers on outdated or unsupported operating systems. So an Opera 9 user on Windows XP isn’t likely to get shut out of PayPal anytime soon. But a Windows 98 user might have cause for concern.

Browser detection is extremely tricky to get right, requiring frequent adjustments. It looks like PayPal intends to take the minimalist approach: Assume most browsers are capable of handling what you send them, and only block the problematic ones.

(Originally posted at Opera Watch as a follow-up to Blocking IE6)