The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation Secure Sockets Layer) certificates are considered “unsafe” for financial transactions.
“In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts,” said PayPal Chief Information Security Officer Michael Barrett.
Barrett only mentioned old, out-of-support versions of Microsoft’s Internet Explorer among this group of “unsafe browsers,” but it’s clear his warning extends to Apple’s Safari browser, which offers no anti-phishing protection and does not support the use of EV SSL certificates.
— PayPal Plans to Ban Unsafe Browsers, By Ryan Naraine, EWeek.com, 2008-04-17
Now on the one hand, I think EV SSL is color-coded checklist security candy:
The second annual Counter-eCrime Operations Summit (CeCOS II) will engage questions of operational challenges and the development of common resources for the first responders and forensic professionals who protect consumers and enterprises from the ecrime threat every day. This year’s meeting will focus on the development of response paradigms and resources for counter-ecrime managers and forensic professionals. Presenters will proffer case studies of national and regional economies under attack, narratives of successful trans-national forensic cooperation as well as models for cooperation and unified response against ecrime and data resources for forensic activities.
— Counter-eCrime Operations Summit II, APWG Japan, 2008
The Anti-Phishing Working Group continues to expand via national associates, and to put on good workshops.
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.
— Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008
The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:
One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.
The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.
— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15
But the best part is what it took to get the state to fix it:
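The pattern the quoted article describes, as an added example that is not the Oklahoma site’s code or The Daily WTF’s: a constructed lookup endpoint that runs whatever the anonymous client puts in a request parameter, next to a hardened version of the same endpoint that validates the input and binds it as a query parameter. The table names, rows, parameter names and attack string are all invented for illustration.

```python
"""Constructed illustration of the anti-pattern the quoted article describes
(not the Oklahoma DOC's real code): a public lookup page that splices an
untrusted request parameter into SQL, beside a hardened version of the
same endpoint. Table names, rows and the attack string are all made up."""
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """In-memory database with constructed sample rows, including a table
    the public page was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER, name TEXT, offense TEXT)")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)",
                     [(1, "A. Example", "fraud"), (2, "B. Sample", "theft")])
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(10, "C. Staffer", "000-00-0000")])
    return conn


def vulnerable_lookup(conn, query_string):
    """Anti-pattern: the 'where' parameter is appended verbatim to the SQL
    text, so whoever sends the request decides which query runs."""
    where = parse_qs(query_string).get("where", [""])[0]
    sql = "SELECT id, name, offense FROM offenders WHERE " + where
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, query_string):
    """Fix: accept only a positive integer id, bind it as a parameter, and
    reject anything else, so the client cannot change the query's shape."""
    raw = parse_qs(query_string).get("id", [""])[0]
    if not raw.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, name, offense FROM offenders WHERE id = ?"
    return conn.execute(sql, (int(raw),)).fetchall()


def demo():
    """Run both endpoints against the same database and return
    (rows leaked by the vulnerable endpoint, rows from the hardened one,
    whether the hardened one rejected a tampered id)."""
    conn = make_db()
    # Constructed attack: neutralise the intended condition with 1=0 and
    # UNION in the employees table. '+' decodes to a space, %3D to '='.
    attack = "where=1%3D0+UNION+SELECT+id%2C+name%2C+ssn+FROM+employees"
    leaked = vulnerable_lookup(conn, attack)
    normal = hardened_lookup(conn, "id=1")
    try:
        hardened_lookup(conn, "id=1+OR+1%3D1")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, normal, rejected


if __name__ == "__main__":
    print(demo())
```

The vulnerable endpoint hands back the employees table, including the constructed SSN column, to anyone who knows how to type a UNION; the hardened one returns only the offender row for a well-formed id and refuses the tampered one before any SQL is built. Validation of the shape of the input and parameter binding are both needed: binding alone would not stop a handler that still lets the client supply the WHERE clause.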
Despite last minute attempts by the French government to divide them, European MEPs today voted decisively against “three strikes”, the IFPI-promoted plan to create a class of digital outcasts, forbidden from accessing the Net if repeatedly accused by music companies of downloading infringing content.
In a vote held today, hundreds of MEPs supported language which declared termination of Internet access to be in conflict with “civil liberties and human rights and with the principles of proportionality, effectiveness and dissuasiveness”, all core values of the European Union.
… And Guy Bono, the author of the report, had this to say in the plenary:“On this subject, I am firmly opposed to the position of some Member States, whose repressive measures are dictated by industries that have been unable to change their business model to face necessities imposed by the information society. The cut of Internet access is a disproportionate measure regarding the objectives. It is a sanction with powerful effects, which could have profound repercussions in a society where access to the Internet is an imperative right for social inclusion.”
— European Parliament to Sarkozy: No “Three Strikes” Here, Posted by Danny O’Brien, EFF, April 10th, 2008
The European Parliament voted for social inclusion, participation, and human rights over profits for a tiny group of companies. That wasn’t hard. Even if the vote had gone the other way, it wouldn’t have produced any real security for the tiny group, and the way it did go, it produces far more security for everyone else. Maybe the U.S. can get the message.
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.
Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor’s Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.
— Gov. Perdue Signs Executive Order Strengthening Georgia’s Information Technology Security, News Report, Government Technology, Mar 20, 2008
I think this is a good move. Now how about monthly reporting in a publicly visible web page.