Friday, December 7, 2007

Can you hear that? It's a Skype vulnerability.


Those of you out there that really enjoy the free (or low cost) calling afforded by Skype need to be aware of a recent vulnerability found in Skype for Windows. TippingPoint's Zero Day initiative is responsible for the disclosure and pushing Skype to patch the issue. So update your Skype as soon as you can. You want to make sure you have version 3.6.0.216 or later.

For more information, check out Secunia's write-up of the vulnerability.

Tuesday, December 4, 2007

When typos attack


We all make mistakes. In my case, it's pretty much all through the day. I tend to type pretty fast and let spell checker figure it out. But in the case of browsing the web, these innocent typos may not be so innocent.

According to a recent McAfee study, a new attack vector is called "typo-squatting," which preys upon the folks that make simple typos when browsing. The bad guys register domains that seem like the one you are looking for. Then the fun begins. "These squatter-run sites generate click-through advertising revenues, lure unsuspecting consumers into scams and harvest email addresses to flood users with unwanted email."

Since drive-by Trojans and other nasty web attacks don't need user interaction anymore, it's all the more important to make sure your devices are configured securely. Right, that's Step 2 in Security Mike's Guide. Step 3 focuses on securely configuring your browser.

Over the next week or so, when Step 4 goes live, you'll also learn about a utility that plugs into your browser to show whether a web site is good. None of these methods are totally foolproof, but the more layers of security you have, the more likely you won't get nailed.

Monday, December 3, 2007

A downside to being a Billionaire


I guess the grass isn't always greener on the other side. Even if the other side is you having a couple billion dollars. I dug into the archives for this post by Ed Dickson, which described how NYC Mayor Bloomberg was victimized twice, almost simultaneously, by thieves trying to get at his multi-billion dollar wallet.

Check out Ed's post for the details, but let's take a quick look at what we can learn from these attacks. The first was a pretty standard check counterfeiting attack. Not much you can do about that. If someone gets a copy of your check, with the routing number and account number, then they can produce a likeness that could be accepted by any number of merchants out there.

The banks invest a lot in anti-counterfeiting marks on the checks, but in the end it's up to the merchant and your bank as to whether they will accept the fake. Most of the time they won't, but other times they may. That's why it's so important for you to keep on top of your finances and check your balances daily. Then you'll know if unauthorized charges are showing up. This is discussed in detail in Step 6 of Security Mike's Guide to Internet Security.

The second attack involved the criminal logging into Mr. Mayor's bank account and transferring money to a 3rd party financial institution. How did someone get his login and password? Who knows? It could have been anything. This is another example where staying on top of your account balances would have shown a weird transfer and you could have investigated it.

I'm sure Bloomberg has people to look into this. That's how they found the issues and with a high profile victim like the Mayor, the banks and law enforcement will work hard to bring the perpetrators to justice. It makes for good PR. I'm sure the bank also returned the money right where they found it, and no one but the criminals are any worse for wear.

So I guess the grass is greener after all for the Billionaires out there. If it's not, you certainly can afford a lot of spray paint, sod or whatever else you want to use to make your grass seem greener.

Did you blink? You may have missed Firefox 2.0.0.11


That's right, the fine folks at Mozilla bungled one of the updates associated with 2.0.0.10. I could do some research to figure out what they messed up, but do you really care? Right, I didn't think so.

So just update to the latest version of Firefox and rejoice. Detailed instructions are on the Portal for Security Mike members.