Firefox, IE, Opera, and Konqueror have all agreed to a set of standardized security features that will find their way into all browsers in future releases. This is pretty significant. Throughout the history of web browser development, it's been near-impossible to get the various camps to agree on standards of any kind.
Some of the highlights of the agreed-upon security features include:
In the default setting, all pop-up browser windows will now have URL location bars, so that you can see what site is hosting the pop-up.
Beefed-up and phisher-resistant high security certificates will be created and issued to deserving sites. The notification will be standardized -- if you're on a site with one of these certificates enabled, your address bar will turn green.
I wonder how this will affect web developers who use sleek pop-up windows without location bars purely because they look better that way. It will be interesting to see if this practice phases out or if it sticks around on sites that don't have much concern with the perception of high level security.
Spammers and scammers have used all sorts of tricky subject lines and from addresses to make you want to open unexpected e-mails. One of the latest tricks amounts to scare tactics.
If you receive any unexpected e-mails from the FBI or with FBI.gov in the sender or reply-to field, it's a scam. It's not clear yet whether the attack is a virus, phisher, or just plain spam, but there's some sort of new e-mail scam involving faked FBI headers.
Unless you personally know someone who works for the FBI, there's no reason to open an e-mail claiming to be from them. The FBI does not send unsolicited e-mails to the public.
If you receive one of the new fake FBI emails and would like to help track down the source, you can submit a complaint at: www.ic3.gov . More information about FBI e-scams can be found on the official FBI site.
Protection Control Center: More XP Support for the Holidays
Several customers have sent us emails pointing out that the Protection Control Center's icon doesn't show up as "security software" in the Windows Security Center. Although the PCC provides full protection against viruses, spyware, and intrusions, the current version doesn't get recognized by the Windows Security Center suite. This is why even though you have the PCC installed, you may still see a red "x" in your system tray indicating that XP thinks you have no protection software installed.
Help is on the way. The newest PCC update should be available in time for Christmas, and it will include among other things, better support for the Windows Security Center. Installing the new update will ensure that your system recognizes that the PCC is doing its job.
If you are current PCC user, you don't need to do anything special to receive the update. You'll be notified when it is available via the PCC's update manager.
Three different people asked me yesterday about why two buddies known as 'bots' showed up in their AOL Instant Messenger Buddy List. The new buddies were called "Shopping Buddy" and "Moviefone". One of the people had been given a message when they logged in mentining that these new buddies were added, but the other two people did not receive any such message.
In the context of instant messaging, a 'bot' is a computer program designed to respond to messages as if it were a person. It can interpret questions and statements made in natural language and send some sort of (hopefully) appropriate response back. Companies and individuals have developed bots for any number of purposes.
There have been infomation bots, like "SmarterChild", that give you movie showtimes and horoscopes, and play simple games. There are advertising bots that dispense product information, and there are attack-bots that inundate a user with so many messages that it causes their account to shut down.
AOL's new bots are designed to act as a shopping search engine and provide movie times.
Many bloggers are up in arms about the fact that AOL automatically added these new bots to every user's buddy list rather than giving individuals the choice of whether or not to install them in the first place. It's a fairly minor inconvenience to remove them from your list, but critics compare AOL's approach to 'opt-out' spamming.
An 'opt-in' list is one where you have to do something specific and clear, like submit your e-mail address in a form, to start receiving the list's mail. An 'opt-out' list is where the list assumes you want to receive its mail until you do something specific and clear to unsubscribe yourself. Although the CAN-SPAM act considers opt-out lists acceptable (provided the opt-out works within 10 days), many spamwatchers consider this practice highly undesirable for end-users. In my opinion, best practices dictate using opt-in lists only.
In yesterday's entry I linked to a story about Sony discontinuing one of its digital rights management programs. It turned out that the XCP software they force consumers to install in order to listen to certain music CDs also installs spyware on their machine.
Things appear to have gotten even worse for Sony. An AP story circulating today points out that the XCP uninstaller Sony is distributing creates an even bigger security threat than the original malware. The story quotes Princeton University analysts as follows:
"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."
If you are one of the estimated 500,000 music fans who installed the XCP software on your computer, you may want to wait for the dust to settle before you use the Sony-provided uninstaller.
Here's a roundup of what's going on this week in the areas of Protection and Security:
U.N. Internet Summit - Representatives gather this week in Tunisia to discuss global policy issues surrounding the governance of the internet at the World Summit on the Information Society.
Direct identity theft statistics may be inflated - Most studies and statistics include "synthetic" identity theft which involves no direct breach of security between a victim and the perpetrator.
Sony won't be selling protected CD's anymore - After it was discovered that some of Sony's rights-protected music CD's create a security vulnerability in host computers, Sony has decided to discontinue the program.
New varieties of "Sober" virus circulating - This new strain circulates in emails with the subject lines in German saying things like "60 years of Freedom: Who's Celebrating".
According to a Gartner report quoted in this article in CIO Asia magazine, Phisher schemes are reducing the number of purchases made online. However, reading the quoted data from the report, it doesn't sound like that's necessarily a bad thing.
Author Lorraine Cosgrove Ware writes:
"Nevertheless, 75 percent of the 5,000 online consumers who Gartner surveyed in May said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them."
I think Ware's analysis is off. This sounds like great progress to me. People looking to shop online are getting smarter about which sites and emails they trust. I don't see anything in the data she quoted showing a correlation between the savvier shoppers and a decline in legitimate e-commerce revenue. Am I missing something?
Here's a recap of the questions we have addressed from our readers on the EarthLink Protection Control Center (PCC).
Ben Kaplan, Security Applications Product Manager answers more of your questions to the Protection Blog.
In this post read answers to the following questions:
- Why doesn’t Widows recognize that I have anti-virus software installed?
- Is Protection Control Center compatible with Norton Anti-Virus?
- How often are the PCC spyware/virus definitions updated?
- With Earthlink protection, Do I still need an antivirus program or not?
- Does the new PCC work with older Windows versions?
- Can I download and use PCC without using TotalAccess 2005?
