This week, a security expert showcased a CSS-related security hole that allows a would-be intruder to use Internet Explorer to access the information on your computer and execute remote commands via Google Desktop.
In all fairness, despite my concern I can't really blame the desktop app. According to the article, the flaw isn't in Google's product per se; it's in Internet Explorer. In addition to Google Desktop, the exploit could be used to access any number of other applications that use a similar setup.
-Posted by Dave
They must be getting a boatload of traffic from the link. The direct link to the quiz is currently not working (as of Thursday morning, around 11 am EST).
But the comment thread on Lifehacker is interesting in and of itself. Several commenters raise the great point that two of the best ways to spot a phisher are not possible in the quiz:
For more tips, check out our ten ways to recognize phisher e-mails.
Some of the highlights of the agreed-upon security features include:
I wonder how this will affect web developers who use sleek pop-up windows without location bars purely because they look better that way. It will be interesting to see if this practice phases out or if it sticks around on sites that don't have much concern with the perception of high level security.
via ArsTechnica.
If you receive any unexpected e-mails from the FBI or with FBI.gov in the sender or reply-to field, it's a scam. It's not clear yet whether the attack is a virus, phisher, or just plain spam, but there's some sort of new e-mail scam involving faked FBI headers.
Unless you personally know someone who works for the FBI, there's no reason to open an e-mail claiming to be from them. The FBI does not send unsolicited e-mails to the public.
If you receive one of the new fake FBI emails and would like to help track down the source, you can submit a complaint at www.ic3.gov. More information about FBI e-scams can be found on the official FBI site.
Help is on the way. The newest PCC update should be available in time for Christmas, and it will include, among other things, better support for the Windows Security Center. Installing the new update will ensure that your system recognizes that the PCC is doing its job.
If you are a current PCC user, you don't need to do anything special to receive the update. You'll be notified when it is available via the PCC's update manager.
Thanks to everyone who wrote in on this topic.
In the context of instant messaging, a 'bot' is a computer program designed to respond to messages as if it were a person. It can interpret questions and statements made in natural language and send some sort of (hopefully) appropriate response back. Companies and individuals have developed bots for any number of purposes.
There have been information bots, like "SmarterChild", that give you movie showtimes and horoscopes, and play simple games. There are advertising bots that dispense product information, and there are attack-bots that inundate a user with so many messages that it causes their account to shut down.
AOL's new bots are designed to act as a shopping search engine and provide movie times.
Many bloggers are up in arms about the fact that AOL automatically added these new bots to every user's buddy list rather than giving individuals the choice of whether or not to install them in the first place. It's a fairly minor inconvenience to remove them from your list, but critics compare AOL's approach to 'opt-out' spamming.
An 'opt-in' list is one where you have to do something specific and clear, like submit your e-mail address in a form, to start receiving the list's mail. An 'opt-out' list is where the list assumes you want to receive its mail until you do something specific and clear to unsubscribe yourself. Although the CAN-SPAM Act considers opt-out lists acceptable (provided the opt-out works within 10 days), many spamwatchers consider this practice highly undesirable for end-users. In my opinion, best practices dictate using opt-in lists only.
Things appear to have gotten even worse for Sony. An AP story circulating today points out that the XCP uninstaller Sony is distributing creates an even bigger security threat than the original malware. The story quotes Princeton University analysts as follows:
"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."
If you are one of the estimated 500,000 music fans who installed the XCP software on your computer, you may want to wait for the dust to settle before you use the Sony-provided uninstaller.
Here's an official statement from Sony and a link to the Sony XCP FAQ.
Author Lorraine Cosgrove Ware writes:
"Nevertheless, 75 percent of the 5,000 online consumers who Gartner surveyed in May said they have become more cautious about where they shop online, and one-third reported buying fewer items than they would typically purchase due to security concerns. Eighty percent of those surveyed said they now trust commercial e-mail less, while 85 percent claimed to delete unexpected e-mails without ever opening them."
I think Ware's analysis is off. This sounds like great progress to me. People looking to shop online are getting smarter about which sites and emails they trust. I don't see anything in the data she quoted showing a correlation between the savvier shoppers and a decline in legitimate e-commerce revenue. Am I missing something?
Ben Kaplan, Security Applications Product Manager, answers more of your questions to the Protection Blog.
In this post read answers to the following questions:
- Why doesn’t Windows recognize that I have anti-virus software installed?
- Is Protection Control Center compatible with Norton Anti-Virus?
- How often are the PCC spyware/virus definitions updated?
- With Earthlink protection, do I still need an antivirus program or not?
- Does the new PCC work with older Windows versions?
- Can I download and use PCC without using TotalAccess 2005?

It was really sweet of them. If there's one thing we need around here, it's internet access and protection services. And it's in our size!
-Posted by Travis.
Are people just getting used to this new form of Social Engineering? I doubt it...
Interesting statistics within the report:
- Number of unique phishing reports received in August: 13,776
- Number of unique phishing sites received in August: 5259
- Number of brands hijacked by phishing campaigns in August: 84
- Country hosting the most phishing websites in August: United States
- Average time online for site: 5.5 days
You can read the full report here (pdf document).
What will most likely be of interest to the readers of this blog are the Safety Tips published along with this new information.
Safety Tip Highlights:
- Keep security software on your computer up to date.
- Download programs only from Web sites you trust.
- Beware the fine print...
- Be especially careful with certain types of “free” programs.
- Use available tools to detect and delete spyware.
For the complete list of Safety Tips...
-Posted by Travis.
In this post read answers to the following questions:
- How often are the PCC spyware/virus definitions updated?
- With Earthlink protection, do I still need an antivirus program or not?
- Does the new PCC work with older Windows versions?
- Can I download and use PCC without using TotalAccess 2005?
Questions and Answers in the extended.