Video Screencast Help
Search Video Help Close Back
to help

Website Security Solutions

Showing posts tagged with phishing
Showing posts in English
EV SSL and iFrame attacks
Tim Callan | 18 Dec 2012 | 9 comments

We're seeing active discussion online about the possibility of hijacking a single frame in a production site to steal logins or PII. The scenario is that a criminal gang would redirect this frame (through DNS poisoning, let's say) and populate it with its own content from servers under its control. Presumably this content would involve form fields asking for information the criminals want to receive and which you would be willing to share in this context (such as your bank account login or social security number).

Now, the recent dialog is around the scenario where this proposed attack happens on a site with an Extended Validation SSL Certificate. The certificate identifies the controller of the top-level frame and does not report on the sources of any internal frames in that page. That is in keeping with near-ubiquitous practices in consumer Web applications...

Read more
Big VeriSign Contests at Internet Retailer
Bob Angus | 18 Dec 2012 | 0 comments

Visit VeriSign (booth #1043) at Internet Retailer 2009 this week for your chance at winning several big contests. Of course, you will also want to get the scoop on why 90% of the 2008 Internet Retailer 500 trust VeriSign to secure their sites and how those leading online retailers are increasing transactions as a result.

Now about those contests...

Everybody wins - Take the Phish or No Phish Challenge at the booth. You will get to test your knowledge of phishing scams in a fun interactive game and you receive a "Trust This" t-shirt. Here's an online version of the Phish or No Phish Challenge to hone your skills in advance.

VeriSign is also partnering with ...

Read more
Protecting against brand damage from online crime
Tim Callan | 18 Dec 2012 | 4 comments

Here's a cool Advertising Age article about how businesses view online crime and brand damage and what they do about it.

Read more
Gartner reports 40% increase in phishing, over 5 million affected in US in 2008
Tim Callan | 18 Dec 2012 | 0 comments

A new report from Gartner states that the number of phishing incidents rose 39.8% with an average loss per incident of $351. This article summarizes Gartner's recommended response for online businesses,

Gartner recommends that enterprises continue to deploy and improve security solutions that protect accounts and customers against attacks. Enterprises that are custodians of customer accounts should also consider site authentication or assurance to confirm to a customer that he or she is on a legitimate Web site and not a spoof site.

Gartner analyst Avivah Latan goes on to suggest a layered security approach as the best response to phishing.

Read more
IRS requires EV SSL for online filing in 2009
Tim Callan | 18 Dec 2012 | 0 comments

The IRS has published draft 2 of a requirement that will require all e-file tax sites to use Extended Validation SSL Certificates starting January 1, 2009. States the guideline in part,

This requirement applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that collect taxpayer information via the Internet. These Providers shall possess a valid and current Extended Validation Secure Socket Layer (SSL) certificate using SSL 3.0 / TLS 1.0 or later, and minimum 1024-bit RSA / 128-bit AES.

This passage refers to the service that may be offered by sites whereby you can file your taxes directly online from your own computer. The e-file program offers free filing to individual taxpayers with household income under a...

Read more
Phishing adapts to use financial meltdown to its advantage
Tim Callan | 18 Dec 2012 | 0 comments

We know that the practice of phishing, when done effectively, involves surprising the victim, taking him out of his normal context, and creating a sense of urgency through fear. What better opportunity to use all three of these principles than by sending phishing e-mails that are hand-crafted with the current financial crisis in mind. WashingtonPost.com's Brian Krebs gives us a great summary of some of the new attacks the prey on targets' financial concerns.

Read more
Consumer reports critical of Safari for lack of phishing protection
Tim Callan | 18 Dec 2012 | 0 comments

Consumer Reports recently joined the ranks of those criticizing Apple for the lack of proper security measures in the Safari browser. The consumer protection magazine specifically refers to the lack of support for Extended Validation SSL as one of the reasons for its recommendation against using the browser.

Read more
So how does EV SSL protect against the classic phish?
Tim Callan | 18 Dec 2012 | 0 comments

I recently wrote an entry in which I stated that EV SSL is a powerful mitigator against the classic phishing attack. I have received an e-mail asking me to explain how I know that to be the case. Happy to oblige.

If you were a reader of The SSL Blog a little over a year ago when VeriSign premiered the Extended Validation SSL Certificate, you know about the Tec-Ed research. For newer readers or in case we all don't exactly remember how it went, here's a recap.

Read more
The blogosphere presently is having a problem with bad evidence
Tim Callan | 18 Dec 2012 | 0 comments

As someone who focuses most of his work hours on SSL and related technologies, I read a lot of what is written on that subject in the press and the blogosphere and social media sites. I've grown used to a certain amount of misinformation floating around out there and typically view it as a hazard of the online medium.

It happens right now that the dialog around SSL is having a particular problem with information being misinterpreted or taken out of context, or occasionally appearing out of thin air. I'm going to dedicate a few postings to explaining what these misinterpretations are and shining a light on the associated facts.

Let's start with this article that appeared last week from Netcraft. This article discusses the cross-site scripting attack (XSS) and its presence on sites featuring...

Read more
UC Berkeley identifies top identity fraud targets
Tim Callan | 18 Dec 2012 | 0 comments

In a very interesting recent study based on clever use of the Freedom of Information Act, a Boalt School of Law staff attorney was able to determine which sites yield the most victims of identity theft. Here are the full results.

Security blogger Larry Seltzer gives some commentary here.

Read more