Archive for May, 2010

“Tabnapping” and what you can do to prevent it

Wednesday, May 26th, 2010

Tabbed browsing has been around for quite a while now, allowing users to switch between dozens of websites whilst keeping the task bar clutter free. One 2009 study discovered that users switch tabs at least 57.4% of the time, with 36% of users opening new tabs for search engine use.

It’s become common practice for internet users to log in to several websites at once, each in its own tab. A recent study of Firefox users by Mozilla revealed the following reasons for using tabbed browsing:

- To act as a reminder to do something later
- Opening many document/search links at once
- As a substitute for the back button
- Keeping frequently used sites open
- Temporary bookmarks

The study also found that an average of 73.3% of tab switches were revisits.

All of this would simply be an interesting way of looking at internet browsing if it weren’t for one small detail. Cyber-criminals are exploiting the system.

During a typical day in the office, you may have several applications that require a login open at once. Let’s say you have Google, LinkedIn, Twitter, BBC News and Amazon open. You’re in the middle of looking for something on Amazon, when someone asks you to find an article for them, so you switch to Google and carry out a search. After a while, you switch back to Amazon and are confronted not with the page you were previously on, but with the login page. No problem, you’ve obviously just been kicked out of the site and just need to log back in. That’s what many would assume, and that is the assumption that phishers are playing on.

“Tabnapping”, as it’s being called, is where a hacker uses JavaScript to manipulate one of your inactive tabs so that when you return to it, you’re on a fake login page rather than the one you’d left it on. Unless you check the URL, you may not realise that the page is a fake, or notice that your online bank was in your last tab but the login page you are now looking at is in the second. The fake page may even display a message saying that your session has timed out. Aza Raskin of Mozilla demonstrates just how easy it is to hack the tab and fool the unwitting user. (You can also find out more about the problem, and test it out for yourself, over at his blog.)

So, what can the user do? Normally, I would recommend installing NoScript on Firefox to prevent unauthorised JavaScript from running on your computer, but that won’t help in this case. Aspects of the user’s behaviour need to change as well. Users should keep the number of tabs open to a minimum; always check that the URL matches the site before you enter any login, financial or identity information; and if in doubt, close the tab and navigate to the page again.
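One practical way to back up that advice, as an added example that is not part of the original post: a small piece of JavaScript (written for a userscript or browser-extension content script; it relies on the Page Visibility API, and the sample page data in it is constructed with made-up placeholder domains) that records what a page looked like when its tab went into the background and warns if, on returning, the page has turned into something that looks like a login form.

```javascript
// Added example (not from the original post): defender-side detection of the
// tab-swap pattern. Record the page when its tab goes into the background and
// compare with what is shown when it is revisited. The comparison is pure.

// Signals a tab-swapping page changes while hidden.
function snapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const formHosts = Array.from(doc.querySelectorAll('form')).map((f) => {
    try { return new URL(f.getAttribute('action') || '', doc.baseURI).host; } catch (e) { return ''; }
  });
  return {
    title: doc.title,
    icon: icon ? icon.href : '',
    formHosts,                                   // hosts the page's forms submit to
    hasPasswordField: !!doc.querySelector('input[type="password"]'),
  };
}

// Pure comparison: returns warnings (empty array = nothing changed while hidden).
function compareSnapshots(before, after) {
  const w = [];
  if (before.title !== after.title) w.push(`title changed: "${before.title}" -> "${after.title}"`);
  if (before.icon !== after.icon) w.push('favicon changed while the tab was hidden');
  if (!before.hasPasswordField && after.hasPasswordField) w.push('a password field appeared while the tab was hidden');
  const newHosts = after.formHosts.filter((h) => h && !before.formHosts.includes(h));
  if (newHosts.length) w.push('forms now submit to: ' + newHosts.join(', '));
  return w;
}

// Constructed sample (made-up placeholder domains): a shopping page swapped for
// a fake sign-in page whose form posts to a different host.
function demo() {
  const before = { title: 'Your basket', icon: 'https://shop.example.invalid/favicon.ico',
                   formHosts: ['shop.example.invalid'], hasPasswordField: false };
  const after = { title: 'Sign in', icon: 'https://mail.example.invalid/favicon.ico',
                  formHosts: ['collector.example.invalid'], hasPasswordField: true };
  return compareSnapshots(before, after);
}

// Browser wiring (skipped outside a browser): snapshot on visibilitychange when
// the tab is hidden, compare when it becomes visible again.
if (typeof document !== 'undefined') {
  let hiddenState = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { hiddenState = snapshot(document); return; }
    if (!hiddenState) return;
    const warnings = compareSnapshots(hiddenState, snapshot(document));
    if (warnings.length) alert('This tab changed while you were away:\n' + warnings.join('\n'));
  });
}
```

A title change on its own is noisy (many sites update their title in the background), so the password-field and form-host signals are the ones worth acting on. A page running in the same JavaScript context can interfere with a userscript, so this complements the habit of checking the address bar rather than replacing it.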

It’s important to remember that when we fill out online forms and submit login details, we are entrusting our information to an organisation outside our control. It’s not enough just to trust these organisations to protect our data. We need to make sure we do, too.

Data security and the Information Commissioner

Monday, May 24th, 2010

This year at InfoSec, a lot of the talk was of the Information Commissioner’s new powers of enforcement that came into play in April. There seems to be confusion from many companies as to what they should do to avoid a data breach, and what the Information Commissioner’s Office would regard as a ‘serious’ breach.

As far as I can tell, it is expected that the ICO will reserve heavy fines for the most serious breaches (for companies that have been lax in their security to start with, or who have deliberately flouted security laws), rather than those who have – through genuine accident – fallen victim to a hacker, for example. Preventative measures that have been put in place to avoid such a breach, and to minimise damage done by it, would seem to stand a company in good stead once the ICO investigates.

I should be really clear here that I am not a lawyer, but at Network Box we do know a thing or two about securing data. So we wanted to do something to help our customers (and anyone else who’s interested) understand what constitutes best practice in security terms. We sought the opinion of James Pickering, a commercial litigation barrister, on interpreting the data protection laws, and combined this with our own security advice, to produce a guide to securing data. This is available free for anyone to download from our website.

The issue is that organisations keep more data for longer than they’ve ever done before. Much of it – customer records, financial information, personal identity details and so on – has intrinsic value to cyber-criminals.

How an organisation might be compromised, and the steps they should take to avoid it, will differ from company to company. But there are some really simple things that all organisations can do. In my view there is just no excuse, for example, for leaving an unprotected and un-passworded laptop on a train; or moving unencrypted, confidential data on a data stick when you should use a secure VPN; or not checking what information is being transferred out of the building over IM. This list could go on.

Feel free to read the guide, and give us feedback. It won’t – and shouldn’t – replace your legal advice, but I hope it will help businesses put good security practice in place that will help them avoid a security disaster.

PROXIEZ-NET taken offline

Tuesday, May 18th, 2010

Russian internet host PROXIEZ-NET has been taken offline, according to reports from the BBC.

Popular with cyber gangs, PROXIEZ-NET had advertised itself as being impossible to shut down, but as we saw with the McColo shutdown in November 2008, it is possible, and it does make it harder for criminals to find somewhere to host their servers.

However, it does not mean that the cyber crooks won’t be back up and running in fairly swift order. We saw a dramatic fall in spam as a result of the McColo shutdown, but levels returned to pre-shutdown highs the following month.

Still, taking the host offline does inconvenience the criminal gangs, and may serve to discourage hosts from obliging criminals. (The cost of the hosting may also go up – which will hopefully drive some of the criminals out of business).

According to our most recent statistics, Russia produces 5.3 per cent of the world’s viruses and 3.2 per cent of its spam, and is responsible for 7.7 per cent of the world’s intrusions. As PROXIEZ-NET was one of the more popular hosts for cyber gangs, these figures look set to fall – at least for now.

Securing Car Dealerships

Friday, May 14th, 2010

Car dealerships are using increasingly sophisticated technology both to secure their vehicles from theft and delinquency, and to communicate with customers and suppliers. More and more sensitive data is now being stored on systems that can make the company liable under the new powers of the Information Commissioner’s Office. Something as simple as not changing a password when an employee is fired can cause a breach in the security of customer and corporate data, which can lead to a fine or, in extreme cases, a jail sentence of up to two years! There is no question that IT security is set to become as much of an issue for car dealerships across the country as for any other business that holds customer data.

The issues facing car dealerships are interesting and increasingly complex. Often IT just isn’t high up on the agenda. As manufacturers put their manuals online, dealerships face not just bandwidth issues but routing and security issues too: they must ensure that their connections to third-party suppliers (of parts, for example) or head offices do not act as backdoors for viruses or hackers.

We have experience of working with various dealerships across the country, and from this experience we’ve published a free guide describing the unique challenges and security threats that car dealerships face, and detailing how they can increase their security measures to combat them. Dealerships looking for more information or help can contact us via our website.

InfoSec: Personal Impressions

Tuesday, May 4th, 2010

It is always so difficult to judge the success or failure of a show. You put a lot of time and effort into choosing the right presence, the design and building of a stand, how many people to man it, what events to throw, who to invite, and the list goes on. Obviously, it is important to have a place to meet customers and to be able to talk about the future. Being able to raise awareness and just to promote the brand is recognised as helping the bottom line of selling the product. However, it is interesting that a number of big names, BT and Microsoft amongst them, decided that InfoSec was not for them. So perhaps all the effort did not result in sufficient branding, awareness and sales in previous years.

Personally, I find it interesting to get round the various manufacturers and see what they are focusing on. I expected to see more Web 2.0, but the show seemed more focused on regulation; this might just be my anecdotal experience. I also find the smaller vendors of interest, as you see new products that the established vendors have not put forward; perhaps they did not think of them, or maybe they cannot see sufficient return, but they can be of interest.

Not so sure about the discussions and talks, but I did find the discussion on compliance on Thursday lunchtime particularly interesting. It is an area that most companies will have to address, yet few really understand the implications or what they need to do. Unfortunately, it is an area that will be of particular interest to lawyers, and the case law that is being established seems to be getting particularly detailed. Stuart Room, one of the panelists, gave an example of a company doing the right thing by encrypting all their laptops, but one was stolen whilst waiting to be encrypted in the lab. The resulting recommendation was that all laptops must be secured to the desk through the use of a security cable to the USS (Universal Security Slot). The solution may not be great, but what is of concern is the specific nature of the recommendation.

So was InfoSec worth the effort? Well, our company made quite a number of contacts and new leads, which is always good. I made a number of contacts too and learnt about issues, so I would say personally I did too, but as ever, we will continue to look at each year as it comes to make sure all that preparation is worth it.