11/3/09

Blogging Security Warnings

Blogs are vulnerable and need security. Developers work overtime on this, releasing updates as fast as they can in response to each new threat. Still, you need to keep up with the news on security issues and risks, and read tips on keeping your blog safe from attackers going after blog passwords.

Sometimes Internet Explorer, and some other applications, add a bit of data to a downloaded file to mark it as having come from the Internet. It serves as a warning that the content may be unsafe. If the file is digitally signed, the warning does not show the red shield and the publisher is listed in the dialog, but otherwise it stays the same.



Internet Explorer adds the flag to a downloaded file through an NTFS alternate data stream (named Zone.Identifier), and there are tools that can show you those streams (on Vista and later, dir /r from a command prompt lists them). Even the built-in unzip support in Windows copies the same flag onto the extracted files if the archive that was unzipped carries it. The point, however, was not that a very technically savvy user can download a specialized tool and manually review the alternate data streams, and possibly remove them. If all you want to do is remove that flag, it is far simpler to uncheck "Always ask before opening this file" in the dialog (or click Unblock on the file's Properties page), although inspecting and twiddling alternate data streams may be more satisfying for some segment of computer users.
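As an added example, not from the original post, here is what the same inspection and cleanup looks like in PowerShell, which is the tool a Windows administrator would actually use for this. It assumes a Windows machine with an NTFS volume and PowerShell 3.0 or later (the -Stream parameters and Unblock-File appeared in 3.0), and the file path is a made-up sample; substitute a real download.

```powershell
# Added example (not code from the original post): inspect and, only after
# deciding to trust the file, clear the Zone.Identifier alternate data stream
# that Internet Explorer and other Windows programs attach to downloads.
# Assumptions: Windows, NTFS volume, PowerShell 3.0+. $Path is a sample name.
$Path = "$env:USERPROFILE\Downloads\setup.exe"

# List every data stream on the file. ':$DATA' is the normal file content;
# 'Zone.Identifier' is the download mark.
Get-Item -Path $Path -Stream * | Select-Object Stream, Length

# Read the mark. A typical stream looks like:
#   [ZoneTransfer]
#   ZoneId=3
# where 3 is the Internet zone (0 local machine, 1 intranet, 2 trusted sites,
# 4 restricted sites). Newer Windows versions also record ReferrerUrl/HostUrl.
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    $zoneLine = $zone | Where-Object { $_ -like 'ZoneId=*' }
    $zoneId   = $zoneLine -replace '^ZoneId=', ''
    "File is marked as coming from ZoneId=$zoneId"
} else {
    "No Zone.Identifier stream: the file will open without the download warning"
}

# The warning dialog names a publisher only if the file carries a valid
# Authenticode signature, so check that before deciding to trust it.
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status: $($sig.Status)"
if ($sig.SignerCertificate) {
    "Signed by: $($sig.SignerCertificate.Subject)"
} else {
    "Publisher: Unknown (unsigned)"
}

# Clear the mark only for a file you have decided to trust. Unblock-File
# deletes the Zone.Identifier stream, which is what the Unblock button and
# unchecking "Always ask before opening this file" do as well.
if ($sig.Status -eq 'Valid') {
    Unblock-File -Path $Path
    "Zone.Identifier removed from $Path"
}

# Equivalent manual removal, if Unblock-File is unavailable:
#   Remove-Item -Path $Path -Stream Zone.Identifier
```

The signature gate is deliberate: a signed file from a known publisher is exactly the case the dialog already treats as lower risk, so it is the only case where stripping the mark in bulk is defensible. An unsigned download keeps its mark and its warning.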

You must educate yourself first and then educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications off the Internet. In this case, you have digitally signed the application so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk.

There are very good reasons for these warnings in many cases. Rather than trying to prevent users from seeing them, we all need to do our part to help users understand what they are seeing and make appropriate decisions based on that data. That would provide a savvier user base and a more secure ecosystem in the long run. We cannot keep focusing on preventing people from making risk management decisions. If we do, eventually they will realize they do not have the skills to make them, and that nobody is willing to help them acquire those skills. At that point, the ecosystem will be in danger of collapse.

Social networking sites like Facebook give scam artists and virus writers new ways to package tried-and-true tricks. The latest example making the rounds is an e-mail that appears to be an invitation from Facebook to add a friend: a recipient who opens the attached image to take a look at their new friend instead opens the door for attackers to compromise their PC.

Here are a few tips and things to keep in mind that can help you avoid being burned by e-mail-based attacks.

E-mail addresses in the "From" field can be easily spoofed; only the Received headers show where a message actually passed through. So never open attachments in e-mails that you weren't expecting, even if the e-mail appears to come from someone you know and trust. (Legitimate friend requests, in fact, don't include attachments.)

Avoid responding to unsolicited e-mails. Replying only lets spammers know they've got a live address, and a mark for future e-mails.

Consider switching from HTML e-mail to text-only messages. Malicious JavaScript, and nasty instructions written in other scripting languages, can be embedded in HTML messages, and in many cases that code will run as soon as you view the message. Even without script, an HTML message can load remote images that tell the sender your address is live and when you read the mail.
