Defending The Kingdom

Just a heads up for you Twitter users:

A phishing attack that began striking U.S. Twitter profiles this weekend is still going strong and isn’t showing any signs of letting up. As VentureBeat reports, the scam operates through a direct message reading, “Lol. this you?” Once users click on it, they’re sent to a fake Twitter login page, where they could be tricked into revealing their login and password.

It seems to me that threats like this one are becoming more common, probably because most folks have become pretty good at fending off standard viruses. The major browsers vendors are working hard to inure their software to phishing threats, but it’s hard to protect people from their own gullibility.

NatWest, a UK-based bank, has a unique login page that makes it safe to sign into your online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever login requirements.

When logging in, the first set of fields ask for just three of the four or more digits that make up your account PIN, and the next set of fields asks for just three of the eight or more characters from your password (you are using eight characters or more for your passwords, right?). The specific characters you need to enter change each time you successfully login.

So suppose a keylogger captures every stroke you enter - are you safe? Yes, since the six digits that a keylogger could scrape are likely to prove useless when the next login page is generated. The new page will ask for different characters, and it won’t regenerate new requirements until those characters are successfully entered. That’s important, because otherwise it might be possible to refresh the page until the desired six digits are requested again.

As safe as other techniques?

You might wonder if the trick of asking for just six digits means that the login procedure is less safe than one that asks for eight. I believe it is, but not in any sense that matters as long as there is a limit to the number of incorrect login attempts that can be made. Like most banks, Natwest hinders password-guessers by temporarily blocking access to online banking after a certain number of failed login attempts

So, how much less safe is NatWest’s request for six digits instead of eight? Well, guessing an eight digit password composed of numbers and varied case letters would see success about 1 in 200 trillion times; guessing a single number from a four digit PIN and then guessing the correct three digits from the same password as before would see success about 1 in 2.4 million times. There is a difference, but it doesn’t really matter if the temporary lockout feature is working properly. In my judgment, the anti-fishing benefits make NatWest’s login procedure safer than it is with login pages that ask for complete passwords.

The one downside is that logging in is inconvenient, since you have to mentally count to the right digit in your password before entering it. Still, Natwest’s login requirements ought to be considered industry best-practices. I hope to see more banks adopt the technique.

If you want a simple way to create, store, and use strong passwords, get Password Safe. You need only remember one password — the master password that grants access to your password database. Making a suitable password is easy, as I’ve written about before.

Slate has an article this month that gives similar advice for making passwords. It’s worth reading for the examples, and I like the suggestion for creating a password that can be altered slightly every few months so frequent password-changers don’t have to memorize a completely new one.

First, which browsers are the most common these days? Wikipedia has a useful summary of browser usage statistics collected from various sources. The summary statistics look a little off to me (even after considering the note at the bottom of the table), but you get the basic idea: Internet Explorer and Firefox are running away with it.

Security Update

Internet Explorer 6 remains a hopelessly dangerous browser, but I’ve been impressed by Internet Explorer versions 7 and 8. If you haven’t yet upgraded, do so now.

I wanted to update previous comparisons (see here, here, and here) between the two most prominent browsers, but Secunia, the security consultancy I had been getting figures from, now advises against using its statistics for comparison purposes because of the way it reports them.

Fair enough, and it wouldn’t hurt to go to a second source. I recently ran across a report by NSS Labs, which mentions that “53% of malware is now delivered via internet download versus just 12% via email, while IFrame exploits and other vulnerabilities comprise 7% and 5%, respectively…” (If you’re wondering, IFrame exploits are just another flavour of attack aimed at web browsers.)

Check out the report summary, which has two very interesting graphs. It looks like Internet Explorer 8 is beating Firefox (and other browsers) by a wide margin when it comes to protecting against “socially engineered malware” (links that lead to infected downloads), while the two leading browsers provide about the same amount of protection against phishing attempts.

Mac’s don’t get viruses — everybody knows that. But is it true?

It’s just one of those things that the media hungry — but security disinterested — public has turned into an axiom.

But now that OS X is garnering an increased share of the operating system market, it is increasing its value as a platform for malware, and consequently increasing in value in the software security market.

As always, there is no such thing as perfect security.