After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. Although the data is encrypted once the user hits the "Sign In" button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.
Web sites are generally reluctant to use "https" on busy home pages, since SSL involves a tradeoff: improved security, but slower response time. Consumers, meanwhile, prefer easy to-remember URLs for their online banking. In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit. The login form's "action" URL points to an SSL-enabled https URL.
A Cisco security flaw may allow attackers to hack into systems through the intrusion detection system (IDS), Cisco warned Monday in an advisory. An SSL certificate-checking flaw in two Cisco products - CiscoWorks Management Center for IDS Sensors (IDSMC) and Monitoring Center for Security (Secmon) - could allow an attacker to spoof an IDS system and gain access to sensitive data. SSL certificates are used to authenticate Cisco devices and services as they interact with one another.
A successful attacker "may be able to gather login credentials, submit false data to IDSMC and Secmon or filter legitimate data from IDSMC and Secmon, thus impacting the integrity of the device and the reporting capabilities of it," Cisco said. A free software update that corrects the flaw is available from Cisco.
Exploits are circulating for at least two new vulnerabilities in Microsoft software, barely two days after the critical security holes were disclosed in security advisories. The swift availability of working exploit code provides additional incentive for Windows users to update their systems promptly following the monthly release of security patches.
Microsoft acknowledged Thursday that "detailed exploit code " had been published for a vulnerability in Plug and Play technology that could allow a remote attacker to take control of a Windows machine via the Internet, with Windows 2000 systems being at particular risk. "Users running Windows 2000 are vulnerable to a potential worm attack that would take advantage of this flaw," noted security research firm eEye Security. The vulnerability, known as MS05-039, is addressed in the latest Windows Update patches issued Tuesday.
Fraudsters have exploited a flaw in the eBay web site that allows them to orchestrate phishing attacks using eBay's own Sign In page.
Registered users of eBay's popular online auction web site must sign in using a username and password in order to participate in bidding and listing of items. A new style of phishing attack reported through the Netcraft Toolbar community shows fraudsters exploiting flaws on the Sign In page and on another ancilliary page which results in victims being redirected to the fraudster's phishing site after they have logged in.
This particular attack starts off like many others, by sending thousands of emails that instruct victims to update their eBay account details by visiting a URL. However, that is where the similarity ends, because the URL in this case actually takes the victim to the genuine eBay Sign In page, hosted on signin.ebay.com. By including special parameters at the end of the URL, the fraudster has changed the behaviour of the Sign In page so that when a user successfully logs in, they will then be sent to the fraudster's phishing site via an open redirect hosted on servlet.ebay.com.
The eBay Toolbar reports that the maliciously modified Sign In page is a "Verified eBay Site". Conversely, the Netcraft Toolbar denies access to the modified page while still allowing access to genuine eBay Sign In pages.
The victim is more likely to trust the contents of the fraudster's site, because they have arrived there as a result of signing into eBay via a genuine eBay Sign In page. Because there is less reason to suspect anything is awry, the victim is more likely to surrender any sensitive details in the mistaken belief that they are really giving them to eBay.
Some web hosts are banning the use of phpBB in the wake of persistent security problems for the popular open source web forum program. The move follows renewed attacks on phpBB after a coding error was found in the same file targeted by a December worm attack that defaced thousands of phpBB sites.
"It's been brought to our attention over recent weeks that some hosts are banning or dissuading the use of phpBB," said a message from the phpBB development team. "This is unfortunate for everyone and seems largely to be based on FUD (Ed. fear, uncertainty and doubt). While phpBB has and no doubt will continue to suffer from exploits (show me a piece of software that doesn't!) we have consistently addressed such issues very quickly."
Web hosts are less impressed. One host that has banned the software said phpBB had been its biggest security headache. "Since January, phpBB has been through at least 4, and maybe 5 revisions due to serious vulnerabilities, often found/reported wthin HOURS of a version release," HostPC said in its customer advisory.
Many popular PHP-based blogging, wiki and content management programs can be exploited through a security hole in the way PHP programs handle XML commands. The flaw allows an attacker to compromise a web server, and is found in programs including PostNuke, WordPress, Drupal, Serendipity, phpAdsNew, phpWiki and phpMyFAQ, among others.
The flaw affects the XML-RPC function, which has many uses in web applications, including "ping" update notifications for RSS feeds. PHP libraries that allow applications to exchange XML data using remote procedure calls(RPC) fail to fully check incoming data for malicious commands. The affected libraries, including PHPXMLRPC and Pear XML-RPC, are included in many interactive applications written in PHP.