Browser Changes An Opportunity for SSL Certificate Authorities

Do you know who checked that gold padlock in your web browser? Names like GeoTrust, Comodo, Starfield Technologies and Thawte will likely become more familiar to Internet users as browsers begin displaying the names of the issuers of SSL certificates that secure e-commerce web sites. These companies, known as certificate authorities, will gain visibility as the padlock icon indicating a secure connection moves to the address bar in Internet Explorer 7 and other new browser releases.

The move is part of a broader effort to improve Internet security, with Microsoft working with the developers of Firefox, Opera and Konqueror browsers to simplify the display of SSL certificate information. The unusual collaboration is driven by concerns about phishing, and is likely to bring changes in the SSL market, which has become more competitive lately following years of dominance by VeriSign.

Exploit Targets New phpBB Security Hole

An exploit has been released for a new security hole in phpBB, the popular web forum software. The attack has the potential to compromise any phpBB installation that has enabled the use of HTML in forum messages, a setting which is disabled in the default configuration. Allowing HTML in forum messages poses a security risk, but is popular with forum participants and thus may be activated by some web site operators. The vulnerability in version 2.0.18 was featured on security sites Monday, and exploit code is now in the wild, according to the Internet Storm Center, which noted that "an exploit has been posted in several places that will do brute force dictionary attacks to get the passwords of phpBB users." The exploit can be defended against if phpBB's "Allow HTML" and register_globals settings are both disabled.

US Government Security Site Vulnerable to Common Attack

The U.S. government site that tracks cyber security risks was recently found vulnerable to cross-site scripting, a technique commonly used in hacker attacks and web site spoofing. Several security sites have published a demonstration of the security hole in the web site of the National Institute of Standards and Technology (NIST), which hosts the U.S. National Vulnerability Database; ironically, that database includes numerous examples of cross-site scripting.

Cross-site scripting (XSS) is a well-known technique in which script code is injected into the URLs of dynamically generated pages, so that the page echoes it back and the browser executes it. Attacks using XSS have been found by security researchers in a wide variety of products and specific sites in recent years. The cross-site scripting vulnerability in the NIST site was found in a script that warns visitors that they are about to leave the NIST site, a common practice on U.S. government sites. The NIST script allows potentially malicious JavaScript to be appended to the URL and executed by the browser, a technique which works in Firefox and Internet Explorer. The flaw was originally reported by the RootShell Security Group. Staff at the NIST web site closed the security hole after being contacted by people who saw the RootShell posting.
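The "you are about to leave this site" pattern described above is a classic reflected-XSS shape: a destination URL arrives as a query parameter and is written straight into the page. The following added example (not code from the article, NIST, or RootShell) contrasts a hypothetical handler that reflects the parameter raw with a hardened one that validates the scheme and HTML-encodes the value before embedding it.

```python
import html
from urllib.parse import urlsplit

# Constructed template for a minimal "leaving this site" interstitial page.
PAGE = (
    "<html><body><p>You are now leaving this site for "
    '<a href="{href}">{shown}</a>.</p></body></html>'
)

ALLOWED_SCHEMES = {"http", "https"}


def leaving_page_unsafe(url: str) -> str:
    """Vulnerable pattern: the url parameter is reflected into the markup
    unchanged, so any markup or script it carries is rendered by the browser."""
    return PAGE.format(href=url, shown=url)


def leaving_page_safe(url: str) -> str:
    """Hardened pattern: reject anything that is not a plain http(s) URL with
    a host, then HTML-encode the value (including quotes) before it is placed
    inside an attribute and inside element text."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        # Non-http(s) schemes never reach the page; show a neutral fallback.
        return PAGE.format(href="/", shown="an invalid destination")
    encoded = html.escape(url, quote=True)
    return PAGE.format(href=encoded, shown=encoded)


if __name__ == "__main__":
    # Constructed sample: a destination carrying stray markup characters.
    sample = 'http://example.invalid/"><b>x</b>'
    print(leaving_page_unsafe(sample))
    print(leaving_page_safe(sample))
```

The unsafe version renders the injected `<b>` element; the safe version emits `&lt;b&gt;` and `&quot;`, which the browser displays as text rather than interpreting.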

Critical Security Hole in PHPMyAdmin

A critical security hole has been discovered in PHPMyAdmin, a popular program for managing MySQL databases. The vulnerability allows an attacker to defeat the program's security scheme by overwriting key system files, which in turn enables remote file inclusion and cross-site scripting attacks. The PHPMyAdmin project has released an update that fixes the issue. Details of the security hole and its implications are outlined in an advisory from the Hardened PHP Project, which discovered the issue during a code audit.

eBay Fooled by Fast-moving Phishing Scam

Sometimes even the targets of phishing attacks have difficulty sorting out whether an e-mail or web site is bogus. In other instances, spoof sites remain online long after they are identified as criminal scams.

Both scenarios are found in a story related by an e-mail security researcher, who submitted an obviously fraudulent phishing site to eBay, only to have the auction company's staff e-mail back to insist that the site was legitimate and that the "bait" e-mail was sent by eBay.

The scam site was blocked on Nov. 25 by the Netcraft Toolbar community. This particular fraud site illustrates the difficulty of relying upon web hosting services to protect Internet users by taking a site offline.

Netcraft Toolbar Available for Firefox 1.5

Firefox users who haven't yet tried the Netcraft Toolbar are invited to install the latest version, which has been updated for compatibility with Firefox 1.5. Current users upgrading from Firefox 1.0.7 or earlier will need to install the newest version of the toolbar. Our toolbar download page allows Firefox users to choose the install for their version of the popular open source browser:

Netcraft Toolbar download for Firefox

Windows XP users upgrading from Firefox 1.0.7 who have disabled software installations as a security precaution may experience difficulty installing the newest Toolbar update. In Firefox 1.5, the software installation option has been removed from the user preferences and is enabled by default. If you previously disabled this option and then upgraded to Firefox 1.5, you can enable the preference by typing "about:config" in the address bar and scrolling down to "xpinstall.enabled." Set this to "true" and restart Firefox. You should then be able to update the Toolbar successfully.

The toolbar runs on any operating system supported by Firefox and displays the hosting location, country, longevity, popularity, and an abstracted risk rating for each site visited. Additionally, the toolbar blocks access to phishing sites reported by other members of the Netcraft Toolbar community and validated by Netcraft, mobilizing the community into a giant neighborhood watch scheme which empowers the most alert and experienced members to protect the vulnerable against fraud and phishing attacks. Toolbar users submitted more than 8,700 phishing URLs in October.

It is available to download from the Toolbar website, and requires no special administrator privileges to install. Customized versions with corporate branding and navigation are also available.