Turns out, you are better off logging out all accounts even at home.

I recently read somewhere that the Internet Explorer 8 is getting ready to protect users from clickjacking attacks. A little digging, and I found a lot of literature on this subtle attack called CSRF that is being dubbed “the sleeping giant” of web vulnerabilities.

Cross-site Request Forgery
Suppose Alice closed her bank page without logging out and that the session is still alive. Now she opens an apparently harmless webpage but with a tiny obscure image referring to a “post” page of bank. That is, the page that is executed after the confirmation, the page where the actual transaction takes place.

While Alice is going through that apparently harmless webpage, a transaction is being executed on her behalf.

This kind of attack where a part of one site cross-refers a different site is cross-site request forgery.

Now, the above explanation is a very simplified version. In reality, bank sessions are more secure, but the CSRF done is equivalently more subtle and cunning. It is a good thing that most banks expire sessions automatically after a few minutes of idleness.

Clickjacking
ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction.

Read more about Clickjacking, about what IE8 is doing to defend users against Clickjacking, and about the CSRF.

One way to be on guard is to use different browsers or browser profiles for normal browsing activity and activity where logins are necessary.

Post from: EveryJoe

Why Log Off Your Accounts?

First thumb rule is to keep your mouse away or tie your fingers from accidentally clicking on the links within the message or downloading the attachment.

Second thumb rule for any kind of spam (apart from cheesy forwards, I guess) is: DO NOT REPLY. Not even if they ask you to click “Unsubscribe” or reply back with that keyword in the subject.

Third thumb rule is to click “Report Spam” or some equivalent button provided by the mail service provider. This enables the service provider to take automated actions in identifying future spam from the same source, curbing it or at least sending it to the Spam folder instead of your inbox.

If you come across what seems to be a particularly malicious spam mail, you can help further by forwarding it to spam@uce.gov. The Federal Trade Commission uses the spam stored in their database to pursue law enforcement actions against people who send deceptive email.
Here is a little more unsolicited advice for tackling specific kinds of spam mail:

Forwards: Sharing interesting things that we’ve come across online is being increasingly done using social bookmarking tools. However, forwarding some messages or for that matter even addressing a large group is inevitable. Cleaning the previous headers containing scores of lines of unknown email addresses and headers, and using the BCC column while forwarding to your own contacts are two invaluable pieces of the same cake.

Phishing: If you’re really tempted by a mail from what claims to be your bank, open the official bank website directly and try navigating from the home page to this page. If the website doesn’t contain the link you’re looking for, it is not worth it.

For News, Offers and Porn, trust Google to provide the latest information.

For Personals, get offline.

Post from: EveryJoe

Three Thumb Rules to Defend Yourself Against Spam

Blogging is increasingly being seen as a sustainable model of income. Where money is involved in large sums, there is also fraud. Problogging is perhaps at too early a stage to discuss at length about blog fraud, but there is undoubtedly an upward trend in these cases.

A blog with too many advertisements, IMHO, is not a fraudulent blog. It is simply a bad idea, and sometimes not altogether bad either.

Here are three common types I have come across:

Fake Blogs: The Internet provides a mask for users, allowing them to lurk anonymously. This is true in the case of blogs as well, though less frequently. While bloggers using a fake name is not necessarily fraudulent, nor is it unlawful by default, there are instances where fake bloggers abuse their anonymity to defame or hurt or cheat organizations or people or readers.

Sell-out Blogs: Affiliate blogging means selling products through blogs, which is good because the sale often comes through a feature overview and a review, and the reader can make a decision based on that. But unlike salesmen who believe in the product they sell, sell-outs have a pride in selling even trash. Sell-out bloggers excessively do affiliate blogging, providing positive reviews to every product they come across.

Pseudo Blogs: While sell-out bloggers take pains in creating original content, however untrue that may be, pseudo bloggers have tons of content all of which is dutifully lifted from elsewhere. The shrewder psuedo blogs post content taken from other not-so-popular blogs so that readers don’t easily recognize the content. Some take a step further and make disclaimers that they mostly pump feeds from various blogs across the Internet. However, no acknowledgements nor links to the original source are ever made, unless by accident.

You can help curb blog fraud. When you suspect a blog as fraudulent, raise an alert in any open forum. The best remedy is to inform the original source if possible.

Post from: EveryJoe

Types of Blog Fraud