Phishing: A Scary Way of Life

Posted by: Andy  :  Category: Web Security

The Federal Bureau of Investigation has identified “phishing” as the “hottest and most troubling new scam on the Internet.”

What is Phishing?

Phishing is a scam initiated via e-mail. The messages are “fishing” for personal and financial information. Most often the e-mails appear to come from reputable companies (Internet service providers, telephone companies, etc.), banks, and other financial organizations. The message typically tells a story: the bank needs to update its customer database, or the financial institution claims your personal data has been lost.

Who Phishes?

Hackers and scammers looking for personal and financial information use phishing as an effective way of gathering it. Phishers imitate legitimate companies in e-mail to entice people into sharing passwords or credit-card numbers. Companies recently impersonated include:

  • Bank of America
  • Best Buy
  • America Online
  • eBay
  • PayPal
  • Washington Mutual
  • MSN (Microsoft Network)

History of Phishing

The term phishing comes from the fact that Internet scammers use increasingly sophisticated lures as they “fish” for users’ financial information and password data. The most common ploy is to copy the Web page code from a major site, such as AOL, and use that code to set up a replica page that appears to be part of the company’s site. (This is why phishing is also called spoofing: the sender address and the page are both forged.) A fake e-mail is sent out with a link to this page, which solicits the user’s credit-card data or password. When the form is submitted, the data goes to the scammer and the user is forwarded to the company’s real site, so they don’t suspect a thing.

Avoid Phishing

Fortunately, common sense can save you from giving away your personal information. For example, pay attention to which company is requesting the information. I have received e-mails from banks I have never done business with. Know that your bank or ISP will never ask for your information out of the blue. Banks do not update their databases and misplace information. Never follow a link in such an e-mail to “log in”: type the company’s address yourself or use a bookmark, and check that the address bar shows the company’s own domain rather than a look-alike.
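The lures described above leave traces in the e-mail itself: the visible link text names the real company while the href points somewhere else, the link host is a bare IP address, or the brand name is buried inside the host of an unrelated domain. The following is an added example (not code from the original post) that scans an HTML message for those three signs. The brand-to-domain table, the sample message and the "last two labels" approximation of a registrable domain are all assumptions made for illustration; it needs PHP 7.1 or later for the nullable return types.

```php
<?php
// Added example for this post (not the author's code). It scans the links in
// an HTML e-mail for three lures used by the replica-page scam described
// above: visible text naming one domain while the href points to another, a
// link host that is a bare IP address, and a brand name buried in the host
// of an unrelated domain. The brand list and the sample e-mail are assumed
// for illustration.

declare(strict_types=1);

// Assumed brand -> real registrable domain map (not from the post).
const KNOWN_BRANDS = [
    'paypal'        => 'paypal.com',
    'ebay'          => 'ebay.com',
    'bankofamerica' => 'bankofamerica.com',
];

function hostOf(string $url): ?string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : null;
}

// Crude "registrable domain": the last two labels. Enough to tell paypal.com
// from paypal.com.account-verify.example; production code should use the
// Public Suffix List so that example.co.uk is handled correctly.
function baseDomain(string $host): string
{
    return implode('.', array_slice(explode('.', $host), -2));
}

// Pull the first domain-looking token out of the anchor text, if any.
function domainInText(string $text): ?string
{
    return preg_match('/\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b/i', $text, $m)
        ? strtolower($m[1]) : null;
}

function suspiciousLinks(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // e-mail HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    $findings = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $href = trim($a->getAttribute('href'));
        $host = hostOf($href);
        if ($host === null) {
            continue;                   // relative link, mailto:, "#", ...
        }
        if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
            $findings[] = "$href: link host is a raw IP address";
        }
        $shown = domainInText($a->textContent);
        if ($shown !== null && baseDomain($shown) !== baseDomain($host)) {
            $findings[] = "$href: text shows $shown but link goes to $host";
        }
        foreach (KNOWN_BRANDS as $brand => $realDomain) {
            if (strpos($host, $brand) !== false && baseDomain($host) !== $realDomain) {
                $findings[] = "$href: host mentions $brand but is not $realDomain";
            }
        }
    }
    return $findings;
}

// Constructed sample message, modelled on the lures described above.
$sample = <<<'HTML'
<html><body>
<p>Dear customer, your account will be suspended unless you verify it:</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a><br>
<a href="http://203.0.113.5/ebay/signin">Click here to sign in to eBay</a><br>
<a href="https://www.bankofamerica.com/">Bank of America</a>
</body></html>
HTML;

foreach (suspiciousLinks($sample) as $finding) {
    echo $finding, "\n";
}
```

Run from the command line, the first link is reported twice (text/host mismatch and the PayPal name under a foreign domain), the second is reported for its raw IP host, and the genuine Bank of America link is not reported. A checker like this is a filter, not a verdict: a plain "Click here" anchor pointing at an attacker's domain passes all three tests, which is exactly why the advice above is to type the company's address yourself.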

Read more…

Do not lose your domain again

Posted by: Andy  :  Category: Web Security

Is your domain really safe? There are a number of common mistakes that can lead to the permanent loss of your domains. The most common ways domains are lost are:

1. Inadvertent domain expiration: the owner does not renew the name in time and it is snatched up by a domain speculator. This is often caused by renewal notices never arriving because the contact information on file is out of date.

2. Domain hijacking or theft: a domain hijacker effectively ‘steals’ the domain by submitting a fraudulent registrar transfer request and tricking an unsophisticated domain owner or registrar into giving them control of the name. More sophisticated hijackers can also break into the e-mail account listed as the domain’s contact and, through it, take control of the registrar account, since password resets and transfer-approval messages go to that address.

At this point, legal options are expensive and time consuming. Since the domain has been transferred away from the owner’s original registrar, that registrar is often powerless to help. Domain hijackers know this and commonly transfer domains to registrars in countries far from the original owner, making legal recourse cost-prohibitive.

3. Inaccurate contact information: your domain name can be cancelled if the registration information is inaccurate and you fail to respond to a registrar’s inquiry within fifteen days (Section 3.7.7.2 of ICANN’s Registrar Accreditation Agreement). In the past this section was seldom enforced; however, as of October 2003 ICANN requires all registrars to contact their customers yearly to verify domain information.

Now let’s see how you can protect yourself from these common mistakes.

Read more…

PHP Security fixes for your site

Posted by: Andy  :  Category: Web Security

As a recent post on Security Bench notes, the first step in fighting cybercrime is ensuring security for your customers.

So how do you defend your website from spies and hackers?

The first thing to do is follow good programming practice. If your website, like the vast majority nowadays, is written in PHP, you can follow these steps:

1. Set register_globals to Off. With it on, every request parameter becomes a PHP variable, so an attacker can pre-set any variable your script forgets to initialise.
2. Turn off the display of error and warning messages: set display_errors to 0 (and log_errors to 1 so you still see them in the server log). Error pages leak file paths, query text and library versions to whoever triggered them.
3. Never run unescaped queries.
4. Validate all user input: form fields, URL parameters, cookies and headers alike.
5. Move config.php and any file containing MySQL passwords to a secure directory outside the public_html folder.
6. Change the permissions on any configuration file containing private information, such as database passwords or e-mail accounts, to 440 so it cannot be written to and has no world permissions. (The account the web server runs as must be the file’s owner or in its group, or PHP will not be able to read it.) If you need to edit the file later you will have to change it back to 640.
7. Access control: you do not want users to reach any admin function or clean-up script.
8. The .htaccess file is your friend. Use it to deny access to your site or to individual files. (We also have an easy IP Deny Manager tool in cPanel.)
9. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even deleteme.bat.
* Using the default “.php” extension tells attackers you are using PHP before they even start.
* As mentioned, you can use any filename for your scripts; if PHP serves every script on your server, consider using the “.html” extension for your scripts and making PHP parse HTML files.
* You can change the file extension by adding this line to .htaccess, or turn it on via the Apache Handlers in cPanel: AddHandler application/x-httpd-php5 .html
* This is obscurity, not protection. Set expose_php to Off as well, otherwise the X-Powered-By header still announces PHP, and remember that every .html file under the document root, including any a user manages to upload, will now be executed as PHP.
10. Protect against SQL injection. Attackers will try to wreck your database by putting SQL code into your form input fields; they can, for example, insert code that deletes all the data in your database.
* The classic fix is the PHP function mysql_real_escape_string(), which escapes (makes safe) any special characters in a string (programmers call text a “string”) for MySQL.
* Example: $name = $_REQUEST['name']; $safe_name = mysql_real_escape_string($name); Now $safe_name can be used in your SQL, but only inside a quoted string literal ('...'). It does nothing for a value used unquoted (WHERE id = $safe_id) or as a table or column name, and it needs an open database connection so that it knows the connection’s character set.
* The mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7. Prefer prepared statements (PDO or mysqli), which keep the data out of the SQL text altogether.
11. Keep the PHP code to yourself. If anyone can read it, they can look for vulnerabilities in it.
* Take care to store your PHP files and the passwords needed to reach your MySQL databases in protected files or folders.
* The easy way is to put the database passwords in a file with a .inc.php extension (such as config.inc.php), so it is executed rather than displayed if it is ever requested, and to place that file in a directory above the server’s document root, where it cannot be requested by visitors at all.
* Then refer to the file in your PHP code with a require_once statement.
* Done this way, your PHP code can read the included file easily, but an attacker cannot fetch the passwords through the web server.
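Here is an added example (not code from the original post) of a small customer lookup page that applies steps 2, 4, 5, 10 and 11 together. Everything specific in it is assumed for illustration: the layout with a public_html document root and a sibling private directory, the contents of config.inc.php, and the customers table and its columns. It uses PDO prepared statements instead of mysql_real_escape_string(), for the reasons given under step 10, and needs PHP 7 or later.

```php
<?php
// Added example, not the original post's code. Assumed layout:
//   /var/www/example.com/public_html/customer.php   <- this file
//   /var/www/example.com/private/config.inc.php     <- outside the web root
// config.inc.php (mode 440, web server's user in the group) is assumed to be:
//   <?php
//   return ['dsn'  => 'mysql:host=localhost;dbname=shop;charset=utf8mb4',
//           'user' => 'shop_app', 'pass' => 'REPLACE-ME'];
// The customers table (id, name, email) is likewise invented for the example.

declare(strict_types=1);

// Step 2: never show errors to visitors; log them instead. php.ini is the
// right place for this; setting it here too covers a missing php.ini entry.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Steps 5 and 11: credentials live above the document root and are pulled in
// with require_once; a visitor cannot request /../private/ through Apache.
$config = require_once __DIR__ . '/../private/config.inc.php';

function db(array $config): PDO
{
    return new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
}

// Step 4: validate, don't just escape. A customer id is a positive integer;
// anything else ("1 OR 1=1", "", "abc") is rejected before it nears SQL.
function validateCustomerId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 10: a prepared statement. The value never becomes part of the SQL
// text, so "'; DROP TABLE customers; --" is just a value matching no row.
// Compare the escaping approach from the list: mysql_real_escape_string()
// would protect   WHERE name = '" . $safe_name . "'
// but not         WHERE id = " . $safe_id        (nothing quoted, nothing escaped)
function findCustomer(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = validateCustomerId($_GET['id'] ?? '');
if ($id === null) {
    http_response_code(400);
    exit('Bad request');
}

try {
    $customer = findCustomer(db($config), $id);
} catch (PDOException $e) {
    error_log($e->getMessage());   // goes to the log (step 2), never to the browser
    http_response_code(500);
    exit('Internal error');
}

header('Content-Type: text/html; charset=utf-8');
echo $customer === null
    ? 'No such customer'
    : 'Hello, ' . htmlspecialchars($customer['name'], ENT_QUOTES, 'UTF-8');
```

The two halves reinforce each other: validation rejects anything that is not an integer, and the prepared statement would still be safe if validation were later loosened to accept names, because the parameter is sent to MySQL separately from the query text. The htmlspecialchars() call on output is the same idea applied in the other direction, so a name stored with a script tag in it is shown, not executed, in the browser.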

You can find more information about hardening your PHP scripts at PHPsec.org.

Also, for security purposes, you can refer to these two websites:

PHPIDS - Web Application Security 2.0 - Index

BlogSecurity