Social media and intranet case studies, best practices, & evolution by Toby Ward.
JavaScript opens doors to browser-based attacks

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

Read the full article JavaScript opens doors to browser-based attacks (CNET.com)

Criminals work smarter to take your money

There's more of your money to take, and the crooks are using more technology to take it.

eBay and PayPal phishing e-mails are becoming more and more prevalent. And now the dirty little crooks are no longer relying on e-mail alone to get you to cough up your dough. Some criminals have learned that we're becoming more cautious about these e-mails – so they're setting up fake call centers so that you phone in and give your personal information after you receive the e-mail.

Phishing schemes often start with misleading spam urging people to visit a fraudulent website designed to mimic a real business website (such as eBay or PayPal). Once unsuspecting people reach the site they're asked to give personal information – or are loaded up with spyware such as keystroke loggers.

According to Symantec's latest Internet Security Threat Report, there were 7.92 million phishing attempts per day during the second half of 2005, compared with the 5.7 million attempts per day it reported for the first half of 2005. And the attacks are becoming sneakier and more sinister.

Criminals Increasingly Blend IT Threats is an interesting read from eWeek: “As businesses and home users have become increasingly savvy about traditional threats delivered via e-mail attachments, criminals are finding new ways to lure end users to consume their attacks, according to the report. Researchers specifically cited a growth in the number of threats that use spam e-mail messages or IMs to distribute links to Web sites where malware or spyware is secretly downloaded to end users' computers.”

One of the keys to identifying a phisher is looking at the URL that asks you to update your information. Rather than sending you to the real PayPal URL, www.paypal.com, a phisher would have you go to a dummy site with a similar-looking URL (e.g. paypal.palpay.com). Now, one crook even used a URL hosted on PayPal's legitimate site that had been altered by cyber-criminals using a “so-called cross-site scripting attack.” Little bastards!

Here are some tips from MailFrontier (Top Ten Tips for Finding a Phish) to avoid being scammed:

    1. Know thyself: Know the online companies you deal with. When a suspect email arrives, remember: it could be fraud, it's definitely spam, and it is definitely not for you. Delete it.
    2. Subject matters: Consider the subject line of an email carefully. Citibank will never send you an email headed “_Citiibank_account_update ACT-N0W”. These messages may get through spam filters because they appear to come from a reputable source, but that doesn't mean it's really from Citibank.
    3. Learn the language: Understand how the companies you deal with want to interact with you. For example, banks usually want you to access your account through their website, not an email link. “Phishing” emails stand out because they don't follow the rules.
    4. Browsing around: Practice safe browsing. Open a new browser window each time you log on to a web site that displays personal information. When you are done at that site, log out and close that browser window.
    5. Spelling counts: Be sure to read emails that say they are from companies you know. Sometimes a real email will have a spelling or grammatical error, but anything more than one error is suspicious.
    6. Mousing around: Scroll over the links in emails you receive and check them. In some email systems, you can scroll over the different links in an email and see the actual contents of the link. If the email says PayPal, but the link content says “www.paipall.com”, be careful. And note: URLs can be disguised, so don't take a suspect link at face value.
    7. All form, no function: Never enter your personal or credit information into a form in an email. If you feel the email is legitimate, call the company or visit their web site and log in to provide the requested information.
    8. It's personal: Expect good customer service. Unless your name is “eBay User” or “johndoe99”, most “phishing” emails are not personalized. If you receive a “Dear Customer” email, it may be time to move on.
    9. Make a statement: Read your statements – every one, every month – to ensure your charges and debits are correct. Often information obtained through phishing is not used right away. Stay vigilant and report any suspicious activity immediately.
    10. Stay current: Use and maintain your email protection software for spam blocking, fraud blocking, and anti-virus. If you have any questions, there are many fine web sites which can provide the latest information on the latest virus, “phishing” attack, or on-line scam.
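The two URL checks the post describes (tip 6's mismatch between what a link says and where it really goes, and look-alike hosts such as paypal.palpay.com or www.paipall.com) as an added example, not code from the post or from MailFrontier: a Python script that flags such links in a constructed HTML mail body. The brand allow-list, the two-label "registrable domain" heuristic and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body (not a real phishing e-mail), using the hostnames the
# post quotes (paypal.palpay.com, www.paipall.com) alongside one genuine PayPal link.
SAMPLE_HTML = """
<p>Dear Customer, <a href="http://paypal.palpay.com/update">update your account at www.paypal.com</a></p>
<p>Or log in at <a href="http://www.paipall.com/login">www.paipall.com</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""

# Assumed allow-list: brands named in the post and their genuine registrable domains.
BRAND_DOMAINS = {"paypal": "paypal.com", "ebay": "ebay.com", "citibank": "citibank.com"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

def registrable_domain(host: str) -> str:
    # Last two labels (crude stand-in for a public-suffix lookup): paypal.palpay.com -> palpay.com
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, to catch look-alike labels such as palpay or paipall vs paypal
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html: str) -> list:
    # One finding per <a>; 'reasons' is empty when the link passes both checks
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        reg = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        shown = HOST_RE.search(text.lower())  # tip 6: visible text names a host
        if shown and registrable_domain(shown.group(1)) != reg:
            reasons.append("visible host differs from real target")
        for brand, genuine in BRAND_DOMAINS.items():  # brand named or imitated, wrong domain
            if reg != genuine and (brand in href.lower() or brand in text.lower()
                                   or edit_distance(reg.split(".")[0], brand) <= 2):
                reasons.append(f"looks like {brand} but points at {reg}")
                break
        findings.append({"href": href, "text": text.strip(), "reasons": reasons})
    return findings
```

Running `check_links(SAMPLE_HTML)` flags the first two links and leaves the genuine paypal.com link clean; a mail filter would apply the same two checks to every anchor before the message reaches the inbox.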

RELATED READING:

Assessing your security risk

Best practices: securing your intranet

Securing your intranet from the inside

Top 10 security lapses

Email and intranet are biggest wireless threats

Treat the intranet as a child, not your employees

Like a child, an intranet is a lot of work – and if done properly, the rewards are enormous.

Also like a child, the intranet can try your patience like no other business system. Successful intranets require more than just hard work – they require a lot of nurturing, patience, and understanding. This is what I would call smart parenting or smart governance.

Patience is key, however, because the rewards often take years to bear true fruit. Successful intranets, like some profiled here on Intranet Blog, take many, many years. The intranet is a complex, and often very emotional, business system. It is not just a website or another communications tool. It's a representative ecosystem of the entire business.

Your employees, however, are not children. Treat employees like children, and you had better damn well expect questionable behavior.

A client organization of many thousands of employees came to me with a problem – one of the businesses was forcing employees to accept an online compliance agreement for using their computer – every day. Let me repeat: forcing employees every day to accept an online compliance agreement for using their computer for work. Wow. I'd love to meet the guy who came up with this idea. Now, I don't mean to sound sexist, but I'm convinced that only a guy could come up with this – and likely someone with a military or football background.

I dare anyone to prove to me how this benefits anyone – especially the company. Please convince me that as we stand on the precipice of the greatest labor shortage in the history of modern business how such a forced daily compliance routine will engender employee satisfaction and employee retention. Come on, convince me. I'm looking for a good argument.

Just about every company has an employee conduct policy that new employees are expected to sign. But let me ask you, does your organization have a daily employee compliance procedure for…

  • Making a phone call
  • Using the bathroom
  • Eating in the cafeteria

Yeah, exactly. So why the hell would anyone apply such a tyrannical rule to using a computer? Treat an employee like a child and the predictable will ensue:

  • Decreased productivity
  • Decreased employee satisfaction
  • Decreased employee retention
  • Decreased customer satisfaction
  • Decreased earnings

Employees as adults

Of all the dozens of intranets I have worked with – and hundreds I've seen and used – almost all companies have corporate policies on Internet and intranet usage. However, I have yet to come across a company that has ever forced any employee to agree to any form of compliance or agreement on a daily basis. Sometimes, very rarely, compliance is a one-time agreement online where the user selects ‘yes’ or ‘no’. More common is a set of policies attached to the employee conduct agreement that is agreed to by the employee upon hire or on a semi-annual basis.

Additionally, in an overwhelming majority of large established companies, employees are bound by a policy or disclaimer that is published on the intranet home page and/or available within the footer of all intranet pages.

Fidelity Investments Canada has a link at the bottom of all pages to “Important Legal Information” which links to their page outlining the employee's obligations regarding acceptable use, confidentiality and distribution. The same link and policy are promoted on all pages of the Fidelity Investments global intranet portal, Fidelity Central.

One of the big banks (a client) has an online code of conduct test that employees have to take every two years. It includes an "Information Technology Use" section. Employees have this in their personnel file to prove knowledge of and agreement to the code of conduct. These policies detail the company's right to monitor e-mail and Internet usage, the downloading of inappropriate material, etc.

HSBC has a one-paragraph disclaimer at the bottom of the intranet home page. There are also links to established policies on “acceptable use” which all employees must sign off on.

Wachovia has a link at the bottom of most of their main intranet site pages called “Usage Policy”.

Capital One has a link entitled “Disclaimer”; Bank of Ireland has a link called “Group Intranet Guidelines.”

What if employees surf porn?

Let them surf porn, and eat cake. I expect that some employees will do naughty things – online and offline – regardless of company policies and compliance. Personally, I'd rather empower employees to make the right decisions – just like we do with their day-to-day jobs. I'd also like to give employees access to whatever they like.

If employees surf porn during the day, then I'll make a decision on their employment based on that behavior. I'd prefer to find out based on their behavior rather than rule over them with a big stick. This is also a natural retention tool – it separates the wheat from the chaff.

© 2006 Toby Ward - Prescient Digital Media
