Cybercrime
By Rich
This is a great day for security researchers, and a bad day for anyone with a bank account.
First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it's chock full of incredibly valuable information. I love the report because it's not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won't copy them all here, but a few highlights:
- Verizon's team alone investigated cases that resulted in the loss of 285 million records. That's just them, never mind all the other incident response teams.
- Most organizations do a crap job with security- this is backed up with a series of metrics on which security controls are in place and how incidents are discovered.
- Essentially no organizations really complied with all the PCI requirements- but most get certified anyway.
Liquidmatrix has a solid summary of highlights, and I don't want to repeat their work. As they say,
Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO.
And we'll add some of our own advice soon.
Next is an article on organized cybercrime by Brian Krebs THAT YOU MUST GO READ NOW. (I realize it might seem like we have a love affair with Brian or something, but he's not nearly my type). Brian digs beyond the report, and his investigative journalism shows what many of us believe to be true- there is a concerted attack on our financial system that is sophisticated and organized, and based out of Eastern Europe.
I talked with Brian and he told me,
You know all those breaches last year? Most of them are a handful of groups.
Here are a couple great tidbits from the article:
For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record.
...
One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies -- mainly financial institutions -- in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data.
...
Steve Santorelli, director of investigations at Team Cymru, a small group of researchers who work to discover who is behind Internet crime, said the hackers behind the Heartland breach and the other break-ins mentioned in this story appear to have been aware of one another and unofficially divided up targets. "There seem, on the face of anecdotal observations, to be at least two main groups behind many of the major database compromises of recent years," Santorelli said. "Both groups appear to be giving each other a wide berth to not step on each others' toes."
Keep in mind that this isn't the same old news. We're not talking about the usual increase in attacks, but a sophistication and organizational level that developed materially in 2007-2008.
To top it all off, we have this article over at Wired on PIN cracking. This one also ties in to the Verizon report. Another quote:
"We're seeing entirely new attacks that a year ago were thought to be only academically possible," says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. "What we see now is people going right to the source ... and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks."
If you read more deeply, you learn that the bad guys haven't developed some quantum crypto, but are taking advantage of weak points in the system where the data is unencrypted, even if only in memory.
Really fascinating stuff, and I love that we're getting real information on real breaches.
–Rich
Posted at Wednesday 15th April 2009 10:35 am
Filed under:
(0) Comments •
(0) Trackbacks •
Permalink
By Rich
I'm almost willing to bet money on this one...
Due to the nature of the recent breaches, such as Hannaford, where data was exfiltrated over the network, I highly suspect we will see outbound monitoring and/or filtering in the next revision of the PCI DSS. For more details on what I mean, refer back to this post.
Consider this your first warning.
–Rich
Posted at Saturday 21st February 2009 2:40 pm
By Rich
I loved being a firefighter. In what other job do you get to speed around running red lights, chop someone's door down with an axe, pull down their ceiling, rip down their walls, cut holes in their roof with a chainsaw, soak everything they own with water, and then have them stop by the office a few days later to give you the cookies they baked for you?

Now, if you try and do any of those things when you're off duty and the house isn't on fire, you tend to go to jail. But on duty and on fire? The police will arrest the homeowner if they get in your way.
Society has long accepted that there are times when the public interest outweighs even the most fundamental private rights. Thus I think it is long past time we applied this principle to cybersecurity and authorized appropriate intervention in support of national (and international) security.
One of the major problems we have in cybersecurity today is that the vulnerabilities of the many are the vulnerabilities of everyone. All those little unpatched home systems out there are the digital equivalent of burning houses in crowded neighborhoods. Actually, it's probably closer to a mosquito-infested pool an owner neglects to maintain. Whatever analogy you want to use, in all cases it's something that, if it were the physical world, someone would come to legally take care of, even if the owner tried to stop them.
But we know of multiple cases on the Internet where private researchers (and likely government agencies) have identified botnets or other compromised systems being used for active attack, yet due to legal fears they can't go and clean the systems. Even when they know they have control of the botnet and can erase it and harden the host, they legally can't. Our only option seems to be individually informing ISPs, which may or may not take action, depending on their awareness and subscriber agreements.
Here's what I propose. We alter the law and empower an existing law enforcement agency to proactively clean or isolate compromised systems. This agency will be mandated to work with private organizations who can aid in their mission. Like anything related to the government, it needs specific budget, staff, and authority that can't be siphoned off for other needs.
When a university or other private researcher discovers some botnet they can shut down and clean out, this law enforcement agency can review and authorize action. Everyone involved is shielded from being sued short of gross negligence. The same agency will also be empowered to work with international (and national) ISPs to take down malicious hosting and service providers (legally, of course). Again, this specific mission must be mandated and budgeted, or it won't work.
Right now the bad guys operate with impunity, and law enforcement is woefully underfunded and undermandated for this particular mission. By engaging with the private sector and dedicating resources to the problem, we can make life a heck of a lot harder for the bad guys. Rather than just trying to catch them, we devote as much or more effort to shutting them down.
Call me an idealist.
(I don't have any digital pics from firefighting days, so that's a more-recent hazmat photo. The bandana is to keep sweat out of my eyes; it's not a daily fashion choice).
–Rich
Posted at Wednesday 18th February 2009 12:50 pm
By Rich
Word is slowly coming through industry channels that the attackers in the Heartland breach exfiltrated sniffed data via an outbound network connection. While not surprising, I did hear that the connection wasn't encrypted- the bad guys sent the data out in cleartext (I'll leave it to the person who passed this on to identify themselves if they want). Rumor from 2 independent sources is the bad guys are an organized group out of St. Petersburg (yes, Russia, as cliche as that is).
This is similar to a whole host of breaches- including (probably) TJX. While I'm not so naive as to think you can stop all malicious outbound connections, I do think there's a lot we can do to make life harder on the bad guys. 
First, you need to lock down your outbound connections using a combination of current and next-generation firewalls. You should isolate out your transaction network to enforce tighter controls on it than on the rest of your business network. Traditional firewalls can lock down most outbound port/protocols, but struggle with nested/stealth channels or all the stuff shoveled over port 80. Next-gen firewalls and web gateways (I hate the name, but don't have a better one) like Palo Alto Networks or Mi5 Networks can help. Regular web gateways (Websense and McAfee/Secure Computing) are also good, but vary more on their outbound control capabilities and tend to be more focused on malware prevention (not counting their DLP products, which we'll talk about in a second).
The web gateway and next-gen firewalls will focus on your overall network, while you can lock off the transaction side with tighter traditional firewall rules and segment that thing off.
Next, use DLP to sniff for outbound cardholder data. The bad guys don't seem to be encrypting, and DLP will alert on that in a heartbeat (and maybe block it, depending on the channel). You'll want to proxy with your web gateway to sniff SSL (and only some web gateways can do this) and set the DLP to alert on unauthorized encryption usage. That might be a real pain in the ass, if you have a lot of unmanaged encryption outside of SSL. Also, to do the outbound SSL proxy you need to roll out a gateway certificate to all your endpoints and suppress browser alerts via group policies.
I also recommend DLP content discovery to reduce where you have unencrypted stored data (yes, you do have it, even if you think you don't).
As you've probably figured out by now, if you are starting from scratch some of this will be very difficult to implement on an existing network, especially one that hasn't been managed tightly. Thus I suggest you focus on any of your processing/transaction paths and start walling those off first. In the long run, that will reduce both your risks and your compliance and audit costs.
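As an added example (not the post's own code, and not the products named above, which do far more), here is a small Python egress check that does, in miniature, what this post and the earlier "outbound monitoring in PCI" post ask for: it enforces a destination allowlist for the transaction segment and runs a DLP-style scan of each outbound payload for card numbers that pass a Luhn check, which is exactly the cleartext exfiltration the post describes. The flow records, the allowlisted acquirer hostname and the card numbers (standard test PANs) are constructed test data.

```python
"""Egress check for cleartext cardholder data in outbound flows.

Added example (hypothetical, not the products named in the post). It applies
two of the controls the post describes to constructed flow records:
  1. a destination allowlist for the transaction segment, and
  2. a DLP-style scan of each payload for primary account numbers (PANs)
     that pass a Luhn check, i.e. card data leaving in cleartext.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Flow:
    src: str        # internal host
    dst: str        # destination host or IP
    dport: int      # destination port
    payload: bytes  # application-layer bytes seen by the egress sensor


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list[str]:
    """Return distinct Luhn-valid PANs found in the payload, in order."""
    text = payload.decode("latin-1")   # never fails; binary just yields noise
    found: list[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep BIN and last four so the alert itself is not a second leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(flows: list[Flow], allowed_dsts: set[str]) -> list[tuple[str, str, str]]:
    """Raise (src, dst, reason) alerts for policy or content violations."""
    alerts = []
    for f in flows:
        if f.dst not in allowed_dsts:
            alerts.append((f.src, f.dst, "destination not on transaction-segment allowlist"))
        pans = find_pans(f.payload)
        if pans:
            alerts.append((f.src, f.dst, "cleartext PAN(s): " + ", ".join(mask(p) for p in pans)))
    return alerts


# Constructed sample traffic (not captured data); 203.0.113.0/24 is a
# documentation range and the hostnames are placeholders.
ALLOWED = {"settlement.acquirer.example"}
SAMPLE_FLOWS = [
    # Normal: settlement upload to the allowlisted acquirer over TLS.
    Flow("10.20.0.5", "settlement.acquirer.example", 443,
         b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x01" + bytes(range(32))),
    # Suspicious: cleartext HTTP POST carrying card numbers to an unknown host.
    Flow("10.20.0.7", "203.0.113.44", 80,
         b"POST /up HTTP/1.1\r\nHost: 203.0.113.44\r\n\r\n"
         b"card=4111 1111 1111 1111&exp=0312&card=5555555555554444&id=1234567890123456"),
    # Normal: order ids look like PANs but fail Luhn, so no alert.
    Flow("10.20.0.9", "settlement.acquirer.example", 443,
         b"order=1234567890123456;batch=2009021201"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS, ALLOWED):
        print(alert)
```

The Luhn check is what keeps this from paging you on every sixteen-digit order number, and masking the PAN in the alert keeps the monitoring system itself out of PCI scope creep. In a real deployment the payload would come from the web gateway's decrypted SSL stream, since the post's other point stands: once the attacker wraps the upload in their own encryption this scan sees nothing, and only the destination allowlist still bites.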
–Rich
Posted at Thursday 12th February 2009 11:26 am
By Rich
Brian Krebs of the Washington Post dropped me a line this morning on a new article he posted. Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 million credit cards may have been disclosed in what is likely the largest data breach in history. From Brian's article:
Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach.
Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.
"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."
I want you to roll that number around on your tongue a little bit. 100 Million transactions per month. I suppose I'd try to hide behind one of the most historic events in the last 50 years if I were in their shoes.
"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said. "We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."
In a short IM conversation Brian mentioned he called the Secret Service today for a comment, and was informed they were a little busy.
We'll talk more once we know more details, but this is becoming a more common vector for attack, and by our estimates is the most common vector of massive breaches. TJX, Hannaford, and Cardsystems, three of the largest previous breaches, all involved installing malicious software on internal networks to sniff cardholder data and export it.
This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls.
–Rich
Posted at Tuesday 20th January 2009 4:52 am
By Rich
While not on the scale of Amex or BusinessWeek, I just find this one amusing.
Paris Hilton's official website was hacked and is serving up a trojan (the malware kind, not what you'd expect from her*). From Network World:
The hack was discovered by security vendor ScanSafe, which said that Parishilton.com (note: this site is not safe to visit as of press time) had apparently been compromised since Friday. Visitors to the site are presented with a pop-up window urging them to download software in order to enhance their viewing of the site. Whether they click "yes" or "no" on this window, the site then tries to download a malicious program, known as Trojan-Spy.Zbot.YETH, from another Web site.
The best part? Only 12 of 37 tested AV vendors catch the trojan. All of you that give me crap for hammering on AV can go away now.
* sorry, couldn't help myself there.
–Rich
Posted at Tuesday 13th January 2009 5:17 am
By Rich
There is an unpatched vulnerability for Internet Explorer 7 being actively exploited in the wild. The details are public, so any bad guy can take advantage of this. It's a heap overflow in the XML parser, for you geeks out there. It affects all current versions of Windows.
Microsoft issued an advisory with workarounds that prevent exploitation:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Enable DEP for Internet Explorer 7.
- Use ACL to disable OLEDB32.DLL.
- Unregister OLEDB32.DLL.
- Disable Data Binding support in Internet Explorer 8.
–Rich
Posted at Friday 12th December 2008 11:16 am
By Rich
Hard to believe we've been around to post this yet a third time, but here you go. Our list of advice for shopping safely online this year; and we even updated it this time:
Yes folks, Black Friday is only days away and the silly season is upon us. As someone born and bred in good old North Jersey (until I could legally escape), land of honey and shopping malls, this is a time so deeply ingrained into my subconscious that I've occasionally found myself sleepwalking around the nearest parking lot, looking for our old wood-paneled station wagon.
These days, thanks to the wonder of the Internet, anyone can experience the hustle and bustle of the Paramus malls from the comfort of their own home. And to help keep your shopping experience authentic, there's no shortage of cheats and thieves ready to yank your painstakingly chosen gifts right out of the virtual trunk of your web browser. Of course they might take your house with them, which, even in Jersey (despite the legends) is somewhat rare.
In the spirit of safe and happy holidays, Securosis presents our top 6 tips for safe online shopping, simply presented for the technical or non-technical consumer. Some of these tips also apply to the real world for those of you who just can't restrain the draw to the mall. Spread the fun, and feel free to post your own tips in the comments.
- Use a dedicated credit card, temporary credit card number, or PayPal account for holiday shopping. Our first tip is also useful for the physical world- still the origin of most credit card fraud. Take your card with the lowest limit and use it exclusively for holiday shopping. Use one you can monitor online, and check the activity daily through the holidays (weekly at a minimum). Make sure it isn't a debit card, and turn off any automatic payments (so you can dispute any charges before making payments). Keep tracking activity at least weekly for 12 months after the holidays are over, or cancel the card. DON'T USE A DEBIT CARD!!! These don't have the same protections as credit cards, and you're responsible for fraudulent charges. As for temporary credit cards or PayPal, read on to our second tip.
- Only use credit cards at major online retailers; use a PayPal debit account or temporary credit card for smaller shops . Sure, you might get a better deal from Billy-Bobs-Bait-Shop-And-Diamond-Wholesaler.com, but many smaller retailers don't follow appropriate security practices. Those hosted with a major service are often okay, but few consumers really want to check the pedigree for specialty shops. Instead, create a dedicated PayPal account that's not linked to any of your bank accounts or credit cards. Credit it with as much cash as you think you need and use it for those riskier online payments. Worst case, you only lose what's in that account, and you can easily cancel it anytime. Another option, depending on your credit card company, is a temporary credit card number for online shopping. These are single use, or single retailer/session numbers that can't be used again or leveraged to run up your account. Charges still appear on your same bill and are tied to your main credit card account. Check with your credit card company to see if they offer this service, but most of the major card issuers have it as an option. I like these better than account passwords (e.g. Verified by Visa and Mastercard SecureCode) since they work everywhere, and you don't have to worry about anyone sniffing them.
- Never, ever, ever, ever click on ANYTHING in email. It doesn't matter if your best friend sent you a really good deal in email. It doesn't matter if it's your favorite retailer and you've always gotten email offers from them. Repeat after me, "I will never click on anything in email." No special offers. No Ebay member to member emails. No "fraud alerts" to check your account. No nothing. Ever. Nada. Attackers are getting more and more refined in their attacks, some of which are very hard to distinguish from legitimate emails. Spam waves over the holidays are expected to break records this year. When you see an interesting offer in email, and it's a business you want to deal with, just open your web browser, type in the address manually, and browse to the item, offer, or account area. Email is the single biggest source of online fraud; never click on anything in email!
- Update your browser- use Firefox 3.1, IE 7 or 8, Safari 3.2.1, or Opera 9.6. Turn on the highest security settings. Over the past few months or so we've seen big updates of all the major browsers to include enhanced security features. Since the Safari update last week, all major browsers include features to help detect fraudulent sites- if you see a warning, shut down the browser and don't go back to that site. All of these browsers will ask you before installing any software when you visit a site; when shopping, never allow the site to install anything. Either it's a fraud or they don't deserve your business. Pay particular attention to plugins to watch video, or free games unless you know it's a trusted site (both are usually trojans). Most browsers now install with security enabled by default, so we won't be providing detailed instructions here. Just download them. Now. Then come back and read the rest of this list. We'll wait.
- Download and install NoScript for Firefox. This is a free plugin for Firefox that blocks anything from running in your browser that you don't allow (like Javascript, Flash, and so on). You won't need it if you just stick with Amazon, but if you use Google to help you find that can't-miss Drink-With-Me Elmo, you shouldn't be trolling the Internet without it. If you don't want it bothering you all the time, at least use it during your holiday shopping and turn it off later.
- Keep your antivirus, firewall, antispam, and anti-spyware up to date. I don't really care which product you use (and truth be told, we don't really like most of the commercial ones, and don't use them on our Macs) but as bad as some of these perform they really are essential on a PC. All users, regardless of platform, should use an email service that includes antivirus and antiphishing. For Windows users, Windows Defender is a good, free additional tool to limit spyware. Right now there's no known spyware for Macs, unless you're stupid and start manually downloading things.
These six simple steps won't stop all fraud, but will significantly reduce both the chances you'll be a victim, and the damage if you are. Feel free to email them to your friends and family who won't normally browse a security site like this one.
–Rich
Posted at Wednesday 26th November 2008 10:37 am
Posted at Friday 21st November 2008 3:09 am
By Rich
Brian Krebs posted a follow up article on the takedown of fraudulent hosting provider McColo (facilitated by his initial reporting last week). If you think all the nasties out there are hosted in Russia or China, you should really read his article.
McColo's servers weren't sending out the actual spam; they functioned as the command and control infrastructure for some of the world's biggest botnets. For those of you who don't know, spam is rarely sent from static servers anymore; it originates from botnets scattered around the world that are directed by their control network to issue once in a lifetime offers for the best possible deals on male enhancement products. (It's nice to know everyone has small weewees and lasts about 8 seconds, since otherwise this stuff wouldn't be so profitable). Since the spam originates from tens of thousands of different systems, it makes it nearly impossible to blacklist based just on IP address.
McColo hosted major components of the command infrastructure for spewing out your totally legitimate university diplomas (for a small fee). All those little bots are still out there, but no one is telling them what to do. As Krebs reports, it's only a matter of time before the network owners reassert control and we can get back to purchasing discount medications and finding true love in former Soviet countries.
But what if we took control ourselves and locked out the network? Those servers are still sitting in some building in California, and the ISPs still control the IP addresses. Imagine what we could do if we sent in a research team (or law enforcement) to commandeer all those bots and lock the bad guys out.
Yes folks, this is just fantasy today. We don't have the legal framework to execute such a project without creating risk for the good guys involved. Sure, we could use the botnet to patch all the compromised systems, but that's effectively breaking into someone's computer and making changes.
I dream of a day when we can more effectively take the fight to the bad guys without worrying about going to jail ourselves. There's absolutely no chance we can continue this fight indefinitely if we're always on the defense. But we're a long way off from having the legal framework and institutions to effectively stand up for ourselves.
–Rich
Posted at Tuesday 18th November 2008 4:08 am
By Rich
First he exposes the Russian Business Network and forces them to go underground, now he nearly single-handedly stops 2/3rds of spam.
Most tech journalists, myself included, merely comment on the latest product drivel or market trends. Brian is one of the only investigative journalists actually looking at the roots of cybercrime and fraud. On Tuesday, he contacted the major ISPs hosting McColo- a notorious hosting service whose clients include a long roster of cybercriminals. At least one of those ISPs pulled the plug, and until McColo's clients are able to relocate we should enjoy some relative quiet.
Congrats Brian, awesome work. This also shows the only way we can solve some of these problems- through proactive investigation and offense. We can't possibly win if all we do is run around and try and block things on our side.
–Rich
Posted at Thursday 13th November 2008 12:43 am
By Rich
I don't remember the exact quote from King of the Hill (an animated series here in the US), but it went something like this.
Bobby: But how come you don't want Luanne to go out with guys but you want me to date girls?
Dad: It's called the double standard, Bobby. Don't knock it -- we got the long end of the stick on that one.
Alan Shimel clearly got the short end of the stick when his account was hacked. Heck, he got the short end of the nub, and so would pretty much all of us.
Odds are high you've heard that the college kid that hacked Palin's account is being indicted and could face jail time. Twitter was all aflutter yesterday with concerns that the potential punishment exceeds the crime. Personally, I believe if you break the law, you face the consequences. I also harbor no illusions that our justice system is blind. It's clear if you mess with a popular politician, they will frack you as hard as possible, in every way possible. Then bury you. Then pee on your grave. Then pee on your dog before they bury it next to you. Your family and friends? You really don't want to think about that. And when you mess with a maverick Republican? Well, let's better hope they can't track down anyone that ever bothered to smile in your general direction.
Had the perpetrator broken into a government account I would expect a different set of consequences. But a personal account should be treated the same as Joe Six Pack's. Heck, Alan's break-in involved documented financial fraud, unlike Palin's. Not that I think we should destroy the lives of every college kid that virtually shoplifts a virtual candy bar (punishment should suit the crime), but over-tolerance only breeds contempt.
Just call me a dreamer, but as a realist I know I'm just wasting my words on this particular topic.
Still, I've heard from businesses that unless credit cards or other hard financial losses are clearly involved it is essentially impossible to get law enforcement to take action; they just don't have the resources. As such we need to focus on our own monitoring and incident response. If you can't prove someone really stole your cash, you won't get the attention of law enforcement. If you can't give them a description, don't expect the case to go very far. It's really no different in the physical world.
A few years ago, when I moved to Phoenix, we screwed up and left the garage door open at night. One of those silly mistakes when you think the other person took care of it. Neighborhoods are routinely cruised out here, and when I woke up and noticed it was too late. There went my road bicycle, most of my climbing gear, and, worst of all, a small pack containing my original Star Wars figures I'd saved since I was a kid and some other very personal mementos. We filled out a police report but never expected any action (no, they won't take fingerprints if someone steals your bike), and after our deductible it wasn't even worth filing an insurance claim. I made the rounds of the local pawn shops, but no joy.
Society accepts a certain level of losses, since we don't have the resources to continue otherwise. That doesn't, of course, apply when something gets the press attention of the Palin hack. Sometimes it's about the losses, and other times it's about looking good in the press.
–Rich
Posted at Thursday 9th October 2008 8:58 am
By Rich
Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they've already matched the 2007 breach numbers this year.
Personally, I think it's a bit of both, and we're many years away from any accurate statistics for a few reasons:
- Breaches are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I know of a case where a payment processor was compromised, records lost for some financial services firms that ran through them, and only 1 of 3-4 of the companies involved performed their breach notification. Let's be clear, they absolutely knew they had a legal requirement to report and that their customer information was breached, and they didn't.
- Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it's reasonable that at least some of them never knew they were breached. I'd say less than 10% of companies with PII even have the means to detect a breach.
- Breaches do not correlate with fraud. Something else we've discussed here before. In short, there isn't necessarily any correlation between a "breach" notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don't have a single case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today's accounting.
- There's no national standard for a breach, never mind an international standard. Every jurisdiction has their own definition. While many follow the California standard, many others do not.
Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse.
With all that said I need to go call Bank of America since we just got a breach notification letter from them, but it doesn't reveal which third party lost our information. This is our third letter in the past few years, and we haven't suffered any losses yet.
–Rich
Posted at Tuesday 23rd September 2008 10:44 am
By Rich
Thanks to Slashdot, here's a story on Adobe PDF vulnerabilities:
The Portable Document Format (PDF) is one of the file formats of choice commonly used in today's enterprises, since it's widely deployed across different operating systems. But on a down-side this format has also known vulnerabilities which are exploited in the wild.
I normally ignore stories coming out of vendor labs on new exploits that are coincidentally blocked by said vendor's products, but on occasion they highlight something of interest.
Back in February I mentioned three applications that are a real pain in our security behinds- IE/ActiveX, QuickTime, and Adobe Acrobat (the entire pdf format, to be honest). It's nice to see a little validation. Each of these, in their own way, allows expansion of their formats.
In the Adobe case they keep shoveling all sorts of media types and scripting into the format. This creates intense complexity that, more often than not, leads to security vulnerabilities. When you manage an open format, content validation/sanitization is an extremely nasty problem. Unless you design your code for it from the ground up, it's nearly impossible to keep up and lock down a secure format. I suspect Adobe's only real option at this point is to start failing with grace and focus on anti-exploitation and sandboxing (if that's even possible, I'll leave it up to smarter people than me).
Truth is I should have also put Flash on the list. My bad.
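As an added example of the "content validation is a nasty problem" point (this is hypothetical code, not Adobe's and not a full PDF parser), here is a Python triage scanner that counts the PDF name tokens marking scripting, automatic actions and embedded media, the very things the post says keep getting shovelled into the format. It handles one of the reasons naive validation fails: PDF lets a name be written with #xx hex escapes, so /J#61vaScript is the same name as /JavaScript and a plain string search misses it. The two sample documents are constructed inline and are not real malicious files.

```python
"""Triage scanner for active content in PDF files.

Added example (hypothetical; not Adobe's code and not a full PDF parser). It
counts the name tokens that mark scripting, automatic actions and embedded
content, after undoing the #xx escaping PDF allows inside names, so that
/J#61vaScript is recognised as /JavaScript. Compressed object streams are not
decoded, so treat the result as a triage signal rather than a verdict.
"""
import re

# Name tokens worth a second look, with what each enables.
RISKY_NAMES = {
    b"/JavaScript": "script execution",
    b"/JS": "script execution",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional actions triggered by viewer events",
    b"/Launch": "launches an external application",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "embedded Flash or other rich media",
    b"/ObjStm": "compressed object stream (contents not inspected here)",
}

# A name runs from '/' up to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(token: bytes) -> bytes:
    """Replace #xx escapes with the byte they encode."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data: bytes) -> dict[str, int]:
    """Count occurrences of each risky name in the raw file bytes."""
    counts: dict[str, int] = {}
    for m in NAME_TOKEN.finditer(data):
        name = normalize_name(m.group())
        if name in RISKY_NAMES:
            key = name.decode("latin-1")
            counts[key] = counts.get(key, 0) + 1
    return counts


def explain(counts: dict[str, int]) -> list[str]:
    """Human-readable lines for an analyst, one per risky feature found."""
    return [f"{name} x{n}: {RISKY_NAMES[name.encode()]}"
            for name, n in sorted(counts.items())]


# Constructed minimal PDFs (not real samples). Object offsets and the xref
# table are omitted; the scanner only looks at name tokens.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type/Pages/Kids[3 0 R]/Count 1>>\nendobj\n"
    b"3 0 obj\n<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>\nendobj\n"
    b"%%EOF\n"
)

SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type/Pages/Kids[3 0 R]/Count 1>>\nendobj\n"
    b"3 0 obj\n<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>\nendobj\n"
    # The action type name is hex-escaped to dodge naive string matching.
    b"4 0 obj\n<</S/J#61vaScript/JS(app.alert('hi'))>>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, explain(scan_pdf(pdf)) or ["no active content markers"])
```

This is the kind of check a mail gateway can run cheaply, and it also illustrates the post's pessimism: a document whose objects sit inside a FlateDecode'd /ObjStm hides all of these names from a byte-level scan, which is why the scanner flags /ObjStm itself and why real validation needs a full parser for every feature the format keeps growing.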
–Rich
Posted at Tuesday 23rd September 2008 9:37 am
By Rich
Just a short, friendly reminder that there is no such thing as a trusted website anymore, as demonstrated by BusinessWeek.
We continue to see trusted websites breached, and rather than leaving a little graffiti on the site the attackers now use it as a platform to attack browsers. It's one reason I use Firefox with NoScript and only enable the absolute minimum to get a site running.
–Rich
Posted at Thursday 18th September 2008 5:39 am