Category Archives: InfoSec

Stop H*Commerce. Check out the story, and help stop the scammers.

HCommerce is all about how people get scammed through phishing and the like, the associated stories, and what people can do to reduce the chances of it happening to them.

Chris Roberts (CCi5 and Cyopsis) demonstrates just how easy it is to get hold of important confidential data, and lends his expert services to help out a family brought close to the brink when they are subjected to electronic attack.

Episode One

Episode Two

Episode Three

Episode Four

Episode Five

Episode Six

Apparently we should no longer blank passwords when entered on websites. Thoughts?

I was reading a page on Out-Law today about how Jakob Nielsen and Bruce Schneier say that the masking of passwords is actually leading to weaker security.

“It’s time to show most passwords in clear text as users type them,” said Nielsen in a post on his website. “Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.”

“Password masking has annoyed me for years,” Schneier told OUT-LAW.COM. “Shoulder surfing is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time.”

“The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security,” he said.

Nielsen said that sites usually blank out type-in passwords out of force of habit rather than reason. “Password masking has become common for no reasons other than (a) it’s easy to do, and (b) it was the default in the web’s early days,” he said.

I can kind of see the reasoning used to come to this conclusion, but personally I think it’s not a good idea. I believe shoulder surfing is a reality, and there are masking technology options that mask a password but still show the last character typed, in an effort to show a user when they have gone wrong. I also find this interesting, as Schneier spoke about users being encouraged to write down passwords on a piece of paper. I believe that we could make better use of biometrics in the future, but the password still plays a key defence in security. With that in mind we really should take care to store these passwords securely, and I really don’t think it makes sense to start showing passwords in clear text. We live in an age of technology, these things are not new, and if people really can’t handle typing in a password without seeing it, perhaps we have other problems. Finally, they believe shoulder surfing is largely a phantom problem, which I don’t agree is true, but I imagine if we moved to a standard where we don’t mask passwords there would be a steep rise in it.

I know we need people to think outside the box, and yes, we need to strike a balance of usability with security, but I really don’t think this is the brightest thought of late. We are all entitled to our own opinions, though.
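The masking option mentioned in the post, where the field stays masked but shows the last character typed, as an added example that is not from the original post or from Out-Law. The real password is held in JavaScript state and the visible field only ever contains the masked rendering; the element names, MASK_CHAR, REVEAL_MS and the function names are assumptions made for this example.

```javascript
// Added example (not code from the original post or from Out-Law): a password
// field that stays masked but briefly reveals the last character typed, the
// middle ground mentioned in the post. Rendering and edit logic are pure
// functions so they can be tested without a browser.

const MASK_CHAR = '\u2022';   // bullet shown in place of each real character
const REVEAL_MS = 1000;       // how long the last character stays visible (assumed value)

// What the user should see: every character masked except, optionally, the last.
// Array.from splits on code points, so an emoji counts as one character.
function renderMasked(secret, revealLast) {
  const chars = Array.from(secret);
  if (chars.length === 0) return '';
  const last = revealLast ? chars[chars.length - 1] : MASK_CHAR;
  return MASK_CHAR.repeat(chars.length - 1) + last;
}

// Reconstruct the real secret from an edit made to the visible field. The
// visible text is never a source of truth (it is mostly bullets), so only the
// change in length is used: growth appends the new trailing characters, and
// shrinkage truncates. This assumes edits happen at the end of the field, which
// the DOM binding below enforces by pinning the caret there.
function reconcile(secret, visibleBefore, visibleAfter) {
  const before = Array.from(visibleBefore);
  const after = Array.from(visibleAfter);
  const real = Array.from(secret);
  if (after.length >= before.length) {
    return real.concat(after.slice(before.length)).join('');
  }
  return real.slice(0, after.length).join('');
}

// Controller holding the real secret; the DOM only ever holds the masked view.
function createMaskedField() {
  const state = { secret: '', revealLast: false };
  return {
    // Called with the field's new contents after the user typed, pasted or deleted.
    onInput(visibleAfter) {
      const visibleBefore = renderMasked(state.secret, state.revealLast);
      state.secret = reconcile(state.secret, visibleBefore, visibleAfter);
      // Reveal the last character only after input, never after a deletion.
      state.revealLast = Array.from(visibleAfter).length > Array.from(visibleBefore).length;
      return renderMasked(state.secret, state.revealLast);
    },
    // Called when the reveal timer fires: mask everything again.
    hideLast() {
      state.revealLast = false;
      return renderMasked(state.secret, false);
    },
    // The real value, for submission; never read it back from the visible input.
    value() { return state.secret; },
  };
}

// Browser wiring (hypothetical elements). `visibleInput` is a type="text" field
// with autocomplete="off"; `hiddenInput` carries the real password on submit.
function attachMaskedField(visibleInput, hiddenInput) {
  const field = createMaskedField();
  let timer = null;
  visibleInput.addEventListener('input', () => {
    const shown = field.onInput(visibleInput.value);
    visibleInput.value = shown;
    visibleInput.setSelectionRange(shown.length, shown.length); // caret stays at the end
    hiddenInput.value = field.value();
    clearTimeout(timer);
    timer = setTimeout(() => { visibleInput.value = field.hideLast(); }, REVEAL_MS);
  });
  return field;
}
```

The form should submit only the hidden field; the visible one is a display surface. The reveal window is the trade-off the post describes: long enough for the user to catch a mistyped character, short enough that someone looking over their shoulder only ever sees one character at a time. Edits in the middle of the field are not supported, which is why the binding keeps the caret at the end.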

TwitterSec Day July 1st

Taken From i-hacked

I hereby declare that WED JULY 1st is Twitter Security Day (#twittersec). I do so with good reason. As it stands, the guys at http://twitpwn.com/ have declared July the “Month of Twitter Bugs” (MoTB). Taken from their site:

Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site. As those vulnerabilities can be exploited to create a Twitter worm, I’m going to give the 3rd party service provider and Twitter at least 24 hours’ heads-up before I publish the vulnerability.
Even though I have enough vulnerabilities for this month, you are more than welcome to send me (via email or twitter) vulnerabilities you find in 3rd party Twitter services. I will do my best to publish all submitted vulnerabilities. I will, of course, credit the submitter.

So what does #twittersec mean? What should you do?

Simple: On Wed, July 1st CHANGE YOUR TWITTER PASSWORD.

How many times have you given your twitter password to a third party site? Did you change your password after you did that? Well, if not, here is a good time to do so. Yes, it is true that changing your password doesn’t invalidate all of the “MoTB”; however, it could help stop a few.

Even more importantly #twittersec’s goal is to raise awareness to the “MoTB” and to put pressure on the developers to fix the vulnerabilities in these third party apps.

Please help spread the word about Month of Twitter Bugs and #twittersec day!

Michael Jackson dies aged 50 of suspected cardiac arrest. Look out for spam

Paramedics were called to the singer’s home around midday local time on Thursday after he stopped breathing and suffered a suspected cardiac arrest.

He was rushed by ambulance to a local medical centre, but his death was announced shortly afterwards.

The star, who had a history of health problems, had been due to begin a series of comeback concerts in the UK on 13 July.

He had a history of health problems and had not completed a concert tour in 12 years.

Look out for Spamming

As with all these types of incident with huge media exposure, we should expect to see an onslaught of spam, and phishing attacks.

I have seen mails doing the rounds already, with stories, jokes, videos etc., so please be careful.

Just about 8 hours after his death, SophosLabs witnessed the first wave of spam messages employing the sad news in the subject line and body to harvest victims’ email addresses.

In this kind of spam message, the spammer claims she/he has vital information about the death of Michael Jackson to share with somebody, i.e. you.

The body of the spam message does not contain any call-to-action link such as a URL, email address, or phone number, and the From address of the message is bogus.

But the spammer can still harvest recipients’ email addresses via a free live email address if the spam message is replied to.


Also keep an eye out for suspicious emails talking about having your O2 ticket refunded if you bought one. If you have questions about this, contact the booking offices you made the purchases through directly.

MSE Beta, installed and tested. It’s not bad.

Ok so I have installed the Microsoft Security Essentials Beta and run a quick and a full scan. I have to say it’s not too bad.
Looks like it takes about 4,184k of memory when running, and I guess that’s not as good as some of the other free AVs on the market, but it does seem to do the job.

I have taken a few screen shots below so you can get an idea of the different screens. It did find and flag Kon-Boot, so it’s doing something.

Microsoft Security Essentials Beta Live… Free AV

So Microsoft’s Security Essentials Beta went live today, and I believe it is limited to 75,000 users.
I got myself a copy from the MSE site; the beta is available only to customers in the United States, Israel (English only), People’s Republic of China (Simplified Chinese only) and Brazil (Brazilian Portuguese only). Obviously you may find ways around this.

I will install it later and give my opinions, but you might want to grab a copy and see what it’s like.

Here is some information and screenies:

What is Microsoft Security Essentials?

You’re too busy to spend a lot of time worrying about protecting your PC. With Microsoft Security Essentials Beta, you get high-quality protection against viruses and spyware, including Trojans, worms and other malicious software. And best of all, there are no costs or annoying subscriptions to keep track of.

Security Essentials is easy to install and easy to use. Updates and upgrades are automatic, so there’s no need to worry about having the latest protection. It’s easy to tell if you’re protected – when the Security Essentials icon is green, your status is good. It’s as simple as that.

When you’re busy using your PC, you don’t want to be bothered by needless alerts. Security Essentials runs quietly in the background, only alerting you if there’s something you need to do. And it doesn’t use a lot of system resources, so it won’t get in the way of your work or fun.
