
Defensive Computing

July 9, 2008 8:17 PM PDT

I told you so

by Michael Horowitz

Yesterday was Patch Tuesday, and a bug fix released by Microsoft caused a problem for ZoneAlarm firewall users: they could no longer get online. Oops. Except, that is, if they followed the advice offered earlier on this blog, which is to wait until Thursday or Friday before installing the patches Microsoft releases on Tuesday. This is exactly the sort of situation for which that advice was intended.

On July 2nd, I wrote about Flagfox, a Firefox extension that displays a small flag in the corner of the browser window. Three days later I expanded on this, saying that Flagfox can perform a very important service: displaying the IP address of a website. For financial institutions, or anywhere you do sensitive transactions, this is very important. There are many ways that malicious software can fake things out such that, even when using a browser bookmark/favorite and even when seeing the name of your financial institution in the address bar, you can nonetheless be at a phony, scam copy of the website, one designed to steal your password. Typically this is the result of an attack on DNS, a system that I described back in December when I suggested using OpenDNS.

Yesterday it came to light that there is a huge bug in DNS. Massive repercussions. But not for Flagfox users. They can see the IP address of their bank website and verify it. If, for example, a bank website is supposed to be at IP address 1.2.3.4 and a DNS poisoning attack results in your ending up at 5.6.7.8, Flagfox users won't be faked out. Of course, the banks have to publicly verify their IP addresses, and so far only Bank of America has done so. Chase outright refused to say anything. I'm still working on this.

On June 11th, Brian Krebs at WashingtonPost.com wrote about a version of the "Zlob" Trojan that tries to zap the DNS settings on your router (a totally different type of DNS attack). But anyone who took my March posting, Defending your router, and your identity, with a password change, to heart had already changed their router password and was immune to this attack.

On July 6th I discussed Still more reasons to avoid Internet Explorer. The very next day, we learned of another security problem with IE, this one having to do with an ActiveX control related to Microsoft Access. By my count, this brings the number of known bugs in Internet Explorer without fixes to six. I read my fair share of articles on this latest IE bug; none said anything about a Microsoft commitment to fix it, despite the fact that bad guys are currently exploiting it. In fact, Elinor Mills said Microsoft "may" provide a fix in the future. It must be nice to be a monopoly.

Back in April, when Windows XP Service Pack 3 was released, I advised against installing it at a time when others said it was a good thing. In retrospect, the problems it caused far outweighed the trivial benefits it offers. I still haven't installed it and don't plan on doing so in the immediate future. Neither should you.

Watch this space for more Defensive Computing and, if you missed it, let me suggest reading The pillars of Defensive Computing.

See a summary of all my Defensive Computing postings.

July 5, 2008 2:23 PM PDT

Verifying legitimate bank websites

by Michael Horowitz

Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.

This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.

When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle, however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.

The problem is verifying the physical location of legitimate websites.

For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or has my computer been compromised such that I'm looking at a phony copy?

The only way to verify the location is to ask the bank. So that's what I've been doing.

On July 3rd, I contacted eight banks asking where their websites were physically located. In some cases I emailed, in other cases I filled in a form on their website. In each case I pointed to my previous blog posting and asked for a comment. The banks I contacted were: Citibank, Chase, Washington Mutual, Bank of America, Wells Fargo, Wachovia, HSBC and Capital One.

About IP Addresses

Flagfox determines the country based on the IP address of the website. Every computer on the Internet is reachable by a unique number called an IP address (a single IP address often front-ends multiple computers, but that's another topic).

It is impossible for the computer(s) running a website to hide their IP address. Just as the Flagfox extension displays it, so too can any Internet-aware software that cares to do so. And, just like you can learn the IP address of a website, the website also knows your IP address. To see this in action, go to ipchicken.com.

Thus, one way to detect scam websites would be for financial companies to publicize the IP address(es) of their website. Customers could put a yellow sticky on their monitor with the IP address and verify it with Flagfox before logging in to the website.

The Bank of America did just that. They wrote back that their website uses these three IP addresses:
  171.161.161.173
  171.159.193.173
  171.159.65.173

But IP addresses are for computers, not for people. Humans are better off dealing with countries, states and cities. Capital One credit card customers would, I'm sure, prefer to remember McLean, Virginia rather than the IP address 208.80.48.53.
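The "yellow sticky on the monitor" check can be automated. The script below is an added example, not the author's code or Flagfox's: it resolves a hostname through the local resolver and compares every returned address against a published list, using the three Bank of America addresses quoted above (the hostname www.bankofamerica.com is an assumption; the post names only the bank). Any address not on the list, or an empty answer, is reported as a mismatch, which is exactly the 1.2.3.4 versus 5.6.7.8 case from the July 9th post.

```python
import ipaddress
import socket

# Published addresses as quoted in the post (Bank of America's reply).
# The hostname key is an assumption; substitute your own bank's list.
PUBLISHED = {
    "www.bankofamerica.com": {
        "171.161.161.173",
        "171.159.193.173",
        "171.159.65.173",
    },
}


def resolve(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname.

    This uses the same stub resolver (and hosts file) the browser uses, so a
    poisoned cache or hosts file fools it the same way; that is the point:
    the comparison against the published list is what catches it.
    """
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def verify(hostname, resolved, published=PUBLISHED):
    """Compare resolved addresses with the published list for hostname.

    Returns (verdict, detail): 'ok' with the matching addresses, 'mismatch'
    with the stray addresses (empty set if nothing resolved), or 'unknown'
    when no list has been published for this hostname.
    """
    expected = published.get(hostname)
    if expected is None:
        return "unknown", set()
    wanted = {ipaddress.ip_address(a) for a in expected}   # validates syntax
    got = {ipaddress.ip_address(a) for a in resolved}
    if not got:
        return "mismatch", set()
    strays = got - wanted
    if strays:
        return "mismatch", {str(a) for a in strays}
    return "ok", {str(a) for a in got}


if __name__ == "__main__":
    host = "www.bankofamerica.com"
    print(host, verify(host, resolve(host)))
```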

It has been two days since I contacted the eight banks (yes, it's a holiday in the U.S., but bank websites don't do holidays). Three haven't responded at all. Four responded with canned messages that failed to address the topic. Only Bank of America seems to have read the question.

If I learn anything from these companies, I'll pass it on. If you do financial transactions online, try asking your financial institution. Can't hurt.

Update July 7, 2008: Attacking the registrar for a domain is one way to redirect people to phony websites. See this July 7th ComputerWorld article for a recent example: ICANN blames June site hijack on registrar

See a summary of all my Defensive Computing postings.

July 2, 2008 12:26 PM PDT

Fight Phishing with Flagfox for Firefox

by Michael Horowitz

A big part of phishing scams and identity theft is fooling people into thinking they are on one website when they are actually somewhere else. The technical tricks to accomplish this include lookalike and phony domain names, zapping the hosts file, tricks with URLs and assorted attacks on DNS servers. What's a normal person to do?

Flagfox is an unobtrusive extension for the Firefox web browser that offers some assistance by placing a flag in the bottom right corner of the Firefox window. The flag (shown below) indicates the country where the website physically resides.


If you don't recognize the flag, hover the mouse over it and a yellow pop-up window (below) displays the IP address of the website and the country where it resides. If you normally deal with a bank, brokerage or credit union in, for example, the United States, and one day you notice the flag is from another country, you are not at the website you thought you were.


Of course this only goes so far. If a legitimate website is in New Jersey and a phony, phishing copy of it resides in New Mexico, the flag will still be American. Before doing anything sensitive, such as banking, click on the flag to open a new tab showing a map and more precise location information such as the city and state.


This is the physical location of the website, not of the organization or person represented by the website. Although in the case of CNET and CNET.com they are the same, this is not normally the case. The New York Times, for example, runs their website out of Colorado. The website of another New York City newspaper, the Daily News, is in Texas. Our third local newspaper, the New York Post, hosts their site in Massachusetts.

In all but two cases that I tried, Flagfox was able to pinpoint a location based on the IP address. However, it didn't know where CNN.com or TomsHardware.com were located.

The point is to be aware of where the important websites that you deal with are located. Customers of Citibank, for example, would be safer if they verified that the website was in New York City before signing in.

But where are the bank websites? Only the banks know for sure. For example, my computer showed Citibank.com as being in New York City, but if my machine was compromised, I could be looking at a scam site imitating Citibank while the real site is elsewhere.

For Flagfox to be most effective, banks, brokerages and credit unions would have to publicize the physical location of their websites. I'll contact a few and see what they say...

Update July 2, 2008: If Flagfox can't locate a website based on the IP address, there are other options. Two websites that I've used often for this are www.ip-adress.com/ipaddresstolocation and www.ip2location.com/demo.aspx.

For more on this same subject, see my next posting, Verifying legitimate bank websites.

I recently wrote about another Firefox tweak, Firefox 3: Expand the Site Identification button on HTTPS pages, which also helps with verifying the true identity of a website.

See a summary of all my Defensive Computing postings.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
