
Webware

Read all 'encryption' posts in Webware
July 25, 2008 7:30 AM PDT

Users can automatically encrypt Gmail connection

by Stephen Shankland
  • 3 comments

Update 12:35 p.m. PDT: I clarified this post to reflect the fact that this involves encryption only between a user's browser and Gmail's servers.

Gmail now can be set to encrypt communications between a browser and Google's servers by default, an option that makes the e-mail service harder to snoop on but also potentially slower.

Users already could encrypt communications with Gmail servers (by going to https://mail.google.com), but on Thursday, the company added an option to use that encrypted connection automatically.

Gmail now can be set to encrypt communications with its users by default.

(Credit: Google)

"Your computer has to do extra work to decrypt all that data, and encrypted data doesn't travel across the Internet as efficiently as unencrypted data," Gmail engineer Ariel Rideout said in a blog post Thursday. "That's why we leave the choice up to you."

The encryption comes through use of HTTPS, a secure version of the HTTP protocol that governs how Web browsers fetch information from servers. It's not simple to snoop on somebody else's network traffic, but it can be done when the communications aren't encrypted.

HTTPS encrypts communications only between the browser and Gmail's servers. It's not like PGP (Pretty Good Privacy) or GPG (GNU Privacy Guard) software, which encrypts e-mail all the way from source to destination, so Google's servers still handle the message in the clear.

The Gmail login process is always encrypted.

(Via Google Blogoscoped.)

Originally posted at Digital Media
November 27, 2007 11:12 AM PST

SANS releases top 20 Net risks list

by Dawn Kawamoto
  • Post a comment

Malicious attackers are increasingly setting their sights on targeted phishing attacks, or "spear" phishing, and custom-built applications, pushing these two areas into SANS' Top 20 Internet Security Risks of 2007.

The report, released Tuesday, provides a glimpse into the nefarious activities of online attackers and the issues faced by security firms.

"Spear phishing has had its most critical and damaging impact in military and civilian government organizations and military contractors who build weapons and more," said Alan Paller, SANS Institute research director.

He estimated that 90 percent of the attacks that caused the greatest damage over the past 18 months targeted the military and government entities, as well as defense contractors. Corporate executives are also increasingly finding themselves as targets of spear phishing.

"It's done as an act of espionage, and not so much for economic gain," Paller said during a press conference with other security experts to release the report.

A chief information officer at a midsize federal agency, for example, discovered his own computer was sending out data to China, unbeknownst to him, according to a composite cited in the report.

And in an effort to tackle the weakest security link in an organization, one federal agency has taken the unusual step of sending out a benign version of a phishing attack to its employees and further educating those who bite on security measures they should be taking.

Phishing is used for economic gain, as a means to lure users into giving up their log-on and passwords, as well as such sensitive information as Social Security numbers and bank accounts.

Custom-built applications have also gained favor with malicious attackers, due to developers' lackadaisical approach in designing security into the software. Previously, attackers used to concentrate their efforts on widespread software.

Other frequent attack targets cited on the list include Web browsers, Office software, e-mail clients and media players on the client side, while Windows services, Unix and Mac OS services and database software were listed on the server side of the equation.

Unencrypted laptops and removable media, as well as VoIP servers and phones, also made it on the list.

Originally posted at News Blog
May 1, 2007 11:31 PM PDT

Civil disobedience hits Digg

by Rafe Needleman
  • 3 comments

Digg exploded into riot on Tuesday.

A story was posted that contained the hexadecimal decryption key that allows Linux users to decode and play HD DVDs. The Digg staff received a request from the Advanced Access Content System License Administrator to remove the story, interpreting the request as following the law and as falling under Digg's preexisting terms of use that prohibit the posting of infringing content. Jay Adelson explained this in his blog post at 1 p.m. on May 1.

Digg getting bombed by HD DVD cracks.

(Credit: CNET Networks)

The Digg user community was not to be silenced, and found a way to route around this censorship. Digg users posted links to hundreds of stories that contained the decryption key, and each one was Dugg up, until the entire site seemed to be nothing but a repository for this one string of hexadecimal digits. A few Digg users found their accounts suspended for misuse.

At 9 p.m., Kevin Rose reversed course, with another blog post: "...after seeing hundreds of stories and reading thousands of comments, you've made it clear. You'd rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won't delete stories or comments containing the code and will deal with whatever the consequences might be. If we lose, then what the hell, at least we died trying."

This online riot illustrates three points.

1. If a DRM method can be cracked, it will be. And if it is, the crack will get out. It will be printed on T-shirts or Dugg to high heaven until it becomes as laughable as ROT13.

2. Laws and lawyers cannot restrain a revolting mob of wanna-be online anarchists. For that matter, even Digg's iconic founders can't control an online horde.

3. Mobs are not smart. Stampeding a server (or a police line or a stadium) makes a strong point and may eventually lead to changes in laws or policies, but there is often a price paid for those actions. In this case, Digg itself may be the price of revolt.

For (much) more on this story, see TechMeme.

January 16, 2007 1:15 PM PST

Forget your passwords safely with PassPack

by Josh Lowensohn
  • 1 comment

Passwords are a real pain. It's not so bad dealing with one or two, but once you have five or more log-ins and passwords at various sites, even the sharpest mind will have trouble remembering what goes where. PassPack is a new service that attempts to solve this problem, letting you create a personal archive of log-ins and passwords that can be packed and unpacked with one master password.

Passwords can be read over your shoulder, so be careful.

(Credit: CNET Networks)

After setting up PassPack, you can start plugging in as many accounts as you want. When you're done you can "Pack it up!" using a special packing password, essentially closing your log-in collection until you want to expand it again.

PassPack doesn't just take your data and encrypt it on its end; it encrypts it client-side as well, meaning your precious information will be guarded even if somebody else gets it on the way to the PassPack servers.
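The Gmail post above (HTTPS protects only the hop to the server, while PGP-style encryption protects the message all the way to the recipient) and PassPack's client-side encryption make the same structural point: whoever holds the inner key can read the data, and the server in the middle cannot. The following Python model is an added example, not code from Gmail, PassPack or either post. It assumes a PBKDF2-derived symmetric key as a stand-in for both a TLS session key and the recipient's PGP key (real PGP uses public-key encryption), uses an HMAC-SHA256 counter-mode keystream as a stdlib stand-in for a real authenticated cipher, and works on constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not real mail or real credentials).
SAMPLE_MESSAGE = b"Subject: lunch\n\nMeet at noon?"
SAMPLE_VAULT = {"example.test": {"user": "alice", "pass": "correct-horse"}}

BLOCK = 32  # SHA-256 digest size, used as the keystream block length


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real cipher so the example needs only the stdlib;
    symmetric, so the same call decrypts. It is not authenticated, which
    a real design would add (AES-GCM or similar)."""
    out = bytearray()
    for i in range((len(data) + BLOCK - 1) // BLOCK):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[i * BLOCK:(i + 1) * BLOCK]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under key with a fresh random nonce prepended."""
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); a wrong key yields garbage, not an error."""
    return keystream_xor(key, blob[:16], blob[16:])


def send_https_only(message: bytes, tls_key: bytes) -> dict:
    """HTTPS hop only: the wire carries ciphertext, but the mail server
    terminates TLS and therefore holds the plaintext."""
    on_wire = seal(tls_key, message)
    server_view = unseal(tls_key, on_wire)
    return {"wire": on_wire, "server": server_view}


def send_end_to_end(message: bytes, tls_key: bytes, recipient_key: bytes) -> dict:
    """PGP-style: encrypt to the recipient first, then send over HTTPS.
    The server strips TLS but still sees only the inner ciphertext."""
    inner = seal(recipient_key, message)
    on_wire = seal(tls_key, inner)
    server_view = unseal(tls_key, on_wire)
    recipient_view = unseal(recipient_key, server_view)
    return {"wire": on_wire, "server": server_view, "recipient": recipient_view}


def pack_vault(entries: dict, master_password: str) -> bytes:
    """Client-side vault encryption: salt + ciphertext is all the server stores."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    return salt + seal(key, json.dumps(entries).encode())


def unpack_vault(blob: bytes, master_password: str):
    """Decrypt the vault; returns None if the result is not valid JSON,
    which is the usual outcome of a wrong master password (no recovery)."""
    key = derive_key(master_password, blob[:16])
    try:
        return json.loads(unseal(key, blob[16:]).decode())
    except (UnicodeDecodeError, ValueError):
        return None


if __name__ == "__main__":
    tls_key = derive_key("tls-session", b"constructed-salt-1")
    bob_key = derive_key("bob-passphrase", b"constructed-salt-2")
    print("HTTPS only, server sees:", send_https_only(SAMPLE_MESSAGE, tls_key)["server"])
    print("End to end, server sees:", send_end_to_end(SAMPLE_MESSAGE, tls_key, bob_key)["server"][:16], "...")
    blob = pack_vault(SAMPLE_VAULT, "master")
    print("Vault opens with master password:", unpack_vault(blob, "master") == SAMPLE_VAULT)
    print("Vault with wrong password:", unpack_vault(blob, "guess"))
```

The two send functions differ only in whether an inner layer is sealed to a key the server never holds; that single difference is what separates "harder to snoop on the wire" from "unreadable by the provider". The vault functions show the PassPack trade-off from the post: the server only ever stores salt plus ciphertext, and a lost master password leaves nothing the service could use to recover it.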

There are a few weaknesses to the PassPack system. For one, your passwords aren't visually safeguarded. So if you're using PassPack at work, anyone looking over your shoulder will be able to see what you're typing in. There's also no way to recover your PassPack password if you lose it.

PassPack is pleasingly simple to use and very responsive. Can you trust a tool like this with all your passwords? Normally I'd say no, but with the client-side encryption, even the best decrypters won't be able to figure out your Amazon log-in. See also Agatra and RoboForm, which several CNET editors swear by.

December 8, 2006 1:59 PM PST

Fill Web forms quickly with Sxipper

by Peter Butler
  • 20 comments
(Credit: Sxip Identity Corporation)

Like most webware fans, I love to play with the cool features at sites such as Splice, Jumpcut, and the like, but most of these Web 2.0 ventures require registration, which in turn requires filling out forms and tracking passwords and log-ins. It's not only Web-based applications and community sites. I often get most frustrated when buying airline tickets or holiday gifts through new online vendors. Typing out my entire address and credit card information is fine a few times, but I have lots of relatives, and the 23rd form gets to be a bit tiring.

In the past, software solutions have filled the gap admirably. One excellent product is Siber System's RoboForm, which provides a robust platform for managing your personal information, all encrypted via AES, BlowFish, or 3DES. While RoboForm is a great program, the amount of information and passwords you can manage is limited for those of us cheapskates not willing to shell out $30 for the full version. The open-source application KeePass is great for securely storing passwords, but it doesn't fill out forms automatically.

Now, a new Firefox extension called Sxipper (pronounced "skipper") aims to improve on that browser's password-management features with a free, secure system for automatically adding your personal information and passwords to Web sites. On installation, Sxipper scours your address book and Firefox preferences for passwords and information you've already saved. It then walks you through a wizard that explains the privacy policy and end-user license agreement, lets you select your personal icon, and asks you to enter basic personal information for your profile.

(Credit: CNET Networks)

After a brief, optional demo from the Sxipper site, you're off and running. If you land on a Web form that's in the Sxipper system, a prompt with your icon will ask if you want to "Sxip this." You'll then be provided with a Sxip dialog that lets you specify which of your personal information you want to add to the form. On a page with a log-in form, you can choose which account you'd like to use and then automatically log in. When you visit a form that isn't in the Sxipper database, you can add it to the program's "semantic map" for other users. That map will then be credited with your username. (Register for Splice with Sxip and you should see a "Sxipped by peterb" note at the top of the prompt.)

Though it's still in beta, one obvious problem with Sxipper arises when you've got a log-in page such as Digg's that forces you to complete a randomized CAPTCHA form. Unlike RoboForm, Sxipper currently has no option of adding your log-in and password to the form without automatically entering it, resulting in a CAPTCHA error. Another downside is you can't manually add maps to the system. The only way to add them is to set your Preferences to "Auto Prompt Map Creation," which will prompt you on every form that Sxipper doesn't recognize. The problem there is you might have HTML-based forms you use regularly for various purposes. You don't want to have to cancel the Sxipper prompt each time you visit those forms.

(Credit: CNET Networks)

Those are both easy issues to fix. Sxipper should add an option to its taskbar icon that lets you manually add a map, and a selection to its autoprompt mapping feature that says "No, and don't ask me about this form again." Aside from small bugs and necessary improvements, most of the Sxipper preferences, such as changing your map attribution and saving your personal data to a backup file, are nonfunctional. In fact, some of the options don't even fit within the preferences pop-up window. You can see what the Sxipper team is up to next with its release notes for the latest version.
