a summary

1. Assuming your security software is protecting you.  Most people don’t keep their security software updated, but expect that it will continue to do the same job as when they got it.
2. Accessing a financial account (or consumer website account) via a link embedded in your email.  With the number of fraudulently constructed emails out there (SPAM) that look legit, using an embedded link may result in identity thieves obtaining vital information about you.
3. Using a single password for all online accounts.  Duh.
4. Downloading free software.  Anything coming from a less reputable source than SnapFiles or Downloads.com (original authors suggestions, not mine) may contain spyware.  Get a spyware detecting software package and clean all of that out.
5. Thinking your MAC shields you from all risk.  I find it hilarious the author dedicated a single entry to MAC.
6. Clicking on a pop-up add that says your PC is insecure.  Pop up ads are rarely innocent, ads that prey on your lack of knowledge or emotional insecurity regarding your computer are never innocent.
7. Shopping online the same way you do in stores. Don’t use a debit card, don’t use the same credit card you use for all other purchases, etc. etc.

http://boren.nu/archives/2008/07/14/ssl-and-cookies-in-wordpress-26/

define(’AUTH_KEY’, ‘put your unique phrase here’);
define(’SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(’LOGGED_IN_KEY’, ‘put your unique phrase here’);

These three keys increase the security of your browser cookies, making wordpress more secure to normal users.  These keys are only useful if your are implementing a mixed HTTP/SSL environment.  If you are using HTTP only, the you should stick with

define(’SECRET_KEY’, ‘put your unique phrase here’);

Added in 2.5, used to increase security of your browser cookies in an all plain text website (HTTP only).

define(’FORCE_SSL_LOGIN’, true);

Force usage of SSL for login and admin pages.

define(’FORCE_SSL_ADMIN’, true);

Force usage of SSL for admin pages only, login still uses HTTP.

Since DNS cache poisoning attacks are far beyond my normal realm of responsibility, it’s hard for me to really talk about the topic.  I did make a post about it on my work blog a few days ago, but only because Microsoft released a patch for Windows DNS servers [MS08-037] and Nortel commented on it’s applicability to Nortel servers in a bulletin.

However, when you digg your news, you find all sorts of interesting things.  One thing I found last night was a link to a website talking about the DNS vulnerability found by Dan Kaminsky.  The main reason that I make this post now is because Dan did something really useful.  he made a little web tool and posted it on his blog which tests to see if your DNS server is vulnerable to the flaw he discovered.

The picture above came from the results of the website where I first found out about this tool.  My results are as follows:

(I included a bit more text above the Check My DNS button than the other poster did.)

If you want to know how secure your ISP’s DNS server is, go to Dan Kaminsky’s website (click the image at the top of the post) and try out his DNS Checker yourself.  If your ISP hasn’t patched yet (and some 40% or more DNS servers haven’t been according to one statistic I read) then the next time you visit your credit card company, or online bank statement, you just might be giving away your username/password to identity thieves.

Of course, if we were all using Perfect Paper Passwords with all of our online banking websites, such a vulnerability wouldn’t be a big issue.  You might type in 1-2 password combinations from your PPP crib sheet before realizing that something was amiss, but even so, the thieves wouldn’t have anywhere near enough information (or enough of your PPP password sheet) to hack your online identity.

Almost without exception, today’s Internet users prove their identity online using a fixed account name and password. In the past, this simple system provided sufficient security. But with the growing popularity of online banking and eCommerce, the value of stealing online identities has skyrocketed. And the increasing presence and “spyware” and “malware” on innocent users’ computers means that users can be “watched” while logging onto their banking and other eCommerce sites. Once their logon credentials have been “captured” and stolen, Internet criminals can easily assume their identity.

The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes everytime it is used. GRC’s Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security.

And…  this PPP implementation can even be done in PHP [direct link], although the authors page is broken at the moment.  An alternate author is Daniel Hodder, his page appears to be working at first blush.