Phishing attacks are on the rise, but do your organization's URL naming practices help protect customers or help the attackers?
March has been an incredibly slow month, and I'm not complaining. It's wonderful to have a rest from installing emergency patches and fighting increasingly virulent malware.
But of course, it does make writing this column—typically devoted to immediate threats—a bit more challenging. However, this unexpected lull gives me the chance to cover some important topics that I usually don't have the time for, such as proactive steps you can take to strengthen your organization's security.
Several recent high-profile security breaches have caused enough of a stir that many companies are reevaluating their potential liability and their security best practices. If your company isn't already discussing this, there's no better time than the present.
The big news focuses on ChoicePoint, a company that most people had never heard of until recently. The company wound up answering some rather tough questions at a recent congressional hearing. However, while the 145,000 stolen records have been a high-profile story, it hasn't been the only one. Other recent major problems include:
- Last week, hackers may have gained access to 59,000 personal records of staff, students, and even potential students that were on a supposedly secure server at Cal State Chico.
- Earlier this month, LexisNexis lost control of 32,000 personal records.
- Also in March, DSW (Designer Shoe Warehouse) announced that hackers had compromised credit card records at 103 of its 175 stores.
- In April 2004, someone accessed a University of California San Diego (UCSD) computer system that held data on nearly 400,000 people. UCSD posted details on its Web site.
- In December 2003, someone accessed 178,000 personal records on San Diego State University computers, leading to a number of identity theft cases.
Everyone knows that phishing attacks are on the rise, but virtually all the advice for combating them has been on the user side of the equation. Examples include warning users not to click links in e-mails and telling them to make sure the site's URL as listed in the browser is legitimate.
But what about the Web site owner's responsibility in all of this? Some sites prominently post an easy way for customers to notify the business of phishing attempts, but is that sufficient? Do certain poor practices actually contribute to phishing attacks either by making a site easier to fake or by making the URL so confusing that even regular visitors can't tell whether a Web site is legitimate?
Many companies register several different domain names to simplify the development and maintenance of their Web sites (the examples below are separate registered domains, not merely different top-level domains), but they often do this without giving much thought to how it affects customers. So what difference does it make if a URL is long, complex, or uses some internal company shorthand to make things simpler for the Webmaster? In fact, it can make a big difference. Let's look at an example.
Let's say the XYZZ Company uses www.xyzzcompany.com as its main Web site, but it uses www.xyzzcompany-purchase.com or www.secure-xyzzcompany.com as the address of its online store.
While this may seem simple enough, consider what happens to customers when they surf the site and the URL keeps changing, in what probably seems to be a random fashion. If this is the case, how can you expect customers to differentiate between a phishing site and a legitimate one by the URL?
Let's look at some best practices for naming URLs. To begin with, keep the registered domain the same if at all possible. In other words, make it easy for visitors to determine whether they're at a legitimate site by always showing the same domain (xyzzcompany.com in our example) in the address bar. So, for our example company, a better choice for the online store's URL would be www.xyzzcompany.com/secure or www.xyzzcompany.com/purchase. A subdomain such as secure.xyzzcompany.com also keeps the registered domain intact; what visitors can't be expected to verify is a separate hyphenated domain such as secure-xyzzcompany.com, which anyone can register.
A white paper from NGS Software Ltd. offers the following advice for companies with an international presence. Let's say our company also has a branch in the United Kingdom or maybe conducts a lot of business there. It seemingly makes sense to buy www.xyzzcompany.co.uk, if only to keep some competitor or prankster from grabbing it. However, once customers have seen the company use a second country-code domain, they have no way to tell a fake one, such as www.xyzzcompany.co.au, from the real thing.
To prevent this, the company could register every possible domain, which may or may not be feasible. Or, it could use automatic redirection so visitors entering www.xyzzcompany.co.uk would be sent to the main site (www.xyzzcompany.com) or to www.xyzzcompany.com/UK, and would see that address in the browser once they arrive.
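The two points above, "does this URL belong to us?" and "where should a country-code alias send the visitor?", reduce to a check on the registered domain rather than on the company name. The following is an added example, not code from the column or from NGS Software; the XYZZ Company domains, the alias table, and the /UK prefix are hypothetical, following the column's own example. The check must match on a label boundary so that look-alike domains (hyphenated variants, other country-code suffixes, or www.xyzzcompany.com.evil.example) fail, and it takes the host from a parsed URL so that user@host tricks are stripped too.

```python
"""Check whether a URL belongs to an organization's registered domain, and
compute the redirect target for a defensively registered country-code alias.

Added example, not part of the original column. The domain, alias table and
path prefix below are hypothetical, following the column's XYZZ Company example.
"""

from urllib.parse import urlsplit, urlunsplit

# Hypothetical: the one registered domain customers are taught to recognize.
REGISTERED_DOMAIN = "xyzzcompany.com"

# Hypothetical: country-code aliases the company registered defensively, mapped
# to the path prefix on the main site where their visitors should land.
COUNTRY_ALIASES = {
    "xyzzcompany.co.uk": "/UK",
    "www.xyzzcompany.co.uk": "/UK",
}


def _split(url):
    """urlsplit() only recognizes a host when a scheme is present, so supply one
    for bare 'www.example.com/path' input before parsing."""
    return urlsplit(url if "://" in url else "http://" + url)


def hostname_of(url):
    """Return the lowercase host of a URL; userinfo and port are dropped, so
    'http://www.xyzzcompany.com@evil.example/' yields 'evil.example'."""
    host = _split(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % url)
    return host.rstrip(".")


def is_company_domain(url, registered=REGISTERED_DOMAIN):
    """True only if the host is the registered domain or a subdomain of it.

    A substring match on the company name is not enough: the comparison is a
    suffix match anchored at a dot, so 'xyzzcompany-purchase.com',
    'xyzzcompany.co.au' and 'www.xyzzcompany.com.evil.example' all fail."""
    host = hostname_of(url)
    return host == registered or host.endswith("." + registered)


def redirect_target(url, registered=REGISTERED_DOMAIN, aliases=COUNTRY_ALIASES):
    """If the request arrived at a country-code alias, return the canonical URL
    to redirect to, so the address bar ends up showing the registered domain.
    Returns None when the host is not an alias and no redirect is needed."""
    parts = _split(url)
    prefix = aliases.get(hostname_of(url))
    if prefix is None:
        return None
    # Keep the visitor's path and query; only the host and country prefix change.
    new_path = prefix.rstrip("/") + (parts.path or "/")
    return urlunsplit(("https", "www." + registered, new_path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("https://www.xyzzcompany.com/secure",
                      "https://secure.xyzzcompany.com/cart",
                      "https://www.secure-xyzzcompany.com/",
                      "https://www.xyzzcompany.co.au/",
                      "https://www.xyzzcompany.com.evil.example/login"):
        print(is_company_domain(candidate), candidate)
    print(redirect_target("http://www.xyzzcompany.co.uk/catalog?item=42"))
```

The redirect is the part a Webmaster actually deploys: the alias hosts answer only with a redirect to the computed target, so the customer never browses under the .co.uk name and learns to trust exactly one domain.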
In addition to making it easier for visitors to determine the site's legitimacy, you can also take other steps to help harden your site. For example, we've all visited sites that generate long, complex URLs as you navigate your way through a session.
Many of these include session-specific data in the URL where anyone can see it, and where it also ends up in browser history, proxy and server logs, and the Referer header sent to any site your pages link to. Whoever reads it learns something about how your site security works, and a session identifier carried in the URL can simply be replayed. Organize your Web site to keep the displayed address as short as possible, carrying as little information as possible that could aid hackers; session state belongs in a cookie or on the server, not in the address bar.
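One practical check is to run your own access logs through a filter that flags requests whose URL carries a session or authentication token, and then to move those tokens into a cookie. The following is an added example, not from the column: the log lines are constructed in common log format, the parameter-name list is a typical set rather than a complete one, and the cookie attributes shown are the ones that keep the identifier off the wire in clear text and out of script.

```python
"""Find session identifiers that leak through URLs in Web-server access logs,
and build the Set-Cookie header that carries the identifier instead.

Added example, not part of the original column. The log lines are constructed;
the parameter names are a typical list, not a complete one.
"""

import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in common log format, as an Apache-style server writes it.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2005:10:12:01 -0500] "GET /store/cart.asp?item=42 HTTP/1.1" 200 2311 "-" "Mozilla/4.0"
10.0.0.5 - - [28/Mar/2005:10:12:09 -0500] "GET /store/checkout.asp?sessionid=7f3a9c1e5b2d4f608a1b HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.7 - - [28/Mar/2005:10:13:44 -0500] "GET /account/view.jsp;jsessionid=A1B2C3D4E5F6A7B8C9D0 HTTP/1.1" 200 1800 "-" "Mozilla/4.0"
10.0.0.9 - - [28/Mar/2005:10:15:02 -0500] "GET /help/faq.html HTTP/1.1" 200 900 "-" "Mozilla/4.0"
10.0.0.9 - - [28/Mar/2005:10:15:30 -0500] "GET /account/reset?token=0123456789abcdef0123456789abcdef HTTP/1.1" 200 700 "-" "Mozilla/4.0"
"""

# Parameter names that typically carry a session or authentication token.
SESSION_PARAMS = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid",
                  "aspsessionid", "token", "auth", "apikey"}

# The quoted request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A run of token-like characters long enough to be an identifier, not a word.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def leaked_tokens(log_text):
    """Return (request target, parameter name) pairs whose URL carries a
    session-like value, either in the query string or as a ';name=value'
    path parameter (the servlet JSESSIONID style)."""
    found = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        parts = urlsplit(target)
        candidates = list(parse_qsl(parts.query, keep_blank_values=True))
        # urlsplit leaves path parameters in .path: /view.jsp;jsessionid=...
        for segment in parts.path.split(";")[1:]:
            name, _, value = segment.partition("=")
            candidates.append((name, value))
        for name, value in candidates:
            if name.lower() in SESSION_PARAMS and TOKEN_RE.match(value):
                found.append((target, name))
    return found


def session_cookie_header(name, value, path="/"):
    """Build the Set-Cookie header that replaces a URL-borne session ID.
    Secure keeps it off plain HTTP and HttpOnly keeps it away from script;
    a cookie never shows up in the address bar, history or Referer headers."""
    attrs = [f"{name}={value}", f"Path={path}", "Secure", "HttpOnly"]
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    for target, name in leaked_tokens(SAMPLE_LOG):
        print(f"token in URL ({name}): {target}")
    print(session_cookie_header("sid", "7f3a9c1e5b2d4f608a1b"))
```

Run against a real log, the same filter also catches the "long, complex URLs" the column describes when their query strings carry names from the list; extend SESSION_PARAMS with whatever your own application calls its session and password-reset parameters.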
This applies to all businesses that have any sort of secure information on their Web site or require visitors to use passwords (or even cookies) to access various features. Of course, it applies a hundred times over to any company that has an online store or that provides confidential information to visitors.
If there is any possibility someone might want to try some phishing among your customers or even staff, then your organization must make it easier for visitors to know they've reached a legitimate site.
Also watch for …
- News.com reports that the U.S. Senate is making another attempt to draft and pass an anti-spyware bill. A previous attempt in 2004 passed the U.S. House of Representatives but died a quiet death in the Senate.
- ISS X-Force has discovered—and McAfee has confirmed—a security vulnerability in older versions of McAfee's virus scan engine. McAfee fixed the problem in release 4400 (December 2004).
- Along with other news outlets, washingtonpost.com is reporting a Symantec claim that Mac OS X systems are rapidly becoming a prime target for hackers. Although Mac fans often tout the system's security, security experts widely believe it's simply a matter of the Mac being such a small target compared to Windows. Symantec documented 37 critical Macintosh vulnerabilities in 2004, all confirmed by Apple. Others are disputing the claims, rightly pointing out that Symantec stands to gain if Macintosh users believe they need more protection. ZDNet Australia points out that the 37 patched Mac threats compare very favorably to the 17,500 Windows viruses and threats.
- Another part of the latest Symantec Internet Security Threat Report indicates that XP SP2 may have resulted in a dramatic reduction in the number of bot scanning incidents, which dropped from 30,000 per day to only 5,000 per day.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.