security: May 2008 Archives
The guys at XKCD have done it again!
I took delivery of some of their tshirts this morning, as well as my Top Gun tshirt
Earlier today both the Debian and Ubuntu maintainers announced a serious security issue in Debian's OpenSSL package; OpenSSH relies on OpenSSL for its random numbers, so SSH keys generated on affected systems are hit as well.
There is, of course, a post about it on SlashDot, but if you'd rather skip the crud (i.e. some of the rather inane comments) and are running a Debian (or derivative system such as Ubuntu) do a dist-upgrade as soon as you can.
If you're using SSH keys you'll need to generate fresh ones: keys generated on an affected system came out of a crippled random number generator, so they belong to a small, predictable set that an attacker can enumerate in advance and then match against any public key "in the wild". Replace the key pair on the host that generated it, and remove the old public key from authorized_keys on every host it was ever copied to.
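To make the "brute force" claim concrete, here is an added toy simulation (not the real OpenSSL code, not Debian's ssh-vulnkey tool, and not from the post) of what a random number generator whose only remaining input is the process id does to a key space. Real key generation is replaced by a hash so that the whole key space can be enumerated instantly; PID_MAX, weak_keygen, strong_keygen, the authorized_keys sample and its comments are all inventions of the example. The lookup it performs is the same idea that the openssh-blacklist package shipped precomputed for each key type and size:

```python
"""Toy model of why a PID-seeded key generator is enumerable (added example).
Key generation is a hash of the seed here; in the real bug it was a real
algorithm, but with the same tiny number of possible seeds."""
import base64
import hashlib
import os

PID_MAX = 32768  # assumption: Linux default pid range, the only "random" input left


def weak_keygen(pid, key_type="ssh-rsa", bits=2048):
    """Stand-in for key generation whose only entropy is the PID (deterministic by construction)."""
    seed = "{}-{}-{}".format(key_type, bits, pid).encode()
    return hashlib.sha256(seed).digest()


def strong_keygen(entropy):
    """Stand-in for key generation from a properly seeded generator."""
    return hashlib.sha256(b"strong-" + entropy).digest()


def fingerprint(public_key):
    """MD5 hex fingerprint, as OpenSSH printed them at the time."""
    return hashlib.md5(public_key).hexdigest()


def build_blacklist(key_type="ssh-rsa", bits=2048):
    """Precompute every possible key once: fingerprint -> PID that produced it."""
    return {fingerprint(weak_keygen(pid, key_type, bits)): pid
            for pid in range(1, PID_MAX)}


def recover_seed(public_key, blacklist):
    """Once the blacklist exists, 'brute force' is a dictionary lookup."""
    return blacklist.get(fingerprint(public_key))


def audit_authorized_keys(lines, blacklist):
    """Return (comment, pid) for every key in authorized_keys-style lines that is in the blacklist."""
    weak = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        blob = fields[1]
        comment = fields[2] if len(fields) > 2 else ""
        try:
            public_key = base64.b64decode(blob, validate=True)
        except ValueError:
            continue  # not a key blob we can parse; skip rather than crash
        pid = recover_seed(public_key, blacklist)
        if pid is not None:
            weak.append((comment, pid))
    return weak


def sample_authorized_keys():
    """Constructed sample file: two keys from a broken box, one from a good one."""
    def line(key, comment):
        return "ssh-rsa " + base64.b64encode(key).decode() + " " + comment
    return [
        "# constructed sample, not a real authorized_keys file",
        line(weak_keygen(4242), "alice@debian-box"),
        line(strong_keygen(bytes(32)), "bob@good-box"),  # fixed 'entropy' so the sample is reproducible
        line(weak_keygen(31337), "ci@build-host"),
    ]


if __name__ == "__main__":
    blacklist = build_blacklist()
    print("possible keys:", len(blacklist))
    print("weak keys found:", audit_authorized_keys(sample_authorized_keys(), blacklist))
    print("fresh key known?", recover_seed(strong_keygen(os.urandom(32)), blacklist))
```

Building the table takes a fraction of a second here; for the real keys it took the attackers hours per key type and size, once, after which every affected key anywhere was as good as public. That is also why rotating the key is not enough on its own: the audit has to run on every authorized_keys file the old public key was ever added to.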
Either there's an upsurge in Amazon phishing emails or the phishers only got my email address recently.
I've had about half a dozen phishing emails today purporting to be from Amazon regarding my "seller" account.
To start with I don't have a seller account.
The other giveaway sign is that although the links are similar to Amazon domains, they aren't Amazon domains.
They all seem to be subdomains of by.ru, which appears to be some sort of free hosting solution based in Russia (I don't speak Russian, so I'm only making an educated guess).
Unfortunately, while Amazon do have a facility for reporting phishing emails it is clearly not aimed at the "casual" end user or anyone who is short of time. It consists of a rather convoluted series of web forms instead of a simple email address.
While the likes of PayPal, eBay and most of the major financial institutions make it relatively easy for even a novice to report phishing emails, Amazon dare to be different.
While they may be getting the reports in from honeypots etc., surely it would make more sense to facilitate end user reports?
Am I missing something?
UPDATE: Over 24 hours later I got a reply from Amazon with the email address to use for reporting phishing emails.
In case anyone else needs it the email address is: stop-spoofing@amazon.com
If you forward phishing emails to that address as an attachment they get sent to their security team.
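Two practical points in this post deserve working code: checking where a link really goes (a hostname that merely contains "amazon" is not an Amazon domain) and forwarding the mail as an attachment so the headers survive. The following is an added example using only Python's standard library, not anything from the post or from Amazon; the sample mail, the by.ru hostname in it, TRUSTED_DOMAINS and the function names are all constructed for the example.

```python
"""Added example: find the real hosts behind a 'from Amazon' mail's links and
package the mail as a message/rfc822 attachment for reporting."""
import email
import re
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlsplit

# Domains treated as genuinely Amazon's for this check (assumption: extend as needed).
TRUSTED_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de"}

# Constructed sample mail; the by.ru hostname is made up for the example.
SAMPLE_PHISH = """\
From: "Amazon Seller Services" <seller-support@amazon.com>
To: victim@example.org
Subject: Your Amazon seller account has been limited
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://amazon.com.seller-verify.by.ru/login">sign in</a>
to restore your seller account, or read
<a href="https://www.amazon.co.uk/gp/help/customer/display.html">our help pages</a>.</p>
</body></html>
"""

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')


def extract_links(raw_message):
    """Collect link targets from every text part of the message."""
    msg = email.message_from_string(raw_message, policy=default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            links.extend(HREF_RE.findall(part.get_content()))
        elif ctype == "text/plain":
            links.extend(BARE_URL_RE.findall(part.get_content()))
    return links


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a subdomain of one.
    A substring test is fooled by amazon.com.seller-verify.by.ru, so the
    comparison is on the suffix, dot included."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_hosts(raw_message):
    """Hostnames linked from the mail that are not under a trusted domain."""
    found = []
    for url in extract_links(raw_message):
        host = urlsplit(url).hostname or ""
        if not is_trusted_host(host) and host not in found:
            found.append(host)
    return found


def forward_as_attachment(raw_message, to_addr="stop-spoofing@amazon.com",
                          from_addr="victim@example.org"):
    """Wrap the original mail, headers included, as a message/rfc822 attachment.
    Forwarding inline loses the Received: headers a security team needs."""
    original = email.message_from_string(raw_message, policy=default)
    report = EmailMessage()
    report["From"] = from_addr
    report["To"] = to_addr
    report["Subject"] = "Phishing report: " + (original["Subject"] or "(no subject)")
    report.set_content("The attached message impersonates Amazon. Suspicious hosts: "
                       + ", ".join(suspicious_hosts(raw_message)))
    report.add_attachment(original)  # a Message object is attached as message/rfc822
    return report


if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_PHISH))
    print(forward_as_attachment(SAMPLE_PHISH).as_string())
```

The report object can be handed to smtplib's send_message as is. The domain check deliberately lists the exact domains it trusts rather than trying to guess public suffixes; anything not under one of them is reported, which is the right default for a mail claiming to be from a single company.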
The Irish media must have been really bored this morning or just looking for a big headline. I guess it's all an anticlimax now that Bertie Ahern is gone and the new cabinet is in place.
According to RTE there was a "security breach", while Morning Ireland used the term "hacker".
What were they talking about?
Was a major ecommerce site hacked?
Did private and confidential information leak into the public domain?
No. All that happened is that Damien Mulley worked out where a file was on the Data Privacy Commissioner's site before they announced it to the public.
Hardly newsworthy and hardly a "security breach".
The report itself is a totally different matter, however.

