Thursday, January 15, 2009

Brit porn filter censors 13 years of net history

Four weeks after birthing a nationwide Wikipedia edit ban (http://www.theregister.co.uk/2008/12/10/iwf_reverses_wikiban/), Britain's child porn blacklist has led at least one ISP to muzzle the Internet Archive's Wayback Machine (http://www.archive.org/web/web.php) - an 85 billion page web history dating back to 1996.

According to multiple customers of Demon Internet (http://www.demon.net/) - now owned by Brit telecom Thus - the London-based ISP is blocking access to all sites stored in the archive. When they query the Wayback Machine, hoping to retrieve archived pages, customers are met with generic "not found" error pages. But judging from their URLs, these pages are generated by a web filter based on the blacklist compiled by the Internet Watch Foundation, a government-backed organization charged with policing online pornography.

One Demon customer tells us he was unable to visit archived versions of websites run by the BBC, Parliament, the United Nations, the Internet Watch Foundation, Demon Internet, and Thus. In other words, this customer points out, Thus is blocking its own web history. "It is nuts," he says.

His experience is confirmed by other Demon customers posting to a Demon newsgroup here (http://groups.google.com/group/demon.service/browse_thread/thread/9bb61f29e25567b7#).

We have contacted both Thus and the Internet Watch Foundation, but they did not receive our messages until after UK business hours. When they respond, we will update this story.

It is unclear why Demon's IWF filter would block the entire archive. Presumably, the archive is housing images flagged by the IWF, and in an effort to censor these images, Demon has censored everything. But it appears the problem does not extend to all ISPs. One Demon customer says he has no problem accessing the Wayback Machine from his Vodafone mobile internet service.

Another user calls the archive blockage "yet more 'unintended collateral damage' from the IWF. Didn't they actually learn anything from their Wikipedia disaster just before Christmas?"


Banking details can be stolen through a new JavaScript exploit

posted by usb at 22:22:02 14.01.2009

Phishers are reported to be able to exploit a vulnerability in the JavaScript engines of current browsers, including Internet Explorer, Firefox, Safari and Chrome. Trusteer is a security services provider specialising in online banking, whose chief technician is the well-known security specialist Amit Klein. Trusteer reports that a crafted web site can exploit a certain JavaScript function to identify the bank page a user is currently logged into.

If a user is connected to his bank's online banking service in one window, and leaves it open while visiting other sites, a crafted site can identify his bank, then activate a pop-up window imitating the bank's logo and appearance and ask for the login to be repeated. An inattentive user who re-inputs the data falls right into the phisher's trap.

Trusteer's report (PDF) doesn't name the JavaScript function concerned, but says the function doesn't surrender the information about open sites. Instead, the crafted site goes through a list of bank sites, asking each time whether the user is logged in to that particular bank, the response being a straight "yes" or "no". In order to make a phishing attack, a crafted web site merely needs to hold a long list of known banks and financial institutions.

One way to guard against what Trusteer calls "in-session" attacks is to have only the online banking site open in the browser and then to log off and close that window, before surfing elsewhere. Trusteer doesn't say whether it has reported the problem to the browser makers.
