08.10.05


Spear-Phishing - New Angles On An Old Game

By Trevor Bauknight

It usually doesn't take long for emerging trends in business IT security to reach the point at which a new name for a given phenomenon is required to set it apart.

A relatively recent variation on the familiar e-mail phishing scams that targets small cells within a particular enterprise rather than millions of random people has reached that point. Last week, BusinessWeek reported on the growing phenomenon of "spear-phishing" and, while they charge for that information, we don't think you should have to pay to keep your sensitive information private.

A New Scam?

...Not really. If you know how phishing works, you already know how spear-phishing works. The difference lies only, as you might have guessed, in the skill of the scammer and the narrower focus of the target. "Regular" phishing relies on casting a wide net, knowing that, out of the millions of people who receive the e-mails, a few will invariably respond. Spear-phishing relies more on the ability of the scammer to win the trust of a small group of people for at least long enough to grab all the sensitive information she can.

Different groups may be targeted, but the scheme seems to be most effective at targeting small groups within some large business enterprise network, and so this form of phishing has some characteristics that set it apart. Spear-phishing e-mail can be more difficult to catch because Subject and From headers are going to carry familiar text and because its circulation doesn't attract the attention of large clearinghouses of known scam information. Target e-mail addresses may be gathered from corporate directories, web sites and telephone conversations rather than from spammers dealing in huge lists of working addresses.

The e-mails themselves may appear to be actual corporate documents but often carry trojan-horse keystroke-logging programs or links to fake websites set up to look like the real thing. The scammers could well be disgruntled former employees, vendors or others who have had access to the physical premises. And while some are using such techniques to target non-corporate groups like participants in eBay auctions, the goal of most spear-phishing scams is to collect sensitive commercial data.

Central to the success of a spear-phishing scheme is the artful use of what has come to be called "social engineering". Kevin Mitnick, notorious hacker turned security consultant (http://www.mitnicksecurity.com), made the term famous with his seminal book on the subject, _The Art of Deception: Controlling the Human Element of Security_. Briefly, social engineering is the art of winning the trust of a mark through familiarity, charm, feigned exasperation, the use of proper jargon and so on. Once convinced that the scammer is who he is pretending to be, the mark will reveal some useful bit of information that can then be exploited.

The textbook example of spear-phishing goes like this: A group or an individual obtains, through social engineering or physical or electronic access, some corporate document that can be used to convince even knowledgeable insiders to enter usernames and passwords at a faked extranet site or to open an attachment that contains a keylogging trojan-horse program.

The e-mail goes to a small group within the corporate network and a much higher percentage of recipients respond because the source appears to be legitimate internal corporate communication. Armed with a few working logins, the spear-phisher accesses corporate intellectual property, personnel files or other sensitive data, which can fetch a high price on the black market.




Avoiding the Spear

It's probably true that no institution or enterprise is secured against all the possible variations on the phishing scheme, but there are several steps you and your business can take to guard against becoming a victim.

Business data security starts at the top and should permeate all levels of your IT structure. Establish policies of information exchange that prevent a spear-phisher from obtaining key bits of data, such as internal documents, to which she is not entitled, and don't veer from those policies under any circumstances. Eliminate unnecessary traces of former employees and turn off their electronic and physical access to your business properties. Above all, don't attempt to communicate with employees the same way the spear-phishers will try, such as through e-mail bearing links to internal websites or attached documents.

The most effective thing you can do to prevent your business from turning into a shallow pond is to keep informed and pay attention to things like abnormally slow computers, strange entries in e-mail logs (especially source-IP addresses that don't match those on your internal networks) and unusual patterns of website traffic.
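The e-mail-log check described above, sketched as an added example (not code from the article): it flags mail whose From header claims the internal domain while the connecting IP recorded by your own mail server lies outside your networks. The domain `example.com`, the address ranges and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's mail domain and address ranges.
INTERNAL_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Connecting-client IP as most MTAs record it: "from host (rdns [203.0.113.7])"
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def source_ip(msg):
    """IP in the topmost Received header, the one our own server added.
    Headers below it are supplied by the sender and can be forged."""
    received = msg.get_all("Received", [])
    m = RECEIVED_IP.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:
        return None

def is_suspicious(raw):
    """True when mail claims an internal sender but arrived from outside."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
        return False  # does not claim to be internal; out of scope here
    ip = source_ip(msg)
    # No usable source IP on "internal" mail is itself worth a look.
    return ip is None or not any(ip in net for net in INTERNAL_NETS)

# Constructed sample messages (documentation address ranges, not real traffic).
INTERNAL_MAIL = """Received: from ws12.example.com (ws12.example.com [10.1.4.12])
\tby mail.example.com with ESMTP; Wed, 10 Aug 2005 09:14:02 -0400
From: "HR Department" <hr@example.com>
Subject: Updated benefits form

See attached.
"""
SPOOFED_MAIL = """Received: from mail.example.com (unknown [203.0.113.7])
\tby mail.example.com with ESMTP; Wed, 10 Aug 2005 09:20:31 -0400
Received: from ws12.example.com (ws12.example.com [10.1.4.12])
\tby relay.invalid with ESMTP; Wed, 10 Aug 2005 09:20:30 -0400
From: "HR Department" <hr@example.com>
Subject: Updated benefits form

Log in to the extranet to confirm.
"""
if __name__ == "__main__":
    print(is_suspicious(INTERNAL_MAIL), is_suspicious(SPOOFED_MAIL))
```

Only the topmost Received header is evaluated because it is written by the receiving server; in a deployment with an upstream gateway, the header added by that gateway is the one to inspect.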

Several groups have set up shop on the Web to provide you with as much up-to-date information as possible. We recommend, especially, the website of the Anti-Phishing Working Group (http://www.antiphishing.org) and the Trusted Electronic Communications Forum (http://www.tecf.org/). Here at Cafe ID (http://www.cafeid.com), we maintain a one-stop shop of up-to-date resources and information on every aspect of Internet security and identity protection.

If you think you've already been a victim of some form of phishing attack, a great place to start undoing the damage is at the Internet Fraud Complaint Center (http://www.ifccfbi.gov/index.asp). Local law enforcement is another excellent place to turn. If your customers' or employees' personal information is compromised, by all means notify them immediately of the potential trouble so that they can take the steps necessary to keep themselves safe from exploitation.

As businesses become more and more dependent upon the Internet and its protocols for both public and internal communications, it becomes more and more important to keep an eye on emerging trends like spear-phishing. But the best thing to keep in mind is that these sorts of problems aren't new and they rely on some of the oldest forms of deception known to man. Social engineering is as old as bureaucracy, and there's little reason to suggest that we're getting any better at dealing with it.

About the Author:
Trevor Bauknight is a web designer and writer with over 15 years of experience on the Internet. He specializes in the creation and maintenance of business and personal identity online and can be reached at trevor@tryid.com. Stop by http://www.cafeid.com for a free tryout of the revolutionary SiteBuildingSystem and check out our Flash-based website and IMAP e-mail hosting solutions, complete with live support.

About ITManagementNews
ITManagementNews answers questions for IT managers. Our experts offer real-world advice and cutting-edge technology for the enterprise. ITManagementNews is focused on Delivering IT Solutions.



-- ITManagementNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2005 iEntry, Inc. All Rights Reserved