Sophos
Wednesday 21st November, 2007 16:12 Comments: 1
I'm starting to find their articles quite annoying. Their most recent article is this one: Sophos advises online shoppers to use caution this holiday season. Because it's okay to throw caution to the wind the rest of the time? Even worse, check out the final bits of advice:
Sophos offers the following online shopping security recommendations:
Precautions for consumers
- Read website privacy policies and procedures to ensure appropriate measures are in place
- Only buy from reputed sites
- Do not follow links from unsolicited email
- Never enter sensitive information from an internet cafe or machine that you do not know to have a fully up-to-date security policy
- Ensure you have a firewall, patches and anti-virus up to date and running
- Protect your password
- Use HTML encryption technology
- Enlist a firewall
- Limit access to your server to only those who absolutely need it
- Check your system and weblogs for suspicious activity regularly, especially when traffic is high
And then it gets worse. What the f**K is HTML encryption? I think they've confused it with a secure HTTP server (where the URLs begin with https://), which adds an encryption/authentication layer between HTTP and TCP. And just because a site shows a padlock in the corner or in the address bar, consumers can't assume it's a legitimate site, and it's possible (although unlikely) that the site is using weaker protocols/ciphers, such as SSLv2 and/or 56-bit ciphers. A firewall is a good idea, again assuming it's configured properly. The "limit access to your server" advice is a bit silly if you're running a web server that's meant to be accessible to consumers across the world, and trying to geolocate users by their IP address to restrict access, for example, to UK shoppers is a bit messy. Checking server logs would be a good idea, but an automated solution might be more useful: you don't want to be reading your logs on Monday morning to discover you were hacked the previous Tuesday, or over the weekend, when attackers think there's less chance their activity will be quickly blocked.
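As an added example of the sort of automated check argued for above (it is not code from Sophos or from this post), the following Python script parses Combined Log Format web-server lines and flags any client that racks up a burst of 4xx responses in a short window, the trace a path-guessing scan leaves behind; the log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format as written by Apache/nginx by default; regex is this example's own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_probing_clients(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag client IPs with `threshold` or more 4xx responses inside any span
    of length `window`. Returns {ip: timestamp at which the burst began}."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 4xx hits
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # skip malformed lines rather than crash
        ip, ts, _path, status = parsed
        if not 400 <= status < 500:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()               # drop hits that fell out of the window
        if len(hits) >= threshold and ip not in alerts:
            alerts[ip] = hits[0]
    return alerts

# Constructed sample: a normal shopper, a scanner walking guessed paths at
# 02:11 on a Saturday night, and a client with a few scattered stale links.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Nov/2007:02:10:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Nov/2007:02:10:30 +0000] "GET /basket HTTP/1.1" 200 2048',
    '192.0.2.33 - - [24/Nov/2007:02:12:00 +0000] "GET /old.html HTTP/1.1" 404 312',
] + [
    f'198.51.100.9 - - [24/Nov/2007:02:11:{s:02d} +0000] "GET /{p}/ HTTP/1.1" 404 312'
    for s, p in [(5, "admin"), (9, "phpmyadmin"), (14, "backup"),
                 (20, "cgi-bin"), (27, "manager"), (33, "wp-admin")]
] + [
    '192.0.2.33 - - [24/Nov/2007:05:40:00 +0000] "GET /gone.html HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for ip, started in find_probing_clients(SAMPLE_LOG).items():
        print(f"ALERT {ip}: burst of 4xx responses starting {started:%d/%b/%Y %H:%M:%S}")
```

Wiring a job like this into cron (or the equivalent) turns the "check your logs regularly" advice into something that runs on Saturday night rather than waiting for Monday.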
Fab - Thursday 22nd November, 2007 11:47
This sounds like advice for Joe Bloggs. Which means they have to dumb it down as much as possible and even then it is still too complex for them. You try telling the stuff above to my parents and getting them to understand what the hell you are on about!
As for the timing, well it is the run-up to Christmas innit? People will go shopping mad and there is so much spam floating about as everyone uses email as a cheap form of advertising. And the email critique, you overlooked the phrase 'unsolicited'. If I have not signed to receive offers from that company, I would be very wary of accepting any unique £5 offers. It is just too open to abuse and consumers don't always realise that.
Not the best advice, but possibly the best they can get everyone to understand.