Wednesday 21st November, 2007 16:12
I'm starting to find their articles quite annoying. Their most recent article is this one: Sophos advises online shoppers to use caution this holiday season. Because it's okay to throw caution to the wind the rest of the time? Even worse, check out the final bits of advice:

Sophos offers the following online shopping security recommendations:

Precautions for consumers
  • Read website privacy policies and procedures to ensure appropriate measures are in place
  • Only buy from reputed sites
  • Do not follow links from unsolicited email
  • Never enter sensitive information from an internet cafe or machine that you do not know to have a fully up-to-date security policy
  • Ensure you have a firewall, patches and anti-virus up to date and running
  • Protect your password
Precautions for online shopping sites
  • Use HTML encryption technology
  • Enlist a firewall
  • Limit access to your server to only those who absolutely need it
  • Check your system and weblogs for suspicious activity regularly, especially when traffic is high
Where to start? Policies mean nothing unless the website sticks to them. Anyone can say they won't sell off your details and then sell or abuse them anyway - cybercriminals are hardly likely to tell the truth. I think they mean only buy from reputable sites (ones with a good reputation, which is still a bit too generic for my liking), as reputed means "commonly put forth or accepted as true on inconclusive grounds" (e.g. a fake website that looks legitimate?). It's probably a good idea not to follow links from emails, but what if you signed up to the mailing list and received a unique link that gives you a £5 discount on your purchase? I'll skip the AV issue, but a well-configured firewall and up-to-date software is good advice - as is running as a standard or low-privilege user. A large number of problems are caused by users that run as Administrator. And perhaps it'd be more useful if they told you how to protect your password.

And then it gets worse. What the f**K is HTML encryption? I think they've confused it with a secure HTTP server (where the URLs begin with https://) that uses an additional encryption/authentication layer between HTTP and TCP. And just because a site has a padlock in the corner or in the address bar, it doesn't mean that consumers can assume it's a legitimate site, and it's possible (although unlikely) that the site is using weaker protocols/ciphers, such as SSLv2 and/or 56-bit ciphers. A firewall is a good idea, again assuming it's configured properly. The "limit access to your server" advice is a bit silly if you're running a web server that's meant to be accessible to consumers across the world, and trying to geolocate users by their IP address to restrict access, for example, to UK shoppers is a bit messy. Checking server logs would be a good idea, but an automated solution might be more useful: you don't want to be taking your first look at the logs on Monday morning if you were hacked the previous Tuesday, or over the weekend, when attackers think there's less chance their activity will be quickly blocked.
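On the "weaker protocols/ciphers" point above: what a client actually negotiates is visible in the session parameters, and a client can refuse to negotiate the legacy ones at all. The following is an added example (not code from the original post or from Sophos) that uses Python's standard `ssl` module to build a client context that refuses anything below TLS 1.2 and to grade a negotiated session from the `(cipher_name, protocol, secret_bits)` tuple that `ssl.SSLSocket.cipher()` returns. The function and threshold names, and the sample tuples, are this example's own assumptions; TLS 1.0/1.1 are treated as legacy alongside SSLv2/SSLv3 because they are deprecated today, which goes beyond the two items the post names.

```python
import socket
import ssl

# Protocol versions a modern client should not accept (assumption: the post
# names SSLv2; SSLv3, TLS 1.0 and TLS 1.1 are added as deprecated today).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Minimum symmetric key strength; the post's "56-bit ciphers" fall well below it.
MIN_SECRET_BITS = 128


def assess_session(cipher_info):
    """Grade a negotiated session.

    cipher_info is the (name, protocol, secret_bits) tuple returned by
    ssl.SSLSocket.cipher(). Returns a list of human-readable problems; an
    empty list means the session meets the policy above.
    """
    name, protocol, bits = cipher_info
    problems = []
    if protocol in LEGACY_PROTOCOLS:
        problems.append(f"negotiated legacy protocol {protocol}")
    if bits is None or bits < MIN_SECRET_BITS:
        problems.append(f"cipher {name} provides only {bits} secret bits")
    return problems


def make_client_context():
    """Client context that will not negotiate below TLS 1.2.

    create_default_context() already enables certificate verification and
    hostname checking; that proves the server holds a certificate for the
    name in the URL, which is the padlock's actual meaning. It says nothing
    about whether the business behind that name is legitimate, as the post
    notes.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_server(host, port=443, timeout=5.0):
    """Connect to a host (network access required) and grade what it negotiated.

    Not exercised offline; shown for completeness of the workflow.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.cipher()
            return info, assess_session(info)


if __name__ == "__main__":
    # Constructed sample sessions, not captured from any real server.
    weak = ("DES-CBC-SHA", "SSLv3", 56)
    strong = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
    for session in (weak, strong):
        print(session, "->", assess_session(session) or "ok")
```

Because the context refuses to negotiate legacy versions, `check_server` fails the handshake outright against a server that offers nothing better, so the grading function mainly matters when reviewing sessions captured elsewhere (for example, session parameters recorded by a proxy or monitoring tool).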
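On the point that an automated check of the web server logs beats reading them by hand on Monday morning: the following is an added example (not code from the original post) of the kind of script a shop could run over its access log on a schedule. It parses lines in the common Apache/nginx "combined" format and flags a client address on two simple signals: a high proportion of 4xx/5xx responses, which is what probing for pages that don't exist looks like from the server side, and a burst of requests inside a short window. The log lines are constructed for the example, and the thresholds (`min_requests`, `error_ratio`, `burst_window`, `burst_count`) are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log in Apache/nginx "combined" format; these are
# documentation addresses (RFC 5737), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2007:03:12:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2007:03:12:30 +0000] "GET /shop/admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2007:03:13:05 +0000] "GET /shop/test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2007:03:13:40 +0000] "GET /shop/backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2007:03:14:10 +0000] "GET /shop/cart.php?id=' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.20 - - [25/Nov/2007:03:20:00 +0000] "GET /shop/item/1 HTTP/1.1" 200 4000 "-" "curl/7.16"
198.51.100.20 - - [25/Nov/2007:03:20:03 +0000] "GET /shop/item/2 HTTP/1.1" 200 4000 "-" "curl/7.16"
198.51.100.20 - - [25/Nov/2007:03:20:06 +0000] "GET /shop/item/3 HTTP/1.1" 200 4000 "-" "curl/7.16"
198.51.100.20 - - [25/Nov/2007:03:20:09 +0000] "GET /shop/item/4 HTTP/1.1" 200 4000 "-" "curl/7.16"
198.51.100.20 - - [25/Nov/2007:03:20:12 +0000] "GET /shop/item/5 HTTP/1.1" 200 4000 "-" "curl/7.16"
198.51.100.20 - - [25/Nov/2007:03:20:18 +0000] "GET /shop/item/6 HTTP/1.1" 200 4000 "-" "curl/7.16"
192.0.2.5 - - [25/Nov/2007:03:25:00 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - - [25/Nov/2007:03:26:30 +0000] "POST /shop/checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""

# Fields of the combined format that the analysis needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse(lines, min_requests=5, error_ratio=0.5, burst_window=30, burst_count=6):
    """Map each suspicious client address to the reasons it was flagged.

    Thresholds are assumptions for the example and should be tuned to the
    site's normal traffic before being relied on.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        # Signal 1: mostly error responses, i.e. requests for things that are not there.
        errors = sum(1 for r in recs if r["status"] >= 400)
        if len(recs) >= min_requests and errors / len(recs) >= error_ratio:
            reasons.append(f"{errors}/{len(recs)} requests returned 4xx/5xx")

        # Signal 2: a sliding window over timestamps to catch request bursts.
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > burst_window:
                start += 1
            if end - start + 1 >= burst_count:
                reasons.append(f"{end - start + 1} requests within {burst_window}s")
                break

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

Run from cron against the previous hour's log and mailed to an on-call address, this gives the Tuesday-night notice the post is asking for; the same two signals are also the ones a hosted log platform or intrusion detection system would compute, just with better tuning than fixed thresholds.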
Fab - Thursday 22nd November, 2007 11:47
This sounds like advice for Joe Bloggs. Which means they have to dumb it down as much as possible and even then it is still too complex for them. You try telling the stuff above to my parents and getting them to understand what the hell you are on about!

As for the timing, well it is the run-up to Christmas innit? People will go shopping mad and there is so much spam floating about as everyone uses email as a cheap form of advertising. And the email critique, you overlooked the phrase 'unsolicited'. If I have not signed up to receive offers from that company, I would be very wary of accepting any unique £5 offers. It is just too open to abuse and consumers don't always realise that.

Not the best advice, but possibly the best they can get everyone to understand.
© Robert Nicholls 2002-2020
The views and opinions expressed on this site do not represent the views of my employer.