2. Browser settings that prevent phishing. (1) Hardening Firefox.
Firefox is the best browser on Linux, but Firefox, of course, has security problems of its own. On 30 July the Danish security firm Secunia disclosed vulnerabilities in the Mozilla and Mozilla Firefox browsers. A malicious site exploiting them could spoof the browser's user interface: the address bar, the toolbars, dialog boxes and the SSL indicators. Not only could the address bar and toolbars be faked and SSL encryption falsely indicated, but even the digital certificate displayed when the user clicks the padlock icon could be counterfeited. Secunia's advice was "do not follow links to untrusted websites" and "do not enter personal information"; remember that what the eye sees is not necessarily real. Upgrading to the latest version removes these particular risks, and disabling JavaScript also defeats this kind of spoofing.

Phishers also use clever JavaScript to confuse users at the point where they enter data. A phishing site imitates a bank's pages closely enough to feel credible; this is really a form of social engineering. When the user enters account details the phisher can sit back and chuckle, because the page is scripted so that the victim believes their data is simply being "updated". To disable JavaScript per site, download and install the NoScript extension, developed by Giorgio Maone. When a page you browse in Firefox uses JavaScript, NoScript displays a warning bar at the bottom of the page; clicking the bar lets you allow scripts for that site either temporarily or permanently, or keep them and other scripts disabled. NoScript can also block Flash animations and other Firefox plugins. NoScript is free software; the official website is http://www.noscript.net and the download link is http://releases.mozilla.org/pub/mozilla.org/extensions/noscript/noscript-1.1.3.4-fx+fl+mz.xpi. The NoScript configuration interface is shown in Figure 6.
Figure 6 NoScript configuration interface.

(2) Installing the Netcraft Toolbar. In 2004 the Internet services firm Netcraft released a security toolbar extension for Firefox that helps users resist phishing. The Netcraft Toolbar blocks phishing sites reported by other users; since Netcraft published it the previous December, the number of phishing sites it has identified and blocked has passed 7,000. Besides blocking phishing sites, the Netcraft Toolbar includes other features that make users more attentive to safety while online: it gives each website a risk "score" and shows the site's traffic rank and hosting country. It also "traps" suspicious websites by forcing the browser's navigation buttons to be displayed, defeating pop-up windows that try to hide those buttons. The Netcraft Toolbar supports every operating system Firefox runs on (Linux, BSD, Windows, Mac), and users can download it free from Netcraft's website. Official website: http://toolbar.netcraft.com; download link: http://freebsd.ntu.edu.tw/mozilla/extensions/netcrafttoolbar/netcrafttoolbar-1.1.1.1-fx.xpi. The installation file is netcrafttoolbar-1.1.1.1.xpi. In the browser menu choose File > Open File and select the XPI extension file you want to install. The browser then asks whether you want to install this extension; click "Yes". This prompt is a security measure: by default Firefox will not install an extension from an arbitrary website. Note also that a newly installed extension takes effect only after you restart the browser (close all browser windows, including extension and theme windows). The Netcraft Toolbar's working interface is shown in Figure 7.

Figure 7 Netcraft Toolbar working interface.
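As an added illustration of the kind of risk scoring a toolbar like Netcraft's performs (this is example code written for this page, not Netcraft's algorithm or any code from the original article), the following Python function applies a handful of URL heuristics that catch the spoofing tricks discussed above: plain http instead of https, the user@host trick that hides the real host, a raw IP address as host, internationalised (punycode) host labels that can imitate a brand, and a protected brand name appearing somewhere other than the registered domain. The brand list is a constructed assumption; a real toolbar would consult its database of reported sites.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed for this example: brand names the check "protects".
PROTECTED_BRANDS = ("paypal", "ebay", "citibank")


def url_risk(url: str) -> list:
    """Return the list of reasons `url` looks like a phishing lure.

    An empty list means none of the heuristics fired; it does NOT prove the
    site is genuine, only that the cheap tricks are absent.
    """
    reasons = []
    parts = urlsplit(url)

    # 1. No SSL: the article notes most phishing sites lack the https prefix.
    if parts.scheme != "https":
        reasons.append("not https")

    # 2. http://www.bank.com@203.0.113.5/ -- the text before '@' is userinfo,
    #    the browser really connects to the host after it.
    if "@" in parts.netloc:
        reasons.append("userinfo '@' hides the real host")

    host = (parts.hostname or "").lower()

    # 3. A bare IP address instead of a domain name.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass

    # 4. Punycode labels (xn--...) can render as look-alike characters.
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("internationalised (punycode) host label")

    # 5. Brand name used as a subdomain or path rather than as the registered
    #    domain, e.g. paypal.com.secure-login.example or /paypal/login.
    registered = ".".join(labels[-2:]) if len(labels) >= 2 else host
    for brand in PROTECTED_BRANDS:
        if brand in url.lower() and brand not in registered:
            reasons.append(f"'{brand}' appears outside the registered domain")

    return reasons


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three phishing-style lures.
    for sample in (
        "https://www.paypal.com/",
        "http://www.paypal.com@203.0.113.5/login",
        "https://xn--pypal-4ve.com/",
        "https://evil.example/paypal/login",
    ):
        print(sample, "->", url_risk(sample) or ["no warning"])
```

Heuristics like these are what give the toolbar its "score"; they are cheap to run client-side but, as the NoScript discussion above shows, they can only help a user who actually looks at the warning.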
1. The individual's responsibility. Phishing is, by nature, usually aimed at obtaining the account names and passwords used for e-commerce and then turning them into money, so users should build good habits in three areas.

(1) Choosing and keeping passwords. A password should not be built from personal data: do not use a social security number, birth date or phone number as a password. Use a mixture of letters and digits to make the password harder to crack. Avoid using the same password on different systems; if that password is lost, the consequences are disastrous. Crackers often try a list of commonly used words first. One American hacker claimed that the single word "password" would open most of the computers in the United States. Other commonly used words include: account, ald, alpha, beta, computer, demo, dead, dollar, games, bod, hello, help, intro, kill, love, no, ok, okay, please, sex, secret, superuser, system, test, work, yes. Rules for setting passwords: 1. make it long enough: each extra character multiplies the attacker's work by the size of the character set, ten times or more; 2. do not use whole words; wherever possible include digits, punctuation marks and special characters; 3. mix upper and lower case letters.

(2) Check transaction records. Online banking customers should periodically review the "transaction history" of transfers, payments and other operations and regularly print their online banking statements; on noticing an unusual transaction or an accounting error, contact the bank immediately to limit the loss.

(3) Manage digital certificates. Online banking users should avoid using Internet banking from public computers, so that digital certificates and other secret material do not fall into other people's hands, which would let the online authentication system be bypassed and the account be stolen.
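The password rules above can be checked mechanically. The following Python function is an added example written for this page (not code from the original article): it reports which of the article's rules a candidate password breaks, using the common-word list quoted above and also catching "leet" respellings such as P@ssw0rd that attacker wordlists try routinely. The minimum length of 12 characters is an assumption; the article only says "long enough".

```python
import string

# Constructed from the article's list of commonly tried words.
COMMON_WORDS = {
    "password", "account", "ald", "alpha", "beta", "computer", "demo", "dead",
    "dollar", "games", "bod", "hello", "help", "intro", "kill", "love", "no",
    "ok", "okay", "please", "sex", "secret", "superuser", "system", "test",
    "work", "yes",
}

MIN_LENGTH = 12  # assumption: the article says only "long enough"

# Substitutions a cracking wordlist applies, so "P@ssw0rd" still counts
# as the word "password".
LEET = str.maketrans("0134578@$", "oleastbas")


def password_problems(password: str, personal_data=()) -> list:
    """Return the article's rules that `password` breaks (empty list = passes).

    personal_data: strings such as a surname, birth date or phone number
    that the article says must not appear in the password.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip the digits/punctuation people bolt on to a dictionary word,
    # then test both the plain and the de-leeted spelling.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in COMMON_WORDS or core.translate(LEET) in COMMON_WORDS:
        problems.append("built on a common word")

    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or special characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("not a mix of upper and lower case")

    lowered = password.lower()
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")

    return problems


if __name__ == "__main__":
    # Constructed samples: a strong passphrase, a leet dictionary word,
    # and a password built from the user's own name and birth year.
    for pw, personal in (
        ("Tr0ub4dor&3xample!", ()),
        ("P@ssw0rd1", ()),
        ("smith1975", ("Smith", "1975")),
    ):
        print(pw, "->", password_problems(pw, personal) or ["ok"])
```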
2. Responsibilities of corporate leadership and network administrators. When asked how to prevent phishing, a security expert immediately brought up user education. Many people learn only through dedicated training that e-mail attachments should not simply be opened. Common sense cannot be "upgraded" and intelligence cannot be "installed"; in the chain of network security the human being is always the weakest link. Warning users about phishing is not enough: the expert urges companies not to send e-mail that contains links. Enterprises should not put links in e-mail messages, and should make sure their users know this, because phishing exploits ordinary human emotions such as trust, fear, greed and kindness; almost all phishing involves social engineering techniques. A recent common tactic is to have the recipient fill out a form to obtain a job, a bonus or a gift, and during holiday seasons phishing messages are especially plentiful. User education must therefore be ongoing. In addition, enterprises should share phishing intelligence with each other and form alliances. To prevent phishing sites from harming users, the United States and the United Kingdom have established organizations dedicated to counterfeit websites and other Internet scams, such as the APWG (Anti-Phishing Working Group), founded in November 2003, and the TECF (Trusted Electronic Communications Forum), founded in June 2004. Some foreign companies also place a clear link at the bottom of their home page reminding users about e-mail scams, whereas many companies' home pages show no such security awareness, and there is no comparable organization studying countermeasures. Linux network administrators should also configure SSL on the Apache server. SSL can protect online transactions: credit card numbers, stock trades, account information and so on.
When both the browser and the web server (Apache) support SSL, digital certificates are used to confirm identity: the server presents its certificate so the browser can verify who it is talking to, and client certificates can be used for the reverse direction. A digital certificate is issued by a trusted third party (the certification authority) and binds the site's public key to its identity. A website that uses a server certificate is therefore SSL-protected, and its address begins with the prefix https instead of the standard http. Most phishing sites seen in practice lack this marker, and when one does obtain a certificate it tends to be easier to identify as counterfeit, which exposes the trick further. Phishers today also often attack weakly protected servers remotely and plant network sniffers. If you believe someone has put a sniffer on your network, there are tools for checking. One is the time-domain reflectometer (TDR), which sends a pulse along the cable and analyses how the electromagnetic wave propagates and reflects; connected to a network segment, it can detect an unauthorized physical tap (it cannot, however, detect a legitimately connected host whose interface has been put into promiscuous mode). The best defences against sniffing are: (1) a secure network topology; (2) session encryption; (3) static ARP or IP-to-MAC mapping tables instead of dynamic ones; (4) dedicated hardware devices.

3. Patching. Whether you are a network administrator or an individual user, you should regularly visit the home page of your installed system's publisher to find the latest patches. The operating system is the soul of the computer; at the lowest level it manages and schedules memory, processes and the other subsystems. A vulnerability in the operating system itself can be fatal, so the kernel is essential to network security.
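Defence (3) above, static ARP tables, only helps if you notice when the dynamic table drifts away from what it should be. The following Python script is an added example written for this page (not code from the original article): it parses the Linux /proc/net/arp format, compares a saved baseline against the current table, and reports the two classic ARP-poisoning signatures, an IP whose MAC has changed and one MAC answering for several IPs. The sample tables are constructed; the file paths in the usage block are assumptions.

```python
# Constructed samples in the format of /proc/net/arp on Linux.
# Flags 0x2 (ATF_COM) means the entry is complete; 0x0 is still unresolved.
ARP_BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:66     *        eth0
"""

ARP_NOW = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.20     0x1         0x2         00:11:22:33:44:66     *        eth0
192.168.1.30     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp(text: str) -> dict:
    """Map IP -> MAC from /proc/net/arp text, skipping the header line and
    incomplete entries (the 0x2 completeness flag not set)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "IP":
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if not flags & 0x2:
            continue
        table[ip] = mac
    return table


def arp_anomalies(baseline_text: str, current_text: str) -> list:
    """Return human-readable alerts for entries that moved since the baseline
    or for one MAC address claiming more than one IP."""
    base, now = parse_arp(baseline_text), parse_arp(current_text)
    alerts = []

    # A gateway or peer whose MAC has changed: the sniffer's box now answers.
    for ip, mac in sorted(now.items()):
        if ip in base and base[ip] != mac:
            alerts.append(f"{ip} changed from {base[ip]} to {mac}")

    # One MAC behind several IPs: it is impersonating them.
    by_mac = {}
    for ip, mac in now.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")

    return alerts


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Assumed usage: python arpcheck.py baseline.txt  (baseline saved
        # earlier with: cat /proc/net/arp > baseline.txt)
        with open(sys.argv[1]) as f, open("/proc/net/arp") as g:
            found = arp_anomalies(f.read(), g.read())
    else:
        found = arp_anomalies(ARP_BASELINE, ARP_NOW)
    for alert in found or ["no ARP anomalies"]:
        print(alert)
```

Once you trust a mapping, pin it so the table can no longer be poisoned: on Linux, ip neigh add 192.168.1.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent (or the older arp -s 192.168.1.1 00:11:22:33:44:55), which is exactly the "static ARP table" the article recommends. The script then serves to confirm that the pinned entries are still what you set.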
At present kernel maintenance follows two models. For proprietary operating systems such as Windows or Solaris, ordinary users have no direct access to the source code; the code is maintained by the vendor's internal developers, the same team guarantees its security, and kernel changes and application fixes are released as patches or service packs. Linux, by contrast, is an open system with an open structure. The open model, it must be said, is a double-edged sword. The Thunderbird and Firefox described in this article are open-source software that is upgraded constantly, with stable and beta versions alternating. The ChangeLog of the latest release on http://www.mozilla.org lists bug fixes and security bug fixes. So follow the site for relevant bug fixes and upgrades, and upgrade or apply patches promptly.