mysecurepc.com blog

Having spent a few hours trying to figure out why the server was not returning a character set was frustrating. Even though I had a charset in the webpage, the server was not returning a charset.

And why is this a security risk?

A nefarious person could upload a web page in a different character set, say UTF-7, with harmful code in it. When the web page is accessed, the server accepts the UTF-7 encoding and executes the script.

Check to see if the server returns a charset by entering your web page here. On the results page, under ‘Receiving Header:’, the content-type should be something like: text/html; charset=iso-8859-1
If the charset is missing it will be: text/html

I fixed my site, which uses Apache server, by including:

AddDefaultCharset ISO-8859-1

in the .htaccess file. You can contact your host to see if they can fix it at their end, but on shared hosting it may be difficult.

I found out a little nuance in the way you login to PayPal: securely and not securely. Unfortunately, the default is not secure.

When presented to PayPal.com there is a member login and password area. If you login through this, it is *not* secure. Notice http instead of https. If you click on ‘Log In’ it will take you to a secure login web page. https shows up along with the security lock (which shows that the site credentials are for www.paypal.com

Doug

Red, yellow, green: that is how the site advisor rates websites. Green is for good sites, yellow for questionable ones, and red for avoid. Gray means the site has not been reviewed.

What is measured? The safety, not the content of the site. Adult sites may get the green light if there is no safety problem such as spyware, phishing, exploits, scams, viruses, or spam. Cookies are not considered spyware or adware but are classified as tracking or nontracking which is more benign than spyware or adware.

Once installed, the SiteAdvisor shows up in the status bar. When a site is visited, one of the aforementioned colors show up. SiteAdvisor also shows up on search result pages: a colored rating checkmark shows up next to each search result, making it easy to see if the site is nefarious or not. Currently google, ask, aol, yahoo, and msn search engines are supported.

To keep bias out of the picture, payment is not accepted by SiteAdvisor.

Sites are rated by several methods: an automatic safety analysis using a database of prescreened sites, user feedback, and manual analysis. You can join the SiteAdvisor group as a reviewer and submit your own site analysis and comments.
McAfee Site Advisor is currently available for Internet Explorer and Firefox.

Doug

I have spent several days trying to convince my business bank that its login is unsecure. Of course they do not believe me (or they do and choose not to do anything to rectify the situation since they did at one time have a secure login page).

The bank login page URL starts with http:. Why is this unsecure? Because there is no way to verify that the web page I am looking at is the bank’s login page. Someone could have intercepted the request for the bank login page and replaced it with their own (called spoofing or man-in-the-middle attack) – then when the login ID and password are entered, the bad guy gets it rather than the bank.

When you type in (or use a bookmark) http://www.my-unsecure-bank.com this request is sent to the my-unsecure-bank.com server, the web page constructed then sent back to your browser (in HTML) so it is displayed. As you can see, someone can intercept the request and return their own login page. This is easily done in wireless environments such as coffee houses or airports.

My bank tells me that the login/password information is sent securely to the bank. After looking at the HTML code (look for: … form .. action=https:// …) I agreed the login form did use a secure connection to send the login information…but how do I know the web page I’m looking at is the banks? That is when they decided to end the conversation.

BTW, if the login page starts with https:// you can verify the page is your banks by clicking on the yellow padlock and seeing that the bank is indeed listed.Which brings up another point – even if the login page URL starts with https:// (which only tells you the web page being viewed is from your bank) the login data sent to the bank may not be secured. Unfortunately, to verify the data being sent is secured involves looking at the web page’s HTML code and making sure the login form has, as it’s action, a secure URL (i.e. starting with https://)). To date, there is no visual way to ensure the web page AND the login form are both secure – and you cannot rely on your bank to help you.

Doug

Unbelievable. Banks, of all entities, having unsecure logins. If the browser lock is missing on your bank’s login page your login information is not secure. SSL, the security part of a login page, encrypts the user name and password -and- makes sure you are talking to your bank and not some other site. So if your bank’s login page shows http:// it is not secure and there is no (SSL) guarantee that you are actually on the bank’s login page – it could be a spoofed login page.
Yes, banks will say your login information is secure but if the lock and https:// is missing then it is not. Period. Note that some banks do have secure login forms but they are not the default. You have to hunt for them.
Here is a list of offending banks

Doug

My bank recently implemented a login procedure that is virtually impossible for an identity thief to access. It uses a technology called “Two-Factor Authentication”. In addition to a regular login, you must type in a code from a security card or an email sent to a mobile device.
The security card has a grid with numbers and letters so every time you login, a random grid location is given; you look at the security card and type in the entry from the grid location within 60 seconds. For example the login screen may say: A3B4. So you look in position A3 and type its entry (like a3w) and look in position B4 and type its entry (like u7t).
If the email route is chosen, an email containing ‘a3wu7t’ would be sent to your mobile device.
The security card could be printed for reference after initially logging in (before switching to two-factor authentication) and answering a few security questions. Finally, another roadblock to identity thieves.

Doug