Archive for the ‘Security’ Category

Why phishing works

Monday, August 4th, 2008

Phishing, the art of obtaining information from users by pretending to be from a reputable known source, is surprisingly effective, despite attempts by numerous organisations (particularly banks) to educate users about this issue. Recently, the University of Manchester, where I’ve been a student for nearly five years, was hit by a barrage of emails pretending to be from IT Services (the department which runs most of the University’s email, amongst other things) which encouraged students and staff to reply with their username and password. Unbelievably for an organisation which supposedly consists of intelligent people who are working towards obtaining one of the highest qualifications in the country, more than seventy people replied with their login details. As a result, millions of spam messages were sent from University accounts, causing some major mail providers, including Hotmail, to block all incoming mail from manchester.ac.uk addresses and their subdomains.

Phishing relies upon the fact that it doesn’t matter if only one in ten thousand people are completely lacking in common sense (given the University’s size, it’s probably actually more like one in five thousand)—spam enough of them and you’ll eventually get some hits. It amazes me that people still fall for this trick, because to me it seems so painfully obvious that a bank would never ask for information such as your PIN, but it would appear that the message has still not got through to everyone.

Firefox 2.0.0.5 released

Thursday, July 19th, 2007

The latest version of the Firefox web browser has been released. If you haven’t already upgraded, you should go to Help->Check for Updates or use your package management software to download the latest version as soon as possible, because there are a number of security fixes included in the update. The full release notes can, as always, be found on the official Mozilla website.

LiveJournal permanent accounts for XSS exploits

Tuesday, January 31st, 2006

LiveJournal XSS Security Challenge at Slashdot

LiveJournal has launched an XSS Security Challenge which currently offers a free permanent account (like a paid account, but one that never has to be renewed, plus some other bonus features) to anyone who finds a Cross Site Scripting (XSS) security hole in the CVS code for the site. There’s also the possibility of additional rewards later on, once the Six Apart lawyers have decided on any rules for the challenge. If you know a reasonable amount about JavaScript, you could be in with a chance to not only fix a bug in software used by millions of people every day but also collect a bounty at the same time. What more could you ask for?