New version of SpoofStick for Firefox
A new version of SpoofStick is out for Firefox. Version 1.05 addresses two of the most common recent user comments:
- Addresses the recently discovered Mozilla "IDN" vulnerability described at http://www.shmoo.com/idn/.
- SpoofStick is now a draggable, resizable toolbar button.
As always, you can download the latest version from the SpoofStick home page.
February 10, 2005
SpoofStick Update
We’ve just released a new version of SpoofStick for Internet Explorer (v. 1.02) that addresses a newly discovered IE flaw described by this Secunia advisory. As always, you can download the latest version at the CoreStreet SpoofStick homepage.
The flaw is not present in Firefox, so no update to the Firefox version of SpoofStick is necessary.
For those of you keeping count, we’ve had over 130,000 downloads of SpoofStick since the official release three months ago.
[Update: Oooh, that’s an average of about one download every minute.]
August 18, 2004
SpoofStick on TV
A few days ago, PC World columnist Steve Bass demoed SpoofStick on G4TechTV’s “The Screen Savers”. Everyone who has come to my house since then has been forced to watch it on Tivo.
Other recent SpoofStick coverage is on the CoreStreet SpoofStick homepage.
June 27, 2004
Washington Post reviews SpoofStick
Rebecca Rohan has written a quick and positive review of SpoofStick, CoreStreet’s free anti-phishing utility, for today’s Washington Post. Her conclusion:
SpoofStick is reassuring to have around, but it can't replace common-sense skepticism.
This is exactly right. We never intended SpoofStick to be a comprehensive solution for all the possible bad things that can happen while using your computer. SpoofStick is a straightforward tool that does one thing well: it cuts through the clutter of confusing, malicious or mislabeled URLs to tell you what web site you’re actually on. We were trying for simple and useful, and I think that’s what we got.
About 30,000 downloads so far. If anyone’s got suggestions for improvements, I’m all ears. All the other SpoofStick news can be found here.
June 7, 2004
Latest SpoofStick coverage and version
SpoofStick continues to make a mark on the net. The latest mentions are from Network World, the Kansas City Star, the St. Petersburg Times (the one in Florida, not Russia, but see below) and the Newark Star Ledger. PC World contributing editor Steve Bass gave SpoofStick a good mention in his June 2nd newsletter, but it’s not on-line yet. Steve called me a “forthright” guy, which will have to do until I can upgrade my title to at least “honorable” by getting elected mayor of something.
International mentions of SpoofStick include IT Union in Russian and ITP Technology in Arabic. I can’t read the Arabic article, but it has this screenshot of SpoofStick looking at the "it's only a flesh wound" scene from Monty Python and the Holy Grail. I don’t find this strange at all.
We also released a minor upgrade to the IE version of SpoofStick today. Version 1.01 has the following improvements:
- The installer is signed by an official CoreStreet digital certificate. This is one of those eat-our-own-dogfood type of features since we like to promote certificate use.
- There is a new option in the configuration menu that lets you display the whole hostname of a site, rather than just the domain name.
- The installer will now refuse to install on an operating system earlier than Win2k. I expect this to take care of most of our support requests. We’ll be adding Windows 95, 98 and ME support in an upcoming release.
- SpoofStick will now pop up a warning (often more than one) if it encounters a URL trying to take advantage of the ‘@’ flaw found in unpatched versions of IE. Since this is a well known (and corrected) Microsoft bug, SpoofStick will only issue a warning and reminder to install the latest IE patch.
As always, you can get the latest version of SpoofStick at the CoreStreet SpoofStick home page.
Finally, I have made a ‘SpoofStick’ category on Vastly Important Notes, so you can see all the posts about SpoofStick on one page. Some of you have made snide insinuations about SpoofStick elbowing out all other topics on this blog (I’m looking at you, “gavin”), so I’d like to direct your attention to the diverse bounty of vastly important content in the archives.
June 4, 2004
The Phisher King
Proving the adage that the simple wheel gets the worm (err, that’s not right), the past three days have seen SpoofStick featured in The New York Times, Business Week and The Boston Globe. The Times even included a nice screenshot in the print version. We’ve had to increase our server bandwidth to handle the demand – around 20,000 copies have been downloaded so far.
I’m running dangerously low on “Phish” puns. Do the tech-media community a favor and send some in. Thanks to everyone who’s tried SpoofStick.
May 27, 2004
SpoofStick 1.0 is here
[Update June 04: If you came directly to this page from Brian’s Buzz, Brian Livingston’s newsletter, welcome! Please see my quick reply to Brian’s comments here. SpoofStick now has its own category where you can see all the latest news and coverage. If you feel like browsing my other articles, here’s the front page.]
The general release version (1.0) of SpoofStick is now available for download for both Internet Explorer and Firefox. The 1.0 version includes a standardized UI across both platforms and a much smaller installer for the IE version.
Many thanks to the over three thousand of you who tried out the beta versions, to the dozens that gave useful feedback, and to the handful of bottom-phishers that harvested the "spoofstick" email address and clogged up my mailbox with pr0n and important information about my eBay account. This last category of people, in particular, reminds me of why we do this.
Thanks also to the bloggers and journalists – amateur and professional – who helped spread the word. I'm especially gratified to see that some of them have screenshots of SpoofStick running on their browsers. It's always good to see proof that your software actually installs.
Here’s some of what the web had to say:
Jon Udell - InfoWorld (screenshot, great write-up and first external mention of SpoofStick!)
Chris Lindquist - CIO.com (nice article, and the title makes SpoofStick sound downright superheroic)
Adam Gaffin - NetworkWorldFusion
Mark Ayzenshtat - Marked for Dearth (also did the programming)
Asa Dotzler - Adot's Notblog* (Asa drives big traffic)
Under The Sun (first Bible quote associated with SpoofStick)
Tara Calishain - ResearchBuzz (helped debug the press release)
Robin Bloor - Bloor Research (SpoofStick made him switch to Firefox from IE)
Nick Codignotto - Primordial Ooze (screenshot)
Mozdev extension room
Mozilla News
Chris Walken - talkaboutshareware.com (I'm pretending it's Christopher Walken)
inetinfo (with phish stick joke!)
John Ludwig - a little ludwig goes a long way
ExecTechNews
beaglebot - linkfilter.net
kayodeok
[expletive deleted]happens
Of course, nothing can top the comment from Carol Baroudi that I wrote about on May 3rd.
Download SpoofStick 1.0 for Microsoft Internet Explorer and Mozilla Firefox here.
May 10, 2004
If Wishes Were Phishes
CoreStreet has officially released SpoofStick, a free anti-phishing utility for IE and Firefox today. Here’s the press release and previous discussion on this blog. The quote from Carol Baroudi, super-perceptive author of the multi-million selling Harry Potter The Internet for Dummies books says it all:
“I love SpoofStick,” said Carol Baroudi, CEO of Baroudi Bloor International and author of the Internet for Dummies. “E-mail fraud is on the rise—innocent people are being duped every day— it makes me crazy. SpoofStick lets you see just where you're being taken - in every sense of the word. I want the world to be using SpoofStick. I want everybody using SpoofStick today!”
Some great press and blog coverage so far. I’ll round up the best in the next few days.
There isn’t anything new, so if you’ve got the latest beta versions (0.06), you don’t need to reinstall. Otherwise, download SpoofStick.
Enjoy.
May 3, 2004
SpoofStick for IE is out
SpoofStick for Microsoft Internet Explorer is now available. SpoofStick is a simple, free browser plug-in that helps keep users safe from spoofed websites and “phishing” scams by prominently displaying the actual domain name of whatever site you’re on.

SpoofStick has been available for the Mozilla Firefox browser for the past few weeks and has made a splash in the community. This version should work on IE 6 running on Microsoft Windows XP and 2000. The Firefox version will run on Windows, OS X and Linux.
These are beta versions, and we’d love to get your feedback. Please post your comments here, or send email to “spoofstick AT corestreet DOT com”.
See my introduction of SpoofStick: part 1 and part 2.
Download SpoofStick v. 0.06 BETA for Internet Explorer or Mozilla Firefox here.
April 23, 2004
More SpoofStick
A new version of the SpoofStick beta for Firefox has been released. SpoofStick is a free utility that helps fight spoofed websites and identity “phishing”. See the original post for more details.
This version (0.05) tweaks the size display settings to make the small size smaller, the large size larger and the medium size more medium. It’s also smarter about handling multiple-name URLs (like https://web.da-us.citibank.com/signin/citifi/scripts/login2/user_setup.jsp) and international domains (like http://www.ox.ac.uk/).
We’ve gotten some good feedback on SpoofStick in the past couple of days. To answer the most common question: yes, SpoofStick does work on a Mac with Firefox for OS X. Here’s proof:

Although, I thought you Mac users had too many post graduate degrees to be fooled by fake websites.
Thanks for all the feedback, and keep it coming.
Download SpoofStick v. 0.05 BETA for Mozilla Firefox here.
April 8, 2004
Smack web spoofers with SpoofStick
Identity “phishing” and spoofed websites are a big problem for IT security and brand management these days. There are several heavyweight technical proposals to make it harder for attackers to steal identity information by faking websites and emails, but the problem will continue to grow until the industry coalesces around some standards. CoreStreet has come up with a simple way for users to detect when they might be on a spoofed website, and we’re making it available for free. We call it SpoofStick™.
SpoofStick is a small browser extension that prominently displays the domain name of the website you’re currently visiting. That’s it. Most current “spoofing” attacks entail tricking a user into following a mislabeled link (like this one to http://www.cnn.com/) and then hoping that some percentage of visitors won’t decipher the complex URL to figure out that they’re not in Kansas anymore. SpoofStick makes it easy to foil this type of attack because it clearly shows you only the most important information about where you are. Like this:

Instead of trying to figure out if this is a real eBay url:
Just let SpoofStick do the work for you.
Spoofstick isn’t a very high-tech, comprehensive solution, but it’s a good start. The goal was to solve 50% of the problem. I’m going to install it on my parents’ computer and sleep a bit easier at night. Instead of learning how to pattern recognize HTTP syntax, all they’ll have to do is check SpoofStick every time they enter any information into a website.
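As an added illustration (not SpoofStick's own code, which this page does not show), the JavaScript below implements the display logic described above and in the later release notes: reduce a URL to the domain you are actually on, cope with multi-part hostnames and country-code suffixes, and flag '@' and IDN hostnames. The suffix set, function names and the last two sample URLs are constructed assumptions; a real tool would load the full Public Suffix List.

```javascript
// Added example, not SpoofStick's source. MULTI_PART_SUFFIXES is a tiny
// constructed stand-in for the Public Suffix List a real tool would load.
const MULTI_PART_SUFFIXES = new Set(["ac.uk", "co.uk", "org.uk", "com.au", "co.jp"]);

// Return the registrable domain ("the site you are really on") for a hostname.
function registrableDomain(hostname) {
  const host = hostname.replace(/\.$/, "").toLowerCase();
  // IP literals have no domain structure; show them unchanged.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_PART_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Build what a SpoofStick-style indicator would show for a URL.
function describeSite(rawUrl) {
  const url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  const warnings = [];
  // Everything before '@' is userinfo, not the host the browser connects to.
  if (url.username || url.password) warnings.push("userinfo-before-@");
  // The parser converts IDN labels to punycode ("xn--"), exposing lookalikes.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push("idn-punycode-host");
  }
  return { display: registrableDomain(url.hostname), host: url.hostname, warnings };
}

// Sample URLs: the first two appear on this page, the last two are constructed.
const SAMPLES = [
  "https://web.da-us.citibank.com/signin/citifi/scripts/login2/user_setup.jsp",
  "http://www.ox.ac.uk/",
  "http://www.example.com@login.example.net/signin",
  "http://www.ex\u0430mple.com/", // Cyrillic "а" (U+0430) in place of Latin "a"
];
for (const sample of SAMPLES) {
  const site = describeSite(sample);
  console.log(`You're on ${site.display}`, site.warnings.join(", ") || "(no warnings)");
}
```
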
SpoofStick is currently available in BETA form, and only for Mozilla Firefox. An IE version is around the corner. SpoofStick is free and currently unsupported. Nobody at CoreStreet is responsible if anything bad happens while you’re using SpoofStick – or at most other times, for that matter. Please email comments or suggestions to spoofstick@corestreet.com.
Download SpoofStick v. 0.04 BETA for Firefox here.
[Thanks to my brother, Mark Ayzenshtat for doing most of the heavy lifting on this release.]
April 5, 2004