Archive for the ‘Practical Security’ Category

This seems to have flown under the radar in recent weeks, but Google has launched a Beta site for using their search services over SSL.  I have it set to my default Google search page now.

Google SSL

Same URL as usual, just use https instead of http.

We here at Geekamongus care about you, the visitor, so we offer some news and tips about staying secure:

iPhone
Here’s a good reason to set your iPhone to *not* auto-join Wifi networks, especially those AT&T Wifi Hotspots.

Antivirus Software
There is no need to pay for antivirus/security software for your Windows computer.  Save your money.  As cnet suggests, use one of the many free programs available.  Personally, I prefer MSE or Avast.

Facebook
Considering there may be 1.5 million Facebook accounts up for sale on the black market, now would be a good time to rid your computer of malware and then change your Facebook password.

While you are at it, you may want to learn about (and restrict) all the personal data Facebook has unilaterally decided to share about you.

Microsoft SharePoint Security Warning
SharePoint administrators and users, beware: Serious XSS flaw haunts Microsoft SharePoint

The Google Overlords
Afraid of Google?  Here’s a good way to anonymize yourself when doing Google searches or using many of their services:

Read more on the project page. Download the Firefox plugin here.

After eating lunch at a local restaurant yesterday, I noticed that when I was signing my receipt they had printed my whole credit card number on there. I hadn’t seen that happen in years, and I immediately scratched it out. I happened to be with a group of cyber security guys, and they were all in disbelief as well.

It would be very easy for a thief to pick up your receipt just after you leave, then go home and have an online shopping spree. The server or anyone else handling your receipt could do the same thing.

I wrote previously about Facebook hacking, which is something everyone needs to be aware of, but there is a more immediate Facebook danger that already exploits millions of people every day. Not only could it lead to insecurity, but your personal data is being exposed to advertisers every time you take one of those “What kind of hamburger are you” quizzes.

Facebook applications get access to all data of users who sign up, though users sign up for dozens of one-time use applications like these quizzes without thinking twice. There are hundreds of applications springing up every day, and Facebook’s model of implementing no technical sandboxing and policing applications when things go wrong is completely unscalable.


If you live in the USA, did you know that your tax dollars are being used for some really good purposes?

You better believe it.  For example, the NSA provides some great guides and tools for securing your operating system, whether you are on a Mac, or running Windows, Linux, or Solaris.

Some of the guides can get a little complex (especially the Linux and Solaris ones), but even if you do some of what they suggest, you are increasing the security of your OS and are likely to learn a few things at the same time.

There are more resources from other parts of the government as well.

This article explains why you can’t trust your friends on Facebook.  It demonstrates how easy it is to gain someone’s trust by using an account that they think is that of a friend. The next time your friend on Facebook asks you to borrow some money, or asks when you are going out of town, think twice.

Ever been to a coffee shop and got worried about hopping on their public wifi network to check your email?  If not, you should have been, and you should presently be concerned about wifi security anywhere you go — a topic we have covered here many times.

Secunia, a computing security clearinghouse, has issued a warning regarding a new, zero day vulnerability in the Internet Explorer web browser.  This includes Internet Explorer 5, Internet Explorer 6, and Internet Explorer 7 on fully patched Windows XP systems.

Attackers can craft web pages in such a way as to use this vulnerability to issue commands on your computer.  There are active exploits currently being used on the Internet to do this.

Your safest immediate course of action is to not use Internet Explorer until a patch is issued by Microsoft.  Instead, use Firefox, Safari, or Chrome.  Unless you are using version 9.3 of Opera, you should quit using it as well.

On another note, there was an article in the news recently which named Firefox as the most insecure application of 2008.  The article is highly biased, however, and the criteria for defining insecure applications ruled out the inclusion of Internet Explorer.  Still, it’s worth a read to help raise awareness about the vulnerabilities of computing on the Internet these days.

Whatever browser you use, you should know that exploits are found in all of them.  As exploits are discovered, they are usually patched as soon as possible, and it’s well worth checking for and installing the latest versions often.  Until patches are released, however, it’s a good plan to switch browsers.

In light of the latest wireless vulnerability found, which can break “WPA” using “TKIP” for encryption, I thought I would advise everyone to review your home wireless setup.

The subject of securing your wireless (or wired) networks at home could be talked about for hours on end, and depending on what hardware (model/brand) you have, your set-up and configurations may vary. Please see the documentation that came with your device or the company’s website for more information on the specific model you have. Also, don’t hesitate to call or email the vendor for help if needed.

Basically it comes down to these few things:

  1. Don’t broadcast your SSID if possible. (See your manual, and see this link)
  2. Use Wireless MAC filtering if possible. (See your manual, and see this link)
  3. Don’t use WEP for encryption.
  4. Don’t use WPA w/TKIP (this is now breakable).
  5. Change your WPA from TKIP to AES for encryption. (See your manual)
  6. If your hardware (computer and wireless router) supports it, move to WPA2. (See your manual)
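
The checklist above can be checked mechanically. This is an added example, not part of the original post: it assumes the access point is configured through a hostapd-style `key=value` file (home routers expose the same settings through their web interface instead), and both config fragments are constructed samples.

```python
# Added example: audit a hostapd-style config against the six-point checklist.
SAMPLE_CONF = """\
# constructed fragment, not taken from a real device
ssid=HomeNet
ignore_broadcast_ssid=0
macaddr_acl=0
wpa=1
wpa_pairwise=TKIP
"""
HARDENED_CONF = """\
# constructed fragment
ssid=HomeNet
ignore_broadcast_ssid=1
macaddr_acl=1
wpa=2
rsn_pairwise=CCMP
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings, each prefixed with the checklist item it violates."""
    findings = []
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("1: SSID is broadcast")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("2: MAC filtering (accept list) is off")
    wpa = int(conf.get("wpa", "0"))  # bit 1 = WPA, bit 2 = WPA2
    if wpa == 0:
        wep = any(k.startswith("wep_key") for k in conf)
        findings.append("3: WEP in use" if wep else "3: no WPA/WPA2 (open network)")
    # Assumption for this example: a missing cipher line is treated as TKIP.
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append("4/5: WPA with TKIP, switch to AES (CCMP)")
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("4/5: TKIP still allowed under WPA2")
    if wpa and not wpa & 2:
        findings.append("6: WPA2 not enabled")
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or "no findings")
```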

General Home Computer Security Info:

  1. Make sure your Anti-virus application is updating/updated and enabled.
  2. At a minimum, make sure the Windows Firewall is enabled (unless you are on a Mac, in which case you should turn yours on too).
  3. Use strong passwords comprised of alpha/numeric/special characters on all your “Admin” level computer accounts.
  4. If you have any files or folders shared over your home network, make sure they are password protected.

There are a million resources for articles on computers and security online, but here are a few good ones if you are new or inexperienced with the subject (or just need a refresher).

Microsoft Security Resource for Home Users:
http://www.microsoft.com/protect/default.mspx

US-CERT.GOV – Home Users:
http://www.us-cert.gov/nav/nt01/
http://www.us-cert.gov/reading_room/home-network-security/

CERT.ORG – Home Users:
http://www.cert.org/homeusers/
http://www.cert.org/homeusers/HomeComputerSecurity/
http://www.cert.org/tech_tips/home_networks.html

With all that said, have a safe, secure, and happy computing day.

For years, people have loved Apples and Macs because of their relative security when compared to the likes of Microsoft, who are the target of tens of thousands of viruses, worms, trojans, and other types of malicious programming.

A large part of this has been because of the prevalence of Microsoft Windows, and the fact that Macs make up a tiny little percentage of the home or office computer realm.  However, ever since Apple released the iPhone, it would seem as if they have taken a step out into the world of the unknown, venturing into new territories where no one has gone before.

The problem is, many people have already been in these territories for many years, and Apple obviously has not been paying attention.  It’s like they never considered the thought that once they started venturing outside of the obscure marketshare into the eye of the general public, they too would become targeted by script kiddies, spammers, and all-around evildoers.

The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.

Take, for example, this new TechCrunch article explaining a simple way for spammers to harvest all the email addresses of MobileMe users.

From the article:

Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”

Um…ok.  So if I use MobileMe, I can expect a lot of spam.  Maybe they think I’ll get used to it.

TechCrunch goes as far as suggesting that Apple is falling apart at the seams.  They suggest failures with customer service and security exploits as warning signs.  The sad part is, Apple seems to either not care about fixing things, or just not get it, both of which are starting to come off as being arrogant.

Look at the recent ‘patching’ Apple did with the widely-publicized DNS spoofing vulnerability last month.  While every other vendor quickly tackled the problem, Apple released a patch that fixed only their server products, leaving their entire desktop user base still vulnerable.  It took them two more weeks, but on August 15 they finally patched it for everyone.

The nature of being secure, in my opinion, relies upon being open, recognizing vulnerabilities, and taking them head-on.  That’s why there is such a large, active community of security-aware researchers, vendors, and system administrators out there.  Apple seems to be shying away from all of this, perhaps out of naivety, perhaps out of conceit.

Whatever the case, I sincerely hope they come to their senses before it is too late.
