Archive for the ‘Practical Security’ Category
After eating lunch at a local restaurant yesterday, I noticed that when I was signing my receipt they had printed my whole credit card number on there. I hadn’t seen that happen in years, and I immediately scratched it out. I happened to be with a group of cyber security guys, and they were all in disbelief as well.
It would be very easy for a thief to pick up your receipt just after you leave, then go home and have an online shopping spree. The server or anyone else handling your receipt could do the same thing.
I wrote previously about Facebook hacking, which is something everyone needs to be aware of, but there is a more immediate Facebook danger that already exploits millions of people every day. Not only could it lead to insecurity, but your personal data is being exposed to advertisers every time you take one of those “What kind of hamburger are you” quizzes.
Facebook applications get access to all data of users who sign up, though users sign up for dozens of one-time use applications like these quizzes without thinking twice. There are hundreds of applications springing up every day, and Facebook’s model of implementing no technical sandboxing and policing applications when things go wrong is completely unscalable.
If you live in the USA, did you know that your tax dollars are being used for some really good purposes?
You better believe it. For example, the NSA provides some great guides and tools for securing your operating system, whether you are on a Mac, or running Windows, Linux, or Solaris.
Some of the guides can get a little complex (especially the Linux and Solaris ones), but even if you do some of what they suggest, you are increasing the security of your OS and are likely to learn a few things at the same time.
There are more resources from other parts of the government as well.
This article explains why you can’t trust your friends on Facebook. It demonstrates how easy it is to gain someone’s trust by using an account that they think is that of a friend. The next time your friend on Facebook asks you to borrow some money, or asks when you are going out of town, think twice.
Ever been to a coffee shop and got worried about hopping on their public wifi network to check your email? If not, you should have been, and you should presently be concerned about wifi security anywhere you go — a topic we have covered here many times.
Secunia, a computing security clearinghouse, has issued a warning regarding a new, zero day vulnerability in the Internet Explorer web browser. This includes Internet Explorer 5, Internet Explorer 6, and Internet Explorer 7 on fully patched Windows XP systems.
Attackers can craft web pages in such a way to use this vulnerability to issue commands on your computer. There are active exploits currently being used on the Internet to do this.
Your safest immediate course of action is to not use Internet Explorer until a patch is issued by Microsoft. Instead, use Firefox, Safari, or Chrome. Unless you are using version 9.3 of Opera, you should quit using it as well.
On another note, there was an article in the news recently which named Firefox as the most insecure application of 2008. The article is highly biased, however, and the criteria for defining insecure applications ruled out the inclusion of Internet Explorer. Still, it’s worth a read to help raise awareness about the vulnerabilities of computing on the Internet these days.
Whatever browser you use, you should know that exploits are found in all of them. As exploits are discovered, they are usually patched as soon as possible, and it’s well worth checking for and installing the latest versions often. Until patches are released, however, it’s a good plan to switch browsers.
In light of the latest wireless vulnerability found, which can break “WPA” using “TKIP” for encryption, I thought I would advise everyone to review your home wireless setup.
The subject of securing your wireless (or wired) networks at home could be talked about for hours on end, and depending on what hardware (model/brand) you have, your set-up and configurations may vary. Please see the documentation that came with your device or the company’s website for more information on the specific model you have. Also, don’t hesitate to call or email the vendor for help if needed.
Basically it comes down to these few things:
- Don’t broadcast your SSID if possible. (See your manual, and see this link)
- Use Wireless MAC filtering if possible. (See your manual, and see this link)
- Don’t use WEP for encryption.
- Don’t use WPA w/TKIP (this is now breakable).
- Change your WPA from TKIP to AES for encryption. (See your manual)
- If your hardware (computer and wireless router) supports it, move to WPA2. (See your manual)
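The encryption items in the checklist above can be checked mechanically. This is an added example, not part of the original post: it assumes the access point is configured through a hostapd-style `key=value` file (consumer routers expose the same choices in their web interface), and both sample configurations are constructed.

```python
# Added example (not from the original post): audit hostapd-style settings
# against the encryption items in the checklist. Sample configs are constructed.

def parse_conf(text):
    """Parse 'key=value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings for WEP, TKIP and missing WPA2."""
    conf = parse_conf(text)
    findings = []
    if any(key.startswith("wep_key") for key in conf):
        findings.append("WEP key configured: don't use WEP")
    wpa = int(conf.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2
    if wpa == 0:
        findings.append("WPA/WPA2 disabled: traffic is open or WEP-only")
        return findings
    # hostapd defaults: wpa_pairwise=TKIP, rsn_pairwise=<wpa_pairwise value>
    wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
    rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
    if wpa & 1 and "TKIP" in wpa_ciphers:
        findings.append("WPA with TKIP: switch the cipher to CCMP (AES)")
    if wpa & 2 and "TKIP" in rsn_ciphers:
        findings.append("WPA2 still accepts TKIP: set rsn_pairwise=CCMP")
    if not wpa & 2:
        findings.append("WPA2 not enabled: move to wpa=2 if hardware allows")
    return findings

WEAK = """
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

HARDENED = """
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

Note the mixed-mode case: with `wpa=3` and no `rsn_pairwise` line, WPA2 inherits the `wpa_pairwise` ciphers, so TKIP stays enabled on both.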
General Home Computer Security Info:
- Make sure your Anti-virus application is updating/updated and enabled.
- At a minimum, make sure the Windows Firewall is enabled (unless you are on a Mac, in which case you should turn yours on too).
- Use strong passwords comprised of alpha/numeric/special characters on all your “Admin” level computer accounts.
- If you have any files or folders shared over your home network, make sure they are password protected.
There are a million resources for articles on computers and security online, but here are a few good ones if you are new or inexperienced with the subject (or just need a refresher).
Microsoft Security Resource for Home Users:
http://www.microsoft.com/protect/default.mspx
US-CERT.GOV – Home Users:
http://www.us-cert.gov/nav/nt01/
http://www.us-cert.gov/reading_room/home-network-security/
CERT.ORG – Home Users:
http://www.cert.org/homeusers/
http://www.cert.org/homeusers/HomeComputerSecurity/
http://www.cert.org/tech_tips/home_networks.html
With all that said, have a safe, secure, and happy computing day.
For years, people have loved Apples and Macs because of their relative security when compared to the likes of Microsoft, who are the target of tens of thousands of viruses, worms, trojans, and other types of malicious programming.
A large part of this has been because of the prevalence of Microsoft Windows, and the fact that Macs make up a tiny little percentage of the home or office computer realm. However, ever since Apple released the iPhone, it would seem as if they have taken a step out into the world of the unknown, venturing into new territories where no one has gone before.
The problem is, many people have already been in these territories for many years, and Apple obviously has not been paying attention. It’s like they never considered the thought that once they started venturing outside of the obscure marketshare into the eye of the general public, they too would become targeted by script kiddies, spammers, and all-around evildoers.
The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.
Take, for example, this new TechCrunch article explaining a simple way for spammers to harvest all the email addresses of MobileMe users.
From the article:
Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”
Um…ok. So if I use MobileMe, I can expect a lot of spam. Maybe they think I’ll get used to it.
TechCrunch goes as far as suggesting that Apple is falling apart at the seams. They suggest failures with customer service and security exploits as warning signs. The sad part is, Apple seems to either not care about fixing things, or just not get it, both of which are starting to come off as being arrogant.
Look at the recent ‘patching’ Apple did with the widely-publicized DNS spoofing vulnerability last month. While every other vendor quickly tackled the problem, Apple released a patch that fixed only their server products, leaving their entire desktop user base still vulnerable. It took them two more weeks, but on August 15 they finally patched it for everyone.
The nature of being secure, in my opinion, relies upon being open, recognizing vulnerabilities, and taking them head-on. That’s why there is such a large, active community of security-aware researchers, vendors, and system administrators out there. Apple seems to be shying away from all of this, perhaps out of naivety, perhaps out of conceit.
Whatever the case, I sincerely hope they come to their senses before it is too late.
In my revised capacity at my current job, I’ve been handling a lot of
security issues: hardening of systems, software, and processes. I’ve
also been studying for the Security+ certification, so needless to say,
security has been at the top of my mind the last 5 months, and I wish it
would be at least a little closer to the tops of the general public’s
mind.
I’m going to start a new series of blog posts here called Practical
Security in which I will pass on some of the more relevant best
practices relating to the typical internet user, in hopes of helping to
raise awareness amongst anyone who happens to read this blog. (Yes, all
4 of you).
Using Email on Public Wifi
(and the high level of risks therein)
Question:
How often do you stop at a coffee shop to check your email with your
laptop, or leech that open ‘linksys’ network while sitting at a traffic
light with your PDA to shoot off a quick note to your boss? OK, maybe
I’m the only one who does that at traffic lights, but you get my point.
If you have a portable device that can access the Internet, my guess is
that your answer is “quite often”.
Question:
How many of you have configured your email to use some sort of
encryption? (Cue the crickets chirping).
As this excellent StopDesign article explains:
What you may not realize is how easy these low security settings
allow someone else on the same network to spy on the data passing around
on that network. Just because you’re the only person who can see your
laptop screen, doesn’t necessarily mean you’re the only one who can see
the email message you just got from a friend. Just as easily as someone
could sit near you in a quiet cafe or library and overhear your entire
verbal conversation with another person, so could they “listen in” on
all the usernames, passwords, and messages passing to and from your
computer. (And everyone else’s computer for that matter.)
Kinda scary, huh? If you think about it, once they have your email
account password, it’s not too hard to go to your bank and generate a
“lost password” request, which will get sent to your email address,
which they now have control of. Or they might simply decide to send a
breakup letter to your boyfriend on your behalf if they are not feeling
so malicious. Or maybe they thought it would be funny to email your
boss and tell him how good he looks when he gets out of the shower.
By default, email is not secure!
Yes, this includes you, Mac user. Yes, this includes you, Gmail/Yahoo/Hotmail/AOL user.
Make sure your email is on a secure connection!
The Lowdown
If you use a webmail service such as Hotmail, Yahoo Mail, Gmail, or the
like, make sure your web browser (Internet Explorer, Safari, Firefox,
etc) is in “secure” mode by looking for the lock icon. Alternately (or
additionally), look at the address bar of your web browser to make sure
the address showing starts with https and not just http.
If you use Outlook, Outlook Express, Thunderbird, Mac Mail, or any other
‘program’ on your computer to manage your email, there are ways to set
up these applications to run only on secure connections using SSL, TLS,
SSH, and other methods. You may need to consult your local IT guru or
read the rest of the StopDesign article, or this well-written article entitled “5 Steps to Make Your Email Secure”.
Whatever you do, stop checking your email at Starbucks unless you know
it is secure!
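For the mail programs mentioned above, the connection security setting can be read straight out of the client's configuration. This is an added example, not part of the original post: it assumes Thunderbird's `prefs.js` layout, where incoming servers store `socketType` and outgoing servers store `try_ssl` (0 = none, 1 = STARTTLS if available, 2 = STARTTLS, 3 = SSL/TLS), and treats a missing value as 0. The sample preferences are constructed.

```python
# Added example (not from the original post): list Thunderbird accounts
# whose connection security lets the password cross the network unencrypted.
import re

PREF = re.compile(
    r'user_pref\("(mail\.(?:server|smtpserver)\.[^."]+)\.([^"]+)",\s*(.+?)\);'
)
SECURITY = {0: "cleartext", 1: "opportunistic STARTTLS",
            2: "STARTTLS", 3: "SSL/TLS"}

def load_accounts(prefs_text):
    """Group prefs by account branch, e.g. 'mail.server.server1'."""
    accounts = {}
    for branch, name, raw in PREF.findall(prefs_text):
        accounts.setdefault(branch, {})[name] = raw.strip().strip('"')
    return accounts

def insecure_accounts(prefs_text):
    """Return (branch, hostname, mode) for each account not forcing TLS."""
    flagged = []
    for branch, prefs in sorted(load_accounts(prefs_text).items()):
        if "hostname" not in prefs or prefs.get("type") == "none":
            continue  # "Local Folders" never touches the network
        key = "try_ssl" if branch.startswith("mail.smtpserver") else "socketType"
        mode = int(prefs.get(key, 0))  # assumption: absent means 0 (none)
        if mode in (0, 1):  # mode 1 can be downgraded to cleartext
            flagged.append((branch, prefs["hostname"], SECURITY[mode]))
    return flagged

# Constructed sample: one cleartext POP3 account, one IMAP over SSL/TLS,
# the Local Folders pseudo-account, and an SMTP server using STARTTLS.
SAMPLE_PREFS = """
user_pref("mail.server.server1.hostname", "pop.example.com");
user_pref("mail.server.server1.type", "pop3");
user_pref("mail.server.server1.port", 110);
user_pref("mail.server.server1.socketType", 0);
user_pref("mail.server.server2.hostname", "imap.example.org");
user_pref("mail.server.server2.type", "imap");
user_pref("mail.server.server2.socketType", 3);
user_pref("mail.server.server3.hostname", "Local Folders");
user_pref("mail.server.server3.type", "none");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.example.com");
user_pref("mail.smtpserver.smtp1.try_ssl", 2);
"""

if __name__ == "__main__":
    for branch, host, mode in insecure_accounts(SAMPLE_PREFS):
        print(f"{branch}: {host} uses {mode}")
```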