My feeble attempt at keeping track of what is going on in the ever-expanding world of Computer Security -- trying to make it worthwhile reading for someone who doesn't stare at bits all day.
Friday, November 19, 2010
McAfee's 12 scams of Christmas
While my McAfee software has been pissing me off lately to the point of wanting to throw it through a window, I still think their 12 Scams of Christmas is a good warning to all users of the Interwebs. Remember, if it's free now, you'll pay for it later, maybe with the loss of your personal info.
PortKnocking
It's been a while since I've posted -- been busy with school.
A coworker mentioned something called port knocking and it sounded pretty interesting, so I did a little digging. Check out this link for an in-depth description. Basically, it's a way to make your computer even more secure, sort of like adding a combination lock to your firewall. While not recommended for everyday users, it's an interesting concept. You start by configuring iptables to drop all incoming packets. Then you add rules (through a knock daemon such as knockd, or the iptables `recent` module) that say something like "If I see connection attempts from the same source on ports 1024, 1025 and then 1026, in that order and within a few seconds of each other, then allow SSH connections from that source." You can then ssh into your machine. When you're finished, a second sequence, say 1026, 1025, then 1024, removes that rule and port 22 drops packets again. The knock ports themselves never open; the firewall only watches for the attempts. Done. Pretty nifty. One caveat: the knock sequence travels in the clear, so anyone sniffing your traffic can replay it. Treat it as a way to hide sshd from scanners, not as a replacement for key-based login and a patched sshd.
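As an added example (not code from the linked article or from any knock daemon), here is the logic a knock daemon applies to the sequences above, written out as a small state machine: per-source progress through the open and close sequences, a time window between knocks, and a reset on an out-of-order knock. The port numbers, the 30-second window and the sample traffic are assumptions chosen for illustration.

```python
"""Port-knocking state machine (added example, not from the linked article).
Models what knockd or an iptables `recent` rule chain does with the two
sequences above. Ports, the 30-second window and the traffic are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

OPEN_SEQUENCE = (1024, 1025, 1026)   # knock in this order to open port 22
CLOSE_SEQUENCE = (1026, 1025, 1024)  # knock in this order to close it again
KNOCK_WINDOW = 30.0                  # max seconds between consecutive knocks
SSH_PORT = 22


@dataclass
class KnockFirewall:
    """Default policy is DROP. `allowed` holds sources that completed the open
    sequence and therefore have a temporary ACCEPT rule for port 22."""
    allowed: set[str] = field(default_factory=set)
    # per source: (knocks matched so far, timestamp of the last knock)
    progress: dict[str, tuple[list[int], float]] = field(default_factory=dict)

    def packet(self, ts: float, src: str, dport: int) -> bool:
        """Handle one inbound SYN; return True if the firewall would ACCEPT it."""
        if dport == SSH_PORT:
            return src in self.allowed
        self._knock(ts, src, dport)
        return False  # knock ports are never open; the attempt is only observed

    def _knock(self, ts: float, src: str, port: int) -> None:
        seen, last = self.progress.get(src, ([], ts))
        if ts - last > KNOCK_WINDOW:
            seen = []  # too slow: the sequence starts over
        seen = seen + [port]
        # Keep the longest tail that is still a prefix of one of the sequences,
        # so a stray or out-of-order knock resets without losing a valid restart.
        while seen and not any(
            tuple(seen) == seq[: len(seen)] for seq in (OPEN_SEQUENCE, CLOSE_SEQUENCE)
        ):
            seen = seen[1:]
        if tuple(seen) == OPEN_SEQUENCE:
            self.allowed.add(src)
            seen = []
        elif tuple(seen) == CLOSE_SEQUENCE:
            self.allowed.discard(src)
            seen = []
        self.progress[src] = (seen, ts)


def replay(events: list[tuple[float, str, int]]) -> list[tuple[float, str, int, bool]]:
    """Run (timestamp, source, destination port) events through a fresh firewall
    and return each one tagged with the ACCEPT/DROP decision."""
    fw = KnockFirewall()
    return [(ts, src, dport, fw.packet(ts, src, dport)) for ts, src, dport in events]


# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    (0.0, "203.0.113.7", 22),       # SSH before knocking: dropped
    (1.0, "203.0.113.7", 1024),
    (2.0, "203.0.113.7", 1025),
    (3.0, "203.0.113.7", 1026),     # open sequence complete
    (4.0, "203.0.113.7", 22),       # accepted
    (4.5, "198.51.100.9", 22),      # other source: still dropped
    (5.0, "198.51.100.9", 1024),
    (6.0, "198.51.100.9", 1026),    # wrong order: progress resets
    (7.0, "198.51.100.9", 22),      # dropped
    (8.0, "203.0.113.7", 1026),
    (9.0, "203.0.113.7", 1025),
    (10.0, "203.0.113.7", 1024),    # close sequence complete
    (11.0, "203.0.113.7", 22),      # dropped again
    (100.0, "198.51.100.9", 1024),
    (140.0, "198.51.100.9", 1025),  # 40 s later: window expired, restart
    (141.0, "198.51.100.9", 1026),
    (142.0, "198.51.100.9", 22),    # never opened: dropped
]

if __name__ == "__main__":
    for ts, src, dport, ok in replay(SAMPLE):
        print(f"t={ts:6.1f}  {src:<14} -> :{dport:<5} {'ACCEPT' if ok else 'DROP'}")
```

Only one SSH attempt in the sample gets through: the one from 203.0.113.7 right after it finished the open sequence. Everything else, including the second source's out-of-order and too-slow attempts, is dropped.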
Saturday, August 21, 2010
KeePass
So, I've finally had some time to take a look at a few of the tools I learned about in the past few weeks of school, and one that even the home user can benefit from is called KeePass. Basically it is an application that stores all of your passwords (in an encrypted database) for all of your applications, websites, etc.
A couple of features that I found handy were the ability to create a random password, and the ability to copy the password to your clipboard. KeePass can generate a pseudo-random password, which you save for any of your applications so you don't have to remember it. It can also copy that password to your clipboard so you can just paste it into the login field of your particular application. There's a catch though: it only keeps the password in your clipboard for a few seconds, then wipes it. This is a good thing, as I'm sure I'm not the only one guilty of requesting a password reset from a web site, getting the email, and copying and pasting the new password into my login field. The problem with this? Well, the clipboard is just a small memory space that holds whatever you copied until it gets overwritten. So if the last thing you've copied to your clipboard is your banking password and I have access to your computer (by any means), I can grab it either from memory or, if I have physical access, just hit Ctrl-V.
...and if you're paranoid like me, you can run KeePass from an encrypted thumb drive using TrueCrypt, so your passwords will never be on your computer; and if you lose your thumb drive, well, you've lost your passwords, but a bad guy won't be able to recover the encrypted data -- at least not in our lifetime.
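As an added example (not KeePass's own code), here are the two behaviours described above reduced to their core: a generator that draws each character from the operating system's CSPRNG, and a stand-in for the clipboard that forgets its contents after a timeout. The character set, the 20-character length and the 12-second timeout are assumptions chosen for illustration.

```python
"""Added example, not KeePass code: CSPRNG password generation and a clipboard
stand-in that wipes itself after a timeout. Alphabet, length and the 12-second
timeout are assumptions for illustration."""
from __future__ import annotations

import math
import secrets
import string
import time
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """One uniform CSPRNG draw per character. `secrets`, not `random`: the
    Mersenne Twister behind `random` can be reconstructed from its outputs."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work, in bits, for a password drawn uniformly from alphabet**length."""
    return length * math.log2(len(alphabet))


class ClearingClipboard:
    """Models the manager's auto-clear: whatever was copied is forgotten after
    `ttl` seconds. The real clipboard is plain shared memory that any process
    on the box can read and that the next Ctrl-V will paste anywhere, which is
    why the manager overwrites it rather than leaving a password there."""

    def __init__(self, ttl: float = 12.0, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self._clock = clock          # injectable so the timeout can be tested
        self._content: Optional[str] = None
        self._expires = 0.0

    def copy(self, text: str) -> None:
        self._content = text
        self._expires = self._clock() + self.ttl

    def paste(self) -> Optional[str]:
        """Current contents, or None once the timeout has passed (wiping them)."""
        if self._content is not None and self._clock() >= self._expires:
            self._content = None
        return self._content


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw}  ({entropy_bits(len(pw)):.0f} bits of entropy)")
    clip = ClearingClipboard(ttl=2.0)
    clip.copy(pw)
    print("paste now:  ", clip.paste())
    time.sleep(2.1)
    print("paste later:", clip.paste())   # None: the clipboard has been wiped
```

A 20-character password from a 94-symbol alphabet carries about 131 bits of entropy, far beyond anything a guessing attack can cover; the point of the manager is that you never have to remember it, and the point of the auto-clear is that it does not linger where the next paste or the next process can pick it up.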
Check out KeePass here:
KeePass
Cross-Site Request Forgery, huh?
WTF does that mean? Well, it's kinda tricky to explain, but it's pretty frightening. Basically, as server and application security has improved over the past few years, the bad guys have begun changing their means of attack. Now that the apps and servers are more protected, they move to the weakest link: the desktop and the browser. Instead of exploiting your trust in a bank's website, it exploits the bank website's trust in your browser.
Imagine you're logged into your banking site and surfing Facebook or your favorite blog. A bad guy can post a malicious link (or embed it in an image tag, so you never even see it) that counts on the fact that your banking site has already authenticated you. When your browser fetches that link or image, it sends a request to your banking site on your behalf, session cookie and all, that transfers some ungodly amount of money to some guy in Nigeria. You don't even see it happen. Your bank can't tell the forged request from one you made yourself, because both arrive with your valid session cookie, and you've just lost your money. While the stars may have to align for a bad guy to be able to exploit this, it is still listed in OWASP's Top Ten vulnerabilities.
Is there a fix? Kinda. The real fix belongs to the site: every request that changes something (like a transfer) has to carry a secret token that only the bank's own pages know, so a request forged from another site, which can't read that token, gets rejected. On your end, the easy fix is just to make sure that you don't surf to pages that you don't fully trust while logged into a sensitive site, and to log out when you're done. If you're paranoid like me, you can use completely separate browsers for "surfing" and banking.
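As an added example (not the post's code, and not any real bank's), here is a toy "transfer money" endpoint in two versions: one that trusts the session cookie alone, which is exactly the hole described above, and one that also demands a per-session anti-CSRF token and checks the browser-supplied Origin header. The cookie name, account names, origins and amounts are assumptions for illustration.

```python
"""Added example, not the post's or any bank's code: a toy transfer endpoint,
first trusting the session cookie alone (CSRF-vulnerable), then hardened with a
per-session anti-CSRF token. Names, origins and amounts are assumptions."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """The parts of an HTTP request the handler looks at."""
    cookies: dict[str, str]
    form: dict[str, str]
    headers: dict[str, str] = field(default_factory=dict)


class Bank:
    ORIGIN = "https://bank.example"

    def __init__(self, enforce_csrf: bool):
        self.enforce_csrf = enforce_csrf
        self.sessions = {"sess-abc123": "alice"}   # session cookie -> user
        self.balances = {"alice": 1000, "mallory": 0}
        self.csrf_tokens: dict[str, str] = {}      # session cookie -> token

    def render_transfer_form(self, req: Request) -> str:
        """The bank's own transfer page embeds a fresh token in a hidden field.
        The same-origin policy stops another site from reading this page, so a
        forged request cannot carry the token."""
        token = secrets.token_urlsafe(32)
        self.csrf_tokens[req.cookies.get("session", "")] = token
        return token

    def transfer(self, req: Request) -> str:
        user = self.sessions.get(req.cookies.get("session", ""))
        if user is None:
            return "401 not logged in"
        if self.enforce_csrf:
            expected = self.csrf_tokens.get(req.cookies.get("session", ""), "")
            supplied = req.form.get("csrf_token", "")
            # constant-time compare so the token can't be guessed byte by byte
            if not expected or not hmac.compare_digest(expected, supplied):
                return "403 csrf token missing or wrong"
            # Second layer: browsers set Origin on cross-site POSTs and a page
            # cannot forge it. Older clients may omit it, hence the None check.
            origin = req.headers.get("Origin")
            if origin is not None and origin != self.ORIGIN:
                return "403 cross-origin request"
        to, amount = req.form["to"], int(req.form["amount"])
        if self.balances.get(user, 0) < amount:
            return "400 insufficient funds"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return f"200 moved {amount} from {user} to {to}"


VICTIM_COOKIES = {"session": "sess-abc123"}   # alice is logged in


def forged_request() -> Request:
    """What a hidden, auto-submitting form on evil.example produces: the browser
    attaches alice's bank cookie, but the attacker never saw the bank's page."""
    return Request(cookies=VICTIM_COOKIES, form={"to": "mallory", "amount": "900"},
                   headers={"Origin": "https://evil.example"})


def legitimate_request(bank: Bank) -> Request:
    """Alice uses the bank's own form, so her request carries the token."""
    token = bank.render_transfer_form(Request(cookies=VICTIM_COOKIES, form={}))
    return Request(cookies=VICTIM_COOKIES,
                   form={"to": "bob", "amount": "50", "csrf_token": token},
                   headers={"Origin": Bank.ORIGIN})


def run_scenarios() -> dict[str, object]:
    vulnerable, hardened = Bank(enforce_csrf=False), Bank(enforce_csrf=True)
    return {
        "forged_vs_vulnerable": vulnerable.transfer(forged_request()),
        "forged_vs_hardened": hardened.transfer(forged_request()),
        "legit_vs_hardened": hardened.transfer(legitimate_request(hardened)),
        "alice_after_vulnerable": vulnerable.balances["alice"],
        "alice_after_hardened": hardened.balances["alice"],
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} {result}")
```

Against the vulnerable bank the forged request drains 900 from alice's account; against the hardened one it is refused before any money moves, while alice's own request from the bank's form still works. Modern browsers add a further layer with SameSite cookies, which keep the session cookie off cross-site requests in the first place, but the token check is the part the site itself controls.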
Saturday, July 31, 2010
Hacking smartphones
In this article on NetworkWorld, the author speaks about the ever-growing field of smartphone hacking. Android is specifically mentioned, but I would assume all smartphones are open to attack. The latest developments were brought to light at this year's DEFCON conference, and the article describes how a bad guy can own your phone and send everything stored on it anywhere they want.
The fix?
As usual, just be careful what you download. Is it a free wallpaper app, or a free ringtone? Chances are, if it's free, it's gonna cost you in the long run.
Monday, July 26, 2010
Facebook launches security page
According to this article, Facebook has launched a new safety page. The article states that this page is dedicated to staying safe on the Internet, and asks if it "is enough?" Of course it's not enough, but it's a good addition to practicing safe 'Interwebbing.' The Facebook page has links to organizations that can help parents keep their children (and themselves) a little safer online, such as Childnet International, the National PTA, and Wired Safety.
Thursday, July 22, 2010
Home routers hackable
In this article a security researcher has been working on hacking home routers, and says millions are susceptible. The researcher will be speaking at the upcoming Black Hat conference, and I'll be interested in the details, especially as I'm a customer of Verizon (specifically mentioned in the article). I'm assuming this is only possible if the router is externally accessible.
Monday, July 19, 2010
Secure Passwords
In this article, the author discusses techniques to create more secure passwords. For those of us who have had a Gmail or Facebook account hacked (myself included), it may be time to think about a way of creating more secure passwords. There are even tools available, such as KeePass, to store all of your passwords. This way we don't feel the need to use the same password for multiple sites.
The author states that one of the major issues with user passwords is their simplicity. While I agree that this is a major problem, I think the largest problem is that of using the same password for multiple sites. Think of what would happen if you used the same password for Gmail, eBay, Facebook, and your banking site. If your Gmail account is hacked, the bad guy can surf through your email, find out what bank you're a member of (you get email notifications from your bank, right?), and it's all downhill from there.
Saturday, July 10, 2010
A Q&A discussion on "secure Browser connection" warnings
Check out this article for a simple explanation of what it means when you get the "There is a problem with this site's security certificate" browser warning.
It's usually just a hostname mismatch: the certificate was issued for one name (say example.com) and you reached the site under another (www.example.com), or the other way round. But the very same warning is what you'd see if someone were sitting between you and the site with a certificate they minted themselves, so don't click through it on a site where you're about to type a password. As always, just be wary of who/which companies you trust online.
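As an added example (not from the Q&A article), here is the name check a browser runs before it trusts a certificate for the host you typed, boiled down to the RFC 6125 rules, so the "missing www" warning is easy to reproduce. The certificate names below are constructed. A self-signed or untrusted certificate fails a different check (the chain to a trusted root), which this example leaves out.

```python
"""Added example, not from the linked Q&A: certificate hostname matching per the
RFC 6125 rules browsers follow. The subjectAltName lists below are constructed."""
from __future__ import annotations


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one certificate name (a SAN dNSName) cover `hostname`?"""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False
    if "*" not in cert_name:
        return cert_name == hostname
    pattern, host = cert_name.split("."), hostname.split(".")
    # A wildcard must be the entire left-most label and must have at least two
    # labels after it ('*.com' is rejected).
    if pattern[0] != "*" or any("*" in p for p in pattern[1:]) or len(pattern) < 3:
        return False
    # '*' stands for exactly one label: '*.example.com' covers www.example.com
    # but neither example.com nor a.b.example.com.
    return len(pattern) == len(host) and pattern[1:] == host[1:]


def check_certificate(subject_alt_names: list[str], hostname: str) -> tuple[bool, str]:
    """Browsers consult the subjectAltName list; a CN alone is ignored by modern ones."""
    for name in subject_alt_names:
        if name_matches(name, hostname):
            return True, f"{hostname} matched {name}"
    return False, f"{hostname} is not covered by {subject_alt_names}"


# Constructed cases; the first is the classic warning from the post.
CASES = [
    (["example.com"], "www.example.com"),
    (["example.com", "www.example.com"], "www.example.com"),
    (["*.example.com"], "www.example.com"),
    (["*.example.com"], "example.com"),
    (["*.example.com"], "a.b.example.com"),
    (["*.com"], "example.com"),
]

if __name__ == "__main__":
    for sans, host in CASES:
        ok, why = check_certificate(sans, host)
        print("OK  " if ok else "WARN", why)
```

The first case is the warning the post describes: a certificate for example.com alone does not cover www.example.com, and a correctly issued certificate lists both. In real Python code you never call a matcher like this yourself; `ssl.create_default_context()` makes OpenSSL perform the name check (the old `ssl.match_hostname` helper was removed in Python 3.12).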
Friday, July 9, 2010
Yet another phishing technique
In this article the FBI is warning users that bad guys are cracking the usernames and passwords of web-based email accounts and spamming the user's contact list with a sob story about being stuck in a foreign country with no money. This is similar to an attack on an Iowa Senator's email account earlier this week.
I'm sure it goes without saying for most of us that if you get an unsolicited email from anyone requesting money, it's most likely a phishing scheme. But these scammers are obviously on to something because it seems to keep working for them. Otherwise, they would have quit long ago. Warn your friends, warn your parents, who may not be Intarwebs savvy. Do not, under any circumstances, send money to anyone, without knowing who you are sending it to.
Wednesday, July 7, 2010
Tired of having to remove spam from your Facebook page?
According to this NY Times article, Websense, a well-known web-filtering company, is offering a beta version of a program to help track and quarantine spam, scams, phishing, and 'questionable' content from your Facebook account. While it is still in beta, it is free for all to use. Once the beta release is retired, it will be a pay service, but only if you're a corporation or a celeb. I'll definitely be giving this program a try.
Based on the article, all you have to do is go to Defensio's web site while logged into your Facebook account, click on sign up, then click the big Facebook icon (or you can just do a search for Defensio on Facebook, then click on go to application).
This will take you to Defensio's Facebook page, where you'll enter your email address, then you can configure your settings. I highly recommend this to all you parents out there whose kids are on Facebook. You can block things from simple profanity to porn. Keep Facebook safe for your kids.
Tuesday, July 6, 2010
What the hell is Tabnapping?
It's one of the newer techniques employed by phishers. According to this article, a web page you've opened can quietly rewrite itself while its tab sits inactive in your browser. It works like this:
1. You log on to Hotmail, Gmail, or Facebook, and receive what you believe to be a legitimate message with a link in it.
2. You rejoice at the fact that you can open this link in a new tab, without having to spawn a new browser window, so you right-click (or something else for you Mac users) and select "Open in new tab."
3. The web page reads which site you came from (the Referer header your browser sent along with the click, for example): Hotmail, Gmail, etc.
4. You glance at the page, then go back to your mail or move on to something else. While that tab sits in the background, malicious JavaScript on the page notices it has lost focus and rewrites its own title, favicon and contents to look like the login page of the site you came from. The address bar still says something like http://amazon.evil.com, but nobody rereads the address bar of a tab they opened minutes ago.
5. Later you click through your tabs, see what looks like your login page, and think "Oh, my session must have just timed out."
6. You log in, and kiss your account username and password goodbye.
Man those bad guys are sneaky...
Monday, July 5, 2010
US leads in Cyber Attack Traffic
Softpedia Cyber Attack study
U...S...A... U...S...A...
I call BS! This study is based solely on originating IP. While it may be true that US PCs are the majority of the hardware behind the attack, it does not take into account the number of zombies or bots. So sure, according to this article, US PCs may be responsible for the majority of attacks, but that does not mean US citizens are responsible for the majority of attacks. Of course we also have almost 6 TIMES the number of IPs as any other country. This is just like saying Windows is less secure than Mac just because the majority of attacks are against Windows machines. Correlation does not always equal causation.
We are also responsible, according to some, for the majority of spam. However, according to a different site we aren't even on the Top 10 list of spammers.
I swear IT studies are turning into something akin to ranking the Top 10 rock bands of all time -- Less objective, more subjective. The facts are, PCs in all countries are responsible for vast numbers of Cyber-attacks, as well as spam, but the US is always an easy target seeing as we (Al Gore) spawned the Internet Revolution.
U...S...A... U...S...A
Sunday, July 4, 2010
Bank of Glen Burnie Phishing scheme
Local story from Maryland
For those of you who don't know what a phishing scheme is, check the definition here:
What is phishing
Beware of emails with embedded links. They're usually bad news -- Especially if they ask for personal information.
Bank of Glen Burnie phishing scheme
iTunes accounts being hacked
Do you use iTunes? Might want to check your account. It seems some folks have had their accounts hacked -- mostly people that have debit card information saved in the iTunes app itself.
iTunes accounts hacked.
Saturday, July 3, 2010
Watch out you Farmville freaks
Luckily I found the setting to disable getting Farmville updates, and generally I think the people who play Farmville non-stop are crazy. However, no one deserves to be hacked simply for having an addiction. So all of you Farmville crazies, be careful which gifts you accept.
Farmville scam