Saturday, August 21, 2010

KeePass

So, I've finally had some time to take a look at a few of the tools I learned about in the past few weeks of school, and one that even the home user can benefit from is called KeePass. Basically it is an application that can store all of your passwords (securely) for all of your applications, websites, etc...

A couple of features that I found handy were the ability to create a random password, and the ability to copy the password to your clipboard. KeePass has a feature that will create a pseudo-random password, which you can save for any of your applications so you don't have to remember it. It also has the ability to copy that password to your clipboard so you can just paste it into the login field of your particular application. There's a catch though. It only keeps the password stored in your clipboard for a few seconds, then wipes it. This is a good thing, as I'm sure I'm not the only one guilty of requesting a password reset from a web site, getting the email, and copying and pasting the new password into my login field. The problem with this? Well, the clipboard is just a small memory space that stores things until they get overwritten. So if the last thing you've copied to your clipboard is your banking password and I have access to your computer (by any means), I can grab it either from memory or, if I have physical access, just hit ctrl-v.

...and if you're paranoid like me, you can run KeePass from an encrypted thumb drive using TrueCrypt, so your passwords will never be on your computer; and if you lose your thumb drive, well, you've lost your passwords, but a bad guy won't be able to recover the encrypted data -- at least not in our lifetime.

Check out KeePass here:
KeePass

Cross-Site Request Forgery, huh?

WTF does that mean? Well, it's kinda tricky to explain, but it's pretty frightening. Basically, as server and application security has improved over the past few years, the bad guys have begun changing their means of attack. Now that the apps and servers are more protected, they move to the weakest link: the desktop and the browser. Instead of exploiting your trust in a bank's website, it exploits the bank website's trust in your browser.

Imagine you're logged into your banking site, and surfing Facebook or your favorite blog. A bad guy can post a malicious link (even embed it in an image so you never even see it) that counts on the fact that your banking site has already authenticated you. That malicious link or image sends a request to your banking site on your behalf that transfers some ungodly amount of money to some guy in Nigeria. You don't even see it happen. Your bank isn't alerted because you were logged in successfully, and you've just lost your money. While the stars may have to align for a bad guy to be able to exploit this, it is still listed in OWASP's Top Ten Vulnerabilities.

Is there a fix? Kinda. The easy fix is just to make sure that you don't surf to pages that you don't fully trust while logged into a sensitive site. If you're paranoid like me, you can use completely separate browsers for "surfing" and banking.
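To make the "bank trusts your browser" idea concrete, here is an added example (my own illustration, not code from KeePass, OWASP or any real bank) that models the scenario above in a few dozen lines of Python with no network at all. Requests are plain dicts; `Bank`, `BANK_ORIGIN`, the account names and the amounts are all constructed for the demo. The insecure handler does exactly what the post describes: it checks only the session cookie, so a cross-site page that gets the browser to submit a transfer form wins. The hardened handler is the server-side fix a developer would apply: it also requires a per-session anti-CSRF token that only the bank's own pages can embed (a third-party page cannot read it across origins) and rejects posts whose `Origin` header is not the bank's.

```python
"""Minimal model of CSRF: a transfer handler that trusts the session cookie
alone, beside one that also demands an anti-CSRF token and a matching Origin.
All names, origins and balances below are constructed for the demo."""
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"   # hypothetical bank site


class Bank:
    def __init__(self):
        self.balances = {"alice": 1000, "mallory": 0}   # constructed accounts
        self.sessions = {}      # session cookie value -> username
        self.csrf_tokens = {}   # session cookie value -> anti-CSRF token

    def login(self, user):
        """Simulates a successful login; returns the session cookie value."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token_for(self, sid):
        """Token the bank embeds in its own transfer form; other sites cannot read it."""
        return self.csrf_tokens[sid]

    def _apply(self, user, form):
        amount = int(form["amount"])
        to = form["to"]
        if amount <= 0 or self.balances.get(user, 0) < amount:
            return 400, "bad amount"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return 200, "transferred"

    def transfer_insecure(self, request):
        """Trusts the cookie alone: whoever makes the browser submit here succeeds."""
        user = self.sessions.get(request["cookies"].get("session"))
        if user is None:
            return 401, "not logged in"
        return self._apply(user, request["form"])

    def transfer_secure(self, request):
        """Cookie + Origin check + synchronizer token (constant-time compare)."""
        sid = request["cookies"].get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401, "not logged in"
        # Browsers attach Origin to cross-site form posts; page content cannot override it.
        origin = request["headers"].get("Origin")
        if origin is not None and origin != BANK_ORIGIN:
            return 403, "cross-site request rejected"
        token = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, self.csrf_tokens[sid]):
            return 403, "missing or invalid anti-CSRF token"
        return self._apply(user, request["form"])


def forged_request(sid):
    """What the browser sends when a third-party page auto-submits a form to the
    bank: the session cookie rides along, Origin is the other site, no token."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://evil.example"},   # constructed
        "form": {"to": "mallory", "amount": "900"},
    }


def legitimate_request(bank, sid):
    """A post from the bank's own form: same origin, token included."""
    return {
        "cookies": {"session": sid},
        "headers": {"Origin": BANK_ORIGIN},
        "form": {"to": "mallory", "amount": "50", "csrf_token": bank.csrf_token_for(sid)},
    }


def demo():
    """Runs both handlers against the forged request and returns the outcomes."""
    results = {}
    bank = Bank()
    sid = bank.login("alice")
    results["forged_vs_insecure"] = bank.transfer_insecure(forged_request(sid))[0]
    results["alice_after_insecure"] = bank.balances["alice"]
    bank = Bank()
    sid = bank.login("alice")
    results["forged_vs_secure"] = bank.transfer_secure(forged_request(sid))[0]
    results["legit_vs_secure"] = bank.transfer_secure(legitimate_request(bank, sid))[0]
    results["alice_after_secure"] = bank.balances["alice"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the forged request draining alice's balance through the insecure handler and being refused (403) by the hardened one, while the bank's own form still goes through. The separate-browser habit from the post works for the same reason the token does: the cross-site page never gets hold of the thing the bank uses to tell your deliberate request from a forged one.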