Showing posts with the label security

Is LastPass and other software secure?

With the recent security scare with LastPass, some may fear that it's less secure than RoboForm or other password managers. In fact, though, we have no evidence that indicates it's less secure. Even if data is compromised, it still doesn't mean it was less secure -- it just indicates that it was the target of an attack. Every time we install software on our computers, we're making an assumption that the software is secure. Unfortunately we can never know if software is truly secure; we only know of reports that indicate software has been tested and no security issues have been detected. So the real decision on security should not be one based on security tests. Rather you need to ask these questions. Is it in the company's best interest to take security seriously and devote resources to it (and have they)? What's the likelihood that they would be a target of attacks? If attacked, are they prepared to respond? Take for example Microsoft Windows vs. Apple OSX. With the ma

Free Anti-virus Software

I hope you're all using anti-virus software, and are having it self-update. I want to give a plug to Avast! Free Antivirus. I've been a user of Avast! for years, and have never gotten a virus on any of my computers. There has been the occasional trapping of a virus, but Avast! has stopped them all. If you're looking for a good, reliable, and free anti-virus software, I would recommend Avast!.

How Safe Is Your Data?

Yesterday I worked on a project where I needed to export many of our company contacts. I also expect to be out on medical leave soon, and suspect that there may be a need for someone else to access my computer while I'm away. This made me think about how secure my sensitive data is -- whether my own or the company's. After reviewing my files, it turns out I've been a bit sloppy -- there were definitely some files on my hard drive from which customer data could be harvested if my laptop was stolen. Mind you it would take some effort, but all the same, the data was accessible. So, I moved those files to my TrueCrypt volume or I deleted them. As you may recall from a March 2008 blog post, TrueCrypt is a free open-source software that you can run on your computer to provide encryption for your files. The nice thing about TrueCrypt is that the encrypted volume looks and feels just like another hard drive -- anyone can use it. The other security practice I was already using was keeping m

New "Cookies" and your Privacy

On Monday this week (Sep 14, 2009), the Electronic Frontier Foundation (EFF) released the first article of a three-part series on how we're being tracked on the web today. After a review of cookie technology as originally designed, the EFF article discusses new forms of cookies. The article is rich with links to more detailed sources. What I would consider the most concerning of technologies is the use of Adobe Flash cookies. Unlike the traditional browser cookie, there is no easy way to delete cookies that are stored by websites using Flash as their storage mechanism (more on this below). I'll also add that all the new "Privacy Browsing" features in the current release of browsers apparently do not always clear all your tracks. If you found this feature helpful in your web browsing, it's worth digging deeper into the limitations, and not taking the vendor's claim of privacy without investigating yourself. I'm not anti-cookie. In fact I think it's extremely impor

Word, "This file contains macros with an expired..."

I started getting this error message when I opened Word, "This file contains macros with an expired or revoked signature." In my case, this was due to a Global Template Add-in that had an expired certificate. Word behaves differently depending on the Macro Security level.

- Very High: You only get a message that macros are disabled for this project.
- High: You get an initial error message of "This file contains macros with an expired or revoked signature," before the prompt of macros being disabled.
- Medium: You get the option to Disable or Enable the specific macro. This dialog box will also provide some clues as to the source of the problem.
- Low: No warning or disabling of any macros.

To change the Macro Security, go to Tools >> Macro >> Security... With an expired certificate, if you still want to use the macro or template, you need to set the Macro Security to either Medium or Low. A Low setting can open you up for other problems, while Medium require

Botnets and their interworkings

Ars Technica has posted an article about a recent University of California Santa Barbara paper on findings after hijacking the Torpig botnet for 10 days. The headline is 56,000 passwords in an hour. The botnet (research) users were also able to gather 70GB of data. The goal of this particular botnet (and probably most of them) is to gather financial information. "In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions..." Concerned that you may be a target? "The researchers concluded that victims of botnets are usually those with poorly maintained machines and who choose 'easily guessable' passwords." I've posted many blogs on how to improve your security. Some of the basics I know people are still not getting include an up-to-date virus scanner. Those bundled, out-of-date virus scanners from McAfee and Norton have misled many consumers. This does not have to be difficult! Go to Avast and get their free

SSL Inventor Taher Elgamal Interview

Vivian Yeo of CNet has published a great interview with Taher Elgamal, the inventor of SSL and recent winner of the RSA Conference Lifetime Achievement Award. Mr. Taher responds to these subjects:

- SSL man-in-the-middle attacks and the ability to intercept session cookies
- Logging into sites that have expired SSL certificates
- How do browser makers keep users and protect them?
- How different do you think SSL would be if it had been invented in the current security landscape?
- What are you most dissatisfied about in the current security landscape?

Mr. Taher also points out, "The biggest issue with Internet security today is that there are databases with a lot of important info that are available from the Internet, from the outside." I tend to agree as we hear many stories of database break-ins from stolen laptops, to guessed passwords, to poor network security. Head over to CNet and read this article for yourself.

Add an extra layer of security for Win XP users

Long-time readers of my blog know that I am not very fond of Internet Explorer and Outlook Express because of their security vulnerabilities. Due to that, I switched a long time ago to Firefox and Thunderbird. Unfortunately due to my job, I find myself having to use Internet Explorer more and more. We have a 3rd-party application that we access over the Internet that requires Internet Explorer. In addition, I do our web development, which requires that I test everything in Internet Explorer. Also, I have assumed responsibilities for the Webmaster role for the Cascade Blues Association (CBA), which again requires testing in Internet Explorer. It also added another email account to monitor. In order to keep the CBA account separate from my personal and work email accounts, I decided to re-load Outlook Express. So back to my point. Most users, including me, run Windows XP with Administrative privileges. For most folks it's due to not knowing any better or not knowing how to change. Fo

Another Internet Explorer vulnerability has experts recommending you switch browsers

The BBC and other news outlets reported yesterday on the latest security vulnerabilities within Microsoft's Internet Explorer. What makes this report different than a lot of others is that we finally are hearing recommendations to actually switch browsers. Right now it sounds worse than it is, but nevertheless, the risk is there. Experts claim that 10,000 websites have been exploited but that is only 0.02% of all Internet sites. The typical warning is to stay away from potentially nefarious sites such as BitTorrent indexes and pornography, but as you may recall we have seen threats show up on more popular social sites such as Facebook and MySpace (see Worm virus from Facebook and MySpace). Bottom line, no browser is completely safe all the time, but you can reduce your own risk by choosing your websites carefully, and by using a more secure browser such as Firefox or Opera. Google's Chrome and Apple's Safari are also options, though I don't believe they are as

Remember, extra security is required for wireless hotspots

Forbes reports on recent work that has identified many airport hotspots as not being secure. This is a good reminder to all of us who use hotspots that we need extra security. First, if you can get on the hotspot, so can anyone else. With a little work and help from programs such as Cain and Abel, anyone can intercept everything you send and receive. Other people may just set up their laptop to look like a hotspot, so when you connect, you are actually connecting to their laptop. Again programs are readily available to make this work with relative ease. Your job, if you're going to use hotspots, is to only communicate with VPN on. VPN will encrypt data as it is sent and received between your laptop and the VPN server. If your company does not provide you with VPN or you need it for private use, try services such as PublicVPN or HotSpotVPN. For a small fee, these services will protect you. The same rule also applies to any public network that you physically connect to such as from

You're keeping up with Microsoft updates, aren't you?

Ars Technica reported yesterday that a recent Microsoft update, with its Malicious Software Removal Tool (MSRT), removed nearly 1 million fake anti-virus programs from users' machines. This is a good reminder to us all -- make sure you're keeping up with the Microsoft patches, which are typically released the second Tuesday of every month. Unless you're technically astute enough to critically review each and every patch, I would recommend you set it for auto-update. Here's how to do it.

1. Go to Control Panel
2. Click on Security Center
3. If not already set to "ON", click on "OFF" next to Automatic Updates to change it
4. In the "Manage security settings for category" click on "Automatic Updates"
5. Click on the radio button next to Automatic (recommended) and set the frequency to every day at an hour when you rarely or never use your computer

This is a great example of why security protection is the number one reason you should be running a

Wells Fargo login not secure enough

Updated 17-Oct-08. Some good news on the Wells Fargo security front. Though the ignoring of extra password characters is still true, you have to exceed 14 characters before you see this behavior. A 14-character password is long enough that this should not be a significant issue. The reason behind the case-insensitive username and password is so the same system can support phone interaction as well. Though this lowers the security level, it is compensated for by limiting failed logins to 3 attempts. After the 3rd failure, the user must contact the bank before they can try again.

Security Now, a TWiT Network netcast starring Steve Gibson and Leo Laporte, has reported over several episodes in September that the Wells Fargo online login is not as secure as it should be. This report came from users of Security Now. The first report was that the password would still work if it had extra characters at the end of it. It was not determined whether the length w

Is your ISP keeping you safe?

Recently a new vulnerability was found in the core of the web surfing systems... the DNS server. DNS, short for Domain Name System, is used to translate a website's URL to a website's IP address, the addressing system of the Internet, so your web browser can find the website you are looking for. In order to manage the load of users, there are many, many DNS servers. In fact DNS is provided by ISPs -- either their own or third party systems that they have paid for -- so when you connect through your ISP, you can find the website you want. When the DNS server you connect to cannot find a website, it will contact another DNS server to update its records. Likewise, websites will have DNS servers to tell other DNS servers what IP addresses are required for their website. Here's the problem at hand. It has been figured out how a hacker could tell a DNS server a wrong IP address, when the DNS server is updating its records. It does this through forcing the server to ask for a new update

Your biggest privacy concern could be from your own ISP

Over the last 6 to 12 months there have been several battles between ISPs, users, and the government. ISPs want to choose what type of content can run on their network and how fast it should be delivered. One such example is Comcast's blocking of P2P traffic. During their FCC investigation, Comcast changed this practice, though after it was ruled that it was actually an illegal practice, Comcast is now challenging the ruling. For Comcast to block just P2P traffic, it had to scan all the activity on your connection to identify what part of the traffic was P2P. In the Comcast ruling, the FCC implied that it would be legal to monitor user traffic so that illegal content could be blocked such as child pornography and copyrighted material. While we would all like to see child pornography and other nefarious activity stopped, this would require the ISP to inspect everyone's content, from banking to love letters to new job applications and everything in between. It would be interesting t

Safe and Secure Internet Surfing

I started my research on this blog entry thinking I was going to give you an easy, free solution to make sure you are secure when surfing from an unsecured Internet connection. First let's discuss the problem we're trying to solve. Whenever you connect to the Internet over a network that others have access to, you open yourself up for others to track and intercept your habits and data. This is called a "man-in-the-middle" attack. Take for example a free wireless hotspot. You and anyone else can get on this network (Is your home wireless network secure?). With an easy to find program, another user on the network can pose as the host, and all your data will pass right through their computer for easy intercept. Another very common place for this to occur is in hotels. Even though you may have a wired connection, again anyone else on the network can potentially fool your computer into treating theirs as the host and intercept your data. Of course this is never known to the poor indi

Is your Windows environment secure enough?

I found a new tool from Microsoft that will evaluate the security of your PC, and give instructions on how to correct potential vulnerabilities. Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. You don't need to be an IT professional to use MBSA, as instructions for correcting potential vulnerabilities are easy to follow. MBSA examines the following areas on your Windows computer:

- Security Updates
- Windows Administrative Vulnerabilities and System Issues, e.g. is Windows Firewall enabled, is the Guest Account disabled, and are unnecessary Services turned off
- Internet Information Services (IIS) Administrative Vulnerabilities and System Issues, e.g. are the sample applications removed and has the IIS Lockdown patch been applied

Note, many folks do not realize t

Is your home network secure?

Photo courtesy of http://www.conniq.com

I live in an apartment complex, and I have found that some folks leave their wireless routers open for anyone to join. In addition, for those that are "locked down," the default password was never changed. Why is this? Well networking computers used to be a difficult task, but with today's advanced routers and OSs, it's easy to set up your own network -- and cheap too. You can go down to your favorite "big box" retailer and for less than $50 pick up a fast wireless router. If you already have cable Internet access, just plug in the router, and it works (DSL requires some configuration). Unfortunately for the non-geek crowd, they are leaving themselves open to anyone who wants to access their network and the computers that are connected to it. "How?" you might ask. First, go to Google and search on "router default passwords" and click on "I'm Feeling Lucky" (or click on "Google S

Microsoft Update + ZoneAlarm = No Internet Access

With the last Microsoft patch this past Tuesday, if you were a user of ZoneAlarm, you were no longer able to access the Internet. I happen to be one of those users. I could get to my router, but not the Internet. Other devices on my network, of course, also were able to access the Internet. When I finally discovered that ZoneAlarm was the problem, I found a reference on the ZoneAlarm site. Apparently the patch was fixing quite a serious flaw in Internet addressing. "You'd have the Internet, but it wouldn't be the Internet you expect. (Hackers) would control everything." - Securosis analyst Rich Mogull. I find it funny that fixing the flaw caused ZoneAlarm problems. Anyway, if you're finding this post, then you were not affected or you have solved the problem.

Is your wireless network secure?

Living in an apartment, I found that many of my neighbors have not secured their wireless network. For example, one neighbor has a nice music collection. I think this is a clear indication of how the computing environment is still too difficult for the average user. With that in mind, I recently ran across an article on Ars Technica, The ABCs of securing your wireless network, that helps explain the differences between the various networking options. The short answer is to use the WPA protocol to ensure adequate security. For that matter, I recently threw away a wireless print server because it didn't support WPA. So, if you're running a wireless network, be sure to change the default password on your router and use the WPA communication protocol.

Encrypt sensitive files

Do you have files that you do not want others to see? Perhaps you keep your tax returns archived on your hard drive. Or your employee's files at work. Using a very simple, free program, TrueCrypt, you can protect those files from others accessing them. Version 5.1a was released March 17, 2008, so you know this isn't some beta software you're running. From the TrueCrypt website, here are its main features:

- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- Encryption is automatic, real-time (on-the-fly) and transparent.
- Provides two levels of plausible deniability, in case an adversary forces you to reveal the password: 1) Hidden volume. 2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
- Encryption algorithms: AES-256, Serpent, and Twof