Safe / Secure / Systems : Internet and Data Security for Regular People (by Blave)

<b>Somebody's Knockin' on the Door</b> (2012-09-15)

Recently, I set up <a href="http://www.synology.com/products/product.php?product_name=DS112j">a Synology DS-112j Diskstation NAS</a> (Network Attached Storage) box at our 2nd home in Hawaii to store remote backups from the very similar DS-112 Diskstation that's on my main home network in California.
In order to get backups to work I had to open some ports on the Hawaii modem/router's firewall; one of them is port 22, which is used for SSH (Secure Shell) logins and encrypted file transfer.<br />
<br />
The Diskstation has an Auto-Block feature that will "black-list" any IP address that attempts to connect to it "x" number of times in "y" minutes; I configured it to block any IP that tries 10 times in 5 minutes. In just three days, I had six addresses blocked. Details are below; I did "whois" lookups on all of them to see who they belong to:<br />
<br />
<ul>
<li><code>Host [117.79.91.252] has been blocked at [Tue Sep 4 10:03:02 2012]</code>: Beijing Sanxin Shidai Co.Ltd</li>
<li><code>Host [190.145.23.98] has been blocked at [Mon Sep 3 20:58:44 2012]</code>: Telmex Colombia S.A.</li>
<li><code>Host [203.217.144.17] has been blocked at [Mon Sep 3 09:52:59 2012]</code>: RVRNET-IN (Hyderabad)</li>
<li><code>Host [119.226.139.254] has been blocked at [Mon Sep 3 03:39:38 2012]</code>: SIFYNET (India)</li>
<li><code>Host [61.136.171.198] has been blocked at [Sun Sep 2 19:17:00 2012]</code>: CHINANET Hubei province network</li>
<li><code>Host [74.50.27.101] has been blocked at [Sun Sep 2 16:00:14 2012]</code>: ADDD2NET-DOT-COM -- Anaheim, CA</li>
</ul>
<br />
What I believe we're seeing here is automated software scanning WAN IP addresses for common open ports (FTP, SSH, etc.), and upon finding one, the software does password "dictionary"-based login attempts (i.e. using very large lists of common passwords). What do they do once they "get in"? I have no specific idea, but I would assume that they then use LAN-targeted software to scan for other computers on the LAN, shared drives, personal/financial data, etc. and then they suck up whatever they can find. And then, they probably sell it. OR they attempt to install malware on machines that are not running firewalls and/or anti-malware software (such as Microsoft Security Essentials, which is what I use since it's free and pretty good).<br />
<br />
Fortunately I use very robust passwords on all of my routers, NAS devices, etc. but I have to admit it's still a bit unnerving to have these guys banging on my NAS's door 24/7. So I'm really liking the Auto-Block feature!<br />
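The Auto-Block rule described above (block an address after 10 failed tries in 5 minutes) is a sliding-window counter per source address. The following is an added example, not Synology's code: a small Python version of that rule run over constructed OpenSSH-style auth-log lines. It assumes a log year (syslog timestamps carry none), a fixed host name, and reuses two addresses from the list above purely as sample values.

```python
"""Sliding-window auto-block for SSH password failures (added example).

Rule modelled on the post: block an address once it produces
max_attempts failures inside any `window`-long period.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# OpenSSH auth-log failure line. Syslog timestamps carry no year, so the
# parser assumes ASSUMED_YEAR (an assumption of this example).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2012


def parse_failed_login(line):
    """Return (timestamp, source_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class AutoBlock:
    def __init__(self, max_attempts=10, window=timedelta(minutes=5)):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> time the block was applied

    def record(self, ts, ip):
        """Record one failure; return True if this failure triggers a block."""
        if ip in self.blocked:
            return False
        q = self.attempts[ip]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self.blocked[ip] = ts
            del self.attempts[ip]
            return True
        return False


def scan_log(lines, max_attempts=10, window=timedelta(minutes=5)):
    """Apply the rule to a sequence of log lines; return {ip: block_time}."""
    ab = AutoBlock(max_attempts, window)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            ab.record(*parsed)
    return ab.blocked


# --- constructed sample input (not from any real device log) ---------------
def _ssh_failure_line(ts, ip, user="root"):
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} nas sshd[1201]: "
            f"Failed password for {user} from {ip} port 51234 ssh2")


_T0 = datetime(2012, 9, 4, 10, 0, 0)
SAMPLE_LINES = (
    # 10 failures 15 s apart from one address: crosses the 10-in-5-minutes line.
    [_ssh_failure_line(_T0 + timedelta(seconds=15 * i), "117.79.91.252")
     for i in range(10)]
    # 12 failures 40 s apart: never 10 inside any 5-minute window, so no block.
    + [_ssh_failure_line(_T0 + timedelta(seconds=40 * i), "190.145.23.98",
                         "invalid user admin") for i in range(12)]
    # A successful key login, which the parser ignores.
    + ["Sep  4 10:05:00 nas sshd[1300]: Accepted publickey for blave "
       "from 10.0.0.5 port 2222 ssh2"]
)

if __name__ == "__main__":
    for ip, when in scan_log(SAMPLE_LINES).items():
        print(f"Host [{ip}] has been blocked at [{when:%a %b %d %H:%M:%S %Y}]")
```

The second address in the sample is the caveat worth noticing: a scanner that spaces its attempts out stays under the threshold indefinitely, so auto-block cuts the noise but is not a substitute for the strong passwords (or key-only SSH logins) that actually stop a dictionary attack.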
<br />
At any rate, I think the implications are clear -- keep your router(s) locked down to only have open ports that are required for whatever you need to get done.
You can do an external port scan of your home network using <a href="https://www.grc.com/x/ne.dll?bh0bkyd2" target="_blank">this page</a> -- it has various kinds of scans, and you can get an idea of the "surface area" of your home network's exposure to the internet.

<b>You DO Have UPnP Disabled On Your Home Router, Right?</b> (2011-08-29)

<div style="text-align: left;">Unfortunately, the answer is probably "no" if you haven't explicitly turned it off. UPnP stands for Universal Plug and Play, which is a technology built into most or all home routers. Its purpose is to make the configuration of the router by new hardware that you add to your network as hands-off as possible. For instance, the XBox360 uses it to open certain ports (essentially, holes) on the router's firewall so that the XBox can talk to the XBox LIVE mothership and let you play games with your friends on the internet.</div><div>
<br /></div><div>UPnP was, at one time, turned on by default in most routers. I don't know if that's still the case, but you should go find out... read on.
<br />
<br /></div><div>In a very early post to this blog I put forth a list of things that you should do to improve the security of your home network. Turning off the router's UPnP was one of those suggestions, the reason being that if you have a machine on your network that gets infected with certain kinds of malware, that program can leverage the UPnP on your router to open up whatever ports on your firewall that it wants to. This can allow the malware to easily communicate with its "command and control" master Somewhere Out There On The Internet and receive instructions about what bad things to do to your network and also other networks out there. Examples of what it could do: join up with a "botnet" of other infected machines (not necessarily on your network); steal personal (e.g. financial) data from the infected machine and other machines on your network; send out massive amounts of spam and/or phishing email; and work with the botnet to mount "denial of service" attacks on whomever the botnet's owners are displeased with.
<br />
<br /></div><div>But that is not what prompted me to make this post. There is a newly discovered, additional vulnerability that exists in certain routers (e.g. several very popular models made by Linksys – one of those being the router that I run my home network on!). It turns out that on those routers, the UPnP functionality can be accessed not only from the "LAN side" of the router (i.e. the side that all of your home computers and other devices are connected to, either wired or wirelessly), but also the WAN (Wide Area Network) side – which is the side that's connected to the Internet. This means that the bad guys don't have to infect a system on your LAN – they can attack the router directly from the WAN side and turn on ports willy nilly, effectively opening up your LAN (home network) to their bag of tricks.
<br />
<br /></div><div>To be clear: <b>this is really really bad</b>. The researcher that discovered this issue, Daniel Garcia, wrote a freely downloadable utility called UMap that found over 600,000 vulnerable routers, out of about 7 million, or almost ten percent of the routers scanned.
<br />
<br /></div><div>The good news is that you can protect your network against these external attacks by (heard this before?) disabling UPnP on your router. And, chances are that you'll never know it's turned off, unless you have one or more devices on your network (like the XBox360) that need to have specific ports opened on the router's firewall in order to work properly.<b> In my opinion you should still turn UPnP off and open those ports manually. </b>
<br />
<br /></div><div>If you have something on your network that needs one or more ports open, the procedure to do so manually varies between router manufacturers, so you'll have to consult the router's manual on how to do so. Look for "opening ports" or "port forwarding". The general idea is that you're going to open one or more ports, or in some cases a range of ports, for a specific IP address (for our example, that of your XBox360). Here are the ports that it needs open in order to talk with the XBox LIVE portal:</div><div><ul><li>Port 88 (UDP) </li><li>Port 3074 (UDP and TCP) </li><li>Port 53 (UDP and TCP) </li><li>Port 80 (TCP)</li></ul></div><div>On my WRT54G, setting these ports for an XBox360 that has an IP address of 192.168.2.112 looks like this:
<br />
<br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAPRX-m-kAOl4Sp27c9N4hgKEyIXltdC3Uox8K_i8RvB0dx4Sn2MneUi1m38u4XLKzMgwefzuREoVqT0wWM3PHHg5N016jOY9umlJOlIlAXKLC7e4By3tlnvCyUQKH6_DUt_u7djQCDWg8/s1600/port-forwarding-linksys.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAPRX-m-kAOl4Sp27c9N4hgKEyIXltdC3Uox8K_i8RvB0dx4Sn2MneUi1m38u4XLKzMgwefzuREoVqT0wWM3PHHg5N016jOY9umlJOlIlAXKLC7e4By3tlnvCyUQKH6_DUt_u7djQCDWg8/s400/port-forwarding-linksys.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5646383067045500290" style="display: block; margin-top: 0px; margin-right: auto; margin-bottom: 10px; margin-left: auto; text-align: center; cursor: pointer; width: 400px; height: 185px; " /></a></div><div>
<br /></div><div><div>You don't need to open port 80, as it's the port that HTTP works over, and you wouldn't be able to see any web pages if it wasn't open!! So the router opens it automatically.
<br />
<br /></div><div>One final note: once ports are opened/forwarded, they'll stay that way until you close them. It's recommended that you never have any more ports opened at a time than you really need. Trust me, there are nefarious parties out there using automated software to scan every IP address they can find for open ports, particularly some of the ones that can be easily used to do Bad Things (e.g. Microsoft's Remote Desktop, which uses port 3389). An open port is potentially a first step in hacking into a network.</div></div><div>
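After flipping the UPnP switch in the router's web interface, it is worth confirming from the LAN that the router really has stopped advertising itself. UPnP devices are found with an SSDP "M-SEARCH" multicast query, the same one the XBox sends; a router with UPnP disabled simply does not answer. The script below is an added example, not from the post or any router vendor: it sends one standards-defined discovery query for an Internet Gateway Device and reports any responder. It checks the LAN side only; whether the WAN side also answers (the problem the h-online article describes) can only be tested from outside your network. The sample response used for the self-check is constructed, and the `igd.xml` path in it is a placeholder.

```python
"""LAN-side check that the home router no longer answers UPnP/SSDP discovery
(added example). Run it from a machine on the LAN after disabling UPnP:
no responders is the result you want."""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_TYPE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# SSDP discovery request as defined by the UPnP Device Architecture spec.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    f"ST: {IGD_TYPE}\r\n"
    "\r\n"
)


def parse_ssdp_response(raw):
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into {lowercase header: value}.
    Anything that is not a 200 reply (e.g. NOTIFY announcements) yields {}."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway_device(headers):
    """True when the responder advertises itself as an Internet Gateway Device."""
    return "InternetGatewayDevice" in headers.get("st", "")


def discover(timeout=3.0):
    """Send one M-SEARCH and collect (address, headers) for IGD responders."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(MSEARCH.encode(), SSDP_GROUP)
        while True:
            try:
                data, addr = s.recvfrom(65507)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if is_gateway_device(headers):
                found.append((addr[0], headers))
    return found


# Constructed sample reply (not captured from a real router); the LOCATION
# path is a placeholder.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hits = discover()
    if not hits:
        print("No UPnP gateway answered on the LAN (UPnP appears to be off).")
    for addr, h in hits:
        print(f"UPnP gateway still answering at {addr}: "
              f"SERVER={h.get('server')} LOCATION={h.get('location')}")
```

A response means the router's UPnP service is still reachable from inside the network, which is what malware on an infected PC would use to open ports; silence is the expected result once the setting has taken effect (some routers need a reboot first).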
<br /></div><div><i>References:</i></div><div>
<br /></div><div><a href="http://www.h-online.com/security/news/item/UPnP-enabled-routers-allow-attacks-on-LANs-1329727.html">Concise, technical article on UPnP WAN vulnerability</a></div><div>
<br /></div><div><a href="http://www.upnp-hacks.org/">List of confirmed and suspected vulnerable routers/firmware revisions</a></div>

<b>RSA Security Dongles Are Compromised</b> (2011-06-08)

For quite a while now I've been using a couple of those "dongles" that some banks make available (sometimes for free) to increase the security of my financial accounts - one works with my credit union and with PayPal, and the other with E*Trade. These devices have an LCD display that shows a six-digit number that changes every minute or so; when I log into the banking site it will ask me for the number that the dongle is currently showing, in addition to my password.<br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVwOiGIWz-eo-hQm6YVKVnEJ4Zy5bKDPzGk7sg7lhx4Gi9MhyphenhyphenWg6B9uBcb_e5WM3BLLejae1zFPzQzuK-QlFyp5qPZDsmJuyVAqtK-zaTwBjSjslgU7XHeYLouXfCttT021dVS5G28GZKd/s1600/SID700.jpg"><img style="cursor:pointer; cursor:hand;width: 250px; height: 138px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVwOiGIWz-eo-hQm6YVKVnEJ4Zy5bKDPzGk7sg7lhx4Gi9MhyphenhyphenWg6B9uBcb_e5WM3BLLejae1zFPzQzuK-QlFyp5qPZDsmJuyVAqtK-zaTwBjSjslgU7XHeYLouXfCttT021dVS5G28GZKd/s400/SID700.jpg" alt="" id="BLOGGER_PHOTO_ID_5615909113650128098" border="0" /></a><br /></div>The bank has software that generates the same sequence of strings of numbers, based on the serial number of my particular device, so that they can verify the number I've entered.<br /><br />This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.)
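To make the "same sequence on both ends" idea concrete, here is an added example of how the open-standard version of such a token works. It is not RSA's SecurID algorithm and not any bank's code: it implements TOTP (RFC 6238, built on HOTP, RFC 4226), which is what the authenticator-app versions of this idea use. The token and the verifier share one secret seed; each computes the six-digit code from the seed and the current 30-second time step, so no communication between them is needed. The seed value below is the published RFC 6238 test seed, not a real token's secret, and the expected codes are the RFC's own test vectors.

```python
"""RFC 6238 TOTP / RFC 4226 HOTP (added example; standard algorithms, not
RSA's proprietary SecurID scheme)."""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the RFC 4226
    'dynamic truncation' to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP: the HOTP counter is the number of `step`-second periods since the
    Unix epoch. This is what the token's display shows."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, step=30, digits=6, skew=1):
    """Verifier side. Accepts the current step and +/-`skew` neighbours so a
    slightly drifted token clock still works; compares in constant time."""
    current = int(at_time) // step
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), code):
            return True
    return False


# Test seed published in RFC 6238 Appendix B (SHA-1 case). Not a real secret.
RFC6238_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("Code right now for the RFC test seed:", totp(RFC6238_SEED, time.time()))
```

The point the post makes falls straight out of this: the verifier needs nothing but the seed and a clock, so whoever else holds the seed computes the identical codes. That is why a token factor protects only as long as its seed stays secret, and why the password factor next to it still matters.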
This multi-factor approach can, <span style="font-style: italic;">when done right</span> (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.<br /><div style="text-align: center;"><br /></div>The dongle for my E*Trade account is made by a company called RSA. They are (or were?) a highly-respected company in the information security business. However, a few weeks back someone managed to break into their computer network and steal a bunch of data related to the dongle technology. They were very mum about just what was stolen for quite a while, but yesterday they finally <a href="http://www.net-security.org/secworld.php?id=11122">admitted that the devices are compromised</a>, and in fact just last week there was a <a href="http://www.pcmag.com/article2/0,2817,2386086,00.asp">cyber-breakin at Lockheed-Martin</a> that was made possible by the RSA breach.<br /><br />So, will I continue to use my RSA dongle? Yes I will - but the password that I use with it is a reasonably robust one so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people that stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say <span style="font-style: italic;">yet again</span> that you should <span style="font-style: italic;">always</span> use strong passwords for financial sites and such.<br /><br />By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the <span style="font-style: italic;">forty million</span> dongles that they have sold, on a request basis. 
Ouch!<br /><br />I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day <a href="http://www.rsa.com/node.aspx?id=3891">RSA continues to (try to) reassure its customers</a> that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...<br /><br />Hmmm, am I being overly cynical here?

<b>Free! (Fake) Antivirus Software!</b> (2011-05-03)

Hopefully you've heard about the plethora of fake AV programs making the rounds these days that are used to infect PCs -- I have come across this kind of thing three times in the last couple weeks and it's pretty impressive how the crooks manage to hijack the browser. Let's take a look at how it goes down.<br /><br />Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. 
You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Bn4oB2DKyt5yHm68TPoSlAzNaZ9RGtodK8Zjn_GPinCxHvBgIcntSbWGSHCYkXPiilaPG3cxktpOevd8zC08lS9afT2uAsi4j8hvkQJbrAq7CPO0XYmoUKnA3ZV3fsh1YTNkJIipGMln/s1600/1-Caution.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 143px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Bn4oB2DKyt5yHm68TPoSlAzNaZ9RGtodK8Zjn_GPinCxHvBgIcntSbWGSHCYkXPiilaPG3cxktpOevd8zC08lS9afT2uAsi4j8hvkQJbrAq7CPO0XYmoUKnA3ZV3fsh1YTNkJIipGMln/s400/1-Caution.jpg" alt="" id="BLOGGER_PHOTO_ID_5602550968665334930" border="0" /></a><br />From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a <span style="font-style: italic;">free</span> malware scan of your system! How generous! 
Except that it's not really scanning anything.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5HFMBUT3vOfAZPfmK6o0YpkmZoqBfurzWTvsfFT3tatHGTup6mE7lOkf7y-uItqNcUCms1J2eXL1seQpbheHQa2WmORoWWcC9s-ePiZ0g92Ao0gOqUbD6ghruoIizJChIqRBWbVnyiha/s1600/2-scanner.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 332px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie5HFMBUT3vOfAZPfmK6o0YpkmZoqBfurzWTvsfFT3tatHGTup6mE7lOkf7y-uItqNcUCms1J2eXL1seQpbheHQa2WmORoWWcC9s-ePiZ0g92Ao0gOqUbD6ghruoIizJChIqRBWbVnyiha/s400/2-scanner.jpg" alt="" id="BLOGGER_PHOTO_ID_5602551484468312386" border="0" /></a>That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files <span style="font-weight: bold;">was</span> found, and that you can download something called Windows Defender:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijB_lGonlFX3r_DltI-QlP1cQHsUEraqOytAY1IgXdOsFn0DAfsW1fYVl6PRtQHiwueFsDyF20z8ae2__3JZj-dmgFC1J12qkzVsVD_lEt4l6O5ja2ljp56Ysgh04baocO0buvqGnFHuV3/s1600/3-spyware-detected.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 302px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijB_lGonlFX3r_DltI-QlP1cQHsUEraqOytAY1IgXdOsFn0DAfsW1fYVl6PRtQHiwueFsDyF20z8ae2__3JZj-dmgFC1J12qkzVsVD_lEt4l6O5ja2ljp56Ysgh04baocO0buvqGnFHuV3/s400/3-spyware-detected.jpg" alt="" id="BLOGGER_PHOTO_ID_5602551997626441458" border="0" /></a>Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. 
Assuming you don't have "automatically download files" turned on in your browser (<span style="font-style: italic;">please</span> tell me you don't), after clicking pretty much anywhere, you'll get something like this <span style="font-style: italic;">-- </span>but <span style="font-style: italic;">don't</span> press Run for crying out loud!:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpjuRliBTu1bK5s6wHetLnEsTbHPu5n9aK5N4E0-DQvronrH88nws37dXT2O54plRQZ6D8Ry5jtovLiqd9LTm0nyGAXwtXkwJPcRDpn0aMKm-QUrSAKsBUfMlbqHjP8ZcaZjLj5a-8LkUM/s1600/4-file-save.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 380px; height: 165px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpjuRliBTu1bK5s6wHetLnEsTbHPu5n9aK5N4E0-DQvronrH88nws37dXT2O54plRQZ6D8Ry5jtovLiqd9LTm0nyGAXwtXkwJPcRDpn0aMKm-QUrSAKsBUfMlbqHjP8ZcaZjLj5a-8LkUM/s400/4-file-save.jpg" alt="" id="BLOGGER_PHOTO_ID_5602552475305584690" border="0" /></a><br />Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. 
Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5k2Rj8Au-RjYcohChqXs45i4pKKOIIyQUXgrHo9J7KeMfqNA2u8-xGjrdD8Lz7P_3vUoJzz08fGrXNHWnTT7MUZPZ5y5uNqGjr_81otNd68htO_eiV3zRTUAe4zW_ex2lDAevAqfcs8FX/s1600/6-are-you-sure.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 193px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5k2Rj8Au-RjYcohChqXs45i4pKKOIIyQUXgrHo9J7KeMfqNA2u8-xGjrdD8Lz7P_3vUoJzz08fGrXNHWnTT7MUZPZ5y5uNqGjr_81otNd68htO_eiV3zRTUAe4zW_ex2lDAevAqfcs8FX/s400/6-are-you-sure.jpg" alt="" id="BLOGGER_PHOTO_ID_5602552916359739346" border="0" /></a><br />At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.<br /><br />This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.<br /><br />So yet <span style="font-style: italic;">again</span> I will recommend using something other than IE as your default browser; as I've said at least a couple times my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to http://www.mozilla.com/firefox/. Install that and then go to http://noscript.net/ and install that. By default, NoScript blocks all scripted behavior but with some simple clicks you can either temporarily or permanently allow the various scripting elements that most websites need in order to work. 
The latter option causes NoScript to remember the pages that you've allowed so that the next time you go to one it will behave the way you want it to without having to Allow it again.<br /><br />Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".<br /><br />Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.

<b>I Gotcher Security/Privacy Checklist for 2011 Right Here, Pal</b> (2010-12-30)

<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkbeeOkWm5TuAz52qOgHiZ9IJJ357CL6pwNrXDQZTv_fE2SEkSfHDdgp-ujWFbiWwqg3yi-RWjmP-r9xWQkk8sXMa_8p9MMDNscIU8IgEdymxupn-RkuKUTUI6IumlJdiAlsEDpukjtswD/s1600/NYE.jpg"><img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 237px; height: 153px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkbeeOkWm5TuAz52qOgHiZ9IJJ357CL6pwNrXDQZTv_fE2SEkSfHDdgp-ujWFbiWwqg3yi-RWjmP-r9xWQkk8sXMa_8p9MMDNscIU8IgEdymxupn-RkuKUTUI6IumlJdiAlsEDpukjtswD/s200/NYE.jpg" alt="" id="BLOGGER_PHOTO_ID_5556575914995702210" border="0" /></a>Another year, another couple dollars, another couple or three or six hundred serious security flaws in Windows/MacOS X/*nix/Adobe Reader/Adobe Flash/Photoshop/Microsoft Office/Internet Explorer/Safari/Firefox/JavaScript/etc/etc that have been (and in many cases, still are) leveraged by the crooks to separate you from your money and personal/private information.<br /><br />With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the 
things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:<br /><br />1. <span style="font-weight: bold;">STOP USING IE</span>. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest <a href="https://www.mozilla.com/en-US/firefox/">Firefox</a> + the <a href="http://noscript.net/">NoScript plugin</a>, or possibly <a href="http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha">Google Chrome</a> + its <a href="https://chrome.google.com/extensions/detail/odjhifogjcknibkahlpidmdajjpkkcfn">NotScript plugin</a> - although I have far less experience with Chrome so I can't unequivocally recommend it.<br /><br />2. <span style="font-weight: bold;">STAY UPDATED</span>. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)<br /><br />3. <span style="font-weight: bold;">FIX YER ACROBAT/READER SOFT</span><span style="font-weight: bold;">WARE</span>. 
If you use Adobe Acrobat or Adobe Reader to view .pdf files, (a) update to the latest "X" version, and then immediately do this:<br /><ul><li>open Edit > Preferences</li><li>in the JavaScript part, turn off "<span style="font-family:courier new;">Enable Acrobat JavaScript</span>"</li><li>in the Trust Manager part, turn off "<span style="font-family:courier new;">Allow opening of non-PDF file attachments with external applications</span>"</li></ul>If you're running version 9 and don't want to update to <a href="http://ardownload.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe">version X*</a>, please do still do the above steps.<br /><br />Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.<br /><span style="font-size:78%;"><br /></span><span style="font-size:78%;">* that link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.<br /></span><br />4. Another thing about Acrobat and Reader - there are alternatives. I have tried <a href="http://www.foxitsoftware.com/pdf/reader/">FoxIt</a> a couple times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the <a href="https://docs.google.com/viewer">Google Docs Viewer</a> for reading PDF files in Firefox (it works in all of the other browsers as far as I know).<br /><br />5. <span style="font-weight: bold;">WEAR PROTECTION</span>. For Windows users - now that Microsoft has its free <a href="https://www.microsoft.com/security_essentials/">MS Security Essentials</a> anti-malware software available, there is no excuse to not be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE.<br /><br />6. 
<span style="font-weight: bold;">CONNECT SECURELY</span>. There is another nice utility plugin for Firefox called <a href="https://www.eff.org/https-everywhere">HTTPSEverywhere</a>. If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "http<span style="color: rgb(51, 204, 0);">s</span>://www.yourbank.com" when you're logged into the financial site... The "<span style="color: rgb(51, 204, 0);">s</span>" in "https" means "secure". Many other non-financial sites support the https protocol, as well as the usual "http" protocol.<br /><br />Here's what HTTPSEverywhere does for the sites it knows about, that can support https connections: It will force you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https your connection cannot be snooped, which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet. In general you always want "https" if it's available, no matter what you're doing.<br /><br />7. <span style="font-weight: bold;">BE SELFISH</span>. Turn off any unnecessary "network shares" on all of your computers.<br /><br />8.<span style="font-weight: bold;"> USE PASSWORDS</span>. Make sure every machine on your network is login password-protected.<br /><br />9. <span style="font-weight: bold;">MASSAGE YOUR ROUTER</span>. Make sure your router (or modem/router - i.e. 
the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.<br /><br />Typically the router configuration is accessed through a <a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7aYg5bKPzG7mLhEKEYSEjzDznfPa4AOCcLX9F7R_LpoQ2JOtPjta69TV2unE-AM8lM77jbwkbiR1OSGYEArkhTH0WaoQoNl_HLJjULZ4htNagVuXjKi3pJaFM1kWFcXwS5EfgmgRw0yx-/s1600/linksys.jpg"><img style="float: right; margin: 0pt 0pt 10px 10px; cursor: pointer; width: 200px; height: 123px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7aYg5bKPzG7mLhEKEYSEjzDznfPa4AOCcLX9F7R_LpoQ2JOtPjta69TV2unE-AM8lM77jbwkbiR1OSGYEArkhTH0WaoQoNl_HLJjULZ4htNagVuXjKi3pJaFM1kWFcXwS5EfgmgRw0yx-/s200/linksys.jpg" alt="" id="BLOGGER_PHOTO_ID_5556578015293506306" border="0" /></a>mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.<br /><br />In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:<br /><ul><li><span style="font-style: italic;">Change the default administrative</span><span style="font-style: italic;"> pass</span><span style="font-style: italic;">word for the router</span>. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this.</li><li>Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 is better, WEP is sorta kinda better than nothing, but not much. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. 
financial) information from other computers connected to your network.<br /></li><li>turn off anything that says "Plug and Play".</li><li>Make sure the NAT firewall is enabled. It might just say "Firewall".</li><li>Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up and then stop using whatever program needs them open, close them.<br /></li></ul><br />10. <span style="font-weight: bold;">USE "LASTPASS"</span>. I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I <a href="http://blave-security.blogspot.com/2010/09/escaping-password-hell-with-lastpass.html">already did that</a> not too long ago.<br /><br /><br />11. <span style="font-weight: bold;">BACK UP YER STUFF</span>. This is a huge topic, and I won't go into detail, but - do you have at least <span style="font-style: italic;">two</span>, <span style="font-style: italic;">recent</span> backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say <span style="font-style: italic;">two</span> backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have <span style="font-style: italic;">two</span> copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and <span style="font-style: italic;">certainly</span> not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something.<br /><br />12. <span style="font-weight: bold;">DONT EVER CLICK ON A LINK IN AN EMAIL</span>. E.g. 
if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, <span style="font-style: italic;">don't click on the link that is provided. </span>Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".<br /><br /><span style="font-weight: bold;">OK</span>, that's your twelve steps. I'm sure I left something important out - there are so <span style="font-style: italic;">many</span> things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjZ241eaIhygSxYFG0dTis_M8iByHvL3Y3WCKJb7VbR4hnQqWHohNrZcPwoY_uR3pk6lSQzjnt697HJrdwIIOAaRh-fdclCdaSgDwnsUZRkGlegOimiich6bBfGjtvpIIYbN4iBDpJ20HV/s1600/drunk-cat2.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 200px; height: 122px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjZ241eaIhygSxYFG0dTis_M8iByHvL3Y3WCKJb7VbR4hnQqWHohNrZcPwoY_uR3pk6lSQzjnt697HJrdwIIOAaRh-fdclCdaSgDwnsUZRkGlegOimiich6bBfGjtvpIIYbN4iBDpJ20HV/s200/drunk-cat2.jpg" alt="" id="BLOGGER_PHOTO_ID_5556578424071688018" border="0" /></a><br /><br /><span style="font-weight: bold;">Firefox Saves the Day</span> (Blave, 2010-11-23)<br /><br />I just got to see a new feature in Firefox 3 at work, and it's pretty cool.<br /><br />I had an email in my GMail spam folder that looked like this:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUvKZMs0721WyZWLV-s7_hx5dP7P0wCGdieMUAU1O1Aofr9AgDo6u6FZy0V0aIW2mB5Lggd2ycnkdI1rABpoHL6piEA4UQHuzW1rX91lW9FcgiEV_IxcqF9Up-Jv4fzK7C4g2OxsezTS1E/s1600/phishing1.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 283px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUvKZMs0721WyZWLV-s7_hx5dP7P0wCGdieMUAU1O1Aofr9AgDo6u6FZy0V0aIW2mB5Lggd2ycnkdI1rABpoHL6piEA4UQHuzW1rX91lW9FcgiEV_IxcqF9Up-Jv4fzK7C4g2OxsezTS1E/s400/phishing1.jpg" alt="" id="BLOGGER_PHOTO_ID_5542807141275034034" border="0" /></a><br />Looks pretty legit, right? The link text appears OK. However, the actual link looks something like (part of the URL intentionally deleted):<br /><br />http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking...<br /><br />So obviously it's at best a personal information phishing site. Well, I decided to see where that would take me, so I clicked on it. However, Firefox saved me from myself:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxhofgfm__mkEIRATT5JBZBxpCM-0mOwBMOEggnQhvliy4rMFJTso88iQQjExDp4MPvaxFUcvE-tp8qu6bPc5DhvOqVqLa6I4C9Tvi01MYlkbWKCkb7kc8aS3V33Dd-p8qzUcLkzCIh3ch/s1600/phishing2.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 184px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxhofgfm__mkEIRATT5JBZBxpCM-0mOwBMOEggnQhvliy4rMFJTso88iQQjExDp4MPvaxFUcvE-tp8qu6bPc5DhvOqVqLa6I4C9Tvi01MYlkbWKCkb7kc8aS3V33Dd-p8qzUcLkzCIh3ch/s400/phishing2.jpg" alt="" id="BLOGGER_PHOTO_ID_5542808418282805314" border="0" /></a><br />Clicking on the "Why was this page blocked?" 
button shows this:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh092nRvvD68_zVqYDnbhESdchHBYRxibJ2MlLDNpBqfpsTQIHrKaa6WCL9mqY_MhuanuLTaKVEMBtKwPkF9FEPlis4g2bHtCfhe8XxjSp-4usi9hXnzUDHcKpuolgbt6c0LE7S7o3zb_X0/s1600/phishing3.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 307px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh092nRvvD68_zVqYDnbhESdchHBYRxibJ2MlLDNpBqfpsTQIHrKaa6WCL9mqY_MhuanuLTaKVEMBtKwPkF9FEPlis4g2bHtCfhe8XxjSp-4usi9hXnzUDHcKpuolgbt6c0LE7S7o3zb_X0/s400/phishing3.jpg" alt="" id="BLOGGER_PHOTO_ID_5542809018112736898" border="0" /></a>I tried this in Internet Explorer and I'm happy (and a bit surprised) to report that it gave a similar "you really don't want to go there" message.<br /><br />However, even though our browsers sometimes try to protect us from ourselves, links in emails should never be clicked on. If you get a message from your bank that wants you to log in for whatever reason, go to your browser and type in the URL that you know to be the correct one for your bank (if you don't have it bookmarked) rather than click on anything in an email.<br /><br /><span style="font-weight: bold;">Stuxnet Worm - still in the news</span> (Blave, 2010-11-19)<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3EsAezrk8UCdIkSkM3jECeqA4e5TKgWZI8rXAXWWdTcEmVVmnk6CiNGfIHS5M1X7OayVTXObhMzjBkiPgw356LEyT9SV4JPOkEoaX2c6j15R5RlwrtZYVQikg82EgUqpD7b9_IEp2lrDC/s1600/hal9000.jpg"><img style="MARGIN: 0px 0px 10px 10px; WIDTH: 68px; FLOAT: right; HEIGHT: 200px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5541305253080087746" border="0" alt="" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3EsAezrk8UCdIkSkM3jECeqA4e5TKgWZI8rXAXWWdTcEmVVmnk6CiNGfIHS5M1X7OayVTXObhMzjBkiPgw356LEyT9SV4JPOkEoaX2c6j15R5RlwrtZYVQikg82EgUqpD7b9_IEp2lrDC/s200/hal9000.jpg" /></a> I have posted three times about the Microsoft Windows "Shortcut (LNK)" vulnerability since July. A lot has transpired since then; it's been found to be one of six security issues in Windows that are leveraged by the Stuxnet worm (some of which were previously unknown in the security community). <div><div><br />Stuxnet is in the press right now as being one of the most serious security threats ever unleashed, and is said to be a sort of "new animal" in cyber-warfare. I'll provide some links for further reading below, but the apparent intent and sophisticated behavior of Stuxnet is so, well, awesome (in a bad way) that I do want to summarize what's been learned:</div><ul><li>Its targeted behavior is very specific - although it propagates via Windows (using USB memory sticks and/or network connections), its ultimate target is a particular brand of industrial controller computer made by Siemens that is network-connected to those Windows systems</li><li>Not only is it Siemens "SCADA"-system specific, but its end targets are "variable-frequency drives" made by two specific companies that regulate the speed and operation of electric motors</li><li>Only motors that are programmed to run within a specific speed band are targeted</li><li>The speed band corresponds to speeds used by uranium refinement centrifuges</li><li>The end result is that Stuxnet causes those motors to periodically overspeed and underspeed</li></ul><p>It's still not known who wrote Stuxnet, but there is universal agreement that its sophistication and complexity are unprecedented, and that it is unfortunately probably the first shot fired in a new level of cyber-warfare.</p><p>As promised, here are some links if you want to dig deeper:</p><ul><li><a 
href="http://www.wired.com/threatlevel/2010/11/stuxnet-clues/">Wired Magazine article</a></li><li><a href="http://en.wikipedia.org/wiki/Stuxnet">Stuxnet Wikipedia entry</a></li><li><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf">Symantec dossier on Stuxnet</a> (very technical)</li><li><a href="http://www.h-online.com/security/news/item/Stuxnet-has-a-double-payload-1137521.html">very recent news about a possible 2nd "payload" in Stuxnet</a></li></ul><p>I promise we have not heard the end of this "worm".<br /></p><p><a href="http://www.youtube.com/watch?v=ecPeSmF_ikc">"Shall we play a game?"</a></p></div><br /><br /><span style="font-weight: bold;">WPA Wireless Password Cracking For Fun &amp; Profit</span> (Blave, 2010-10-28)<br /><br />Many of my friends and family have heard or read my whinings about how using WEP encryption for your wireless network is a short hair away from "extremely stupid", and that you should really be using WPA (or better, WPA2). Well, I am hoping that the message has gotten through to most folks, although I must say that when I do a site survey around my neighborhood even now, I still see the occasional WEP-"protected" hotspot pop up.<br /><br />But <em>you, </em>being smarter than the average bear, are now sitting behind a WPA-protected router at home or in your office - life is good! Welllll... maybe not. What kind of passkey did you lock it down with? Please tell me it's not your dog's name, or maybe your favorite gourmet dish, or your Mom's maiden name... Is it?<br /><br />The reason why I ask is this: there is at least <a href="http://www.wpacracker.com/">one company</a> out there that offers a WPA password-cracking service, for $17 a crack. 
Apparently it takes 40 minutes or less if your password is in their <em>135 million word</em> "dictionary".<br /><br /><p align="left"><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 212px; DISPLAY: block; HEIGHT: 108px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5533239243867215634" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGjXrF__Mv3KFZng0gAmNuDeI4wrncJ-ace1HYiyKYeGCtHwW-nhxCWRxFrUK7Kq9Rn75AHac_7Cu5wmDMmqU71S8GOenfnx2Qgrsi-QNUY8H6vdszThLZ39AaOEEL6gdLD4wL9p6hS2sx/s400/wpacracker.jpg" /><br /><br />All that's required is to provide them with a "sniff" file of a wireless network that is to be infiltrated. This sniff (.pcap) file can be easily created using a laptop with a wireless card and open-source software such as <a href="http://www.aircrack-ng.org/doku.php?id=cracking_wpa">aircrack-ng</a> (even I've done it, purely in the interest of research and learning of course - and I did it using my own wireless router as the target).<br /><br />Now you may be saying, "but Igor, who is going to go to the trouble of trying to hack into my network?" That's a good question, but IMO the wireless part of any network is potentially its weakest link, so why not lock it down as best you can so you don't have to worry about it?<br /><br />That means you need a decent password. I won't say "excellent" or even "very good" password - you probably don't want to use the kind of gobbledegookeley password that <a href="http://blave-security.blogspot.com/2010/09/escaping-password-hell-with-lastpass.html">LastPass</a> can generate, because you might want to give some (highly) trusted person access to your wireless network. So you want a password that can be verbally relayed to someone without too much difficulty.<br /><br />Remember that the kind of WPA cracking we're talking about depends on a dictionary. 
Even a dictionary that has 135 million words in it is not going to have bizarre combinations of words and letters (let alone punctuation marks). So how could you create a Bizarre Combination? One suggestion is to use some kind of easily remembered number followed by a string of easily remembered words - yet numbers and words that are not blatantly obvious to everyone who knows you. I'll throw this out:<br /><br /><span style="font-family:courier new;font-size:85%;">the first address number you lived at that you remember + </span></p><p align="left"><span style="font-family:courier new;font-size:85%;">high school name +</span></p><p align="left"><span style="font-family:courier new;font-size:85%;">favorite gradeschool teacher</span><br /><br />So in my case (and <em>no</em> I don't use this password anywhere) it would be</p><p align="left"><span style="font-family:courier new;font-size:85%;">648ravenswoodhackworth</span></p><p>Now that's a pretty good password. Throwing in some punctuation and capitalization, e.g.</p><p><span style="font-family:courier new;font-size:85%;">648.Ravenswood.Hackworth</span></p><p>makes it far less likely (I would submit, impossible) for any dictionary to have that particular sequence in it. Easy Cheesy! 
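Added here as a worked example, not code from the post or from the cracking service it links: what a wordlist attack on WPA actually has to compute, and why the composed passphrase above is out of its reach. The PSK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the network name) is the IEEE 802.11i definition; the network name HomeNet and the short WORDLIST are constructed for the example.

```python
"""Why the $17 WPA cracking service needs a dictionary, and why a passphrase
that is not in any dictionary defeats it.

WPA/WPA2-Personal turns the passphrase into a 256-bit pre-shared key with
PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID (IEEE 802.11i). Anyone
holding a captured handshake must repeat that derivation for every guess,
so they cannot try "everything"; they try a list of likely passphrases."""
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by the standard, not a tunable
PSK_BYTES = 32         # 256-bit PSK


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK exactly as an access point does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)


# Constructed stand-in for a cracking wordlist: common passwords, a pet name,
# and the separate building blocks of the post's example passphrase.
WORDLIST = ["password", "letmein", "sunshine", "trustno1", "fido2010",
            "ravenswood", "hackworth", "64864864", "ravenswoodhigh"]


def audit_against_wordlist(ssid: str, passphrase: str, wordlist):
    """Self-check of your own passphrase: derive its real PSK, then test each
    wordlist entry the way a cracker would (by PSK comparison, not by string
    comparison). Returns the matching entry, or None if the list misses."""
    target = wpa_psk(ssid, passphrase)
    for candidate in wordlist:
        if len(candidate) < 8:
            continue  # the standard rejects it, so crackers skip it too
        if wpa_psk(ssid, candidate) == target:
            return candidate
    return None


def implied_guess_rate(wordlist_size: int, minutes: float) -> float:
    """Derivations per second a service must sustain to exhaust a wordlist
    in the advertised time (135 million words in 40 minutes, per the post)."""
    return wordlist_size / (minutes * 60)


def measure_local_rate(ssid: str = "HomeNet", samples: int = 25) -> float:
    """Single-core derivations per second with plain hashlib on this machine,
    for comparison with the service's implied rate."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(ssid, f"measure{i:06d}")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def hours_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second / 3600


if __name__ == "__main__":
    ssid = "HomeNet"  # constructed network name
    for pw in ["ravenswood", "648ravenswoodhackworth", "648.Ravenswood.Hackworth"]:
        hit = audit_against_wordlist(ssid, pw, WORDLIST)
        print(f"{pw:26s} -> {'FOUND as ' + hit if hit else 'not in wordlist'}")
    service = implied_guess_rate(135_000_000, 40)
    local = measure_local_rate(ssid)
    print(f"service must sustain >= {service:,.0f} guesses/s; this box does {local:,.0f}/s")
    print(f"135M words on this box: {hours_to_exhaust(135_000_000, local):.1f} hours")
```

The point of the audit function is the gap it shows: a single word that is in the list falls immediately, while the composed passphrase never matches because no entry equals it, and the attacker has no cheaper route than trying more entries.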
And pretty easy to remember as well.<br /><br />Heck, write it down on a piece of paper and put it in your desk drawer - if the miscreant who's trying to break into your network has physical access to your desk drawer, you have far bigger problems than I'll attempt to address here!<br /></p><br /><span style="font-weight: bold;">Escaping Password Hell with "LastPass"</span> (Blave, 2010-09-03)<br /><br />There are two or three people out there that recognize the importance of using robust passwords for important on-line resources like banks and PayPal and eBay and such (as well as using different passwords for each site). Most everyone else uses their dog's or first-born child's name for every single thing they have to log into on the net... Because it's <span style="font-style: italic;">really hard</span> to remember passwords that are robust, such as <span style="font-family: Courier New, Courier, monospace;">E5A@/6Z(aKj&amp;^]RO+V</span>. So in the end most people don't even try.<br /><br />Admittedly, I was somewhat lax about robust passwords too, until recently - I had one password that I used for casual sites, and a much longer one that involved a combination of numbers and characters for my financial sites. But still, I used that one password at a lot of different places.<br /><br />Via episode #256 of the <a href="https://www.grc.com/securitynow.htm">Security Now podcast</a>, I've become aware of the free <a href="http://lastpass.com/">LastPass</a> product, and am now using it for all of my password needs. Here, I'll try to summarize what it does and hopefully how easy it is to use, in the hopes that you'll take the time to start using it too.<br /><br />Firstly - before we continue - here's what LastPass supports: Windows, Mac OS X, Linux, Firefox, Safari, Chrome, and even Internet Explorer 8^) . So most people will be able to use this cool utility.<br /><br />OK - onwards... 
The thing I like most about LastPass (which I'll call "LP" from here on out) is that all of my passwords are stored in encrypted form "in the cloud". This lets me access them from any browser that I have the LP plugin installed on, so I can be anywhere in the world. Since the encryption is done "locally" - i.e. on <span style="font-style: italic;">my</span> computer rather than by the LP site, they are extremely well protected. Not even the LP people have any way of getting my passwords unless I tell them my Master Password. When I need to use a password, LP goes up to my cloud-stored Password Vault, grabs the encrypted password, sucks it down the Internet Pipes, decrypts it, and fills in the password field on a web page.<br /><br />But - there is a caveat: you <span style="font-style: italic;">will</span> need to have one robust Master Password - it's the "key to the kingdom" of all of the rest of your passwords. It really needs to be "strong" and you really really need to be able to remember it. And - your dog's name or mother's maiden name ain't gonna cut it. (A place to start is - combine the home phone number that you had when you were a kid with the names of your three best friends in high school - e.g. 3042732273JamesFredHomer is a pretty good password.)<br /><br />Once LP is installed (it automatically installed into both Firefox and IE for me) you can get started. I was able to import all of my passwords from the previous password vault utility that I used (Roboform ToGo), which was nice (it can also import from IE's and Firefox's password caches, as well as a bunch of other password products). 
Once that was done, I could go to my Password Vault in my browser:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidsaUs25VIufJuXlC6JVLjfeHWgpbtyg0Fe4IxJBTyKCCa08ukj6wO_miRdTH-ffguFccIkqhIvqTzd7l3pn44dljIBf5JXo5E8vLjPKomApZ8FGE7hDpR5Ymn_yHOqe6Cf2MoX3v6BZH6/s1600/lastpassvault.jpg"><img style="text-align: center; margin: 0px auto 10px; width: 522px; display: block; height: 168px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5512773822872251490" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidsaUs25VIufJuXlC6JVLjfeHWgpbtyg0Fe4IxJBTyKCCa08ukj6wO_miRdTH-ffguFccIkqhIvqTzd7l3pn44dljIBf5JXo5E8vLjPKomApZ8FGE7hDpR5Ymn_yHOqe6Cf2MoX3v6BZH6/s400/lastpassvault.jpg" border="0" /></a>From there I can combine my passwords into Groups (e.g. "Shopping", "Travel", etc.), edit them, delete them, and even Share them (securely) with another LP user. Also, just by clicking on a site name, it will bring that site up and fill in your credentials. For new sites, LP will offer to remember the username and password for each one.<br /><br />But what I did right after installation is use LastPass's built-in password generator to create new passwords for all of the financial sites that I use. Since different sites have different requirements for passwords - and on the flip side, limitations to what characters/numbers/etc. 
they can understand - the LastPass generator can be easily configured:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ulCx8ExMQSdWB0ISjnSjca2q6hA9_x1iz4DWo7yBhY9c0YEVguALeEjJ-wBH2373_NNF62Brwu0hZdTGfRaj2oYDu1d1AmLofYLWxLcAeRy5XZLIEzQg6WZKlSmIU-6G5F-t3OIBuDUo/s1600/lastpassgenerator.jpg"><img style="text-align: center; margin: 0px auto 10px; width: 282px; display: block; height: 316px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5512771360815767922" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0ulCx8ExMQSdWB0ISjnSjca2q6hA9_x1iz4DWo7yBhY9c0YEVguALeEjJ-wBH2373_NNF62Brwu0hZdTGfRaj2oYDu1d1AmLofYLWxLcAeRy5XZLIEzQg6WZKlSmIU-6G5F-t3OIBuDUo/s400/lastpassgenerator.jpg" border="0" /></a>Every time "Generate" is pressed, it will generate a fresh password based on what you have set up for length and contents... The green bar gives you an idea of how secure each new password is.<br /><br />LP can guide you through the process of replacing your old, crummy, too-short passwords that you've used for the last ten years with <span style="font-style: italic;">much</span> more secure ones that it generates. And the beauty is that you don't have to remember any of them - when you next visit any of the sites that are stored in LP, it will automatically fill in the username and password fields (and it can even press the "login" button for you if you want).<br /><br />One other significant feature is that LP can fill out most web pages that want your name, phone number, credit card, credit card expiration date, credit card CVV number, ship-to address, bill-to address, etc. You can enter that stuff into LP <span style="font-style: italic;">once</span>; from that point on it will fill in all of those fields for you. 
And, like the contents of the Password Vault, all of that information is encrypted and safe.<br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKSn2_vfmjOJPj2XdRDHX7okXQZJAVvMnoRrdeNxdORYoEVmqnMEko5rCzGoWynE1aaSC8DIFpIK1ha_IEL0JUl4FXWtbp7mRCpkZMDBNMP7tJKv20YaeH5CEbVi8ceo7qwn8a3xQyHQKA/s1600/lastpassformfill.jpg"><img style="width: 400px; height: 246px; cursor: pointer;" id="BLOGGER_PHOTO_ID_5512781701415654210" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKSn2_vfmjOJPj2XdRDHX7okXQZJAVvMnoRrdeNxdORYoEVmqnMEko5rCzGoWynE1aaSC8DIFpIK1ha_IEL0JUl4FXWtbp7mRCpkZMDBNMP7tJKv20YaeH5CEbVi8ceo7qwn8a3xQyHQKA/s400/lastpassformfill.jpg" border="0" /></a><br /><br /></div>So I mentioned at the outset that LP is free, and everything that I've described (and quite a bit more that I won't go into, lest this become even more of a novel-length post) <span style="font-style: italic;">is</span> free. There <span style="font-style: italic;">are</span>, however, some additional features that are only in the Premium version. One of them is the ability to download and install the LP applet for the iPhone/iPad/iPod Touch, BlackBerry, Android, and Windows Mobile devices so that you can always keep your entire Vault with you. Several other Premium features are there too, as described <a href="http://lastpass.com/features_premium.php">here</a>. Now comes the bad news - it's gonna cost you... drum roll please... a buck a month. Howsa! I'm trying to think of something else that costs a buck a month... Nope, can't.<br /><br />But if you don't need any of the Premium stuff, all you have to lose by trying LastPass is the time it takes to install it and learn it, and I encourage you to give it a shot.<br /><br />Finally: a friend of ours was recently "hacked" on-line and was conned out of a few hundred dollars. 
She was pretty freaked out about it... I asked her what kind of password she was using. You guessed it, the names of her dogs. I told her about LastPass and was going to help her get it installed and running, but she was able to get it going on her own without any assistance (other than my suggesting ways to create an easy-to-remember Master Password). So I think that's a good testimonial that it's pretty straightforward to use.<br /><br /><span style="font-weight: bold;">Microsoft releases "out of cycle" patch for Shortcut Flaw</span> (Blave, 2010-08-03)<br /><br />Hopefully you've already heard about this because you're Paying Attention, but just in case you haven't: Microsoft released a fix yesterday (Monday) for the shortcut/LNK vulnerability that has been in the news over the past couple of weeks. I <span style="FONT-STYLE: italic">strongly</span> recommend that you get your Windows system(s) patched with this fix. I have patched my WinXP and Win7 systems with no issues, and have subsequently removed the workarounds that I had in place.<br /><br />Go to <a href="http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx">MS's Security Bulletin MS10-046</a> and select your version of Windows from the table there; that will take you to a download/instruction page - or alternatively, run Windows Update, which should get it for you automatically. 
You will probably have to reboot your system afterwards (I had to for both XP and Win7).<br /><br /><em>Update</em>: Microsoft has released <a href="http://blogs.technet.com/b/msrc/p/august-2010-oob-security-bulletin-q-a.aspx">a fairly technical Q&amp;A</a> for this fix - good reading for those that want to dig into the details.<br /><br /><span style="font-weight: bold;">Check Writing Robots Attack Earth</span> (Blave, 2010-07-29)<br /><br />The annual <a href="http://www.darkreading.com/security/showArticle.jhtml?articleID=226200182&amp;cid=RSSfeed">Black Hat conference</a> is underway in Las Vegas... This is "the" event where security researchers try to out-do one another in discovering and exploiting security flaws... One of the more interesting ones this time around involves <a href="http://www.theregister.co.uk/2010/07/28/atm_hacking_demo/">hacking ATM machines</a>, but what I wanted to share is a diagram that shows the complexity and ingenuity of a check-forging scheme that originates in Mother Russia:<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3RG9qEm9M-_bTm17MtqRy3aMpL5SxbPjx_mD1jfhs7au3BTPX6PiCypxn9KCTIdkRoa5h29wLLFSRBJhk_8KHkMT9WjjBfu80_dD_ByS8bvi9ej7Dq2lX5PLvU2_Kp_3quMwBxrKfooPH/s1600/checkbot.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 287px; height: 225px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3RG9qEm9M-_bTm17MtqRy3aMpL5SxbPjx_mD1jfhs7au3BTPX6PiCypxn9KCTIdkRoa5h29wLLFSRBJhk_8KHkMT9WjjBfu80_dD_ByS8bvi9ej7Dq2lX5PLvU2_Kp_3quMwBxrKfooPH/s400/checkbot.jpg" alt="" id="BLOGGER_PHOTO_ID_5499418294460349986" border="0" /></a>For the full story go check out the <a href="http://news.cnet.com/8301-27080_3-20011885-245.html">CNet article</a>... 
It continues to amaze me how quickly the sophistication of cyber-criminals is increasing!<br /><br /><span style="font-weight: bold;">Update on MS Shortcut Flaw</span> (Blave, 2010-07-23)<br /><br />Details and corrections about how this vulnerability works and the seriousness of it continue to come out in the infosec world. Episode 258 of the <a href="http://www.grc.com/securitynow.htm">Security Now! podcast</a> lays it out pretty well. Some key points:<br /><ul><li>Microsoft has updated their Security Advisory at least twice this week; it now points to a Knowledge Base article that has a "Fix it" thing you can click on to make the two changes I described in the last post about this. They have also substantially revised their analysis of the flaw - originally it was thought that the AutoPlay/Autorun feature had to be turned on, but as we know now, just <span style="FONT-STYLE: italic">viewing</span> a shortcut in Windows Explorer can trigger malware if it exists.<br /></li><li>It is apparently possible that even shortcuts embedded in documents (e.g. MS Word files), <span style="FONT-STYLE: italic">emails, </span>or <span style="FONT-STYLE: italic">web pages </span>could be used as vectors... Think about that for a moment - yow!</li><li>The SN podcast also points to a <a href="http://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/">Didier Stevens blog post</a> that describes how to use Software Restriction Policies in Windows to combat the flaw. However, it's probably a more advanced "hack" than the ones already described, and you can really screw stuff up if you don't know what you're doing with Policies. I have managed to configure two systems I have (one XP, one Win7) successfully with these changes, and tested it on one of them by trying to run an executable on a thumb drive that I have mounted... 
The application is blocked and a message comes up saying so.<br /></li></ul>The big question is how and when Microsoft will fix this. But - no matter what they do - older versions of Windows (e.g. Windows 2000 and XP SP2) are no longer being updated by MS with patches, so unless they make an exception for this very serious flaw, some systems will never be safe from this (unless a 3rd party makes some kind of widget available that blocks it).<br /><br /><span style="color:#33ff33;">Friday 7/30 update: MS has announced that they're going to release an out-of-cycle patch next week for this. Details are in the </span><a href="http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx"><span style="color:#33ff33;">MS Security blog.</span></a><br /><br /><span style="font-weight: bold;">New Windows vulnerability discovered - be careful with those USB sticks!</span> (Blave, 2010-07-19)<br /><br />Microsoft posted information late last week about a vulnerability in Windows that can mean that merely loading a USB memory stick onto your PC can cause bad things to happen. Basically, if the file that contains the little picture (icon) that shows up in Windows Explorer is "infected", it can cause whatever bad code that the attackers have attached to the icon file to be executed. At that point your system is pwnd 8^) and they can do whatever they want to it.<br /><br />At the moment there is no fix and the workarounds are fairly technical. More information and details can be found at <a href="http://www.h-online.com/security/news/item/Microsoft-confirms-USB-trojan-hole-1040028.html">The H Security page</a> as well as Microsoft's <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Security Advisory about it</a>. 
So until MS releases a patch, be <span style="FONT-STYLE: italic">extremely</span> careful about loading USB memory sticks onto your PC or laptop - know where they came from. Don't take candy <span style="FONT-STYLE: italic">or </span>USB drives from strangers!<br /><br /><span style="FONT-STYLE: italic">7/19 update:</span><a href="http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=226000012"> SANS has raised their Infocon Alert level to Yellow</a> just because of the Shortcut bug.<br /><br /><em>7/20 update: </em>This flaw has gotten more press than anything I remember seeing since the <a href="http://blave-security.blogspot.com/2009/03/conficker-lead-story-on-60-minutes-last.html">Conficker worm</a>, which happened shortly after I started this blog. Furthermore, more than one industry expert is saying that this flaw is not easily fixable... I've been doing some more research on it, and despite first deciding that I would not make any modifications to my machines to protect against it, just a while ago I changed my mind and made the two mods recommended by Microsoft to my Windows 7 work laptop. 
One of the mods is to delete a Windows registry key (after making a backup of it), which will suppress the display of icons on shortcuts in Windows Explorer (thus precluding running malicious code that might be embedded in the icon file).<br /><br /><img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 400px; DISPLAY: block; HEIGHT: 108px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5496135659063158978" border="0" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3CKQWsXnY4WZC2BuPCpMBU8IjUkdboGaKylK0o6dTNyitlK4CuW3l0Yo7eQkacJkwBTBADJCfpAS7NDNvyPN-nEncLxNhsWCvis0wa3IJyQEfoX0jHcUQy1in1Bk5x7eIFgpUz26fz4-f/s400/Shortcut+LNK+Registry+Key+fix.jpg" /><br />The other is to disable (and stop, if it's already running) a Windows "service" called WebClient, using the <span style="font-family:courier new;"><em>services.msc</em></span> application. (In all likelihood you do not need this service running, unless you utilize the "WebDAV Client Service", which has to do with the interoperability of web page authoring tools. Or something like that.)<br /><br />As I said before, these mods are not the sort of thing that most people do often or even at all with their Windows installations, but if you follow the instructions carefully in the <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">Microsoft Security Advisory</a>, you should be fine. As long as you make the backup of the registry key as described in that document, both actions are reversible, and I therefore recommend doing them.<br /><br /><span style="font-weight: bold;">Urgent - possible Craigslist malware alert</span> (Blave, 2010-06-21)<br /><br />I just came across something that looks very questionable, and am sufficiently alarmed about it that I am making this post without doing my normal research first. 
I have not heard about this particular malware distribution approach before, and I very nearly did a bad bad thing just a few minutes ago (i.e. allowing an unknown executable to download and run).<br /><br />The story: I posted a number of things on Craigslist today, two of which were guitar amplifiers. I received two responses within minutes of each other, on those amps, from two completely different email addresses - one being a Hotmail account, and the other a Live account. Both have the exact same message body:<br /><div style="text-align: center;"><pre wrap="">"Will you trade for this?"</pre></div>In each email, that "question" was followed by a URL (which I am not publishing for obvious reasons). I clicked on the links, which have the form "www.hostsimages.info/&lt;alphanumeric string&gt;", and both took me to the same final URL, which looks like this:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVAmRGj_x49XDuW5xu7iPqrxH60Sp2-OlASw2gr4xRmUZpfIwqrpljBTntG10FJoThAFmSNORjy51XiLYRtu4i_NyU62097y0ki-pSwU37OzQuM8s1Dx005C6LX9PvN2lWd2GI7Pn9gWas/s1600/malware_site.jpg"><img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 258px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVAmRGj_x49XDuW5xu7iPqrxH60Sp2-OlASw2gr4xRmUZpfIwqrpljBTntG10FJoThAFmSNORjy51XiLYRtu4i_NyU62097y0ki-pSwU37OzQuM8s1Dx005C6LX9PvN2lWd2GI7Pn9gWas/s400/malware_site.jpg" alt="" id="BLOGGER_PHOTO_ID_5485334060754362626" border="0" /></a><br />It's hard to see in the image, but the page looks like it has some images that it wants to load, but can't for some reason. 
Also, Firefox has posted a message in the yellow banner bar that says:<br /><br /><div style="text-align: center;"><div style="text-align: left;"><span style="font-size:85%;"><span style="font-family:courier new;">This website needs to install the following add-on: 'Flash Image Loader' from 'AdobeFlash'. Please download the Flash Image Loader by clicking here...</span></span><br /></div></div><br />Now, I've never heard of "Flash Image Loader" but it sounds legitimate enough - what I didn't notice until later is that it is supposedly sourced by a company called "AdobeFlash". Hmmmm. <span style="font-style: italic;">Fortunately</span> before clicking on the yellow bar, which would've downloaded a file, I looked at Firefox's status bar while hovering my mouse cursor over that message, and the actual download URL shown is "images201.com/imagex.exe". I have no idea what that executable is, but it sure isn't from Adobe and could literally be anything. (Googling "imagex.exe" comes up with a few things, but none of them have anything to do with Flash or Adobe.)<br /><br />In sum, what seems to be happening here is that some people up to no good are (either manually, or more probably by using automation) monitoring Craigslist postings, and responding with an email that has been cleverly constructed to lead people to a malicious site that downloads an executable on their machines.<br /><br />So - I think I dodged a bullet here. What is quite ironic is that on a recent episode of my favorite security podcast <a href="http://www.grc.com/securitynow.htm">Security Now</a>, Steve Gibson declared that he never ever clicks on links that he gets via email. 
I remember chuckling to myself when I heard that, because I do it all the time and haven't had anything bad happen - hey, I'm a smart guy that sees this stuff coming! Well, I learned a lesson today for sure.<br /><br />Finally: speaking of "Security Now", Steve has a post up on his blog about a recently discovered Adobe Flash exploit that <span style="font-style: italic;">everyone</span> - yes even you Mac types (and Linux types...) needs to know about and take the appropriate steps for. Acrobat and (Acrobat) Reader are also affected, and the bad guys are already taking advantage of it. You can read about that <a href="http://steve.grc.com/2010/06/06/adobe-flash-forward-to-v10-1/">here</a>.<br /><br /><br /><br />Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com4tag:blogger.com,1999:blog-1430945547734689141.post-38606927620694118712010-01-20T12:58:00.001-08:002010-01-20T13:38:16.251-08:00Do you have a spare $447,000 lying around?Today's topic is not new news - the incident happened last July - but I've thought about it many times since hearing about it. This makes me ever more paranoid about doing any financial transactions online... 
I still do them just because it's so dang convenient, but I wonder how long the model that's in place (authenticated "secure" browser sessions) can continue to work.<br /><br />Full details can be found in a <a href="http://www.technologyreview.com/computing/23488/?a=f">Technology Review article</a>, but the gist of this is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.<br /><br />You might think "oh someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account was set up to not only require a normal password, but also a second, "one time" password that is generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have <a href="https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside">one that I use with my PayPal account)</a>.<br /><br />Unfortunately, his system had been infected with a malware program that basically waited for him to sign into the commercial account, and then, <span style="font-style: italic;">while he was signed in</span>, performed transactions in the background to withdraw and transfer the loot to several Bad Guy Accounts. The one-time password only proves who is present at login; once the session exists, anything running on the same PC can ride along on it, and the bank has no way to tell the malware's requests from the employee's.<br /><br />So - what to do? <insert> I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... 
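What that attack looks like in code, as an added simulation that is not part of the original post and not any bank's real software: a small RFC 4226 HOTP implementation stands in for the key fob, a toy Bank object hands out a session cookie after password plus one-time code, and "malware" that holds only the cookie moves the money without ever touching the fob. The second half goes beyond the post: a hypothetical transfer_signed method demands a fresh device code bound to the amount and payee, which is exactly what a man-in-the-browser cannot forge. The shared secret (the RFC 4226 test key), password, balance, account names and window size are all constructed for the example.

```python
"""Session riding vs. one-time passwords: an added simulation (not code from the
original post or from any bank). All secrets, names and balances are constructed."""
import hashlib
import hmac
import secrets
import struct


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(secret: bytes, counter: int, amount: int, dest: str) -> str:
    """Hypothetical transaction-signing mode: the code also covers the amount and
    payee the user reads off the device, so a swapped payee invalidates it."""
    msg = struct.pack(">QQ", counter, amount) + dest.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


class Token:
    """The key fob in the user's pocket: shared secret plus a press counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign(self, amount: int, dest: str) -> str:
        code = transaction_code(self.secret, self.counter, amount, dest)
        self.counter += 1
        return code


class Bank:
    WINDOW = 5  # accept codes up to this many presses ahead of the server's counter

    def __init__(self, password: str, secret: bytes, balance: int) -> None:
        self._password, self._secret, self._counter = password, secret, 0
        self._sessions = set()
        self.balance = balance

    def _accept(self, code: str, expected) -> bool:
        """Single-use check with a look-ahead window; resyncs the counter on success."""
        for c in range(self._counter, self._counter + self.WINDOW):
            if hmac.compare_digest(code, expected(c)):
                self._counter = c + 1
                return True
        return False

    def login(self, password: str, otp: str):
        if not hmac.compare_digest(password, self._password):
            return None
        if not self._accept(otp, lambda c: hotp(self._secret, c)):
            return None
        session = secrets.token_hex(16)  # the cookie the browser (and the malware) holds
        self._sessions.add(session)
        return session

    def transfer(self, session: str, amount: int, dest: str) -> None:
        """The model in the story: anything holding a live session may move money."""
        if session not in self._sessions:
            raise PermissionError("not logged in")
        self.balance -= amount

    def transfer_signed(self, session: str, amount: int, dest: str, code: str) -> None:
        """Hardened variant: every transfer needs a device code bound to its details."""
        if session not in self._sessions:
            raise PermissionError("not logged in")
        if not self._accept(code, lambda c: transaction_code(self._secret, c, amount, dest)):
            raise PermissionError("code does not match this amount and payee")
        self.balance -= amount


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, used as a constructed secret
    fob, bank = Token(secret), Bank("hunter2", secret, 447_000)
    # 1. Legitimate login: password plus a one-time code from the fob.
    session = bank.login("hunter2", fob.press())
    # 2. Malware on the same PC reuses the session cookie; it never needs the fob.
    bank.transfer(session, 447_000, "mule-account-1")
    # 3. Same scenario against a bank that makes the device sign each transaction.
    fob2, bank2 = Token(secret), Bank("hunter2", secret, 447_000)
    session2 = bank2.login("hunter2", fob2.press())
    code = fob2.sign(1_000, "supplier")  # the user reads amount and payee off the device
    try:  # malware swaps the payee in flight; the code no longer matches
        bank2.transfer_signed(session2, 1_000, "mule-account-1", code)
        blocked = False
    except PermissionError:
        blocked = True
    bank2.transfer_signed(session2, 1_000, "supplier", code)  # the real payment still works
    return {"plain_bank_balance": bank.balance, "forgery_blocked": blocked,
            "hardened_bank_balance": bank2.balance}
```

Running demo() shows the plain bank drained to zero while the hardened bank rejects the swapped payee and still accepts the genuine payment. The look-ahead window in _accept is why a fob pressed once too often still logs in, and the counter advance is why a captured code can never be replayed; neither property helps against the attack in the story, because the malware never needs a code at all.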
But I feel reasonably secure in doing these things on my systems:<br /><ul><li>keeping antivirus software updated (I'm now using Microsoft's new and free <a href="http://www.microsoft.com/Security_Essentials/">Security Essentials</a> on almost all of my PCs)</li><li>making sure the web browser is up-to-date<br /></li><li>disabling scripting (JavaScript and ActiveX) in the browser. I use <a href="http://noscript.net/">NoScript</a> in Firefox, which lets me selectively enable or disable scripts on a per-site basis</li><li>keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated</li><li>using a one-time password device on all financial accounts that support it, in order to have the magic that's called Dual Factor Authentication. Paypal and eBay, as well as many other banks/institutions support these, and sometimes a device that is obtained from one place can be used elsewhere - for instance, the Verisign device that I got from PayPal is supported by my credit union</li></ul>I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."<br /><br />Hmmm, I think my Dad told me that, a long time ago.<br /><br /><br /></insert>Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com1tag:blogger.com,1999:blog-1430945547734689141.post-8397740443161517782010-01-01T09:09:00.000-08:002010-01-01T09:59:47.451-08:00GSM Phone Security - Not So Secure AnymoreHappy new year to everyone! Really. I would like to think it will be better than that last one!<br /><br />This has been <a href="http://www.physorg.com/news181399011.html">in the press</a> recently: although it's not trivial to do - a snoop needs about $1000 worth of equipment to accomplish it - the encryption scheme that GSM digital cell phones use to keep calls private (the A5/1 cipher) has been cracked. 
This means if you're an AT&T (don't get me started about that company!) or T-Mobile subscriber in the US, your calls can no longer be considered to be private. (Verizon, Sprint, etc. use <a href="http://www.phonescoop.com/glossary/term.php?gid=8">CDMA</a> technology, which is totally different from GSM.)<br /><br />The researcher that published the technique is being lambasted quite a bit for doing it, but I believe his intentions are noble - as is so often the case in big business, companies are loath to do anything that costs them money and prefer to ignore Elephants In The Living Room until they're forced to do something.<br /><br />Now, another blogger <a href="http://blogs.zdnet.com/hardware/?p=6568">asserts</a> that there's nothing to worry about, and that the phone companies will move to the stronger 128-bit encryption protocol (A5/3; the current A5/1 is "only" 64 bit) - but it could be said that the publication of the decryption technique will at least hurry them along a bit, and even with that, who knows when this will actually be 100% deployed across the country?<br /><br />***<br /><br />While we're on the subject - the cordless landline phones I use in my home are Panasonic "DECT 6.0" phones - I got them at Costco, but DECT 6.0 phones are sold "everywhere". In <span style="font-style: italic;">theory</span> my phones provide secured communications that can't be monitored, but I have seen mention here and there that some phone manufacturers <span style="font-style: italic;">don't enable the encryption that DECT provides. </span>So when I order a pizza (mmmmm, Fast Pizza Delivery pizza!) over the phone and give them my credit card information, I really have no idea whether that conversation could be monitored by some crook with a sophisticated radio receiver (e.g. 
<a href="http://en.wikipedia.org/wiki/GNU_Radio">GNU Radio</a>).<br /><br />So for the moment, since I'm stuck with AT&T Wireless, and because I use DECT 6.0 phones at home, I have no assurance that my conversations are secure. You might say "well who cares - I have nothing to hide!" - well, how many times do you use your cell or home wireless phone to perform financial transactions with your bank, broker, credit card company,...?Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-38541852087057479622009-08-25T08:55:00.000-07:002009-08-25T09:51:57.179-07:00An Acrobat (PDF) Reader AlternativeI wrote about an Adobe zero-day exploit a while back... They've been in the security news quite a bit lately; their huge success with Acrobat as a document distribution standard <span style="font-style: italic;">and</span> the Flash media player becoming more and more common has ironically made their products a favored target of malware creators.<br /><br />I finally got fed up with how large Adobe Acrobat Reader has gotten - the version 9 installer for XP is 35.7 MB (vs. 21MB for v8, 15MB for v6, ...) - so recently I installed a free alternative called <a href="http://www.foxitsoftware.com/downloads/index.php">Foxit</a>. The latest version, 3.1, has a 5MB installer that results in a 7.2MB installation. Compare this to the <span style="font-style: italic;"><span style="font-weight: bold;">206MB</span> </span>Acrobat Reader installation that is on my PC!!! (wtf?)<br /><br />But the best news is that Foxit starts up much faster than Acrobat Reader. 
I view PDFs all the time, and so far I have not had any issues with this application. It does have a tiny advertisement window as shown below (the blue area in the upper right corner), but this only seems to advertise Foxit's own payware products, which seems fair given that the reader is free.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXWfl5J_PU7jfzDFTuJinE8xASkrkiCujgKaEm5Hh8XRqL78ED5pe62vnNPu9c3n5E3pKqncVcA0fue_zFogNU_4WbFEAOMlsJFZtbpTQF0C5HQjqVD6F3Pjze9VeJJkS79atZG0d6NnlM/s1600-h/foxitscreenshot.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 239px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXWfl5J_PU7jfzDFTuJinE8xASkrkiCujgKaEm5Hh8XRqL78ED5pe62vnNPu9c3n5E3pKqncVcA0fue_zFogNU_4WbFEAOMlsJFZtbpTQF0C5HQjqVD6F3Pjze9VeJJkS79atZG0d6NnlM/s320/foxitscreenshot.jpg" alt="" id="BLOGGER_PHOTO_ID_5373939382348012994" border="0" /></a><br />I'll also mention that Foxit is potentially a better choice than Acrobat Reader since most exploits that are targeted at Acrobat do not manifest themselves in Foxit. 
However, Foxit's popularity as an Acrobat alternative has made <span style="font-style: italic;">it</span> a target of the malware authors too, but it appears that the Foxit folks take security seriously and are prompt to release updates, as discussed <a href="http://www.foxitsoftware.com/pdf/reader/security.htm">here</a>.<br /><br />For the moment Foxit is available for Windows, Linux, and some handheld OSs, but not the Mac.Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com1tag:blogger.com,1999:blog-1430945547734689141.post-9014318640619848072009-07-29T10:31:00.000-07:002009-07-29T21:47:17.965-07:00Why you should switch to FirefoxExecutive summary: If you're using Internet Explorer v7 or earlier as your web browser, you should seriously consider switching to Firefox. Even if you're using the new v8 of IE, you're still not going to have as much protection from malware as with FF and the NoScript plugin.<br /><br />--<br /><br />I have been using Firefox as my primary browser for several years, and generally try to avoid Internet Explorer as much as possible. (Sometimes, though, it's not possible - my previous employer only supported IE for all of its Oracle infrastructure.) IE, being the most popular browser in the world - primarily because it is essentially built-in to Microsoft Windows - has been the primary target of cybercriminals for quite a while. Also, I like the fact that Firefox's user community has developed any number of (occasionally) useful plugins for it.<br /><br />One (free) Firefox plugin that I run religiously on all of my systems is <a href="http://noscript.net/">NoScript</a>. Although there's a little bit of a hassle factor involved with using it, I feel a lot more "protected" from malicious web sites with it turned on. 
With its default settings, it will initially block all JavaScript, Java, Flash, etc. content and require you to specifically allow that content to be downloaded and displayed. You have the option of temporarily allowing content from a specific site, or adding the site to a "white list" of sites that will always be allowed through. (It protects against several other potential exploits, such as cross-site scripting.)<br /><br />What prompted me to finally write something about Firefox and NoScript (this has been on my to-do list for a while) is the zero-day Adobe exploit that I posted about earlier today. NoScript can protect you from the exploit described in that post, because the malicious Flash content never runs unless you allow it.<br /><br />Finally: At the top I mentioned IE v8, which was released recently. I was hoping that Microsoft would take some steps to improve IE's resistance to malware, and I think they've made some good progress, but I found <a href="http://blogs.zdnet.com/security/?p=1421">an article</a> that seems to indicate that IE still has a ways to go. So although I'll continue to evaluate IE v8 on my Vista install as an intellectual exercise, I'll be keeping Firefox (and NoScript) as my favored "surfboard" for the indefinite future.Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-46325021509443166692009-07-29T10:07:00.001-07:002009-07-29T10:28:11.294-07:00Urgent: Majority of Windows systems vulnerable to Flash/Acrobat zero-day exploitFirstly - you may be hearing the term "zero day exploit" more often these days in discussions about security issues. It basically means that the crooks are already taking advantage of a vulnerability before the vendor has a fix out for it - the vendor has had "zero days" to respond.<br /><br />Anyway, <a href="http://www.itbusiness.ca/it/client/en/Home/News.asp?id=53983&PageMem=2">here's all of the details</a> about the Flash/Acrobat Reader weakness. 
What is a little different about this one is that more than a few "legitimate" web sites have become infected with malicious Flash content, and so it's quite possible to be exposed to Eeeevil Stuff even if you're not snooping around the darker corners (and <a href="http://en.wikipedia.org/wiki/Series_of_tubes">tubes</a>) of the Internet. (Flash is used everywhere these days - e.g. <a href="http://blogs.chron.com/makingmovies/archives/2006/04/youtube_and_the.html">YouTube basically runs on it</a>.) Also, unlike some earlier exploits, disabling Javascript in Acrobat (which you should do - it's turned on by default when Acrobat Reader is installed) does not provide protection against this malware.<br /><br />What seems almost criminal about this is that Adobe has apparently known about this defect for <span style="font-style: italic;">seven months</span>. However, the exploit that actually takes advantage of it is apparently much more recent. I guess they decided to wait until really bad stuff happened before actually fixing their software...Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-69280543156247010912009-07-21T11:05:00.000-07:002009-07-21T11:49:39.830-07:00A Pathetic Example of a Hacker...First: the good news - this guy is probably wearing a bright orange jumper at the moment. The bad news - the accused was a security guard at a Texas hospital, and in his idle moments, he figured out how to break into some of the hospital computers - including the system that controls the hospital's heating and air conditioning systems. It doesn't seem that killing anyone was his real goal, but it gets hot down there and if he <span style="font-style: italic;">had</span> wanted to turn off the AC on a hot day, he could've, causing all kinds of problems for the hospital. 
Fortunately his ego got the better of him and he posted YouTube videos of his adventures and other clues which led to his sudden wardrobe adjustment.<br /><br />The whole story is <a href="http://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/">here</a>, which has a <a href="http://www.warezscene.org/hacking/795880-hvac-server-hacked.html">link to his last couple of posts</a> (prior to getting arrested!) on a hacker forum that he was a member of. (The best part about that thread is where someone labeled him a Massive Chunk of Fail after he was caught - that made me cackle.)<br /><br />While we're on the topic of computers and health care - did you hear about the MRI machines that were <a href="http://news.cnet.com/8301-1009_3-10226448-83.html">infected with the Conficker worm</a> a while back? Of course, that only happened because the machines <span style="font-style: italic;">had an internet connection</span>. Doh!Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-12048182709701241032009-07-10T11:35:00.000-07:002009-07-29T10:29:23.426-07:00New "zero day" Microsoft IE exploitThis has been in the news quite a bit over the last few days, but the nature of it prompts me to briefly post about it: there is a vulnerability in Internet Explorer versions 6 and 7 that can cause your Windows XP or Server 2003 system to be "hacked" <span style="font-style: italic;">just by visiting a site that is serving up the exploit - </span>you don't even have to click on anything<span style="font-style: italic;">.</span> The Microsoft Security Advisory about it is a pretty technical read, so check out <a href="http://www.techtree.com/India/News/Microsoft_Admits_IE_Vulnerability_Gives_Solution/551-104070-643.html">this link</a> first for information that is actually readable 8^) . 
There is a link there that will use MS's relatively new "Fix It" technology to download a ".msi" installer file that will install a workaround. I just tried this and it is pretty easy to do!<br /><br />Here is yet another example of why it might be smart to use a browser other than Internet Explorer - most casual (and some not-so-casual) Windows users have it as their default, and sometimes only browser. I have been using Firefox for several years - it's not perfect, and as it becomes more popular it's getting its own share of attention from the crooks, but it's still not as prevalent as IE by about two-thirds. Other alternatives are Opera and Google Chrome (neither of which I've used much).<br /><br />If you <i>insist</i> on using IE, at least update to the latest version, IE 8 (read about it <a href="http://www.microsoft.com/windows/internet-explorer/default.aspx">here</a>). You might already have it, as MS has made it a critical update for most or all Windows versions - which I'm not sure I agree with. I suppose (and hope) that their motivation might be that it has enough significant security updates so as to make it "critical" for most IE users.Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-15819789584264970422009-05-15T17:03:00.000-07:002009-05-15T17:37:56.118-07:00Back Up or Be Stupid - your choiceOne of my hobbies is flight simulation, and pursuant to that, I've been reading the Avsim flight sim community web site for well over ten years. The URL is http://www.avsim.com, but as I'm typing this at about 5PM PDT on Friday, the site is <span style="font-weight: bold;">dead and gone</span>.<br /><br />It's gained that unenviable status because some, uh, (gotta watch my language here) nefarious, lowlife, twisted, gin'd up, lily-livered, one-eyed son of a prairie dog (a.k.a. hacker) managed to bring down not one but <span style="font-style: italic;">both</span> of their servers. 
The problem is that apparently the administrators of that site were using these systems to back each other up, and the hacker <span style="font-style: italic;">deleted the main partitions on the hard drives of both</span>. I don't want to opine whether or not their backup "strategy" was a dumb one - although more than a few Avsim subscribers have already done so (and I do question why they didn't have an off-site master backup somewhere) - but it brings home in a dramatic and tragic way that we all really need to back up our important data. You know that, I know that, we all know that, but the fact is that probably every minute of the day someone somewhere loses data that is precious and irreplaceable, yet gone forever.<br /><br />Now, my own backup strategy is fairly lame - periodically, I back up my most important data on this (home office) system to a USB memory stick, and less periodically I duplicate that stick's contents to another one, and keep that second stick "somewhere else" (e.g. in my car) just in case the house burns down. However - and it's really embarrassing to admit this - but at this moment all of my memory sticks are in the house "somewhere" (I<span style="font-style: italic;"> think</span> I know where they all are). So if this great old house that we live in (that still has some knob-and-tube wiring) burns up, I'm S.O.L. I guess I know what I'll be doing tomorrow...<br /><br />So maybe I'm writing this as much to myself as to you, but at any rate, here's yet another reminder to make a copy of your really important Data Stuff.<br /><br />Here's an idea: go to your favorite big-box warehouse - e.g. Costco - and buy one of those 2-packs of 4GB SanDisk (or whatever) USB flash drives. Back up everything that you care about onto one (assuming it will all fit), and then do a direct copy of everything on that drive to the other one. 
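The two-stick procedure above, as an added Python example (not the post's own code), with the step most people skip: checking that the copy is intact and that the files actually come back out of it. make_backup writes a timestamped tar.gz plus a SHA-256 sidecar, copy_offsite duplicates both to the second stick and re-checks the digest before trusting the copy, and verify_restore reads every file back out of the archive and compares it with the live copy. The folder names and file contents in demo() are constructed; in real use, point make_backup at your own documents folder and the mount points of the two drives.

```python
"""Two-stick backup with verification: an added example, not code from the
original post. Paths, file names and contents in demo() are constructed."""
import hashlib
import hmac
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (a backup may be larger than RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> Path:
    """Write <dest_dir>/<src name>-<timestamp>.tar.gz plus a .sha256 sidecar file."""
    src, dest_dir = Path(src), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{src.name}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    Path(str(archive) + ".sha256").write_text(sha256_file(archive) + "\n")
    return archive


def verify_archive(archive: Path) -> bool:
    """Compare the archive with its sidecar digest: catches a corrupted or truncated copy."""
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    return hmac.compare_digest(sha256_file(archive), expected)


def copy_offsite(archive: Path, other_dir: Path) -> Path:
    """Duplicate archive and sidecar to the second stick, then re-verify the copy."""
    other_dir = Path(other_dir)
    other_dir.mkdir(parents=True, exist_ok=True)
    for p in (Path(archive), Path(str(archive) + ".sha256")):
        shutil.copy2(p, other_dir / p.name)
    dup = other_dir / Path(archive).name
    if not verify_archive(dup):
        raise IOError(f"copy in {other_dir} does not match the original")
    return dup


def verify_restore(archive: Path, src: Path) -> bool:
    """Read every file back out of the archive and compare it with the live copy.
    False means the backup is stale or damaged; a backup never read back is untested."""
    src = Path(src)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            live = src.parent / member.name  # members are named <src name>/...
            if not live.is_file():
                return False
            archived = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if not hmac.compare_digest(archived, sha256_file(live)):
                return False
    return True


def demo() -> dict:
    """Constructed end-to-end run in a scratch directory standing in for two USB sticks."""
    root = Path(tempfile.mkdtemp())
    docs = root / "Documents"
    (docs / "taxes").mkdir(parents=True)
    (docs / "taxes" / "2008.txt").write_text("important and irreplaceable\n")
    (docs / "photo.bin").write_bytes(os.urandom(4096))

    archive = make_backup(docs, root / "stick1")
    offsite = copy_offsite(archive, root / "stick2")
    results = {"stick1_ok": verify_archive(archive), "stick2_ok": verify_archive(offsite),
               "restore_matches": verify_restore(offsite, docs)}

    # Flip the first byte on stick 1 (bit rot, a yanked cable mid-write): the sidecar catches it.
    with open(archive, "r+b") as f:
        f.write(b"\x00")
    results["stick1_after_corruption"] = verify_archive(archive)
    # Edit a live file: the restore check now reports that the backup is stale.
    (docs / "taxes" / "2008.txt").write_text("edited after the backup\n")
    results["restore_after_edit"] = verify_restore(offsite, docs)
    shutil.rmtree(root)
    return results
```

The digest check only tells you the archive is the one you wrote; verify_restore is the part that tells you the backup is still worth having, and it is the check to run on the stick that lives in the glovebox, not just the one on your desk.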
Keep the second one at your office, in your glovebox, whatever - just somewhere <span style="font-style: italic;">else</span> than the first one. Voila! with that $40-ish investment and a little time, you'll probably be better off than you are right now.<br /><br />Another idea, which I have not yet tried but sounds like a hella good deal, is to use a web-based backup service. One that I'm aware of, <a href="http://www.carbonite.com/">Carbonite.com</a>, backs up as much data as you can throw at it (from a single hard drive, anyway) for about $5 a month, and via a background process keeps the backed up data "sync'd" with any changes you make on your computer. There are at least a few other, similar companies - just google "remote backup" for more information.<br /><br />Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com1tag:blogger.com,1999:blog-1430945547734689141.post-20058038870461926472009-05-13T15:18:00.000-07:002009-05-13T15:48:48.131-07:00To Update or Not To Update?Early on in this blog, I encouraged you to keep Microsoft Windows updated with whatever Critical Updates that Microsoft pushes out. (BTW these are typically pushed on <a href="http://en.wikipedia.org/wiki/Patch_Tuesday">Patch Tuesday</a>, unless something really serious comes up that Microsoft deems worthy of immediate attention. If you've got Automatic Notification turned on for Windows Updates - which you should - it's practically a sure thing that you'll get a popup on every single Patch Tuesday that there's new stuff to go get.)<br /><br />However, for many years I took the attitude with my systems' <span style="font-style: italic;">applications</span> that "if it ain't broke, don't fix it". 
As a for-instance: until fairly recently I had been loath to update Adobe Acrobat Reader to a newer version, because all that newer Acrobat versions have seemed to do is get way bigger and more unstable, so I was running version 5 until only a couple months ago on one of my PCs (the current version is 9.1).<br /><br />I really wish I could continue with that mindset, but unfortunately (if your system is connected to the internet, anyway) it just really isn't advisable anymore. New exploits (cracks in the armor) are being found at a dizzying rate for practically any popular application that in any way interacts with your network/the internet.<br /><br />However, keeping everything updated on a rigorous basis can be a serious pain in the okole, as I realized only yesterday. In general I am not a big Apple Quicktime player fan, but because iTunes installs it automatically (and because some media on the web is in ".mov" QT format), it's on all of my systems. On some of those systems, I have iTunes' automatic update notification turned off because I don't run iTunes on them on a regular basis - and so the QT version on at least one of them is fairly old. That's a bad thing, because according to the QT wikipedia entry, all versions prior to v7.5.5 have a <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">cross-site scripting</a> vulnerability. 
I won't go into XSS here, but the point is that I have potentially opened myself up to Bad Stuff that I might inadvertently encounter just by clicking the "play" button on a video at some site that I'm not terribly familiar with.<br /><br />It's unfortunate that we've come to this point, because Acrobat is not the only application by a long shot that seems to get bloated with every new release - in many cases, with things that we don't care about, but that the creators stick in there just to keep it New And Fresh.<br /><br />I thought about making a list of applications that you should consider keeping an eye on, but I've decided that it would be very long but yet ultimately incomplete. So just be mindful of the applications you use in your web journeys, not forgetting things like Quicktime (and Acrobat) that you might never run directly, but that are auto-run by your browser when you click on something neat.Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-3436603578599313352009-04-20T09:42:00.000-07:002009-07-29T10:30:37.052-07:00Coffee Shops, HotSpots, and TheeAssuming that no-one manages to sneak up and splice a connection onto your home or office LAN cabling (although I'm sure it's been done!), the wireless connection to your network is potentially the weakest spot in it - which is why using an effective wireless encryption scheme (best: WPA2 w/ AES; almost worthless: WEP) is very important in keeping your network closed to the villains.<br /><br />However, when you're traveling for business and doing the hotel gig, or choking down a thermonuclearly-heated Starbuck's latte as you update your Facebook page, you might not have the luxury of being able to use an encrypted wireless connection on your laptop. 
At the very least, if you are going to connect to a public wi-fi hotspot that doesn't offer some kind of encryption and/or VPN, make sure that your firewall is turned on and that you have un-shared any shared folders, or (probably easier) turned off sharing entirely.<br /><br />The trend seems to be that responsible public hotspot providers are requiring you to set up an encrypted connection to their wireless hotspots, but for those that aren't (or just as an additional layer of protection), you can take advantage of Virtual Private Networking. Currently I'm evaluating a "free" way to do this on Windows XP with Firefox 3.0 - I put "free" in quotes because the service does insert ads here and there but it's not very intrusive in my experience (with version 1.14 anyway). It's called Hotspot Shield, by a company called <a href="http://anchorfree.com/">AnchorFree</a>. There is a Mac version available too, but I have not tried it yet.<br /><br />The basic concept is that Hotspot Shield, when enabled via the System Tray icon that it installs, sets up a secure, encrypted "tunnel" from your laptop to their network; from there you can surf the web as usual. Data that travels to and from your laptop is in the tunnel and is not readable by anyone that's trying to snoop your network connection. (It is readable at the far end of the tunnel, of course: a VPN moves your trust from the coffee shop's network to the VPN provider's.)<br /><br />There are other ways to do this - most cost money and I may eventually move in that direction but this seems like an easy way for the Road Warrior to get some extra protection with a minimum amount of effort.<br /><br />By the way, this discussion has focused on wireless connections, but note that some hotels only have wired connections in their rooms. This by no means says that you're safe - depending on how conscientious they are about how their network is set up, it could be said that you're more vulnerable in this situation since you don't even have the option of WPA encryption. 
So here again, using a VPN along with your trusty firewall can provide a decent amount of protection against malware and/or data theft.Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com0tag:blogger.com,1999:blog-1430945547734689141.post-52417699710066637562009-04-05T10:25:00.001-07:002009-04-05T10:35:40.956-07:00Cryptography: Tambourines and Rubber HosesDid you know that secure passwords can, with the proper training, be discovered via a procedure that involves a tambourine? It says so <a href="http://www.elcomsoft.com/tambourine.html?r1=pr&r2=april1">right here</a>. There's a link there that also talks about the <a href="http://en.wikipedia.org/wiki/Rubber_hose_cryptanalysis">rubber hose method</a>, which is one of the least computationally-intensive approaches that has been developed. (Thanks to JJ for the link!)<br /><br />I am reminded of one of the songs that's in the Sony PSP game Lumines 2 (awesome!) - "<a href="http://www.youtube.com/watch?v=3ncgg4eGYO0">Black Tambourine</a>". I never realized until just now that it's by Beck, or that it has at least a tenuous link to cryptanalysis!Blavehttp://www.blogger.com/profile/16455565484546473242noreply@blogger.com1