Posts About security
Secure Your Passwords Across Multiple Sites

Recently, gossip site Gawker (along with all of its sub-sites) had their data breached by hackers. This exposed emails, usernames and passwords for a reported 1.2 million accounts.
Because of this breach, many users (including several CSers) have had to reset their passwords to numerous sites because they use the same login credentials across the web. While this is definitely unsafe, it's usually the easiest method for most users. There are ways around this, like the excellent 1Password app, or creating a super secure password and having your browser remember it for you. But what happens when you're away from your computer, or maybe on your mobile device and don't have access to your stored passwords? I was taught a pretty nifty trick that solves all of these problems.
Blacksheep: a new Firesheep Prophylactic
Just a quick update: Last month, I posted about the threat of Firesheep, and some countermeasures you can take.
There's a new tool on the block called BlackSheep. It's pretty clever -- it's a modified version of the Firesheep codebase that makes fake HTTP requests of the sort that Firesheep would normally intercept and hijack, and then detects the subsequent hijacking attempts. It won't do anything to prevent the attack, but it will help verify your suspicions of the nerdy guy with the ThinkGeek t-shirt in the back of the coffee shop who hasn't ordered anything in a while.
Firesheep and Web Security
You may have heard some rumblings about "Firesheep", a new extension for Firefox that is making the rounds, and its implications for web security. In short, it's an extension that enables people to snoop on other people's web sessions on websites like Facebook, et al. There seems to be a lot of confusion around what it is, how it works (or doesn't work), and how to protect yourself from it.
First, a quick primer on HTTP session hijacking -- the fundamental attack that Firesheep uses:
Bad PayPal! - When security becomes ridiculous
Want to know the perfect formula on how to create a frustrating system, provide terrible customer service, and manage to drive a loyal customer to hate? Just take lessons from PayPal - they are doing a great job at really screwing up.
Here's the magic combo:
First, PayPal created some security restrictions that 'automatically' triggered on my account. While they won't say, I'm guessing it's because I accepted 20-30 payments before I attempted to make a full withdrawal. Regardless, this sparked their security system and it asked that I certify my account (this is different from verify). To do this, I have to ADD MY PERSONAL CREDIT CARD to the account ?@?#$@#$# I also have to verify my SS#. The first step takes 1 week for the transaction to show on my personal CC#... The second step fails because they say that I've used my SS# at some point in the past.
Great USB Backup App / Utility
I just found a great backup app (utility) for my USB drive. The app that comes with PortableApps isn't very flexible and it drove me to finding something better. Luckily, I found Freebyte Backup through PortableFreeware.com. They even told me how to 'make it more portable' by avoiding the installation and simply running the .EXE & creating my own profiles. Hope this helps others looking for a stable, feature-rich USB backup utility.
Blacklists: What they are and how to avoid them
If you thought that anti-spam protection for your incoming mail would alleviate your e-mail problems forever, think again: another issue that can cause more than a few headaches is DNS BlackLists (DNSBLs), sometimes also called RBLs (Realtime Black Lists). DNSBLs are not a new idea, but their usage is increasing rapidly. In short, a DNSBL is an innovative use of DNS to provide access to lists of IP addresses (or other info). These lists are created on varying criteria -- for example, the IP address was caught sending spam, or it's owned by a company known for supporting/sending spam. Or perhaps the IP address hosts a mailserver not following the rules, or a web/proxy server that has been compromised in such a way that it could be used to send spam. In this way, common sources of spam can be compiled into these lists and checked by a mailserver before accepting mail. If you show up in the blacklist, your mail is rejected.
As the spam-war has escalated, DNSBLs have become a double-edged sword. They have probably saved SMTP from being utterly inundated with spam to the point that it's useless. However, blacklists have also been forced to get increasingly aggressive. It's not uncommon for an organization to find itself blacklisted, even if it didn't overtly send spam (that it knows of). If your organization becomes the unlucky member of a DNSBL, you’ll find that most (if not all) of your email is rejected by the outside world because you’re now considered a spammer. The worst part is that you may have no idea why you were blacklisted and no idea how to get de-listed!
When Bureaucracy Attacks
We try to stay away from politics here on the centresource blog, but this is one area where they have affected security and technology, so I'll keep this neat and quick: One of the more amusing gifts we've been blessed with as a result of the PATRIOT Act is the set of "security" questions that Dell has to ask now, when you order goods from them.
Watch Your Files Today
Starting tomorrow the BlackMal virus will start deleting files from infected computers. Usually when I am in need of security-related information I check SecurityFocus first. Here is what they have to say about BlackMal:
The virus is programmed to start deleting eleven different types of files on the third of each month, starting with Friday, February 3. The files will be deleted from a computer's local hard drive as well as network-attached storage, a strategy that worried security experts enough to warn about the virus.
[snip]
SSH VPN
This is pretty cool. Check out this new feature in OpenSSH 4.3:
* Add support for tunneling arbitrary network packets over a connection between an OpenSSH client and server via tun(4) virtual network interfaces. This allows the use of OpenSSH (4.3+) to create a true VPN between the client and server providing real network connectivity at layer 2 or 3. This feature is experimental and is currently supported on OpenBSD, Linux, NetBSD (IPv4 only) and FreeBSD.
Your Privacy Online
There has been a growing grumbling on the internet about big sites like Google storing information about individuals' usage. Jr Colin posted a well-reasoned counterweight to those concerns today.
It is worth a read if you are concerned about your privacy online but don't feel a need to wear a tin foil hat just yet.
