Monday, October 22, 2012

Intro to Wireless Security

Change the System ID: Devices come with a default system ID called the SSID (Service Set Identifier) or ESSID (Extended Service Set Identifier). It is easy for a hacker to find out what the default identifier is for each manufacturer of wireless equipment, so you need to change this to something else. Use something unique, not your name or something easily guessed.

Disable Identifier Broadcasting: Announcing that you have a wireless connection to the world is an invitation for hackers. You already know you have one, so you don’t need to broadcast it. Check the manual for your hardware and figure out how to disable broadcasting.

Enable Encryption: WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) encrypt your data so that only the intended recipient is supposed to be able to read it. WEP has many holes and is easily cracked. 128-bit keys impact performance slightly without a significant increase in security, so 40-bit (or 64-bit on some equipment) encryption is just as well. As with all security measures there are ways around it, but by using encryption you will keep the casual hackers out of your systems. If possible, you should use WPA encryption (most older equipment can be upgraded to be WPA compatible). WPA fixes the security flaws in WEP but it is still subject to DoS (denial-of-service) attacks.

Restrict Unnecessary Traffic: Many wired and wireless routers have built-in firewalls. They are not the most technically advanced firewalls, but they help create one more line of defense. Read the manual for your hardware and learn how to configure your router to only allow incoming or outgoing traffic that you have approved.

Change the Default Administrator Password: This is just good practice for ALL hardware and software. The default passwords are easily obtained, and because so many people don’t bother to take the simple step of changing them, they are usually what hackers try first. Make sure you change the default password on your wireless router / access point to something that is not easily guessed (not your last name, for example).

Patch and Protect Your PCs: As a last line of defense you should have personal firewall software such as Zone Alarm Pro and anti-virus software installed on your computer. As important as installing the anti-virus software, you must keep it up to date. New viruses are discovered daily and anti-virus software vendors generally release updates at least once a week. You also must keep up to date with patches for known security vulnerabilities. For Microsoft operating systems you can use Windows Update to try and help keep you current with patches.

View the original article here

Sunday, October 21, 2012

Hide Your Wireless Network

High-speed broadband connections don't just grow on trees. We all like getting our money's worth when it comes to our Internet connection so we often extend its reach by adding a wireless router or a wireless access point. Once we start broadcasting wireless access, our signal can potentially be picked up outside of our home by our neighbors. If we haven't secured our connection then they might be able to connect and use our Internet access.

Enter: The Wireless Internet Leech. These people live right around you or might just be passing through so they can do a "drive-by-leeching". They have no problem connecting to your wireless network and killing your bandwidth while you pay the bill. They don't think twice about connecting to any open wireless access point they happen to find.

There are websites devoted to finding open wireless access points. Some leeches even spray graffiti or use chalk near an open wireless access point to mark or Warchalk the site so others will know where they can get free wireless access. Warchalkers use codes and symbols to indicate the SSID name, bandwidth available, encryption used, etc.

How do you prevent your neighbors and others from leeching off of your wireless internet connection?

1. Turn on WPA2 encryption on your wireless router

If you haven't already done so, consult your wireless router's manual and enable WPA2 encryption on your wireless router. You may already have encryption turned on, but you may be using the outdated and vulnerable WEP encryption. WEP is easily hacked by even the most novice hacker in less than a minute or two by using free tools found on the Internet. Turn on WPA2 encryption and set a strong password for your network.

2. Change your wireless network's name (SSID)

Your SSID is the name that you give your wireless network. You should always change this name from its manufacturer-set default, which is usually the brand name of the router (e.g. Linksys, Netgear, D-Link, etc.). Changing the name helps to prevent hackers and leeches from finding specific vulnerabilities associated with your brand of router. If hackers know the brand name, then they could find an exploit to use against it (if one exists). The brand name also helps them determine what the default admin password for the router might be (if you haven't changed it).

Make the SSID something random and try to make it as long as you are comfortable with. The longer the SSID the better as it helps prevent hackers from using Rainbow Table-based attacks to try and crack your wireless encryption.

3. Turn off the "allow admin via wireless" feature of your wireless router

As an extra precaution against hackers, turn off the "allow admin via wireless" feature on your router. This will help to prevent a wireless hacker from gaining control of your wireless router. Turning this feature off tells your router to only permit router administration from a computer that is directly connected via an Ethernet cable. This means that they would pretty much have to be in your house in order to access the admin console of your router.

Your neighbors will likely be a little mad at you for turning off their free Internet gravy train. They may sneer at you and let their dog use the bathroom in your yard from now on. At least now that they are no longer getting a free ride, maybe you will have enough bandwidth to stream an HD movie without it stuttering and getting all "blocky" for a change.



Friday, October 19, 2012

Rogue Wireless Clients

You pay a pretty penny for that super fast internet connection, but you aren't seeing anywhere close to the speeds promised by your Internet service provider. It could be any number of problems. One thing that will suck the life out of your bandwidth is wireless freeloaders. They will hop on to any wireless network connection they can find and use your bandwidth to their heart's content.

How can you tell if someone is connected to your wireless network without your permission?

1. Log on to the administrative interface on your wireless router / wireless access point

In order to view the current active wireless connections using your wireless access point you will need to log in to the administrative console of your wireless router. Check your router manufacturer's user guide for detailed instructions.

2. Click on the wireless configuration / status page from your router's admin console

While all routers are different, usually the list of active wireless clients is provided on either the 'wireless configuration' page or the 'wireless status' page on most wireless routers. Look for a list of wireless clients.

You should see a table with two columns. One column will show the Media Access Control (MAC) address which is a unique identifier assigned to the network interface of whatever device is connected to your network. The other column should contain the IP addresses that were assigned to the devices by your router.

If you have DHCP enabled on your router then your router will automatically assign an IP address to any client that is authenticated (whether they hacked their way in or not). Only after the router gives the client an IP is the client able to connect to resources on your network and reach the internet.

3. Count your wireless devices

Do you only have a laptop and a smartphone that use your wireless access point yet you see 20 different clients listed in the wireless clients table? If the numbers aren't adding up, then you may have some rogue wireless clients or you may just have some devices that you forgot had wireless connections such as your XBOX or your Wi-Fi enabled camcorder.

4. Look up the MAC addresses of any suspicious devices to see what they are

So you've counted up all your wireless devices and there are two more than you think you are supposed to have. It's time to look up the MAC addresses to see who made the device so you can learn what it might be. Visit a MAC Vendor lookup site such as MACVendorLookup.com and enter the MAC address of the suspicious device. The site will tell you who the manufacturer of the device in question is. If it says "Dell Inc." and you don't own any Dell computers then, chances are, someone is hijacking your connection and freeloading off your Wi-Fi.
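Steps 3 and 4 can be scripted once the client table has been copied out of the router's status page. The following is an added example, not part of the original article: it parses such a table, skips the devices you list as your own, and reports a vendor for everything else. The table contents, device names and vendor prefixes are constructed, and the vendor names are hypothetical.

```python
import re

# Constructed sample of a router's wireless client table (not from the article).
# Routers differ in separator and letter case, so both styles appear here.
CLIENT_TABLE = """\
MAC Address          IP Address
00:11:22:AA:BB:01    192.168.1.100
00-11-22-aa-bb-02    192.168.1.101
00:33:44:12:34:56    192.168.1.102
DA:A1:19:00:00:07    192.168.1.103
"""

# Devices you own, keyed by normalized MAC (constructed values).
KNOWN_DEVICES = {
    "00:11:22:aa:bb:01": "my laptop",
    "00:11:22:aa:bb:02": "my smartphone",
}

# Constructed stand-in for a vendor database. Real prefixes come from the
# IEEE registry or from a lookup site such as the one the article mentions.
OUI_VENDORS = {
    "00:11:22": "Example Laptop Co.",
    "00:33:44": "Example Camera Co.",
}


def normalize_mac(token):
    """Return the MAC as lowercase aa:bb:cc:dd:ee:ff, or None if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", token).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_client_table(text):
    """Extract (mac, ip) pairs; the header and malformed lines are skipped."""
    clients = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = normalize_mac(fields[0])
        if mac:
            clients.append((mac, fields[1]))
    return clients


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set.

    Such addresses are self-assigned (many phones and laptops randomize
    them), so the first three octets do not identify a manufacturer.
    """
    return bool(int(mac[:2], 16) & 0x02)


def audit_clients(clients, known, oui_vendors):
    """Return one finding per connected client that is not in `known`."""
    findings = []
    for mac, ip in clients:
        if mac in known:
            continue
        if is_locally_administered(mac):
            vendor = None
            note = "randomized address; vendor lookup is not meaningful"
        else:
            vendor = oui_vendors.get(mac[:8])
            note = "vendor from OUI" if vendor else "OUI not in table"
        findings.append({"mac": mac, "ip": ip, "vendor": vendor, "note": note})
    return findings


if __name__ == "__main__":
    clients = parse_client_table(CLIENT_TABLE)
    for f in audit_clients(clients, KNOWN_DEVICES, OUI_VENDORS):
        print(f"UNKNOWN {f['mac']} {f['ip']} {f['vendor'] or '-'} ({f['note']})")
```

A device that reports a randomized address is not necessarily an intruder: compare it with the Wi-Fi address shown in the settings of each of your own devices before treating it as rogue.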

5. Lock out the wireless freeloaders

If someone is using your wireless network without your permission then one of two things has happened: either you've turned off security completely and are allowing anyone to connect to your access point, or someone has cracked your wireless encryption or cracked / guessed your wireless password.

The best way to get rid of unauthorized wireless users is to first ensure that you are using the latest wireless encryption mechanism (currently WPA2). Once you are using the latest and greatest security then you should change your wireless network's name to something other than the default because hackers have tools that make cracking the password of a known network name a fairly simple task.

After you've chosen a good network name that is not on the list of the Top 1000 Most Common SSIDs, you should create a strong wireless network password (also known as a Pre-Shared Key). Performing these steps should get rid of all the freeloaders who are using your network.

Don't forget that you'll have to give out your new wireless network name and password to all your legitimate / authorized users so they can rejoin your network after you've purged all the leeches.
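Why the network name matters for password cracking, both here and in the SSID advice of the earlier "Hide Your Wireless Network" post: WPA/WPA2-Personal derives its key with PBKDF2 using the SSID as the salt, so work precomputed for a common SSID applies to every network that keeps that name. The following is an added example, not part of the original article, that derives the key and checks a proposed name and password. The common-SSID list, the weak-password list and the 12-character threshold are constructed assumptions.

```python
import hashlib

# Constructed short stand-ins for a "most common SSIDs" list and a
# weak-password list; real lists are far longer.
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
WEAK_PASSPHRASES = {"password", "12345678", "letmein123"}
MIN_RECOMMENDED_LENGTH = 12  # assumption for this example, not a standard

MESSAGES = {
    "ssid-length": "SSID must be 1 to 32 bytes long",
    "ssid-common": "SSID is a common default, so precomputed tables for it may exist",
    "passphrase-length": "WPA2 passphrase must be 8 to 63 characters",
    "passphrase-charset": "WPA2 passphrase must be printable ASCII",
    "passphrase-weak": "passphrase is short or on a common-password list",
}


def wpa2_pmk(passphrase, ssid):
    """Derive the 256-bit WPA/WPA2-Personal key.

    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID,
    4096 iterations, 32 bytes of output.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def audit_network(ssid, passphrase):
    """Return a list of finding codes for a proposed SSID and passphrase."""
    findings = []
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        findings.append("ssid-length")
    if ssid.strip().lower() in COMMON_SSIDS:
        findings.append("ssid-common")
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase-length")
    elif any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        findings.append("passphrase-charset")
    elif (passphrase.lower() in WEAK_PASSPHRASES
          or len(passphrase) < MIN_RECOMMENDED_LENGTH):
        findings.append("passphrase-weak")
    return findings


if __name__ == "__main__":
    # Same passphrase, two network names: the derived keys share nothing,
    # which is why a table built for "linksys" is useless against a unique name.
    for name in ("linksys", "kitchen-sink-7f3a91"):
        print(name, wpa2_pmk("correct horse battery staple", name).hex())

    for ssid, psk in (("linksys", "password"),
                      ("kitchen-sink-7f3a91", "correct horse battery staple")):
        codes = audit_network(ssid, psk)
        print(ssid, "->", [MESSAGES[c] for c in codes] or "no findings")
```

A unique SSID only removes the shortcut of precomputed tables; a password that appears in a wordlist can still be guessed directly, so both checks matter.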



Thursday, October 18, 2012

Wireless Security FAQ Complex

The wireless router has become such a common household appliance that most people forget it's even there. These devices have become so easy to set up that many of us don't bother to even change the default settings or configure the wireless security features.

Leaving your wireless router unsecured can not only leave your network open to attack, it can also subject your network to leeching neighbors who will eat away the precious bandwidth that you pay your hard earned money for.

Securing your Wireless Router can be tricky. Here are some frequently asked questions and answers to help you choose and lock down a wireless router or access point:


1. Is my Wireless Network Safe if my Wireless Router has WEP Security Turned on?

Answer: No. While Wired Equivalent Privacy (WEP) was an excellent wireless encryption standard a few years ago, it does not provide the same level of protection as newer standards such as Wi-Fi Protected Access (WPA). WEP has been cracked and can be easily circumvented by hackers using tools that are freely available on the Internet.

2. What Security Features Should I Look for When Buying a Wireless Router?

Answer: Make sure any wireless router or access point you buy supports the latest wireless encryption standards such as WPA/WPA2. Other features to look for include:

- Built-in firewall
- Media Access Control (MAC) address filtering capability
- Remote administration lockout feature
- The ability to disable Service Set Identifier (SSID) broadcasting
- Access time limit control
- Parental control
- Restricted “guest” network zoning

3. How do I keep Neighbors From Leeching off of my Wireless Internet Connection?

Answer: The best way to keep people from freeloading off of your wireless connection is to:

- Enable WPA2 encryption on your wireless router or access point and set a strong password that is not easily guessed
- Change the SSID (wireless network name) to something other than the default value set by the manufacturer
- Turn off the “Broadcast SSID” feature of your router or access point so that only those who know what the network’s name is can access it

4. How Can I Keep my Kids From Using Wi-Fi on Their iPod/DS to Access the Internet?

Answer: Kids will be kids. They are very tech-savvy and will do everything they can to circumvent any security barriers you put up. Here are a few actions you can take to make it as difficult as possible for them:

- Use WPA2 encryption on your router with a strong password and don’t give them the password
- Change your wireless router’s default administration password
- Disable your wireless router’s remote administration feature
- Locate the wireless router in your bedroom or a locked closet to prevent them from pressing the factory settings reset button
- Enable the parental control features of their game device or iPod
- Enable MAC address filtering on your wireless router and exclude the MAC address of their device(s) from those allowed access
- Enable the access time restrictions feature of your wireless router and limit Internet access to daytime hours only

5. Is it legal to use my neighbor’s wireless hotspot if he left it unsecured?

Answer: Is it legal for you to go in your neighbor’s house if he left the door unlocked? No, it is not legal. The same applies to his wireless access point.



Tuesday, October 16, 2012

Top 100 Security Tools

In 2000, Fyodor, creator of the Nmap scanner, conducted a survey of the readers of the nmap-hackers mailing list and compiled the Top 50 Security Tools.

Three years later, Fyodor again conducted the survey, and expanded the list to include the Top 75 Security Tools. Another three years have gone by and another survey has been done. With 3,243 readers responding, Fyodor has compiled the Top 100 Security Tools from his 2006 survey and they are now posted on the Insecure.org web site.

There are a total of 42 new tools on the list. That means that 42 out of 100 tools on the Top 100 Security Tools list did not appear on the 2003 Top 75. Thirteen of the new tools even made the top 50. Had the list been maintained at the Top 75, the length of the list in 2003, 27 of the tools (almost half) would be new to the list.

For the complete, detailed listing of all 100 tools, complete with links to download them, you should visit the Top 100 Security Tools listing on Insecure.org. I will summarize here the top 10, as well as providing a list of the new tools on the list.

1. Nessus (vulnerability scanners)
2. Wireshark (packet sniffers, previously known as Ethereal)
3. Snort (IDS - intrusion detection system)
4. Netcat (Netcat)
5. Metasploit Framework (vulnerability exploitation tools)
6. HPing2 (packet crafting tools)
7. Kismet (wireless tools or packet sniffers)
8. TCPDump (packet sniffers)
9. Cain and Abel (password crackers or packet sniffers)
10. John The Ripper (password crackers)

New tools on the list: Metasploit Framework, Paros Proxy, Aircrack, Sysinternals, Scapy, BackTrack, P0f, Google, WebScarab, WebInspect, Core Impact, IDA Pro, Rainbow Crack, AngryIP Scanner, RKHunter, Ike-scan, KisMAC, OSSEC HIDS, Tor, Knoppix, chkrootkit, Yersinia, Nagios, X-scan, Socat, QualysGuard, ClamAV, BurpSuite, Unicornscan, BASE, Argus, Wikto, SGuil, IP Filter, Canvas, VMware, OpenVPN, OllyDbg, Helix, Acunetix Web Vulnerability Scanner, TrueCrypt, Watchfire AppScan


Monday, October 15, 2012

Protected Mode

With Windows Vista, Microsoft includes the latest version of Internet Explorer, IE7. However, on Windows Vista IE7 has some new security options which help make surfing the Web even safer, namely Protected Mode.

Protected Mode is a security measure which relies on Windows Vista's new WIC (Windows Integrity Control) security to control how objects interact with each other. By default, when Protected Mode is enabled, every process and file associated with Internet Explorer is assigned a Low integrity level.

By comparison, standard users are granted a Medium integrity level and any object (file, process, etc.) that is not specifically granted a different integrity level is considered Medium by default. WIC will not let an object act on, or interact with, an object of a higher integrity level than itself, so malicious processes and files from the Internet that try to infect or compromise the computer system will be rejected. Low cannot overwrite or interact with Medium, so Internet Explorer loses.

There are, of course, instances where you want or need a web site to write to or work with your system. When you encounter a site like this, you might be inclined to just disable Protected Mode, even just for a little while. This is not advisable however because it leaves your whole system wide open to attack.

Like previous versions of Internet Explorer, IE7 has Security Zones which you can use to segregate web sites into different levels of trust. If you need certain processes or applets to work on a specific site and they won't work in Protected Mode, rather than turning off Protected Mode you should add the site in question to the Trusted zone, which has Protected Mode disabled by default.



Saturday, October 13, 2012

Free Vulnerability Scanners

Nessus
The "Nessus" Project aims to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. For more details you can see the Profile: Nessus Vulnerability Scanner or the article Nessus Vulnerability Scanner: Missing Bells & Whistles?

MBSA (Microsoft Baseline Security Analyzer)
In response to the avalanche of criticism Microsoft has received regarding the security of their products, Microsoft created a free tool to analyze your security configuration. Read a review of this free tool. For more details about this tool you can see Product Review: Microsoft Baseline Security Analyzer.

HFNetChk
HFNetChk is a command-line tool that enables an administrator to check the patch status of all the machines in a network from a central location.

GFI LANguard Network Security Scanner
GFI LANguard S.E.L.M. archives and analyses the event logs of all network machines and alerts you in real time to security issues, attacks and other critical events.

Tripwire
Tripwire software is a tool that checks to see what has changed on your system. The program monitors key attributes of files that should not change, including binary signature, size, expected change of size, etc.

NeWT
This easy-to-use Windows network vulnerability scanner installs on any Windows 2000 or Windows XP computer. Multiple scanners can be managed by the Lightning Console. "NeWT" can scan any system on a local Class C network while "NeWT Pro" can be used to scan any host. "NeWT" is available as a complimentary download to the public while "NeWT Pro" is a commercially supported product from Tenable.



Friday, October 12, 2012

Foscam Surveillance Pro Review

Thanks to the proliferation of inexpensive IP security cameras from China, you can now purchase a pan-tilt capable security camera with night vision and a boatload of other features for less than 100 dollars. Check out our article on DIY iPhone-controlled Security Cameras for info on how to set up your own simple system.

Part of any good video surveillance system is having the capability to remotely view your camera feeds, which is where the Foscam Surveillance Pro App for iPhone comes in.

There are a ton of IP security camera viewing and control apps out there, some are good, some are awful. Since I had opted to purchase a Foscam brand (Foscam FI8918WW) camera, I wanted an app that had Foscam compatibility in mind. A quick search of the iTunes App Store revealed several. The Foscam Surveillance Pro app had some excellent reviewer feedback, so I gave it a try.

After installing the app, the first thing required is camera configuration information for the IP camera you wish to view. You must first choose a model of camera. While the Foscam Surveillance Pro app name would imply that it only supports Foscam-branded cameras, it actually supports many cameras from many different vendors.

After selecting a model, you must supply the IP address or host name of the camera along with the port, username, and password. Most cameras use port 80, but it depends on the setup of your particular camera. It is important to note that your camera must already be accessible via the internet before it will work with the app.

My camera's IP address is a non-public, internal IP, given to my camera by the DHCP server on my wireless access point. Since the IP is not a "real" IP, I had to enable the port forwarding option on my router and tell it that any inbound connections that are trying to come in on port 80 from the internet should be routed to my camera's internal (DHCP-assigned) IP address. Once this is set up, all I have to do is find out what my internet service provider-assigned IP address is (by using a site such as Whatsmyip.org) and I am all set to connect to my camera from the Internet.

After you successfully enter in your connection information into the Foscam Surveillance Pro app, all you have to do is touch the camera's name and you will be taken to the viewer. The controls available depend on the model of camera you chose during setup. If you chose a pan-tilt capable camera, you will see a virtual joystick that you can touch to move the camera around. The lag time between when you touch the joystick and when the camera actually moves will depend on how good your connection is from your iPhone.

While in viewer mode, you can rotate your phone to see a full screen landscape view from the camera. The joystick disappears in landscape view allowing you to touch an area of the screen to move the camera instead of using the virtual joystick. You can also pinch-zoom in and out on areas of interest within the camera window.

Other cool features (if supported by your specific camera) provided by the app include:

- Multi-camera mosaic view allowing you to view up to six camera feeds on your iPhone's screen at one time
- Brightness and contrast controls that change the camera's on-board settings
- Motion sensor enable / disable / adjust
- Motion sensor triggered snapshot to e-mail settings control
- Set and access presets for different camera positions
- Enable / disable "patrol mode"

This app has been great for peace of mind, allowing me to virtually check on things at my house when I'm away. The developer is very active in resolving issues and adding new features as well.

Foscam Surveillance Pro is available for $4.99 at the iTunes App Store



Thursday, October 11, 2012

Configure Internet Explorer...

Internet Explorer offers four different zones to help you classify security level depending on how well you know or trust the site: Trusted, Restricted, Internet and Intranet or Local.

Classifying the sites you visit and configuring your Internet Explorer security settings for each zone can help to ensure you can safely surf the Web without fear of malicious ActiveX or Java applets.

1. Click on Tools on the menu bar at the top of Internet Explorer
2. Click on Internet Options from the Tools drop-down menu
3. When Internet Options opens up, click on the Security tab
4. Internet Explorer begins by categorizing sites into either Internet, Local Intranet, Trusted Site or Restricted Site zones. You can specify the security settings for each zone. Select the zone you wish to configure.
5. You can use the Default Level button to select from the pre-defined security settings Microsoft set up in Internet Explorer. See Tips for details of each setting.
6. MEDIUM is most appropriate for the majority of Internet surfing. It has safeguards against malicious code, but is not so restrictive as to prohibit you from viewing most web sites.
7. You can also click on the Custom Level button and alter individual settings, starting with one of the Default levels as a baseline and then changing specific settings.

LOW
- Minimal safeguards and warning prompts are provided
- Most content is downloadable and run without prompts
- All active content can run
- Appropriate for sites that you absolutely trust

MEDIUM-LOW
- Same as Medium without prompts
- Most content will be run without prompts
- Unsigned ActiveX controls will not be downloaded
- Appropriate for sites on your local network (Intranet)

MEDIUM
- Safe browsing and still functional
- Prompts before downloading potentially unsafe content
- Unsigned ActiveX controls will not be downloaded
- Appropriate for most Internet sites

HIGH
- The safest way to browse, but also the least functional
- Less secure features are disabled
- Appropriate for sites that might have harmful content


Tuesday, October 9, 2012

HomePlug Powerline Net Sec

There used to be two basic options for setting up a network in your home. You could either string Ethernet cables all over the place or you could invest in a wireless access point or wireless router and go wireless. Over the last few years a third option has emerged and started to catch on.

Enter: the HomePlug Powerline network. Powerline networks use your home's electrical wiring to carry network traffic at speeds that rival traditional wired network technologies. Powerline networks are super simple to implement thanks to the HomePlug Powerline Alliance, which has done its best to make Powerline network products interoperable and easy for consumers to install.

The basic Powerline network consists of at least two Powerline network devices which look like little bricks that plug into your home's power outlets. Each Powerline network adapter has an Ethernet port to connect network devices to.

Say you have a computer in your basement and your Internet router is on the third floor of your house. Instead of running a network cable up to the third floor, all you would need to do is take a Powerline network adapter, plug it in near your computer in the basement, connect the cord to your computer and to the Powerline adapter, and follow the same process with another Powerline adapter, plugging it into your router and a power outlet near your router. Boom. You're done!

If you want to add more devices in other rooms to the network, you just need to buy more Powerline network adapters. Some versions of the HomePlug standard support up to 64 adapters. I don't think I even have half that many power outlets in my home.

So what's the catch? Well, Powerline networks get a little trickier when you move out of the realm of the single family home. This is where the security issues begin.

The HomePlug standard has security features such as encryption built in but because their main goals seem to be ease of use and interoperability, most HomePlug devices have the same network name "HomePlugAV" or something similar. This makes it easy for people to 'plug and play' devices from different companies who are part of the same HomePlug standard. Since they have the same network name they will all talk to each other without any user intervention.

The main issue with all Powerline network devices having the same out-of-the-box default network name is when you live in an apartment, dorm, or other situation where the electrical wiring is shared. If two or more different apartments start using Powerline networking products with the same network name then they are essentially sharing their network with each other which could lead to all manner of security and privacy issues.

How do you implement the security features of HomePlug Powerline Networks to create a more private network?

Change your Powerline network name

Most HomePlug Powerline network devices have a 'group' or 'security' button that will allow you to change your network's name. Usually this involves holding the security button down for a specified period of time to clear the default name and generate a new random network name.

Once the new network name is established, all the other powerline network devices must be given the new name so they can communicate with each other. Again, this is done by pressing the security button on one of the Powerline network devices for a certain number of seconds and then going to the other Powerline network devices and pressing their security button while the unit with the new network name is in 'broadcast new network name' mode.

Even though the HomePlug Standard is used by several manufacturers such as DLink, Netgear, Cisco, and others, the time you hold down the security button to accomplish creating and joining a network may be slightly different depending on the manufacturer of the HomePlug network devices you are using. Check your specific Powerline network device maker's website for details on how to create and join a network.

Use Powerline HomePlug scanning / configuration software to detect rogue devices

Some HomePlug Powerline network device makers have a software program that can detect what devices are present on your network and can configure them as well (provided you have the device passwords that are printed on each device).

If you only have two Powerline network devices in your home and the software detects more than two, then you know that your network is mixing with a neighbor's and that you should create your own private network by following the instructions above.



Monday, October 8, 2012

Right Of Privacy

Citizens of the United States are afforded a number of rights. These rights have evolved and developed over the centuries and have been added to the permanent record in the form of amendments to the Constitution of the United States.

As it stands right now, there are a total of 27 amendments. A couple of them cancel each other out like the 21st amendment which repeals the 18th amendment prohibition on the manufacture, sale or transportation of alcoholic beverages.

Most United States citizens are probably not aware of what is written in those amendments. They may have memorized it long enough to pass a high school government or civics class, but that data has long since been purged to make room for more important things. Many Americans are probably unaware that it was not legal for the United States government to collect income taxes until they passed the 16th amendment or that a person could be President indefinitely until the two term limit was imposed by the 20th amendment.

Not casting stones, I myself could not tell you what most of them are. Most people are familiar with “taking the fifth” which implies using one’s 5th amendment right to not “be compelled in any criminal case to be a witness against himself”. Amendments such as the 1st amendment right that essentially defines the separation of church and state, the 2nd amendment right to bear arms, or the 4th amendment protecting you from unlawful search and seizure of your property are fairly common knowledge and are mentioned frequently in the media in support of various causes.

Having read through the amendments on the Findlaw.com web site though, I can’t find any amendment that explicitly protects a United States citizen’s right of privacy. The 14th amendment is often cited as the amendment which protects what Justice Louis Brandeis called the “right to be left alone”, but upon reading it, it appears that a fair amount of interpretation has to be allowed for in order to come to the conclusion that it inherently protects our privacy. The 1st, 4th and 5th amendments are also occasionally referred to in discussions of a right of privacy.

Of course, the 10th amendment explicitly grants authority to the individual states for any power not delegated to the United States Congress or prohibited explicitly in the Constitution of the United States. So, there may very well be provisions protecting privacy in state constitutions or state laws. There are also a number of statutes and regulations at both the federal and state levels which are based at least in part on the inferred right of privacy.

Unfortunately, privacy, and the protection of sensitive or personal information, seems to be legislated on an industry by industry basis. The Privacy Act of 1974 prevents the unauthorized disclosure of personal information held by the federal government. The Fair Credit Reporting Act protects information gathered by credit reporting agencies. The Children’s Online Privacy Protection Act grants parents authority over what information about their children (age 13 and under) can be collected by web sites.

As it relates to securing computer networks or data, the Sarbanes-Oxley Act, HIPAA and GLBA all contain at least some guarantee of an individual’s right not to have their personal or confidential information exposed. These regulations mandate that companies take steps to ensure their customers’ data is secure and impose fines and penalties on companies that fail to do so.

California’s SB-1386 places a responsibility on companies operating in that state to inform customers when their data has been exposed or compromised in any way. If it weren’t for that California law, the recent debacle at ChoicePoint might never have been disclosed.



Saturday, October 6, 2012

Reset Passwords

There are tools available to help you track and remember your many passwords. However, you have to get into your computer to begin with in order to use them. Windows XP allows you to add a password hint which you can use to trigger your memory if you forget the password, but what do you do if the hint doesn’t help? Are you locked out of your computer forever?

In most cases, the answer is “no”. You can reset the password by using an account with Administrator privileges. If you are the only one using your computer, you might think that you are just out of luck, but don’t give up just yet.



Friday, October 5, 2012

Google+ Security

You've heard all the hype about Google+. You may have even dived in, gotten yourself an account, and started building your "circles" of friends, but have you taken the time to see what kind of privacy and security features that Google has baked into Google+?

Facebook, Google+'s main competitor, has adapted its privacy and security settings over time, based on its users' concerns and other factors. Facebook has achieved a fairly robust system of opt-in, opt-out, group, and friend-based security and privacy measures that are still evolving today.

It's ultimately up to the Google+ developers as to whether they want to follow Facebook's lead or go in a completely different direction with regards to security and privacy features.

The jury is still out on whether or not Google+ has done a good job implementing its privacy and security features. We all remember Google's first major foray into the world of social networking, also known as Google Buzz. Buzz's initial privacy settings left a lot to be desired and a class action lawsuit was filed as a result. Has Google learned its lesson? We'll have to wait and see.

Here are some tips on how you can use Google+'s currently offered security and privacy options to make your Google+ experience a safe one.

To begin, click on the gear icon in the top-right corner of your Google+ home page.

1. Restrict the visibility of your Google+ circles to increase your privacy

Unless you want everyone in the world to be able to see who your friends are, you'll probably want to limit access to this information.

To restrict who can see your friends and circles:

Click the "Profile and Privacy" link from the "Google+ Accounts" page:

Click the "Edit Network Visibility" button from the "Sharing" section of the page.

Uncheck the box for "Show People In" if you don't want anyone, including those in your circles, to be able to see who your friends are. Your other option is to leave the box checked, and choose whether you want your friends to be able to see who is in your circles, or you can allow the whole world to see this information. The current default is to allow everyone in the world to see who is in your circles.

If you want to be extra private you can hide the fact that you have been added to other people's circles by unchecking the box that says "Show people who have added you to circles" at the bottom of the "Edit Network Visibility" pop-up box.

2. Remove global access to the parts of your personal profile that you don't want to share with the world

Identity thieves love personal details such as where you went to school, where you have worked, etc. These details are a gold mine for them. If you make these tidbits of information available for the whole world to see, you are just asking for them to use them to steal your identity. It's best to restrict access to most of these details, allowing only your friends the ability to see this information.

Anytime you see a globe icon next to something in Google+ it means that you are sharing that item with the world and not just with those within your circles.

To restrict certain parts of your profile to only be visible to people within your circles:

Click the "Profile and Privacy" link from the "Google+ Accounts" page.

Click the "Edit visibility on profile" link under the "Google Profiles" section of the page.

On the page that opens, click each item in your profile to modify its visibility settings. Click the drop-down box and change the items that you don't want revealed to the world.

Click the "Done Editing" button in the red bar near the top of the screen when you are finished modifying your profile visibility.

If you don't want your information made available to search engines, you should uncheck the "Help others find my profile in search results" box from the "Search visibility" section at the bottom of the page.

3. Restrict visibility of individual posts in your Google+ stream

Google+ allows you to restrict visibility of individual posts (i.e. status updates, photos, videos, links, etc...). When you're posting something in your Google+ stream on your homepage, look at the box underneath the text box you are typing your post into. You should see a blue box with the name of your default circle (i.e. Friends). This indicates the people that your post is about to be shared with. You can remove visibility for the post by clicking the "X" icon inside the blue box. You can also add or remove an individual's or circle's ability to see the post.

As Google+ evolves, it will undoubtedly feature additional privacy and security options. You should check the "Profile and Privacy" section of your Google+ account every month or so to make sure that you haven't been opted-in to something you would have rather been opted-out of.



Wednesday, October 3, 2012

Phishing Protection

Phishing attacks have become more sophisticated and users need simple steps they can use to protect themselves from becoming victims of phishing scams. Follow these 5 steps to avoid being a victim and protect yourself from phishing scams.

1. Be Skeptical: It is better to err on the side of caution. Unless you are 100% sure that a particular message is legitimate, assume it is not. You should never supply your username, password, account number or any other personal or confidential information via email and you should not reply directly to the email in question. Ed Skoudis says “If the user really suspects that an e-mail is legit, they should: 1) close their e-mail client, 2) close ALL browser windows, 3) open a brand new browser, 4) surf to the e-commerce company's site as they normally would. If there's anything wrong with their account, there will be a message at the site when they log in. We need people to close their mail readers and browsers first, just in case an attacker sent a malicious script or pulled another fast one to direct the user to a different site.”

2. Use The Old-Fashioned Way: An even safer means of verifying if an email regarding your account is legitimate or not is to simply delete the email and pick up the phone. Rather than risking that you may somehow be emailing the attacker or mis-directed to the attacker’s replica web site, just call customer service and explain what the email stated to verify if there is truly a problem with your account or if this is simply a phishing scam.

3. Do Your Homework: When your bank statements or account details arrive, whether in print or through electronic means, analyze them closely. Make sure there are no transactions that you can’t account for and that all of the decimals are in the right spots. If you find any problems contact the company or financial institution in question immediately to notify them.

4. Let Your Web Browser Warn You: The latest generation web browsers, such as Internet Explorer 7 and Firefox 2.0 come with built in phishing protection. These browsers will analyze web sites and compare them against known or suspected phishing sites and warn you if the site you are visiting may be malicious or illegitimate.

5. Report Suspicious Activity: If you receive emails that are part of a phishing scam or even seem suspicious you should report them. Douglas Schweitzer says "Report suspicious e-mails to your ISP and be sure to also report them to the Federal Trade Commission (FTC) at www.ftc.gov".


Tuesday, October 2, 2012

Windows Vista Backup

If you choose Backup Files, Vista will walk you through choosing a destination to backup to (again- this is typically an external USB hard drive or a CD / DVD recorder), and then choosing the drives, folders, or files that you want to include in your backup.

Note: If you have already configured Backup Files, clicking on the Backup Files button will instantly initiate a backup. To modify the configuration, you instead need to click on the Change Settings link below the Backup Files button.



Sunday, September 30, 2012

Clickjacking

They can't be seen, they can't be reasoned with, and they want to jack your clicks. Clickjackers have been around since about 2008 but they are getting a lot more press lately thanks to a new wave of clickjacking attacks perpetrated against Facebook users.

What is Clickjacking?

Clickjacking may sound like the latest underground dance craze, but it's far from it. Clickjacking occurs when a scam artist or other internet-based bad guy places an invisible button or other user interface element over top of a seemingly innocent web page button or interface element using a transparency layer (which you can't see).

The innocent web page might have a button which reads: "Click here to see a video of a fluffy kitty being cute and adorable", but hidden on top of that button is an invisible button that is actually a link to something that you would not otherwise want to click on, such as a button that:

Tricks you into changing privacy settings on your Facebook account

Tricks you into "liking" something you wouldn't normally like (a.k.a Likejacking)

Tricks you into adding yourself as a Twitter follower for someone who doesn't deserve you

Tricks you into enabling something on your computer (such as a microphone or camera)

Tricks you into running into a crowded theater and shouting "Shih Tzu" at the top of your lungs.

Many times the clickjacker will load up a legitimate website in a frame and then overlay their invisible buttons on top of the real site.

How can you prevent your clicks from being clickjacked?

1. Update your Internet browser and plug-ins such as Flash

If you haven't updated your browser to the latest and greatest version available, then you are not only missing out on an upgrade that might possibly prevent you from getting clickjacked, but you are also not taking advantage of the other security updates that are part of newer versions of Firefox, IE, Chrome and other Internet browsers.

You should also update browser plug-ins such as Flash because some older versions may be vulnerable to clickjacking attacks.

2. Download Clickjacking Detection / Prevention Software

While some Internet browsers offer limited built-in clickjacking protection, there are several robust clickjacking detection/prevention plug-ins that are available for browsers such as Firefox. Several of them are even free. Here are a couple of the more widely known and respected ones:

Clickjacking prevention is not only the responsibility of the user. Websites and web application developers also have a role in preventing their content from being exploited by clickjackers. The Code Secure Blog has some excellent suggestions on how to write code to assist in the detection and prevention of clickjacking.
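On the developer side, the defence against the framing trick described above is to tell the browser who may embed the page. As an added example (not code from the original article or from the Code Secure Blog), this JavaScript classifies a response from its headers using the two mechanisms browsers honour, X-Frame-Options and the CSP frame-ancestors directive; the function names and sample headers are constructed for illustration.

```javascript
// Added example: classify who may frame a response, from its headers alone.
// Function names and sample headers are constructed for illustration.

// Verdicts ordered from strictest to weakest.
const STRICTNESS = ['blocked', 'same-origin', 'allowlist', 'frameable'];

// Lower-case header names; a header sent twice becomes an array of values.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    out[key] = (out[key] || []).concat(value);
  }
  return out;
}

// Source list of the first frame-ancestors directive in one policy, or null.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function classifySources(sources) {
  // 'none' only counts when it stands alone; an empty list means the same.
  const real = sources.filter((s) => s !== "'none'");
  if (real.length === 0) return 'blocked';
  if (real.some((s) => s === '*' || /^https?:$/.test(s))) return 'frameable';
  if (real.every((s) => s === "'self'")) return 'same-origin';
  return 'allowlist';
}

function framingVerdict(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const reasons = [];
  const policies = (name) => (h[name] || []).flatMap((v) => v.split(','));

  // Report-only policies are logged by the browser but never block framing.
  if (policies('content-security-policy-report-only').some((p) => frameAncestors(p))) {
    reasons.push('report-only frame-ancestors is not enforced');
  }

  const csp = policies('content-security-policy')
    .map(frameAncestors)
    .filter((sources) => sources !== null)
    .map(classifySources);
  if (csp.length > 0) {
    // Every enforced policy must allow the embed, so the strictest decides.
    const verdict = csp.reduce((a, b) =>
      (STRICTNESS.indexOf(a) <= STRICTNESS.indexOf(b) ? a : b));
    if (h['x-frame-options']) {
      reasons.push('X-Frame-Options ignored: frame-ancestors takes precedence');
    }
    return { verdict, reasons };
  }

  // Legacy header, modelled on the HTML Standard's X-Frame-Options processing.
  const xfo = new Set((h['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean));
  if (xfo.size === 0) {
    reasons.push('no anti-framing header present');
    return { verdict: 'frameable', reasons };
  }
  if (xfo.size > 1) {
    const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
    reasons.push('conflicting X-Frame-Options values');
    return { verdict: known ? 'blocked' : 'frameable', reasons };
  }
  const only = [...xfo][0];
  if (only === 'deny') return { verdict: 'blocked', reasons };
  if (only === 'sameorigin') return { verdict: 'same-origin', reasons };
  reasons.push(only.startsWith('allow-from')
    ? 'ALLOW-FROM is obsolete and ignored by current browsers'
    : 'unrecognised X-Frame-Options value');
  return { verdict: 'frameable', reasons };
}

// Constructed sample responses.
const SAMPLES = {
  noHeaders: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  xfoConflict: { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
  cspNone: { 'Content-Security-Policy': "frame-ancestors 'none'" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *' },
  cspOverridesXfo: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
    'X-Frame-Options': 'DENY',
  },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = framingVerdict(headers).verdict;
  }
  return out;
}

console.log(auditSamples());
```

A "frameable" verdict means any site can load the page in a frame and overlay it; frame-ancestors only counts when sent as a response header, not in a meta tag.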



Saturday, September 29, 2012

Erase iPhone

So the new iPhone just came out and you're ready to sell or trade your old one for the latest shiny version. Wait a second, your whole life is on that phone. You wouldn't want to just hand over your phone with all your e-mails, contacts, music, photos, videos, and other personal stuff on it would you? Probably not.

Before you start camping out in the mile long line at the store you're going to buy your new one from, follow these simple steps to make sure that every trace of you and your life has been wiped from the phone:

1. Make a Backup of your iPhone's data

You may not have synced your iPhone to your computer for a while so you may not have a current backup. If you're getting a new iPhone you will want to make sure that your old one is backed up so that when you restore the data to your new phone, everything will be current, and you won't have to start from scratch.

Depending on which version of iOS you're using and your sync preference settings, you will either back up to your computer or the iCloud service.

Currently the iCloud service will back up almost everything that you need to restore your iPhone, but it is possible that some apps may not support backup to the iCloud. Also, some older phones such as the original iPhone and iPhone 3G don't have access to the iCloud service so we'll back up using the iPhone's docking cable. For more information about the iCloud method check out About.com's iPod / iPhone site.

1. Connect your iPhone to the computer you normally sync it with.

2. Open iTunes and click on your iPhone from the left-hand navigation pane.

3. From the iPhone's page on the right side of the screen, click the "Back up to this computer" check box.

4. Right-click the iPhone from the window pane on the left side of the screen and click "Back Up" from the pop-up menu.

Note: If you have purchased some items on your phone and haven't transferred these purchases to your computer yet, right-click the iPhone and choose "Transfer Purchases" to transfer the purchases prior to backup.

Make sure the back up process succeeds before performing the following steps:

2. Erase all your iPhone's data and settings

Since you don't want whomever gets your phone to have access to your personal data you'll need to wipe the phone clean of all of your personal data. Follow these instructions to clear the data off of your phone.

1. Tap the settings (gear icon) from the home screen (or whatever page it happens to be located on your iPhone).

2. Tap the "General" settings menu item.

3. Choose the "Reset" menu item.

4. Tap on the "Erase All Content and Settings" menu item.

The process can take anywhere from a few minutes to several hours, so it's probably something that you don't want to do while you're waiting in line to trade your phone in.

I found the hard way that just because you wiped your iPhone's data doesn't mean that everything linking you to the phone has been removed. There are some apps that may still be linked based on your phone's unique hardware ID. I sold an old iPhone to a friend of mine and completely wiped my data using the method above, however, he informed me that my Pandora account was still linked as he was seeing all of the Pandora channels I had created. He said that the same was true for several other apps as well.

If you use any apps that allow you to authenticate based on your iPhone's unique hardware ID, you should visit the apps' websites to unlink the phone from your account. You can link your new phone to your account after you install the apps on your new iPhone.



Thursday, September 27, 2012

5 Steps To Block Spyware

If it's not one thing, it's another. That is one of those ridiculous phrases that pretty much goes without saying. Like "wherever you go, there you are." But, in this case it seems appropriate.

Allow me to elaborate. Computers on the Internet are almost constantly bombarded with viruses and other malware, so users employ antivirus software to protect themselves. Email inboxes are constantly flooded with pathetically useless spam, so users employ anti-spam programs and techniques to protect themselves. As soon as you think you have things under control you find out your system has a myriad of spyware and adware programs silently running in the background monitoring and reporting on your computer activity. Hence, "if it's not one thing, it's another."

The more benign spyware and adware simply monitors and tracks the sites you visit on the web so that companies can determine the web-surfing habits of their users and try to pinpoint their marketing efforts. However, many forms of spyware go beyond simple tracking and actually monitor keystrokes and capture passwords and other functions which cross the line and pose a definite security risk.

How can you protect yourself from these insidious little programs? Ironically, many users unwittingly agree to install these programs. In fact, removing some spyware and adware might render some freeware or shareware programs useless. Below are 5 easy steps you can follow to try to avoid and, if not avoid, at least detect and remove these programs from your computer system:

1. Be Careful Where You Download: Unscrupulous programs often come from unscrupulous sites. If you are looking for a freeware or shareware program for a specific purpose try searching reputable sites like tucows.com or download.com.

2. Read the EULA: What is an EULA you ask? End User License Agreement. It's all of the technical and legal gibberish in that box above the radio buttons that say "No, I do not accept" or "Yes, I have read and accept these terms". Most people consider this a nuisance and click on "yes" without having read a word. The EULA is a legal agreement you are making with the software vendor. Without reading it you may be unwittingly agreeing to install spyware or a variety of other questionable actions that may not be worth it to you. Sometimes the better answer is "No, I do not accept."

3. Read Before You Click: Sometimes when you visit a web site a text box might pop up. Like the EULA, many users simply consider these a nuisance and will just click away to make the box disappear. Users will click "yes" or "ok" without stopping to see that the box said "would you like to install our spyware program?" Ok, admittedly they don't generally come out and say it that directly, but that is all the more reason you should stop to read those messages before you click "ok".

4. Protect Your System: Antivirus software is somewhat misnamed these days. Viruses are but a small part of the malicious code these programs protect you from. Antivirus has expanded to include worms, trojans, vulnerability exploits, jokes and hoaxes and even spyware and adware. If your antivirus product doesn't detect and block spyware you can try a product like AdAware Pro which will protect your system from spyware or adware in real time.

5. Scan Your System: Even with antivirus software, firewalls and other protective measures some spyware or adware may eventually make it through to your system. While a product like AdAware Pro mentioned in step #4 will monitor your system in real time to protect it, AdAware Pro costs money. The makers of AdAware Pro, Lavasoft, also have a version available for free for personal use. AdAware will not monitor in real time, but you can manually scan your system periodically to detect and remove any spyware. Another excellent choice is Spybot Search & Destroy which is also available for free.

If you follow these five steps you can keep your system protected from spyware proactively and detect and remove any that does manage to get into your system. Good luck!



Wednesday, September 26, 2012

Siri Security

If you're lucky enough to have landed a new iPhone 4S, then chances are you have been playing around with the new Siri virtual assistant. You've probably been asking it all sorts of important questions like "What's the meaning of life?", or "why do my Shih Tzu dogs keep treating the cat's litter box like it's an all you can eat buffet?"

As Siri's knowledge and user base grows, there may be potential security issues. I don't think that Siri is going to turn into Skynet from the Terminator movies or anything, but there are likely hackers out there who are already working on how to hack Siri and exploit any newly discovered Siri-related vulnerabilities they find.

Fortunately the hackers don't have to work very hard because it appears that there is already a potential Siri-related security risk that is present on your iPhone 4S with its out-of-the-box default configuration settings.

Apple has decided that users would prefer quick access over device security for the Siri feature, which is why its default settings have been set to allow Siri to bypass the passcode lock. This makes sense for Apple as they are all about creating a great user experience. Unfortunately, allowing the Siri feature to bypass the passcode lock has the consequence of providing a thief or hacker with the ability to make phone calls, send texts, send e-mails, and access other personal information without having to enter the security code first.

There is always a balance that must be struck between security and usability. Users and software developers must make the choice on how much perceived security feature-related inconvenience they are willing to endure to keep their devices safe versus how quickly and easily they want to be able to use them.

Some people use an iPhone lock screen with a simple 4-digit code while some opt for a more complex iPhone passcode. Other people have no passcode at all because they want instant access to their phone. It's a user choice based on individual risk tolerance.

To block Siri from being able to bypass the screen lock passcode perform the following:

1. Tap on the "Settings" icon from the home screen (Grey icon with gears in it)

2. From the "Settings" menu, tap the "General" option.

3. Choose the "Passcode lock" option in the "General" menu.

4. Turn the "Allow access to Siri when locked with a passcode" option to the "OFF" position.

5. Close the "Settings" menu.

Again, whether you prefer instant access to Siri without the need to have to look at the screen to enter a passcode is completely up to you. In some cases, while you're in the car for instance, driving safely would trump data security. So if you use your iPhone in hands-free mode a lot, then you would probably want to keep the default option, allowing the Siri passcode bypass.

As the Siri feature becomes further advanced and the amount of data sources she is tapped into increases, the data security risk for the screen lock bypass may also increase. For example, if developers tie Siri into their apps in the future, Siri could unwittingly provide a hacker with your financial information if a Siri-enabled banking app is running and logged in via cached credentials and a hacker asks Siri the right questions.

Brace yourselves folks, as this technology improves and becomes more widespread, a whole new category of virtual assistant social engineering hacks and attacks will be born.



Monday, September 24, 2012

Intro to Vulnerability Scans

Similar to packet sniffing, port scanning and other "security tools", vulnerability scanning can help you to secure your own network or it can be used by the bad guys to identify weaknesses in your system to mount an attack against. The idea is for you to use these tools to identify and fix these weaknesses before the bad guys use them against you.

The goal of running a vulnerability scanner is to identify devices on your network that are open to known vulnerabilities. Different scanners accomplish this goal through different means. Some work better than others.

Some may look for signs such as registry entries in Microsoft Windows operating systems to identify that a specific patch or update has been implemented. Others, in particular Nessus, actually attempt to exploit the vulnerability on each target device rather than relying on registry information.

Kevin Novak did a review of commercial vulnerability scanners for Network Computing Magazine in June of 2003. While one of the products, Tenable Lightning, was reviewed as a front-end for Nessus, Nessus itself was not tested directly against the commercial products. The complete details and results are in the review, VA Scanners Pinpoint Your Weak Spots.

One issue with vulnerability scanners is their impact on the devices they are scanning. On the one hand you want the scan to be able to be performed in the background without affecting the device. On the other hand, you want to be sure that the scan is thorough. Often, in the interest of being thorough and depending on how the scanner gathers its information or verifies that the device is vulnerable, the scan can be intrusive and cause adverse effects and even system crashes on the device being scanned.

There are a number of highly rated commercial vulnerability scanning packages including Foundstone Professional, eEye Retina and SAINT. These products also carry a fairly hefty price tag. It is easy to justify the expense given the added network security and peace of mind, but many companies simply don't have the sort of budget needed for these products.

While not a true vulnerability scanner, companies that rely primarily on Microsoft Windows products can use the freely available Microsoft Baseline Security Analyzer (MBSA). MBSA will scan your system and identify if there are any patches missing for products such as the Windows operating systems, Internet Information Server (IIS), SQL Server, Exchange Server, Internet Explorer, Windows Media Player and Microsoft Office products. It has had some issues in the past and there are occasionally errors with the results of MBSA- but the tool is free and is generally helpful for ensuring that these products and applications are patched against known vulnerabilities. MBSA will also identify and alert you to missing or weak passwords and other common security issues.

Nessus is an open-source product and is also freely available. While there is a Windows graphical front-end available, the core Nessus product requires Linux / Unix to run. The up side to that is that Linux can be obtained for free and many versions of Linux have relatively low system requirements so it would not be too difficult to take an old PC and set it up as a Linux server. For administrators used to operating in the Microsoft world there will be a learning curve to get used to Linux conventions and get the Nessus product installed.

After performing an initial vulnerability scan you will need to implement a process for addressing the identified vulnerabilities. In most cases there will be patches or updates available to cure the problem. Sometimes though there may be operational or business reasons why you can't apply the patch in your environment or the vendor of your product may not yet have released an update or patch. In those cases you will need to consider alternative means to mitigate the threat. You can refer to details from sources such as Secunia or Bugtraq or US-CERT to identify any ports to block or services to shut down that might help protect you from the identified vulnerability.

Above and beyond performing regular updates of antivirus software and applying the necessary patches for any new critical vulnerabilities, it is wise to implement a schedule for periodic vulnerability scans to make sure nothing has been missed. Quarterly or semi-annual vulnerability scanning can go a long way to helping you make sure you catch any weaknesses in your network before the bad guys do.



Sunday, September 23, 2012

How do I Report Internet Scams

Have you become a victim of an internet scam or fraud? Should you report it? The answer is yes. There are organizations out there that want to help you. Just because a crime is perpetrated via the net doesn't make it any less of a crime.

Let's look at some resources you can use to report internet-based crimes and fraud.

Answer:

The Internet Crime Complaint Center is a partnership between the US Federal Bureau of Investigation and the National White Collar Crime Center. The ICCC is a good place to report more serious crimes involving: online extortion, identity theft, Computer Intrusion (hacking), Economic Espionage (Theft of Trade Secrets), and other major cyber crimes. If you don't feel the crime committed against you falls into these categories, but you still feel the crime is serious enough to report, then you can still report it to the ICCC. If it doesn't fall under one of their categories, they might be able to direct you to an agency that does handle it.

The Online Better Business Bureau of the US and Canada has a site for consumers that will aid you in making complaints against internet-based retailers and other businesses. You can also search their database to see if a merchant has other complaints against them and whether they have been resolved or not.

The USA.gov's Internet Fraud Information page is a jumping off point for the reporting of crimes including phishing attacks, Internet investment fraud, consumer complaints regarding internet marketing, scam e-mails, and much more. The site will link you to the appropriate agency that handles crime reporting for each specific type of crime.

The eBay Security Center: General Marketplace Safety site can assist you with reporting auction-related fraud and scams to the proper authorities and also provides a way for law enforcement to find out if someone is trying to auction merchandise stolen from you if you have been the victim of a property theft.

Facebook's Security site will allow you to report account hacks, fraud, spam, scams, rogue applications and other Facebook-borne threats.



Saturday, September 22, 2012

Myths of MP3's

There seems to be a great deal of confusion about what is, or is not, legal regarding music these days. People don’t seem to know where the line is between enjoying music from an artist or band that they like, or violating the copyright protection of that same music. Below is a list of common myths associated with buying, sharing and listening to digital music and what the realities are.

Downloading songs for free from the Internet is fine.

Unfortunately, with very few exceptions, this is untrue. The songs are copyright protected and the owner of the copyright is owed compensation for the song. If you find music on the Internet for free, the individual or business sharing the music is most likely violating the law and if you download the song without paying for it you will be stealing.

Any song you get from the Internet is illegal

This is false. While downloading songs for free from P2P (peer-to-peer networking) services or other individual computers is illegal, selling music by the song in digital format is a perfectly viable and legal way of purchasing music. There are many great sites to purchase songs from, most notably the Apple iTunes web site. The music industry has a list of legal online digital music sites you can purchase from.

I can share my music with friends because I own the CD

The fact that you purchased a CD entitles you to listen to the music all you want, but not to share that privilege with others. You can make a copy of the CD for yourself in case you damage or lose the original. You can rip the music from the CD onto your computer or laptop and convert the music to MP3 or WMA or other formats and listen to it on portable MP3 players or other devices. Your purchase of the music entitles you to listen to it pretty much any way you want, but you can’t give copies of it to friends or family. I am not suggesting that you can't *play* the music when other people are around, but that you can't give them a copy of the music, in any format, to take with them when they leave.

It's OK though, because I gave my friend the original CD

You can sell or give away the original CD, but only as long as you no longer have any copies of the music in any format (unless of course you have another copy that has been legitimately paid for). You cannot copy the CD onto your computer and load MP3’s of it onto your portable MP3 player, and then give the original CD to your best friend because you don’t need it any more.

Think of it like you bought a couch. You can use the couch in your living room if you want. You can move it to a bedroom if it works better for you there. You can remove the throw pillows and use them in a different room than the couch. But, when you give the couch to your friend, the couch is gone. You can’t *both* give the couch away *and* keep the couch at the same time, and the music that you buy should be treated the same way.

It isn’t “stealing” because I wasn’t going to pay for it anyway

Some people feel that because they would never actually spend the money to buy the CD, illegally copying or downloading it from somewhere else really isn’t costing the artist or the industry any money.

Along these same lines, some people may copy or download music to try and decide if they like it enough to buy it, and just never get around to buying it. However, sites like Amazon.com now have clips or samples available to listen to of virtually every song on every CD available. Rather than crossing the ethical line, you should just visit a site like this and play the clips to help you make your purchasing decision. In the end, you may very well find that you would rather buy just one or two songs for $1 each rather than spending $15 for a CD filled mostly with music you don’t care for.



Thursday, September 20, 2012

Wireless Hack

You're using a wireless access point that has encryption so you're safe, right? Wrong! Hackers want you to believe that you are protected so you will remain vulnerable to their attacks. Here are 4 things that wireless hackers hope you won't find out, otherwise they might not be able to break into your network and/or computer:

1. WEP encryption is useless for protecting your wireless network. WEP is easily cracked within minutes and only provides users with a false sense of security.

Even a mediocre hacker can defeat Wired Equivalent Privacy (WEP)-based security in a matter of minutes, making it essentially useless as a protection mechanism. Many people set their wireless routers up years ago and have never bothered to change their wireless encryption from WEP to the newer and stronger WPA2 security. Updating your router to WPA2 is a fairly simple process. Visit your wireless router manufacturer's website for instructions.

2. Using your wireless router's MAC filter to prevent unauthorized devices from joining your network is ineffective and easily defeated.

Every piece of IP-based hardware, whether it's a computer, game system, printer, etc., has a unique hard-coded MAC address in its network interface. Many routers will allow you to permit or deny network access based on a device's MAC address. The wireless router inspects the MAC address of the network device requesting access and compares it to your list of permitted or denied MACs. This sounds like a great security mechanism, but the problem is that hackers can "spoof" or forge a fake MAC address that matches an approved one. All they need to do is use a wireless packet capture program to sniff (eavesdrop) on the wireless traffic and see which MAC addresses are traversing the network. They can then set their MAC address to match one that is allowed and join the network.

3. Disabling your wireless router's remote administration feature can be a very effective measure to prevent a hacker from taking over your wireless network.

Many wireless routers have a setting that allows you to administer the router via a wireless connection. This means that you can access all of the router's security settings and other features without having to be on a computer that is plugged into the router using an Ethernet cable. While this is convenient for being able to administer the router remotely, it also provides another point of entry for the hacker to get to your security settings and change them to something a little more hacker friendly. Many people never change the factory default admin passwords to their wireless router, which makes things even easier for the hacker. I recommend turning the "allow admin via wireless" feature off so only someone with a physical connection to the network can attempt to administer the wireless router settings.

4. If you use public hotspots you are an easy target for man-in-the-middle and session hijacking attacks.

Hackers can use tools like Firesheep and AirJack to perform "man-in-the-middle" attacks where they insert themselves into the wireless conversation between sender and receiver. Once they have successfully inserted themselves into the line of communications, they can harvest your account passwords, read your e-mail, view your IMs, etc. They can even use tools such as SSL Strip to obtain passwords for secure websites that you visit. I recommend using a commercial VPN service provider to protect all of your traffic when you are using wi-fi networks. Costs range from $7 and up per month. A secure VPN provides an additional layer of security that is extremely difficult to defeat. Unless the hacker is extremely determined they will most likely move on and try an easier target.
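Point 2 above, shown from the defender's side as an added example that is not part of the original article: the filter only compares an address the frame claims for itself, and one way to notice two radios sharing an address is to watch the 802.11 sequence numbers. The MAC addresses, capture records and thresholds are constructed for illustration.

```python
from collections import defaultdict

SEQ_MODULUS = 4096       # 802.11 sequence numbers are 12 bits wide
MAX_PLAUSIBLE_GAP = 64   # assumed tolerance for frames the sniffer missed


def mac_filter_allows(claimed_src_mac, allowlist):
    """Model of a router MAC filter: look the claimed address up in a list.

    Nothing in this check proves which device actually sent the frame,
    which is why the article calls the filter easily defeated.
    """
    return claimed_src_mac.lower() in {m.lower() for m in allowlist}


def find_shared_macs(observations, min_anomalies=3):
    """Flag addresses whose sequence numbers do not look like one counter.

    observations: time-ordered (timestamp, src_mac, seq_no) tuples.
    One radio counts up by one per frame (wrapping at 4096); two radios
    using the same address produce interleaved counters with big jumps.
    Returns {mac: number_of_implausible_jumps} for flagged addresses.
    """
    last_seq = {}
    anomalies = defaultdict(int)
    for _ts, mac, seq in observations:
        mac = mac.lower()
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            # gap 0 is a retransmission; small gaps are missed frames.
            if gap > MAX_PLAUSIBLE_GAP:
                anomalies[mac] += 1
        last_seq[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


# Constructed capture: the first address is used by two radios at once,
# the second is a single device whose counter wraps from 4095 to 0.
ALLOWLIST = ["02:00:00:AA:BB:01", "02:00:00:aa:bb:02"]
SAMPLE_CAPTURE = [
    (0.00, "02:00:00:aa:bb:01", 100),
    (0.01, "02:00:00:aa:bb:02", 4094),
    (0.02, "02:00:00:aa:bb:01", 2900),
    (0.03, "02:00:00:aa:bb:02", 4095),
    (0.04, "02:00:00:aa:bb:01", 101),
    (0.05, "02:00:00:aa:bb:02", 0),
    (0.06, "02:00:00:aa:bb:01", 2901),
    (0.07, "02:00:00:aa:bb:02", 1),
    (0.08, "02:00:00:aa:bb:01", 102),
]

if __name__ == "__main__":
    # Every frame passes the filter, including those from the second radio.
    print(all(mac_filter_allows(m, ALLOWLIST) for _, m, _ in SAMPLE_CAPTURE))
    print(find_shared_macs(SAMPLE_CAPTURE))
```

Stations that use QoS keep a separate counter per traffic class, so a detector run on real captures would track the counter per address and class rather than per address alone.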



Wednesday, September 19, 2012

Prevent Identity Theft

How much information does someone really need to know in order to impersonate you to a 3rd-party? Your name? Birth date? Address? Armed with easily found information such as this, and maybe a couple other key pieces of information such as the high school you went to, your dog’s name or your mother’s maiden name, an individual might be able to access your existing accounts or establish new loans or credit in your name.

Recently, reports of security breaches in which customer data and personally identifiable information (PII) were somehow compromised seem to appear almost daily. Choicepoint, Lexis Nexis, DSW Shoe Warehouse, Ralph Lauren / HSBC, Bank of America and more have all reported massive amounts of compromised or ill-gotten customer information just in the past couple of months.

However, most identity theft or compromises of PII, including a couple of the major breaches mentioned above, have nothing to do with the Internet or lax computer or network security. Unpatched operating system vulnerabilities or hacking wizardry are involved in a relatively small number of the total cases. The Choicepoint breach resulted from poor processes to identify that the business asking for consumer information had a legitimate reason. The Bank of America breach resulted from a data backup tape being lost in transit.

Information can be pulled from your trash can. Waiters can swipe or simply write down your credit card number when you make a purchase at a restaurant. There are a variety of laws related to securing customer information including Sarbanes-Oxley, HIPAA, GLBA and others. Congress is currently investigating the breaches at Choicepoint and Lexis Nexis and considering further legislation aimed at allegedly protecting customer data. But, social engineering and good, old-fashioned theft still pose a larger threat than network security and it is up to you to monitor and protect your personal information and your credit.

Below are some tips you can follow to help secure and protect your personally identifiable information and ensure that your identity or your credit have not been compromised.

1. Watch for shoulder-surfers. When entering a PIN number or a credit card number in an ATM machine, at a phone booth, or even on a computer at work, be aware of who is nearby and make sure nobody is peering over your shoulder to make a note of the keys you’re pressing.

2. Require photo ID verification. Rather than signing the backs of your credit cards, you can write “See Photo ID”. In many cases, store clerks don’t even look at the signature block on the credit card, and a thief could just as easily use your credit card to make online or telephone purchases which don’t require signature verification, but for those rare cases where they do actually verify the signature, you may get some added security by directing them to also make sure you match the picture on the photo ID.

3. Shred everything. One of the ways that would-be identity thieves acquire information is through “dumpster-diving”, aka trash-picking. If you are throwing out bills and credit card statements, old credit card or ATM receipts, medical statements or even junk-mail solicitations for credit cards and mortgages, you may be leaving too much information lying about. Buy a personal shredder and shred all papers with PII on them before disposing of them.

4. Destroy digital data. When you sell, trade or otherwise dispose of a computer system, or a hard drive, or even a recordable CD, DVD or backup tape, you need to take extra steps to ensure the data is completely, utterly and irrevocably destroyed. Simply deleting the data or reformatting the hard drive is nowhere near enough. Anyone with a little tech skill can undelete files or recover data from a formatted drive. Use a product like ShredXP to make sure that data on hard drives is completely destroyed. For CD, DVD or tape media you should physically destroy it by breaking or shattering it before disposing of it. There are shredders designed specifically to shred CD / DVD media.



Monday, September 17, 2012

I've been hacked now what.

You opened an e-mail attachment that you probably shouldn't have and now your computer has slowed to a crawl and other strange things are happening. Your bank called you saying there has been some strange activity on your account and your ISP has just "null routed" all traffic from your computer because they claim it is now part of a zombie botnet. All this and it's only Monday.

If your computer has been compromised and infected with a virus or other malware you need to take action to keep your files from being destroyed and also to prevent your computer from being used to attack other computers. Here are the basic steps you need to perform to get back to normal after you've been hacked.

1. Isolate Your Computer

In order to cut the connection that the hacker is using to "pull the strings" on your computer, you need to isolate it so that it can't communicate on a network. Isolation will prevent it from being used to attack other computers as well as preventing the hacker from continuing to be able to obtain files and other information. Pull the network cable out of your PC and turn off the Wi-Fi connection. If you have a laptop, there is often a switch to turn the Wi-Fi off. Don't rely on doing this through software, as the hacker's malware may tell you something is turned off when it is really still connected.

2. Shut down and remove the hard drive and connect it to another computer as a non-bootable drive

If your computer is compromised you need to shut it down to prevent further damage to your files. After you have powered it down, you will need to pull the hard drive out and connect it to another computer as a secondary non-bootable drive. Make sure the other computer has up-to-date anti-virus and anti-spyware. You should probably also download a free rootkit detection scanner from a reputable source like Sophos.

To make things a little easier, consider purchasing a USB drive caddy to put your hard drive in to make it easier to connect to another PC. If you don't use a USB caddy and opt to connect the drive internally instead, make sure the dip switches on the back of your drive are set as a secondary "slave" drive. If it is set to "master" it may try to boot the other PC to your operating system and all hell could break loose again.

If you don't feel comfortable removing a hard drive yourself or you don't have a spare computer then you may want to take your computer to a reputable local PC repair shop.

3. Scan your drive for infection and malware

Use the other host PC's anti-virus, anti-spyware, and anti-rootkit scanners to ensure detection and removal of any infection from the file system on your hard drive.

4. Back up your important files from the previously infected drive

You'll want to get all your personal data off of the previously infected drive. Copy your photos, documents, media, and other personal files to DVD, CD, or another clean hard drive.

5. Move your drive back to your PC

Once you have verified that your file backup has succeeded, you can move the drive back to your old PC and prepare for the next part of the recovery process. Set your drive's dip switches back to "Master" as well.

6. Completely wipe your old hard drive (repartition, and format)

Even if virus and spyware scanning reveals that the threat is gone, you should still not trust that your PC is malware free. The only way to ensure that the drive is completely clean is to use a hard drive wipe utility to completely blank the drive and then reload your operating system from trusted media.

After you have backed up all your data and put the hard drive back in your computer, use a secure disk erase utility to completely wipe the drive. There are many free and commercial disk erase utilities available. The disk wipe utilities may take several hours to completely wipe a drive because they overwrite every sector of the hard drive, even the empty ones, and they often make several passes to ensure they didn't miss anything. It may seem time-consuming but it ensures that no stone is left unturned and it's the only way to be sure that you have eliminated the threat.

7. Reload the operating system from trusted media and install updates

Use your original OS disks that you purchased or that came with your computer; do not use any that were copied from somewhere else or are of unknown origin. Using trusted media helps to ensure that a virus present on tainted operating system disks doesn't reinfect your PC.

Make sure to download all updates and patches for your operating system before installing anything else.

8. Reinstall anti-virus, anti-spyware, and other security software prior to any other programs.

Before loading any other applications, you should load and patch all your security-related software. You need to ensure your anti-virus software is up-to-date prior to loading other applications in case those apps are harboring malware that might go undetected if your virus signatures aren't current.

9. Scan your data backup disks for viruses before you copy them back to your computer

Even though you are fairly certain that everything is clean, always scan your data files prior to reintroducing them back into your system.

10. Make a complete backup of your system

Once everything is in pristine condition you should do a complete backup so that if this ever happens again you won't spend as much time reloading your system. Using a backup tool that creates a bootable hard drive image as a backup will help speed up future recoveries immensely.



Sunday, September 16, 2012

Wi-Fi Password Change

Whether you think the neighbor kid has finally hacked your wireless password and is now stealing your bandwidth, or you just feel like it's time for a change, changing your wireless network password is an easy endeavor.

You might not have messed with your wireless network's password since you set up your router years ago. Let's walk through the basic steps it takes to change / reset your wireless network router's password.

1. Determine the admin interface for your router and enter it in your browser

Most modern wireless internet routers on the market today are administered via a web browser. You simply need to find out what your wireless router's admin interface is and connect to it. You may have written the password down somewhere; if not, you will have to restore the factory default password by resetting the router. This is usually accomplished by holding down the router's reset button for several seconds. Check your wireless router manufacturer's website or manual for detailed instructions for your specific router.

Most manufacturers have a default IP subnet set at the factory. The default subnet will help you determine the router's IP address so that you can connect to it and access the administrator interface. You may need to consult your specific router's manual for the correct address. The following list contains default router IP addresses based on my research and may not be accurate for your specific make or model:

Linksys - 192.168.1.1 or 192.168.0.1
DLink - 192.168.0.1 or 10.0.0.1
Apple - 10.0.1.1
ASUS - 192.168.1.1
Buffalo - 192.168.11.1
Netgear - 192.168.0.1 or 192.168.0.227

In addition to the default router address, you may have to specify the port that the admin interface is running on by placing a ":" at the end of the IP address followed by the admin port number (e.g. :8080) if the manufacturer requires this.

2. Log in to the administrative console on the router

If you've never changed the default administrator name you can locate the default admin name (and usually the admin password as well) by visiting your router manufacturer's website or by Googling "Default Admin Password" followed by your router's brand name and model.

3. Under the wireless security configuration section, ensure that you are using the latest encryption available

If you haven't already done so you will want to change the wireless encryption from the easily hackable WEP to the much stronger WPA2 encryption. WPA2 was the most secure method of wireless encryption available at the time this article was published.

This would also be a good time to change your wireless network name (SSID) if you want. It's best to change it to something other than the default, as hackers have precomputed cracking tables for the top 1000 most common SSIDs. Get creative and don't use any dictionary words, as SSIDs with dictionary words are more likely to be cracked than an SSID with non-dictionary words.

4. Create a strong password for the Pre Shared Key (wireless network password)

After you have settled on an SSID you will need to enter in the Pre-shared Key (the wireless network password). You'll want to make this password as complex and random as possible to discourage wireless hackers. Follow our guide to creating strong passwords for some best security practices.

It's also a good idea to turn the "allow admin via wireless" setting off so that only someone connected to the router via an Ethernet cable can administer the router. If you turn off this feature you remove the ability to connect to the router as an administrator via wireless, which may be a slight hassle, but you gain the peace of mind that no one can mess with the admin settings of your router unless they are physically plugged into it.
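Steps 3 and 4 as a small script, added here as an example and not taken from the original article: it generates a random pre-shared key, shows that WPA2-Personal derives its master key with PBKDF2-HMAC-SHA1 using the SSID as the salt (which is why precomputed tables only work against SSIDs someone prepared them for), and checks a set of router settings. The SSID sample list, the 16-character threshold and the function names are assumptions made for the illustration.

```python
import hashlib
import secrets
import string

# Constructed sample of factory-style names; the "top 1000" list the
# article mentions is not reproduced here.
DEFAULT_LOOKING_SSIDS = {"linksys", "dlink", "netgear", "default", "wireless"}
PSK_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
MIN_RECOMMENDED_LENGTH = 16  # assumed policy threshold, not from the article


def generate_psk(length=24):
    """Return a random passphrase; WPA2 accepts 8 to 63 ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def derive_pmk(passphrase, ssid):
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.

    Because the SSID is the salt, the same passphrase yields a different
    32-byte key on every differently named network.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def audit_wifi_settings(ssid, encryption, passphrase):
    """Return a list of findings for the settings the article walks through."""
    findings = []
    if encryption.upper() != "WPA2":
        findings.append(f"encryption is {encryption}: switch to WPA2")
    if ssid.lower() in DEFAULT_LOOKING_SSIDS:
        findings.append("SSID looks like a factory default: rename the network")
    if not 8 <= len(passphrase) <= 63:
        findings.append("passphrase length is outside the 8 to 63 WPA2 accepts")
    elif len(passphrase) < MIN_RECOMMENDED_LENGTH or passphrase.isdigit():
        findings.append("passphrase is short or digits-only: use a random one")
    return findings


if __name__ == "__main__":
    psk = generate_psk()
    print("new passphrase:", psk)
    # Same passphrase, two network names, two unrelated keys.
    print(derive_pmk(psk, "linksys").hex())
    print(derive_pmk(psk, "Kq7-attic-net").hex())
    print(audit_wifi_settings("linksys", "WEP", "12345678"))
```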



Friday, September 14, 2012

iPhone Self Destruct

Every time Tom Cruise received his mission briefing in the Mission Impossible movies, the briefing message, and oftentimes whatever was playing it, would self-destruct to prevent anyone else from viewing it. In real life this would be a great (albeit dangerous) data protection mechanism. Wouldn't it be great if your iPhone could self-destruct to keep thieves from getting to your personal data if they happened to steal your phone?

The folks at Apple must have been Mission Impossible fans because they have already provided a similar feature for iOS devices such as the iPhone and iPad, minus the explosives of course.

Your mission, should you choose to accept it, is to learn how to turn this feature on so that you can make the data on your iPhone go bye bye if someone enters the wrong passcode too many times or steals your phone.

Here's how to self-destruct (wipe) your iPhone's data in a couple of different situations:

METHOD 1: Remote Data Wipe via Find My iPhone

If you want to remotely wipe out the data on your iPhone in the event that it becomes lost or stolen:

1. Back up your iPhone's data

You should regularly back up your iPhone's data either via USB connection to iTunes or via wireless if supported by your iOS version.

2. Set up the Find My iPhone feature on your iPhone

You must first turn on the 'Find my iPhone' feature on your phone. You must also have an active iCloud account on your device for Find My iPhone to work. iCloud accounts are available for free from Apple.

In iOS 5.x or above, go to the Settings app, choose "iCloud" and turn "Find My iPhone" to "ON" if it is not already set as such. If your firmware is pre-iOS 5 then you will need to follow these instructions instead.

3. Lock access to your iPhone's Location Services settings

Savvy bad guys will know how to quickly turn the Find My iPhone feature off, so you need to disable their ability to turn off location services. This is done by enabling the iPhone's "restrictions" feature and restricting the ability to modify the "Location Services" settings.

In the iPhone "Settings" app, go to the "General" menu and turn "Restrictions" on. Set a passcode (don't pick an easy one). Scroll down to the "Allow Changes" section and touch the "Location" setting. Make sure the "Find My iPhone" option is set to "ON" and then scroll to the top of the page and choose "Don't Allow Changes".

Setting the "Don't Allow Changes" ensures that thieves can't turn off your iPhone's ability to know its location. The extra time the thief would have to take to try and crack your passcode might make him decide to ditch the phone making its recovery more likely.

In the event that you are sure you aren't going to get your phone back, use the "Remote Data Wipe" feature.

IMPORTANT NOTE:

Once you remote wipe the data on your device you will no longer be able to locate it using Find My iPhone. Remote wipe should be used only when you're convinced that you are never going to get your device back. Consider it dead to you once you remote wipe it.

METHOD 2: Self Destruct After Too Many Failed Passcode Attempts

If you want your iPhone to wipe its data should the wrong passcode be attempted more than 10 times:

1. In the Settings App, choose the "General" menu and then select the "Passcode Lock" option.

2. Choose "Turn Passcode On", set a passcode and confirm it. You may want to consider setting a stronger passcode than the default 4-digit one.

3. At the bottom of the "Passcode Lock" settings page, turn the "Erase Data" option to "ON". Read the warning and choose the "Enable" button.

YET ANOTHER IMPORTANT NOTE:

If you have kids or someone else that uses your phone, the Erase Data on 10 failed passcode tries may not be a good idea. Your 2-year-old child might try to guess the code one too many times and BOOM, your iPhone's data is wiped out. The remote wipe feature, while not as secure as the failed passcode wipe option, might make more sense in situations where you have others regularly using (or playing with) your iPhone.

