Site and Server Certificates

Do you trust site and server certificates? Are you sure you know what to look for? On a very basic level, most sites will have proper signed server certificates and most people will trust the without question, however, you need to be aware of a few things. In the first instance, there are a few different forms of server certificates, but I will only discuss 2 types, namely self-signed and certification Authority signed.

Server certificates are not the bits that make sites secure or not. They are only signatures that inform you whether the site, you are presently visiting, is actually who they claim to be. These certificates are generated on the computer that they are going to be used on. They are created using various options, such as the encryption type and encryption strength that will be required for the safe transmission of your data. Other information includes expiration date and owner contact details. If this is all that is done then you have a self-signed certificate. For all intents and purposes this is all that is required, but this is where things can go wrong. Any person can create a certificate for any computer, and sites designed to grab your details frequently do create such certificates to falsely lead you into giving up your details. Self-signed certificates are absolutely no guarantee that the site is legitimate and safe.

For this to be true, the self-signed certificate needs to be submitted to a certification authority (CA) who will check the legitimacy of the claim that the certificate is making. Thus, CA's are points of trust who investigate the claim of the certificate. Once the claim has been verified it will be added to a list of trusted sites, and will remain valid to the duration of the certificate. You will thus have peace of mind that your details are being transmitted securely and to the intended destination. So how can you tell which certificates are valid? Thankfully, your browser usually has built-in a database of these trusted authorities, such as Thawte and Verisign to mention only 2, and regularly updates this database. Certificates that have been revoked are usually listed too. So more often than not you will not need to do anything, except regularly update your preferred browser. Websites that have not had their certificates verified will usually pop-up a window informing you that the certificate should not be trusted, but NEVER proceed or add an exception to the list in your browser for this certificate. Doing so will compromise virtually all your other certificates.

There is, obviously much more to certificates, but this should form a basis for further research. I have mainly discussed this subject from the site visitor perspective, but the perspective from the site publisher is quite a bit more intricate. Why not research "certificate chains".

Caution and common sense to all!

Beware the cookie monster

Tracking cookies are undesirable and should be avoided, but cookies that remember your login details are diabolical. Unfortunately, more and more websites are using cookies, or dare I say, demanding that you enable cookies, before you can do anything on the website. There are inherent dangers in doing this. Let me explain.

Cookies are designed to enhance your browsing experience. This is achieved by remembering what you looked at the last time you visited the website. It thus tries to gauge what you require and where you intend to browse to next. Hopefully, the dangers, or possibilities, are starting to spark off warning signals in your mind. It, therefore, builds up a profile of your activities. Some cookies are designed to remember your login details once you have visited a site, once again, to make your browsing experience more pleasurable. The obvious danger here is that anyone can log into your account if they have access to the computer on which you logged in on. If you use multiple computers or a publicly accessible computer, such as those found in libraries, then your login details will become compromised. It is as though you wrote those details on a piece of paper for everyone to see. I doubt that I have to elaborate anymore on this.

Some cookies report back to their authors the information they gathered. Although some authors are reputable and will only use some of the information to improve their sites, others may have more devious intent and use the data to capture as much information about you as possible. I shall illustrate using a simple example. Suppose you went to a site that demanded the installation of a cookie. This site may also contain some information you would be interested in and thus you decide to subscribe to this site. To do this you may have to enter your name and email address, and perhaps even a physical address and phone number. Already the amount of information submitted is quite astounding. The cookie grabs all the information and then starts tracking your movements. So after clicking the submit button, you go to your email account to check whether the subscription is successful. The cookie grabs your email URL, username and password. Voila! You afterwards proceed to Amazon.com or your banks website. Although both of these site have a secure login and te cookie may not be able to grab those details, it has tracked your visit to these sites, and consequently, you must have some association with this site.

In this instance, the amount of information is phenomenal, and the deviously minded will use this to create a new identity based on your own identity. And the rest is history, anxiety, tears, etc.

The final, and perhaps most malicious, cookie is the one that delivers a malicious payload. These are cookies found on bona fide looking websites that appear respectable, however, the will ask to enable cookies. Once this is done, a cookie is downloaded and installed, but this cookie contains script that downloads further into your system. From here it can observe all your activity and grab whatever details it likes. It too reports them back to the author. It can also propagate itself throughout a local network and thus infect other systems, and thereby compromise those users.

The point here is that threats do not always come into a system via email. Websites are equally dangerous. Try to stick to reputable websites, however, as this is not always possible, at least clear your cookies and restart the browser before going to another site.

Caution and common sense to all.

USB Keys and security

The use of USB keys/sticks/drives has taken off with great enthusiasm. Thankfully, the use of floppy disks to transfer data has become more or less obsolete. However, most people are surprised to discover that their USB devices may be infected. This device is no different than the floppy disks of old. Furthermore, due to their small size, they are easily lost, misplaced or stolen. All the data is usually freely available for any person to access. For a start, run a rigorous antivirus scan on all your USB keys. Then start looking into password protecting them and finally encrypt the keys. I personally prefer AXcrypt for encrypting single files, mainly because it has the capability of encrypting a file and simultaneously creating an executable decryption file that requires a phrase to decrypt it. So if you are transferring a file to another person send the actual file and the phrase in two differentways at different times. The self decyption executeable has the added benefit that the recipient does not require the AXcrypt software installed on their computer. One word of warning though, Axcrypt does not have a backdoor ... AT ALL. If you encrypted a file, delete the original file and then forget the phrase ... you will never be able to get the data back.

To encrypt an entire drive/volume/usb key or the like, I prefer to use Truecrypt. This works well, should perhaps be used on all home systems that have any personal data on them. DO NOT encrypt your entire C DRIVE. The best solution for portable secure storage is to purchase USB keys with builtin encryption. I recommend that you seriously start investing in keys with encryption. It really is worth it. For daily use I use the Integral 1GB AT key with 256BIT AES Encryption. For something more robust I recommend using an Iron Key.

Common Sense and Caution must always be exercised.

Phishing

What is phishing? It is a way of obtaining your details by deceiving you into thinking that you are entering them into a valid website. These websites are usually such good imitations of the originals, that most web users will easily be deceived. Espaecially as the website you see, mimics the website you expect to see. However, help is at hand. Most browsers do incorporate and anti-phishing element and if activated, this will flag up a warning to indicate that this site is dangerous.

Although this is useful, it is not infallible and further precautions should be taken. One such precaution is based on your ability to detect such sites where the browser has failed. Phishing sites are usually easy to detect if you know what to look for, and the URL's listed below are possibly the most valuable and informative that I have come across in a long time.

Perhaps we should be publicising Anti-phishing Phil. This is a website that teaches through the medium of play. Play the game and you will learn how to spot phishing URL's.

http://cups.cs.cmu.edu/antiphishing_phil/


http://wombatsecurity.com/antiphishing_phil/index.html



As always, please be cautious and apply common sense to your browsing and web usage.

Business cards

Think about this for a while. The humble business card, paraded and deposited everywhere, offers a wealth of information to those intent on stealing an identity. What information does your business card hold about you?

1) your name
2) your employer's name
3) your contact details (telephone numbers, website URLs, email address, etc.)
4) your job title

and on some business cards, the following may be found
5) your education (for example, what degree you have and from where you have it)
6) the region for your employment activities (such as, Yorkshire Regional Manager)


How much more information would I need to be able to create a false identity? Ask yourself this question. These cards hold a wealth of information, and if the are distributed randomly to every person you see, you may inadvertently hand this information directly into the paws of an identity thief. Furthermore, even more information will be gleaned if the latter is done, because suddenly the thief has extra information to create a convincing false identity. Now they have your ethnic origin, regional dialect, know whether you are married or single, wear spectacles or use a walking stick. Get the picture?

The point I am trying to make is, use your business card wisely. Don't stop using them, but be more cautious and discerning about the destination of these valuable bits of card. Furthermore, ensure that the person who receives your card, really does want it and will keep it safe. In fact, print on the reverse of the card the following message

"Dear Sir/Madam,

Should you no longer wish to retain this business card, may I respectfully request that you destroy this card in the interest of identity protection. Many thanks.


Yours Sincerely,


{your name}"

Be cautious and exercise common sense!

Good, bad and ugly passwords

A quick post about passwords only. Password theft is on the increase and weak passwords are going to cause you all sorts of trouble. A few simple rules will assist in making passwords harder to crack:
1) use letters and numbers
2) if possible use extra characters such as $, &, £, !, and so on (however, some websites do not allow their use)
3) use uppercase and lowercase interchangeably and frequently
4) use longer passwords, preferably more the 8 characters long (the longer the better)
5) never use dictionary based words, regardless of language
6) never use as a password anything that can be associated with you (for example, UK post code, etc.)

So what is an example of a good password? This one will take some time to crack

ijDl4uFpHC!

If you feel that this is too much effort, then use the PASSWORD GENERATOR on the home page of this blog as a STARTING POINT.

Most importantly, never share you password with anyone and make certain you are not being observed entering your password. There are ways cracker use to obtain passwords, such as using keystroke loggers, but this I will cover at a later date.

Be CAUTIOUS, use COMMON SENSE, and stay SAFE!

IMPORTANT : DNSchanger threat

The DNSchanger threat is not new, but it has resurfaced and is still annoying and dangerous. To completely comprehend the severity of this threat, it is important to understand the what, how and why of DNS.

So, ... what is the DNS? DNS is geek speak for Domain Name System. This is a means of changing the meaningful names of websites, such as www.bbc.co.uk, into a numerical value understandable to the various networking equipment that constitute the infrastructure of any network, even the biggest network namely the internet. Essentially it is a database that is used to identify the elements of the network with the intention of discovering the destination, and the best route to this destination, for requests made. There is much more to DNS than can be dealt with by a blog, however, in this instance you now have enough information to understand the threat.

DHCP Is geek speak for Dynamic Host Configuration Protocol. When a computer is connected to a network or Wireless access point, It will require some settings to make it work, such an IP address, Gateway address and DNS server address. These elements are only some of the many that need to come together to permit working on a network. With the exception of Wireless, there are 2 ways of ensuring that the computer obtains these settings, namely static and dynamic. Static addresses are entered manually and are changeed manually, whereas dynamic addresses are not. In order to obtan the dynamic addresses, the newly attached computer must first be set to obtain these dynamically by enabling DHCP. Once this is done, the computer will then send a DHCP request to the DHCP server on that network. After various handshakes and authentications, the server issues all the details for the computer to use. This is called a DHCP lease. The computer is now configured to use all the proper addresses in ordser to work on the network. In an ideal world at least.

How is it done? DNSchanger is a trojan that installs itself onto a computer or other network device and waits for DNS and DHCP requests. When this trojan detects that a DHCP request has been made, it responds before the DHCP server can and issues a false DHCP lease. False because it sets up incorrect routes and destinations by claiming to be the DNS server. When the computer then requests a website, it is directed by the false DNS to go elsewhere. This is usually a website that closely matches the website that was initially requested. Some are so convincing that most people are fooled by them, however, if you scrutinize these sites, you will always discover something odd that gives it away.

Why is it done? These websites are desinged to log and grab all the details you enter, and thereby grant the malicious of this world access to your accounts. These websites are called phishing websites, and they fish for your personal data.

Keep your system and all anti-malware (anti-virus, anti-spam, etc.) completely up to date and also make a note of the following address range. DNS settings with this address range being used should be considered suspicious.

The range 85.112.0.0 to 85.127.255.254 possibly indicate a compromised computer.

Periodically, run a full antivirus scan with the latest definitions to ensure you remain safe.

As always ... be cautious and use your common sense.