Monday, 6 April 2009

Site and Server Certificates

Do you trust site and server certificates? Are you sure you know what to look for? On a very basic level, most sites will have properly signed server certificates and most people will trust them without question; however, you need to be aware of a few things. In the first instance, there are a few different forms of server certificates, but I will only discuss 2 types, namely self-signed and Certification Authority signed.

Server certificates are not the bits that make sites secure or not. They are only signatures that inform you whether the site, you are presently visiting, is actually who they claim to be. These certificates are generated on the computer that they are going to be used on. They are created using various options, such as the encryption type and encryption strength that will be required for the safe transmission of your data. Other information includes expiration date and owner contact details. If this is all that is done then you have a self-signed certificate. For all intents and purposes this is all that is required, but this is where things can go wrong. Any person can create a certificate for any computer, and sites designed to grab your details frequently do create such certificates to falsely lead you into giving up your details. Self-signed certificates are absolutely no guarantee that the site is legitimate and safe.

For this to be true, the self-signed certificate needs to be submitted to a certification authority (CA) who will check the legitimacy of the claim that the certificate is making. Thus, CAs are points of trust who investigate the claim of the certificate. Once the claim has been verified it will be added to a list of trusted sites, and will remain valid for the duration of the certificate. You will thus have peace of mind that your details are being transmitted securely and to the intended destination. So how can you tell which certificates are valid? Thankfully, your browser usually has a built-in database of these trusted authorities, such as Thawte and Verisign to mention only 2, and regularly updates this database. Certificates that have been revoked are usually listed too. So more often than not you will not need to do anything, except regularly update your preferred browser. Websites that have not had their certificates verified will usually pop up a window informing you that the certificate should not be trusted, but NEVER proceed or add an exception to the list in your browser for this certificate. Doing so will compromise virtually all your other certificates.

There is, obviously, much more to certificates, but this should form a basis for further research. I have mainly discussed this subject from the site visitor perspective, but the perspective from the site publisher is quite a bit more intricate. Why not research "certificate chains"?

Caution and common sense to all!

Thursday, 2 April 2009

Beware the cookie monster

Tracking cookies are undesirable and should be avoided, but cookies that remember your login details are diabolical. Unfortunately, more and more websites are using cookies, or dare I say, demanding that you enable cookies, before you can do anything on the website. There are inherent dangers in doing this. Let me explain.

Cookies are designed to enhance your browsing experience. This is achieved by remembering what you looked at the last time you visited the website. It thus tries to gauge what you require and where you intend to browse to next. Hopefully, the dangers, or possibilities, are starting to spark off warning signals in your mind. It, therefore, builds up a profile of your activities. Some cookies are designed to remember your login details once you have visited a site, once again, to make your browsing experience more pleasurable. The obvious danger here is that anyone can log into your account if they have access to the computer on which you logged in. If you use multiple computers or a publicly accessible computer, such as those found in libraries, then your login details will become compromised. It is as though you wrote those details on a piece of paper for everyone to see. I doubt that I have to elaborate any more on this.

Some cookies report back to their authors the information they gathered. Although some authors are reputable and will only use some of the information to improve their sites, others may have more devious intent and use the data to capture as much information about you as possible. I shall illustrate using a simple example. Suppose you went to a site that demanded the installation of a cookie. This site may also contain some information you would be interested in and thus you decide to subscribe to this site. To do this you may have to enter your name and email address, and perhaps even a physical address and phone number. Already the amount of information submitted is quite astounding. The cookie grabs all the information and then starts tracking your movements. So after clicking the submit button, you go to your email account to check whether the subscription is successful. The cookie grabs your email URL, username and password. Voila! You afterwards proceed to Amazon.com or your bank's website. Although both of these sites have a secure login and the cookie may not be able to grab those details, it has tracked your visit to these sites, and consequently, you must have some association with this site.

In this instance, the amount of information is phenomenal, and the deviously minded will use this to create a new identity based on your own identity. And the rest is history, anxiety, tears, etc.

The final, and perhaps most malicious, cookie is the one that delivers a malicious payload. These are cookies found on bona fide looking websites that appear respectable; however, they will ask you to enable cookies. Once this is done, a cookie is downloaded and installed, but this cookie contains script that downloads further into your system. From here it can observe all your activity and grab whatever details it likes. It too reports them back to the author. It can also propagate itself throughout a local network and thus infect other systems, and thereby compromise those users.

The point here is that threats do not always come into a system via email. Websites are equally dangerous. Try to stick to reputable websites, however, as this is not always possible, at least clear your cookies and restart the browser before going to another site.

Caution and common sense to all.

Monday, 30 March 2009

USB Keys and security

The use of USB keys/sticks/drives has taken off with great enthusiasm. Thankfully, the use of floppy disks to transfer data has become more or less obsolete. However, most people are surprised to discover that their USB devices may be infected. This device is no different from the floppy disks of old. Furthermore, due to their small size, they are easily lost, misplaced or stolen. All the data is usually freely available for any person to access. For a start, run a rigorous antivirus scan on all your USB keys. Then start looking into password protecting them and finally encrypt the keys. I personally prefer AxCrypt for encrypting single files, mainly because it has the capability of encrypting a file and simultaneously creating an executable decryption file that requires a phrase to decrypt it. So if you are transferring a file to another person, send the actual file and the phrase in two different ways at different times. The self-decryption executable has the added benefit that the recipient does not require the AxCrypt software installed on their computer. One word of warning though, AxCrypt does not have a backdoor ... AT ALL. If you encrypted a file, delete the original file and then forget the phrase ... you will never be able to get the data back.

To encrypt an entire drive/volume/USB key or the like, I prefer to use TrueCrypt. This works well and should perhaps be used on all home systems that have any personal data on them. DO NOT encrypt your entire C DRIVE. The best solution for portable secure storage is to purchase USB keys with built-in encryption. I recommend that you seriously start investing in keys with encryption. It really is worth it. For daily use I use the Integral 1GB AT key with 256BIT AES Encryption. For something more robust I recommend using an Iron Key.

Common Sense and Caution must always be exercised.

Friday, 27 March 2009

Phishing

What is phishing? It is a way of obtaining your details by deceiving you into thinking that you are entering them into a valid website. These websites are usually such good imitations of the originals that most web users will easily be deceived, especially as the website you see mimics the website you expect to see. However, help is at hand. Most browsers do incorporate an anti-phishing element and, if activated, this will flag up a warning to indicate that this site is dangerous.

Although this is useful, it is not infallible and further precautions should be taken. One such precaution is based on your ability to detect such sites where the browser has failed. Phishing sites are usually easy to detect if you know what to look for, and the URLs listed below are possibly the most valuable and informative that I have come across in a long time.

Perhaps we should be publicising Anti-phishing Phil. This is a website that teaches through the medium of play. Play the game and you will learn how to spot phishing URLs.

http://cups.cs.cmu.edu/antiphishing_phil/


http://wombatsecurity.com/antiphishing_phil/index.html



As always, please be cautious and apply common sense to your browsing and web usage.

Wednesday, 25 March 2009

Business cards

Think about this for a while. The humble business card, paraded and deposited everywhere, offers a wealth of information to those intent on stealing an identity. What information does your business card hold about you?

1) your name
2) your employer's name
3) your contact details (telephone numbers, website URLs, email address, etc.)
4) your job title

and on some business cards, the following may be found
5) your education (for example, what degree you have and from where you have it)
6) the region for your employment activities (such as, Yorkshire Regional Manager)


How much more information would I need to be able to create a false identity? Ask yourself this question. These cards hold a wealth of information, and if they are distributed randomly to every person you see, you may inadvertently hand this information directly into the paws of an identity thief. Furthermore, even more information will be gleaned if the latter is done, because suddenly the thief has extra information to create a convincing false identity. Now they have your ethnic origin, regional dialect, know whether you are married or single, wear spectacles or use a walking stick. Get the picture?

The point I am trying to make is, use your business card wisely. Don't stop using them, but be more cautious and discerning about the destination of these valuable bits of card. Furthermore, ensure that the person who receives your card, really does want it and will keep it safe. In fact, print on the reverse of the card the following message

"Dear Sir/Madam,

Should you no longer wish to retain this business card, may I respectfully request that you destroy this card in the interest of identity protection. Many thanks.


Yours Sincerely,


{your name}"

Be cautious and exercise common sense!

Sunday, 22 March 2009

Good, bad and ugly passwords

A quick post about passwords only. Password theft is on the increase and weak passwords are going to cause you all sorts of trouble. A few simple rules will assist in making passwords harder to crack:
1) use letters and numbers
2) if possible use extra characters such as $, &, £, !, and so on (however, some websites do not allow their use)
3) use uppercase and lowercase interchangeably and frequently
4) use longer passwords, preferably more than 8 characters long (the longer the better)
5) never use dictionary based words, regardless of language
6) never use as a password anything that can be associated with you (for example, UK post code, etc.)

So what is an example of a good password? This one will take some time to crack

ijDl4uFpHC!

If you feel that this is too much effort, then use the PASSWORD GENERATOR on the home page of this blog as a STARTING POINT.
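The six rules above can be turned into a simple self-check. The following Python sketch is an added example, not part of the original post: the function name `broken_rules`, the tiny word list, the sample postcode and the look-alike character table are all assumptions made for illustration.

```python
import string

# Constructed mini word list for the demo; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "dragon", "monkey", "summer", "london", "welcome"}

# Look-alike substitutions undone before the dictionary check (assumption of this
# example), so that "P@ssw0rd" is still recognised as a dictionary-based word.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def _alnum_only(text):
    """Lower-case the text and drop everything except letters and digits."""
    return "".join(c for c in text.lower() if c.isalnum())


def broken_rules(password, personal_items=(), words=SAMPLE_WORDS):
    """Return the sorted rule numbers (1-6, as numbered in the post) that the
    password breaks. An empty list means all six rules are satisfied."""
    broken = set()

    # Rule 1: letters and numbers.
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        broken.add(1)
    # Rule 2: extra characters such as $, &, £, ! (the post says "if possible").
    if not any(c in string.punctuation or c == "£" for c in password):
        broken.add(2)
    # Rule 3: both uppercase and lowercase.
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        broken.add(3)
    # Rule 4: more than 8 characters.
    if len(password) <= 8:
        broken.add(4)
    # Rule 5: no dictionary words, also after undoing look-alike substitutions.
    lowered = password.lower()
    plain = lowered.translate(LOOKALIKES)
    if any(w in lowered or w in plain for w in words):
        broken.add(5)
    # Rule 6: nothing associated with you (post code, name, ...), ignoring
    # spaces and punctuation so "AB1 2CD" also matches "ab12cd".
    squeezed = _alnum_only(password)
    for item in personal_items:
        token = _alnum_only(item)
        if len(token) >= 3 and token in squeezed:
            broken.add(6)

    return sorted(broken)


if __name__ == "__main__":
    # "AB1 2CD" is a constructed post code, not a real one.
    for candidate in ("ijDl4uFpHC!", "P@ssw0rd1", "Ab12cd!Kq9x", "london"):
        print(candidate, broken_rules(candidate, personal_items=("AB1 2CD",)))
```
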

Most importantly, never share your password with anyone and make certain you are not being observed entering your password. There are ways crackers use to obtain passwords, such as using keystroke loggers, but this I will cover at a later date.

Be CAUTIOUS, use COMMON SENSE, and stay SAFE!

Friday, 20 March 2009

IMPORTANT : DNSchanger threat

The DNSchanger threat is not new, but it has resurfaced and is still annoying and dangerous. To completely comprehend the severity of this threat, it is important to understand the what, how and why of DNS.

So, ... what is the DNS? DNS is geek speak for Domain Name System. This is a means of changing the meaningful names of websites, such as www.bbc.co.uk, into a numerical value understandable to the various networking equipment that constitute the infrastructure of any network, even the biggest network namely the internet. Essentially it is a database that is used to identify the elements of the network with the intention of discovering the destination, and the best route to this destination, for requests made. There is much more to DNS than can be dealt with by a blog, however, in this instance you now have enough information to understand the threat.

DHCP is geek speak for Dynamic Host Configuration Protocol. When a computer is connected to a network or wireless access point, it will require some settings to make it work, such as an IP address, gateway address and DNS server address. These elements are only some of the many that need to come together to permit working on a network. With the exception of Wireless, there are 2 ways of ensuring that the computer obtains these settings, namely static and dynamic. Static addresses are entered manually and are changed manually, whereas dynamic addresses are not. In order to obtain the dynamic addresses, the newly attached computer must first be set to obtain these dynamically by enabling DHCP. Once this is done, the computer will then send a DHCP request to the DHCP server on that network. After various handshakes and authentications, the server issues all the details for the computer to use. This is called a DHCP lease. The computer is now configured to use all the proper addresses in order to work on the network. In an ideal world at least.

How is it done? DNSchanger is a trojan that installs itself onto a computer or other network device and waits for DNS and DHCP requests. When this trojan detects that a DHCP request has been made, it responds before the DHCP server can and issues a false DHCP lease. False because it sets up incorrect routes and destinations by claiming to be the DNS server. When the computer then requests a website, it is directed by the false DNS to go elsewhere. This is usually a website that closely matches the website that was initially requested. Some are so convincing that most people are fooled by them, however, if you scrutinize these sites, you will always discover something odd that gives it away.

Why is it done? These websites are designed to log and grab all the details you enter, and thereby grant the malicious of this world access to your accounts. These websites are called phishing websites, and they fish for your personal data.

Keep your system and all anti-malware (anti-virus, anti-spam, etc.) completely up to date and also make a note of the following address range. DNS settings with this address range being used should be considered suspicious.

A DNS server address in the range 85.112.0.0 to 85.127.255.254 possibly indicates a compromised computer.
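One way to check a machine's DNS settings against that range is sketched below in Python. This is an added example, not part of the original post: the function names and both sample configurations are constructed for illustration, and the parser only understands `nameserver` lines (resolv.conf style) and the "DNS Servers" entry of Windows `ipconfig /all` output.

```python
import ipaddress
import re

# Address range quoted in the post; DNS servers inside it are treated as suspicious.
SUSPICIOUS_FIRST = ipaddress.IPv4Address("85.112.0.0")
SUSPICIOUS_LAST = ipaddress.IPv4Address("85.127.255.254")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_dns_servers(config_text):
    """Return the IPv4 DNS servers named in resolv.conf-style text
    ("nameserver x.x.x.x") or in `ipconfig /all`-style text
    ("DNS Servers . . . : x.x.x.x" plus indented continuation lines)."""
    servers = []
    in_dns_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        candidates = []
        if line.lower().startswith("nameserver"):
            candidates = IPV4_RE.findall(line)
            in_dns_block = False
        elif line.lower().startswith("dns servers"):
            candidates = IPV4_RE.findall(line)
            in_dns_block = True
        elif in_dns_block and IPV4_RE.fullmatch(line):
            candidates = [line]          # continuation line holding one more server
        else:
            in_dns_block = False         # comments, blanks and unrelated settings
        for text in candidates:
            try:
                servers.append(ipaddress.IPv4Address(text))
            except ipaddress.AddressValueError:
                pass                     # e.g. "999.1.1.1" is not a valid address
    return servers


def suspicious_dns_servers(config_text):
    """Return, as strings, the configured DNS servers that fall inside the range."""
    return [str(ip) for ip in extract_dns_servers(config_text)
            if SUSPICIOUS_FIRST <= ip <= SUSPICIOUS_LAST]


# Constructed sample inputs; the addresses are made up and not taken from a real host.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 192.168.1.1
nameserver 85.117.10.20
"""

SAMPLE_IPCONFIG = """\
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.127.255.254
                                       85.128.0.1
   Lease Obtained. . . . . . . . . . : (constructed)
"""

if __name__ == "__main__":
    for name, text in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        hits = suspicious_dns_servers(text)
        print(name, "->", hits if hits else "no DNS server in the suspicious range")
```

A hit means the DNS settings deserve a closer look, for example by comparing them with the addresses your ISP or network administrator actually issues.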

Periodically, run a full antivirus scan with the latest definitions to ensure you remain safe.

As always ... be cautious and use your common sense.

Sunday, 15 March 2009

Dangerous Software : Peer to Peer

Believe it or not, but peer-to-peer software is probably one of the most dangerous items of software you could possibly run on your computer. With this type of software the risk is not only in downloading material that has a copyright on it, but in either intentionally or unintentionally serving the same software. So, if caught, you will be prosecutable on three different counts, namely acquiring illegal software, owning illegal software and distributing illegal software. Each carries with it its own penalty.

But more importantly, peer-to-peer (or P2P, as the industry knows it) runs on insecure lines and protocols which could be intercepted by crackers (the proper term for those intent on gaining access to your system or information). P2P software is usually the easiest way for a cracker to gain entry into an otherwise secure network. One particular way of doing this is by incorporating scripts which are tagged onto the files downloaded by the P2P user who is usually unaware of this malicious addition. This addition is usually, though not empirically, referred to as the payload. Once the payload has been downloaded all that remains is for it to be activated. Once activated, the script "phones home" and then the rest is history, so too is your data and your security. If you are connected to the network at your place of employment you should receive a hostile visit from your local System Administrator (SysAdmin). If you do this on your home computer, you may not realize for some time that your computer has been compromised. Sure, the use of an antivirus and antispyware is a very good first step; however, many compromises do not appear as spyware or a virus. Furthermore, as mentioned before, no antivirus protects you against all computer viruses running rampant on the internet. Likewise for spyware.

If you have been compromised, you will need an entirely new arsenal at your disposal, such as rootkit revealers and hidden process detectors. You may think that you do not use any P2P software, but SKYPE is just that and only secondly is it a way of making telephone calls on the internet. While you are phoning someone you are using very little bandwidth, but SKYPE uses the remainder of your bandwidth by making your computer a SUPERNODE. Nodes are essentially computers that are used to offer the quickest path between two computers that wish to transfer files from one to the other. SUPERNODES are similar except that they are used by many computers to transfer files to many computers. In geek speak, your computer has become a hub, which means all incoming data will be broadcast on all connections made to your computer. Suddenly, your bandwidth diminishes, your storage space is reduced, your memory is clogged up and you experience a dramatic drop in the performance of your computer which only drops more as time passes. Does this sound familiar? I sincerely hope not! Yet if it does, you will need to perform the following in the following order to have any hope of regaining control:
1) Disconnect your computer from all networks immediately,
2) Backup your data completely because you may lose it or have to proceed to step 6 below,
3) Remove ALL P2P software completely,
4) Run full antivirus and antispyware scans, and particularly note if anything odd happens (such as not completing the full scan, parts of the antivirus not working, or anything else),
5) Restart MS Windows system in safe mode and do step 4 above again,
6) Wipe your Hard Disk Drive and reinstall, from scratch, your operating system and non-P2P software. Although this is here given as the final option and last resort, it is in fact the best option from the start; however, it may not always be the most practical option.

The simplest solution is to avoid P2P software entirely. There is no safe P2P software, even if you use encryption. For further reading visit
http://www.roseindia.net/community/spyware/dangers_of_peer_to_peer_systems.shtml


Remember to always be cautious, and exercise common sense! This alone will make a huge difference.

Thursday, 12 March 2009

Phone calls : please take care

Although it is becoming rare, there are still people answering phone calls with "8627995 Jason Hutchinson speaking!"

How about saying anything of the following
"hello"
"hullo"
"what"
"speak"
"this had better be good"
"if it is not urgent, ... make sure I never find you"
"I know what you are thinking ... and you are right"
"I do not suffer fools ... you have been warned!"
"this call is being traced ... you have 43 seconds ... make it good"
"What is your name and where are you calling from"
"If this is a cold call, then your number goes to the authorities"

Obviously these responses cannot be used continuously, but this is where caller ID comes in handy. Maybe you want to use these on your friends as gags, but the important point I am trying to make here is that you should not volunteer any information. If your bank has called you, then politely hang up and phone your local bank using a number that you KNOW belongs to them. I suggest the same for police stations and hospitals and so on. In the case of the last two examples, get as much information from them as possible and then phone back AFTER verifying the number using a directory service. The reason for this is that it may not be your local police department or hospital calling you. This may increase your bills, but this will still be cheaper than the misery you will experience once your identity has been stolen.

In the USA you can use http://phonenumbers.addresses.com/phone.php but in other countries try using your preferred search engine and type "reverse telephone number lookup" or variations on that. The point is that you should never trust incoming phone calls unless you know the source. "Phone spoofing", the jargon for this type of activity, has existed ever since the phone was invented in 1860 (by Antonio Meucci) ... Yes, I know that Alexander Graham Bell is always accredited with its invention, but he invented the telephone (in 1875) in its modern form which we recognise today.

Phone spoofing has always been easy, because the victim will never know
1) the location of the caller
2) the intention of the caller
3) the genuineness of the caller
4) and the inability to see the caller

The latter is very important because humans are very visually aware. We all, subconsciously, read the expressions of people we see. This ability allows us to determine what state the person is in, i.e. happy, sad, friendly, bent on malice, and so on. With telephones we lose this ability, and moreover, we also lose the ability to hear the most subtle changes in speech and tone. For all these reasons, and many more, phone spoofing has a higher success rate than you may expect.

As usual, be cautious and apply common sense.

Sunday, 8 March 2009

Minimum requirements for safer computing

Upon purchasing your computer, it is likely that you were told to invest in a good solid anti-virus and firewall package. It is even likely that you were told to download some form of spyware or malware removal tool. All these are the standard bits of advice given, and they are good, but undeniably not comprehensive enough.

The first thing you should remember is that any computer is only as safe as the latest updates and upgrades. For starters, keep your operating system fully patched with the latest updates. Do the same for the anti-virus, firewall and anti-spyware. These are usually divided into two types of downloads, namely definition updates and engine upgrades. The former contains the actual signatures/definitions that the software uses to scan the computer for malicious software, and the latter includes bits of code used to enhance the performance and functionality of the software that will search for malicious code. Thus, only by keeping both completely up to date do you stand any chance of keeping yourself safe.

However, antivirus, firewall and antispyware alone will not guarantee that you will be safe from malicious code. Furthermore, no single antivirus package will provide you with protection from all the viruses on the internet. Installing a second antivirus onto the computer is always an option, but I would not recommend doing this because you will waste system resources and possibly cause your computer to enter into a nonrecoverable state. The same applies to firewalls and anti-spyware. Some reputable antivirus vendors do online scans of your computer for virus signatures. One such example is Panda Security, but others exist and here you need to exercise caution and only consider reputable vendors.

So what else can you do to secure yourself? Well, ... a great many things, but first and foremost you should remove ALL software that you are no longer using or ever will use. These programs that are no longer being used are also no longer being updated, which make them a serious security risk to you. Any software you use should be the latest version available, or at the very least a version that is still being supported by the manufacturer.

Most computers also run services and servers that are normally unnecessary and may safely be turned off or removed without altering your computing experience. If you are uncertain about which of these are not required then make Google your very best friend. Many of these services and servers are used to compromise your computer.

To complete the minimum requirements for safer computing, do the following:
  • ensure that ALL user accounts have a complex alphanumeric password
  • disable the guest and all unused accounts
  • never use the administrator account unless it is specifically required to make system wide alterations
  • periodically (usually once a week for daily users) FORCE updates on all software on your computer
  • NEVER open emails from origins unknown and especially NEVER open attachments BEFORE scanning them with an antivirus
  • Disable all autoruns and scripting (such as javascript)
Obviously there is always more you can do, but for now let's deal with things in bite-size chunks.

Always be cautious and use common sense!

Value your Identity

I will not beat around the bush. Your identity is the most valuable possession that you have. Most people will claim their loved ones are their most valued possessions, but they can hardly be your POSSESSIONS. Your identity on the other hand is most definitely your possession, but it is not so uniquely. Identity theft is growing and you should take all the warnings very seriously.

Identity theft is nothing new. It has existed since the dawn of consciousness and will continue ad infinitum. The more complex we make identities to be stolen, the more ingenious those who wish to hijack our identities become. This is a vicious circle and it will get worse. The important thing to remember is that your identity is your most valuable possession. If it is stolen it will affect you, your family, your community AND your fellow citizens in adverse ways. I am not exaggerating these repercussions. They are very real.

Guarding your identity is difficult and complex, however, you can make an immediate positive step towards keeping your identity safe by the application of 2 fundamental qualities that you already possess, namely COMMON SENSE and CAUTION. These are things I cannot teach you. You already own them. What I will do is help you with the remaining bits that will help keep your identity safe.

Unfortunately, there is no single panacea available to combat identity theft. In fact, the identities of deceased people have been used, reused and abused. Furthermore, it is not confined to the Internet alone. Your household garbage bins hold a plethora of information about you and all other members of your household. What would you do if the identity of your children is stolen?

What makes matters worse is that in most countries, you are still responsible for all the mischief created using your identity. So here is the first bit of advice that you should follow! Purchase some comprehensive identity theft insurance as soon as possible. Make sure that this insurance covers the following
  • ALL your credit, debit and store cards
  • ALL your travel documents (passports, identity cards/documents, driver licence, etc.) and certificates (birth, marriage, driving licence, etc.)
  • Confidential records (employment, hospital, education, etc.)
  • Any other items that the above did not cover
  • Ensure that your insurance gives you access to proper legal aid/advice
  • And above all ... ensure that this insurance covers you against all liability due to a misuse of your stolen identity and assigns a case worker to deal with it all on your behalf.
Be cautious and always use your common sense!