
November 18, 2011

Web Accounts Hacked?

So I keep talking about web security and passwords, but how do web accounts actually get hacked? Most of the time it is a crime of opportunity. That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password. Wikipedia defines a crime of opportunity as a crime that is committed without planning when the perpetrator sees s/he has the chance to commit the act at that moment and seizes it; such acts have little or no premeditation. A lot of people think, “OK, my e-mail really is not that important anyway, as all I get is e-mails from friends or forwarded jokes.” But that account can be used to receive notices from your bank, passwords, or password resets for your other accounts. Here are some ways you may give out your information:

Recovery E-mail Account: A recovery e-mail account is a method a lot of systems use to help you get back into an account whose password you have lost. We have all done it: signed up for a free e-mail account to have information sent to, or to set up other accounts with. When you sign up for some services they may ask you for a backup e-mail. Later you ask the site to send you your password (some will just reset it). The site says: “Sure, it’s been e-mailed to you.” As long as you still have access to that other account, you are just fine and dandy.

The interval at which you need to check your free e-mail account to keep it from falling dormant and being automatically discontinued, cancelled or even deleted varies from service to service. Here are the log-on requirements of the most prominent:

If someone else claims that dormant account by accident and you then reset your password, you have just lost control of your main account. If they claimed it on purpose, their next step is simply to go through the password recovery process themselves.

Avoid Duplicate Passwords: An easy way to get hacked is to give a site your e-mail address and then use the same password at that site as on the e-mail account. The same goes if you use the same user name and password at two or more sites. If the site does not encrypt (or hash) the stored password, there is a huge problem: anyone who works for the site and has access to this information (or gains it) now has everything they need to log in to your account. While most sites protect passwords, there are still ways for employees to get at them. At the very least, use a different password for your e-mail account than for everything else.

Public Computers are scary! If you must use a public computer, always remember to sign out. Even better, go back into the site afterwards to make sure you did not forget to log out. How often do you see the browser box pop up and ask if you want to save the password? You didn’t check it, did you? That shared computer may also have spyware, viruses, or key loggers watching for your user names and passwords. Clear your history and browser cache as well, if it allows you to do that. You have no idea who was there before you or who will use it next.

Beware of your surroundings: OK, you just pulled out your laptop at the coffee house/bookstore/McDonald’s and you have people around you. They could be watching what you type and where you are going. Also remember that cell phones and cameras are everywhere. If someone can capture, record, or simply watch you enter your password, they now have the keys to the kingdom.

Avoid Commonly Used Passwords: I’m going to sound like a broken record here, but avoid the easy passwords. I will be trying your name, family names, pet names, favorite sports teams, and the other usual passwords. The longer the password, the better. Also mix it up with upper case and lower case letters, numbers, and non-alphabetic characters. Just a word of warning: putting a 0 or 1 at the end of your password is very common, so don’t do that. “A lot of personal information actually functions like a password and, as such, needs to be robustly protected,” said Chris Young, vice president of consumer authentication at RSA, in a statement. “With a bit of sleuthing, motivated hackers can guess a password by having [a victim’s] address and trying combinations that assume he’s a fan [of a particular sports team].”

Written Passwords: OK, so you have all these different passwords. You write them down on a sheet or in a book. Guard them like they are a million dollars. I will walk up to your desk and look in the top drawers, under the keyboard, in the front of your date book, under your desktop calendar, or in the best spot: the post-it note fastened to your monitor. If you must write them down, keep them secure, very secure. Also avoid the online password vaults, as they may be hacked too. In May 2011 an online multiplatform password manager noticed “a network traffic anomaly,” possibly a hacker attack, so it forced its users to change their master passwords.

Use only Trusted Computers: This is almost the same as public computers. If you do not have control of the machine, a quick log-in to a site may be captured and you have given up everything. If you use the same passwords for everything, you have a big problem. Your personal machine should be fully patched with all updates for the programs installed and running on it, with current firewalls and antivirus programs installed and running.

This is all stuff we hear every day, but it is a good reminder to check every so often. Lastly, remember the first rule of passwords: don’t ever give them out or share them! Now excuse me as I take this call from the Computer Department asking for my user name and password to reset something.

November 14, 2011

Zero-day Exploit Duqu has Microsoft posting hot fix

In the past few days a zero-day exploit named Duqu has surfaced. It is a Word file containing malware that exploits a previously unknown flaw in Windows; the file was sent to one of its victim companies, but that still doesn’t provide much more information on what Duqu is up to or who should be worried about it. Duqu was found in some European organizations and seemed to be going after Certificate Authorities (CAs) and industrial control-system vendors.

Microsoft and Symantec, who are studying the malware, have not shared any dropper information with other antivirus companies. Droppers are typically very small, are designed to evade detection by antivirus, and can sometimes contain exploit code used to inject themselves onto the target computer. Microsoft is working on a fix but knows it will not be ready for Patch Tuesday, so it released a hot fix on November 3, 2011. Even if you’re not a certificate authority or a manufacturing firm (the two industries cited publicly so far as having Duqu victims), security experts say there are some steps you can take to help protect your infrastructure from this new targeted attack.

1) Install the “hot fix” from Microsoft and apply the workaround. Microsoft has posted security advisory 2639658 (http://technet.microsoft.com/en-us/security/advisory/2639658) to address the recently disclosed Windows kernel vulnerability (CVE-2011-3402) exploited by the Duqu malware. The flaw lies in the Win32k TrueType font parsing engine, according to Microsoft: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware,” Microsoft said in the advisory.

2) Run updated anti-malware. Not all antivirus products can detect Duqu yet, but security experts say to keep updating to be sure you get protection for Duqu as soon as it’s released. They also strongly encourage people not to click on attachments in e-mail that seems suspicious, even if it comes from someone they know.

3) Scan or filter Word documents from unknown sources. One handy tool is Microsoft’s MOICE (Microsoft Office Isolated Conversion Environment, http://support.microsoft.com/kb/935865), which checks for malformed Word documents, and a malformed Word file is exactly how Duqu starts: it plays a trick on Microsoft Word to get its code to run.

4) Monitor for traffic from potentially infected machines. Be on the lookout for machines trying to connect to a Duqu command-and-control server or trying to resolve a Duqu-related domain. Two command-and-control servers have been taken down so far, but there are likely new ones. The IP addresses that were found and ultimately shuttered: 206.183.111.97 and 77.241.93.160.

5) Watch for any port 443 traffic that’s unencrypted, and keep an eye out for ~DQ files. Watching for unencrypted traffic on port 443, the HTTPS/SSL port, can help detect malware, including a possible Duqu infection: if it’s not encrypted, it’s probably bad. Meanwhile, a Duqu-infected file name may start with “~DQ” in the Windows temporary file directory, so be on the lookout for that as well.
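Detection logic for the indicators in steps 4 and 5, as an added example written for this page (not code from the post or any vendor): it checks a destination against the two C2 addresses quoted above, treats a port-443 connection whose first bytes are not a TLS/SSL record as plaintext, and lists ~DQ-prefixed names in a temporary directory. The sample flows, host names, and the 10.x/198.51.100.x addresses are constructed.

```python
"""Checks for the Duqu indicators named in steps 4 and 5 (added example)."""
import os
import tempfile

# Command-and-control addresses quoted in the post (both reported as taken down).
DUQU_C2_IPS = {"206.183.111.97", "77.241.93.160"}


def is_known_c2(ip):
    """True if the destination is one of the C2 addresses quoted in the post."""
    return ip in DUQU_C2_IPS


def looks_like_tls(first_bytes):
    """True if the first bytes of a connection form a TLS/SSL record header.

    TLS and SSLv3 records start with a content type (0x14-0x17) and version
    0x03 0x00-0x03; an SSLv2-compatible ClientHello has the high bit of byte 0
    set and message type 0x01 in byte 2.  Anything else on port 443 is not
    encrypted the way the post expects.
    """
    if len(first_bytes) < 3:
        return False
    b0, b1, b2 = first_bytes[0], first_bytes[1], first_bytes[2]
    if 0x14 <= b0 <= 0x17 and b1 == 0x03 and b2 <= 0x03:
        return True
    return bool(b0 & 0x80) and b2 == 0x01


def check_flow(dst_ip, dst_port, first_bytes):
    """Return the list of indicators one connection trips (empty = nothing seen)."""
    reasons = []
    if is_known_c2(dst_ip):
        reasons.append("known Duqu C2 address")
    if dst_port == 443 and not looks_like_tls(first_bytes):
        reasons.append("non-TLS traffic on 443")
    return reasons


# Constructed sample: (source host, destination ip, destination port, payload head).
SAMPLE_FLOWS = [
    ("ws-17", "206.183.111.97", 443, b"\x16\x03\x01\x00\xa5"),
    ("ws-17", "198.51.100.7", 443, b"\x16\x03\x01\x00\xa5"),
    ("ws-23", "10.20.30.40", 443, b"GET /index.php HTTP/1.1\r\n"),
    ("ws-42", "10.20.30.41", 80, b"GET / HTTP/1.1\r\n"),
]


def triage(flows):
    """Map each source host to the indicators its connections tripped."""
    hits = {}
    for host, ip, port, head in flows:
        reasons = check_flow(ip, port, head)
        if reasons:
            hits.setdefault(host, []).extend(reasons)
    return hits


def find_dq_temp_files(directory):
    """Names in `directory` that start with ~DQ (case-insensitive), sorted."""
    return sorted(n for n in os.listdir(directory) if n.upper().startswith("~DQ"))


def demo_temp_scan():
    """Build a throwaway directory with constructed file names and scan it.

    On a real Windows host you would pass os.environ["TEMP"] (or
    tempfile.gettempdir()) to find_dq_temp_files instead.
    """
    with tempfile.TemporaryDirectory() as d:
        for name in ("~DQ1234.tmp", "~DF0099.tmp", "report.docx"):
            open(os.path.join(d, name), "wb").close()
        return find_dq_temp_files(d)


if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
    print(demo_temp_scan())
```

The TLS check only looks at the record header, so it tells plaintext from TLS framing; it does not validate the handshake itself.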

November 11, 2011

Are you pwned?

PWN (verb)

1. An act of dominating an opponent.

2. Great, ingenious; applied to methods and objects.

The term originally dates back to the days of WarCraft, when a map designer misspelled “Own” as “Pwn”. What was supposed to read “player has been owned” came out as “player has been pwned”.

Pwn eventually grew from there and is now used throughout the online world, especially in online games.

  1. “I pwn these guys on battlenet”
  2. “This strategy pwns!” or “This game pwn.”

About 50,000 breached records appear online every week. Do any of them include your usernames and passwords? A free website, http://www.pwnedlist.com, has been created that lets you easily check if your information has been compromised. I sure would not want to be the one who sees the following message after inputting their information:

As of November 4, 2011, almost 5 million e-mail addresses and user names were recorded in the system. PwnedList introduces itself as

“…a tool that allows an average person to check if their accounts have been compromised. No passwords are stored in our database. You can read more about where our data comes from here. Just enter an email address or username associated with any of your accounts to see if it’s on our list. Data entered is not stored, re-used, or given to any third parties. Don’t trust us? You can also use a SHA-512 hash of your email/username as input. Just don’t forget to lowercase all characters first.”

Now this will sound like great news to a lot of people. A team of security experts is doing some good work to help folks on the internet find out whether or not they have been compromised. That’s great, but how many of you know how to compute a SHA-512 hash? Let alone what one is? (You can find more information about the SHA-512 algorithm at The SHA-512 algorithm.) SHA-512 is a one-way hashing algorithm: the hash cannot be reversed to recover the input, so the information they have stored may be safe.
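The lowercase-then-hash step the site asks for, as an added example written for this page (not PwnedList’s code): it shows why the lowercasing has to happen before hashing, and compares the token against a constructed stand-in for a breach list that holds only digests.

```python
"""Lowercase SHA-512 lookup token for a breach check (added example)."""
import hashlib


def sha512_hex(text):
    """Hex digest of the UTF-8 encoding of `text`."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def lookup_token(identifier):
    """Trim whitespace and lowercase BEFORE hashing, as the site instructs.

    Hashing is case-sensitive, so 'Alice@Example.com' and 'alice@example.com'
    would otherwise give unrelated digests and the lookup would silently miss.
    """
    return sha512_hex(identifier.strip().lower())


# Constructed stand-in for a breach list that holds only lowercase digests.
BREACHED_TOKENS = {lookup_token("alice@example.com"), lookup_token("bob1985")}


def is_pwned(identifier):
    """Compare the caller's token against the list; the plaintext never leaves."""
    return lookup_token(identifier) in BREACHED_TOKENS


if __name__ == "__main__":
    print(lookup_token("Alice@Example.com"))
    print(is_pwned("ALICE@example.com"), is_pwned("carol@example.com"))
```

Sending the digest keeps your address out of the site’s hands, but since e-mail addresses are guessable, a site that already holds a candidate address can still match its digest; the hash protects you from a site that has never seen your address, not from one that has.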

My worry about sites like this is: what is stopping a hacker from putting up a site like this to collect information? Sure, the site looks good, but if you’re worried that your user name or password may have been hacked, it’s time to go change them. Also, you’re not using the same user name and password on different sites, are you? Are your passwords dictionary words? Time to change that around and create secure passwords, and different ones for the different sites you use.

Think about it: is it really safe, or is it a fake just trying to get your information?

November 5, 2011

Passwords? Pass the Cracker please…….

“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”  -Clifford Stoll

Why are strong passwords needed?
Good computer security includes the use of strong passwords for all your accounts. Passwords can be the weakest link in a computer security scheme. Strong passwords are important because password cracking tools continue to improve and the computers used to crack passwords are more powerful. Network passwords that once took weeks to break can now be broken in hours.

Password cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation that tries every possible combination of characters (brute force). Given enough time, the automated method can crack any password. However, it can still take months to crack a strong password.

For a password to be strong and hard to break, it should:

  • Contain 6 or more characters
  • Contain characters from each of the following three groups:
    1. Letters (uppercase and lowercase) A, B, C,…; a, b, c,…
    2. Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    3. Symbols (all characters not defined as letters or numerals) ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
  • Have at least one symbol character in the second through sixth positions.
  • Be significantly different from prior passwords.
  • If there is only one letter or special character, it should not be either the first or last character in the password.

Do NOT use:

  • Your username or any part thereof
  • Name(s) of yourself, family, friends, pets, or co-workers
  • Computer terms and names, commands, sites, companies, hardware, or software
  • Birthdays or other personal information such as addresses or phone numbers
  • A set of characters in alphabetic or numeric order (ex. abcdef), in a row on a keyboard
    (ex. qwerty), or a simple pattern (ex. 123123)
  • Words that can be found in a dictionary
  • Your UCLA ID number, a bank account PIN, credit card number, etc.
  • Any of the above spelled backwards
  • Any of the above preceded or followed by a digit (ex. qwerty1, 1qwerty)

Try to change your password(s) frequently.

When typing in your password, make sure no one is watching you type. Ask anyone around you to kindly look away.

Also, the top 20 most common passwords are as follows. Is yours among them?

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. websitename (the name of the site example Microsoft or yahoo)
  8. 1234567
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

You will notice how many people have apparently used their first names as passwords. Number 7 is simply the name of the site itself.

I advise users to choose a strong password for sites where you care about the privacy of the information you store. If you’re concerned about being able to remember the code, here’s a little memory-jogging trick: take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m.’
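A checker that applies the rules listed above (6 or more characters, all three character groups, a symbol in positions 2 through 6, the only letter or symbol not first or last, nothing from the “do NOT use” list including reversed forms and forms with a digit added, and the top-20 list) to a candidate password, as an added example written for this page rather than code from the post’s source; the user names, site name and candidate passwords used in testing are constructed.

```python
"""Checker for the password rules and top-20 list in this post (added example)."""
import string

SYMBOLS = set("`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# The post's top-20 list; "websitename" is handled through the `site` argument.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "1234567", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
    "jessica", "lovely", "michael", "ashley", "654321", "qwerty",
}


def word_variants(word):
    """A word, its reverse, and each of those with one digit prepended or appended."""
    w = word.lower()
    for base in (w, w[::-1]):
        yield base
        for d in string.digits:
            yield base + d
            yield d + base


def is_sequence(s):
    """Alphabetic/numeric order, a keyboard row (either direction), or a
    doubled pattern such as 123123."""
    if len(s) < 3:
        return False
    if all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:])):
        return True
    if any(s in row or s in row[::-1] for row in KEYBOARD_ROWS):
        return True
    half = len(s) // 2
    return len(s) % 2 == 0 and s[:half] == s[half:]


def check_password(pw, username="", site="", forbidden=(), prior=()):
    """Return the rules `pw` breaks; an empty list means it passes.

    `forbidden` holds names, computer terms, dictionary words and the like;
    `prior` holds the user's previous passwords.  Every word is also matched
    reversed and with a single digit added, per the post's last two bullets.
    """
    problems = []
    low = pw.lower()
    letters = [i for i, c in enumerate(pw) if c.isalpha()]
    digits = [i for i, c in enumerate(pw) if c.isdigit()]
    symbols = [i for i, c in enumerate(pw) if c in SYMBOLS]
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not (letters and digits and symbols):
        problems.append("needs a letter, a numeral and a symbol")
    if not any(1 <= i <= 5 for i in symbols):
        problems.append("no symbol in positions 2-6")
    for kind, idx in (("letter", letters), ("symbol", symbols)):
        if len(idx) == 1 and idx[0] in (0, len(pw) - 1):
            problems.append(f"the only {kind} is first or last")
    u = username.lower()
    parts = [u[i:i + 4] for i in range(len(u) - 3)] or ([u] if u else [])
    if any(p in low for p in parts):
        problems.append("contains part of the username")
    words = COMMON_PASSWORDS | {username, site} | set(forbidden) | set(prior)
    if any(low == v for w in words if w for v in word_variants(w)):
        problems.append("forbidden word, name, site name or common password")
    core = low.strip(string.digits)  # drop digits tacked on the front or back
    if is_sequence(low) or is_sequence(core):
        problems.append("alphabetic, keyboard or repeated pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty1", "tlpWENT2m.", "Ch!ck3nSoup"):
        print(candidate, check_password(candidate, username="jdoe", site="example"))
```

Note that the post’s own mnemonic ‘tlpWENT2m.’ is rejected on two of the listed rules (no symbol in positions 2 through 6, and its only symbol is the last character), so the sentence trick illustrates the technique rather than the full rule set.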

November 3, 2011

In PA it Will Soon be Illegal to Text and Drive

Editor’s Note: The bill will take effect 60 days after the governor signs it. Title, intro, and end have also been updated. 11/07/2011 2:49pm
I learned yesterday through Facebook that texting while driving will soon be a ticketable offense for Pennsylvania drivers. The bill has been passed by the PA Senate and House and will soon be signed by the governor. It will go into law 60 days after he signs it. Texting while driving will be considered a primary offense, meaning if a police officer sees you doing it, the officer can pull you over. The offense will come with a $50.00 fine. The bill covers any form of entering text: texting, e-mailing, web browsing, notes, and the like. I am personally for this bill and think we should have passed it sooner. Texting while driving is very dangerous.
AAA released the following bulletin:
AAA APPLAUDS PASSAGE OF TEXTING BAN BILL

Harrisburg, Pa. (November 1, 2011) – AAA today applauded the Pennsylvania legislature as the Commonwealth joined 34 other states with bans on texting while driving.  Both houses of the legislature voted overwhelmingly to pass the bill.  The new law prohibits sending or receiving text messages from a wireless communication device when a vehicle is in motion.  Violation of the law is a primary offense, meaning a police officer can stop a motorist just for this offense.  The offense carries a $50 fine.  The law will become effective 60 days after the Governor’s signature.

AAA Reading-Berks said, “Texting while driving is a risk to ALL road users, and an overwhelming majority of the public supports the enactment of a ban.” Text messaging while driving has skyrocketed over the past few years and the trend is increasing. AAA research reported that 21 percent of drivers admitted text messaging while driving. According to the Virginia Tech Transportation Institute, a driver’s crash risk doubles when he/she looks away from the road for two or more seconds. “Text messaging is one of many distractions that can divert a driver’s attention,” said AAA, “and teen drivers are particularly susceptible to distractions like texting, personal grooming, changing the radio/CD player and talking with passengers. For adult drivers, who provide the example for young drivers, texting while driving sends the wrong message.”

Talking on your cell phones without a hands free device will remain allowed on the PA state level.  However, please note that individual city laws may be different.  Cities like Erie in PA have passed laws that require hands free devices for talking on your cell phone while driving.  Also note that some of these same cities already have banned texting as well; meaning you can be fined in these cities without the state law in effect yet.
Sources: Reading Eagle, AAA

November 2, 2011

What can I do to stay safer online?

When you cross the street, you look both ways to make sure it’s safe.  Staying safe on the internet is just as important.  What are some of the ways you can stay safe?

1) Use secured connections. Make sure you are opening secured connections to the pages you visit. You do this by typing https at the beginning of the URL. IE9 shows a lock in the address bar.

Check your address bar for an "https" connection whenever you are entering personal data online

2) Use your best judgment. You should be aware of scams that try to steal your personal information (birth date, Social Security number, and address), your money (bank account or credit card), or both. This is called “phishing” because they “fish” for your information. Look for the signs that an e-mail or website is pushing to get your private information. Is the spelling and grammar what you expect? Is the e-mail from a person you know, and does it seem correct? Before giving out information or money, verify that it is legitimate. You will not get money for little or no effort, that bank account you never knew you had is really not going to get locked, and beware of deals that sound too good to be true.

3) Is your operating system secure? Your browser is only as secure as the operating system it runs on. When was the last time your computer was updated? Microsoft releases security patches on Patch Tuesday, which is usually the second Tuesday of each month. Starting with Windows 98, Windows Update was released to check for patches to Windows and its components. You can set this to update automatically, but it is still good to check manually every so often. http://windowsupdate.microsoft.com is the address in case you would like to check your machine.

4) Download a modern browser. In addition to patches, make sure you are running the most up-to-date browser; older browsers will have security holes. Do you have add-ons in your browser? Make sure they are current. Also, while you’re checking on your software, how current is your antivirus and security software? When was the last time it updated its signature files? Is it current, or has it expired?

5) Help spread the word. The more information we can get out to family, friends, co-workers, and others, the safer we will all stay.

Just remember before you use the Internet, take time to understand the risks and learn to spot problems.  Take a moment to be certain that the site is clean.  Watch for warning signs and consider how your actions online could impact your safety or your family’s.  Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer.  Protect yourself and help keep the web a safer place for everyone.

September 9, 2011

Typosquatting: Who is REALLY reading that email you just sent?

Wired magazine recently reported that researchers at the Godai Group collected over 20GB of highly confidential and crucial information from various Fortune 500 companies through the simple (and dastardly) technique of “typosquatting”.

Typosquatting is a very basic type of exploit that can easily be run by the most novice of hackers. It employs a “doppelganger” domain (that is, a domain that is almost identical to the target domain but differs in extremely minor ways) to catch e-mails and/or web traffic that was mistyped. Effective attacks make particular use of common misspellings, extremely long domain names, and other commonly “typo’d” domains. A few examples would be “everlysystems.com” for this website, or perhaps “yajoo.com” for a major search provider.

Execution of the attack is extremely simple: the attacker establishes the domain, creates a catch-all e-mail account, and sits and waits (for months, years, or indefinitely) as e-mails come wandering in from users who simply mistyped or misspelled their intended recipient. As a result, confidential conversations, trade secrets, sensitive documents, or even user credentials can be gathered and stored with little or no interaction on the hacker’s part. A simple search of the collected e-mails can yield extremely valuable and volatile information!

I have personally experienced an even more aggressive (and more commonly known) type of attack, called “phishing”. Phishing can be accomplished many ways, but in this particular instance the attacker combined phishing with a doppelganger domain to make it appear as if a legitimate company and employee had intentionally placed a large order with a client of mine. Clicking the provided link in the person’s signature took me to the company website, which was in perfect order, contained real, current information and employee profiles, and was even verifiable through the Better Business Bureau and online searches. However, careful inspection of the e-mail revealed the attack. A barely noticeable swap of an “i” and an “e” in the e-mail address’s domain name disguised a clever ruse to defraud: copying the Sent From e-mail domain (not the one included in the signature’s link) took you to a totally separate, “under construction” dead end. Replying to that e-mail, and ESPECIALLY conducting business with the individual on the other end, would have ended badly!

To sharpen the point, consider these details from Wired’s write-up…

“The e-mails they collected included one that listed the full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices. Another e-mail going to a company outside the U.S. that manages motorway toll systems provided information for obtaining full VPN access into the system that supports the road tollways. The e-mail included information about the VPN software, usernames, and passwords.

The researchers also collected an assortment of invoices, contracts and reports in their stash. One e-mail contained contracts for oil barrel sales from the Middle East to large oil firms; another contained a daily report from a large oil firm detailing the contents of all of its tankers that day.

A third e-mail included ECOLAB reports for a popular restaurant, including information about problems the restaurant was having with mice. ECOLAB is a Minnesota-based firm that provides sanitizing and food safety products and services to companies.”

So… take notice. Whenever possible, don’t hand-type that important e-mail address. Instead, be sure to “reply” to the sender’s message. If you HAVE to type it, double- and triple-check it against the person’s business card, website, or other published source. If you must send sensitive information, always send a probing e-mail without any sensitive data first; a savvy user will understand why you sent a simple “Hi Bob, is this the best address to use?” before you send over that important item.
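The two checks the post’s own story suggests, as an added example written for this page (not the Godai Group’s tooling or the author’s): flagging a sender domain that is one edit (including an adjacent-letter swap like the i/e case above) away from a domain you trust, and flagging a message whose From: domain does not match the domain of the link in its signature. The trusted list is constructed; example-corp.com is hypothetical, and yahoo.com is included on the assumption that it is the provider behind the post’s “yajoo.com” example.

```python
"""Flag sender domains one typo away from a trusted domain (added example)."""
from urllib.parse import urlsplit

# Constructed allow-list; example-corp.com is a hypothetical partner domain.
TRUSTED_DOMAINS = {"example-corp.com", "yahoo.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: an insert, delete, substitution, or
    swap of two adjacent characters each cost 1, so the i/e swap in the post
    counts as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(address):
    """Domain part of an e-mail address, lowercased; '' if there is none."""
    local, sep, domain = address.strip().lower().rpartition("@")
    return domain if sep and local and domain else ""


def link_domain(url):
    """Host of a URL with any leading 'www.' removed, lowercased."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """'trusted', 'lookalike of <domain>' (within max_distance edits), or 'unknown'."""
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        if osa_distance(domain, t) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"


def signature_mismatch(from_address, signature_url):
    """True when the From: domain and the signature link's domain are not the
    same site (one must equal, or be a subdomain of, the other), which is the
    tell the post describes."""
    a, b = sender_domain(from_address), link_domain(signature_url)
    if not a or not b:
        return True
    return not (a == b or a.endswith("." + b) or b.endswith("." + a))


if __name__ == "__main__":
    for addr in ("bob@exmaple-corp.com", "news@yajoo.com", "alice@example-corp.com"):
        print(addr, "->", classify_sender(addr))
    print(signature_mismatch("bob@exmaple-corp.com", "https://www.example-corp.com/team"))
```

A lookalike verdict is a prompt to verify through a published channel, as the post advises, not proof of fraud: legitimate mail from a newly registered sibling domain will trip it too.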

August 24, 2011

Background Check for Social Media

Filed under: Security Ramblings,Social Ramblings,The Great Tech Blog-Off — AndrewSmither @ 10:48 am

When applying for a new job, most employers will have you agree to a criminal background check and/or a drug test. Jobs involving working with children usually involve an FBI check as well as fingerprinting. Did you know many employers are also using credit checks, especially for higher positions? They do this to see how you are with your own money and how you would be with the business’s money. There is also another method being used, one that they do not need your permission for: a social media background check. Would you pass? If an employer did an internet search for you, what would they find? Are you posting appropriate things on your Facebook or other social media sites? Would the “internet you” be the same as the “employee you”? Companies can now use sites like http://www.socialintel.com/home to do internet/social media checks on you as a potential employee. Even while you are an employee, companies are doing social media background checks. Why? Whether you realize it or not, your image outside of work reflects on where you work. People know you, and they know who you work for; what do they think of your workplace when they see the real you off hours? Want to know what your internet image looks like, or how to take steps to improve it? Check out unsubscribe.com and reputation.com. Both offer a free service, which I personally have already signed up for. Reputation.com offers a paid service which I am honestly considering.

August 23, 2011

Easy/Quick Scan Credit Cards: Safe?

Filed under: General Ramblings,Security Ramblings,The Great Tech Blog-Off — AndrewSmither @ 12:04 pm

A recent report on a televised interview with the CEO of AllClear ID reveals the security risks behind the growing number of easy/quick scan credit cards. These cards are known as RFID (radio frequency identification) cards. If you have a credit card that lets you wave it near a small terminal and complete the process without swiping the card, you have an RFID credit card. This is similar to the technology found in E-ZPass. The interview reveals that with some knowledge that can be found on the internet and about $100.00 worth of equipment, someone can easily pick up your card’s signal, which contains all of its information, making you an easy target for identity theft/fraud. Solution? Leave the RFID card at home and use cash/check or regular credit cards when making physical trips to the store. Leave the RFID cards for online purchases only. Or you could invest in a stainless steel wallet or RFID card protector that would block the signal when the card is not being used.

Sources:

Interview

Wallet/Card Protectors

August 4, 2011

Identity Theft, Are Your Children Safe?

I personally have had encounters with identity theft: twice online, and once when my wallet was lost/stolen. Ever since then, I have subscribed to an identity theft protection service through my Discover Card. After the PlayStation Network was hacked, Sony sent out a formal e-mail to all accounts on the network stating that personal information may have been obtained. They recommended subscribing to a similar service, but this one was free for a year on them. I decided to take them up on their offer, as it would add a second layer of protection and give me a chance to see how another company does it. The company PlayStation recommended was All Clear ID, which offers a free and a pro version.

As part of All Clear ID, I get newsletters in my e-mail inbox with security tips. The latest newsletter raised the question of children’s safety from identity theft. Do you think they would be safe since they are children? Do you think they would be less likely to be targeted? If so, you are wrong. Children are 51 times more likely to have their identity stolen than you! Slightly over 10% of children have had their SSN used by someone without parental permission. This was alarming for me, and by writing this post I hope to help spread the news of this discovery. I have learned that credit reports were never intended to check for children. Generally, when a company checks your credit, it verifies the Social Security number, name, and current credit standing; it does not look for birth date conflicts. A real case featured in the newsletter explained that an All Clear ID client discovered his child had 42 open accounts under his/her name. These accounts included mortgages, credit cards, auto loans, and the like. The open accounts started when the child was 3 years old. Through All Clear ID the parent was able to close all outstanding accounts and has only one left pending. This was done as a check before the child was going to apply for college, and it would have greatly hindered the college loan process had it not been taken care of in time.

I would highly recommend that anyone at least take All Clear ID up on their free version. I would look at it the same way as AV/AS protection on your computer: a free one is better protection than none at all. If you are now wondering about your own child, please read over the sources below as I did and take advantage of their free Child ID Scan. Children can also be covered under your identity protection with All Clear ID.

Sources:

All Clear ID, Children 51% More Likely, Free Child ID Scan

Discover
