Showing posts with label security. Show all posts

Sunday, October 26, 2008

You can get a virus just by visiting a web site

Just in case anyone doubted that the web is a dangerous place, this article discusses the very real possibility of getting a virus just by visiting a web site with scripting enabled. See, it happens to the ubergeeks among us too. ;-)

The safest way by far to browse the web is using Firefox with the NoScript plug-in installed. I keep scripting disabled by default and only enable it on sites I trust such as my bank, Amazon, etc. For those web sites which don't display properly without scripting enabled, I resort to browsing to them in a Virtual Machine under VMware Fusion. It's far easier to restore the single file containing my virtual machine than it is to have to either restore my entire machine or reinstall software.

Using OpenDNS is also highly recommended. It helps cut down on phishing by warning you when a link has directed you to a dangerous web site.

Those of us using Macs shouldn't feel too smug. With the Mac's popularity increasing so quickly, it's only a matter of time before the people who write malicious software start targeting Macs in earnest.

Sunday, December 09, 2007

Wireless Keyboard Security Compromised

This post at the excellent HackADay web site discusses how the security of wireless keyboards has now been compromised. This makes it even easier for hackers to capture passwords and other information you type on your wireless keyboard. They don't need to risk physical access to install a hardware keyboard capture device or install software to perform the same function. They just need to set up a sniffer device in close enough proximity to capture your keystrokes. Under ideal conditions, wireless devices can transmit far beyond their stated maximum range.

I personally use a wireless mouse, a wireless Apple Mighty Mouse which I love, but not a wireless keyboard. I see little benefit to getting rid of the wire on my keyboard since I don't need my keyboard to move so the wire never gets in the way.

Good luck to any hackers who want to derive meaningful information out of my mouse movements and clicks. Without knowing what's on the screen at any given moment, that information is next to useless. I know it's possible to spy on Van Eck radiation to read what's on a monitor from a distance, but the equipment required to do so is either expensive or complicated to build. It's also a non-trivial problem to tie what's on the screen at that moment (an analog signal) with what's being typed. I'm quite satisfied that the barriers to my monitor and mouse emanations being compromised are sufficiently high to discourage all but the most determined hacker. Realistically, you can never make something 100% secure. All you can hope to do is to raise the barriers high enough to nudge attackers along to easier targets. Rest assured that there are many easier targets. I can see 2 completely unsecured WiFi networks from my house and I suspect this is constrained by the distance between houses more than anything.

NTFS Alternate Data Streams

Quite some time ago, Microsoft quietly added the ability to embed an alternate data stream in another file. This was ostensibly done to improve interoperability with other modern file systems such as Apple's HFS. The problem is that many of the command line and GUI utilities supplied with Windows don't support (or at least don't easily support) manipulation of these alternate data streams, making them an ideal place to store data undetectable by normal means.

This capability can be useful for OS features such as displaying thumbnail images when a user opens a folder containing image files. That way, the thumbnail image gets deleted when the user deletes the image file itself. The user is also not confused by the presence of a multitude of files which they don't remember creating.

The negative implications of alternate data streams are twofold. First, they can make it difficult to figure out what is occupying your disk space. Second, they make a convenient place for malware authors to hide their malicious software. They love this functionality, which has been embedded into the Windows operating system since NTFS was introduced, because it frees them from the need to resort to a rootkit to hide files. To Microsoft's credit, in Vista they've added switches to the venerable "dir" command to give it the ability to detect alternate data streams. Users of older versions of Windows will need to avail themselves of a utility such as Streams from the great team at SysInternals, now part of Microsoft.

For a good summary of the security implications of alternate data streams, see this write-up at Security Focus.
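One way to audit a folder for alternate data streams on current Windows versions, as an added example that is not part of the original post: the PowerShell function below lists every non-default stream it finds and is run against a constructed demo file. The function name `Get-AlternateStream`, the demo folder and the stream name `hidden` are assumptions made for illustration.

```powershell
# Added example: enumerate NTFS alternate data streams under a folder.
# Needs PowerShell 3.0 or later and an NTFS volume.

function Get-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows writes routinely (mark-of-the-web on downloads);
        # still reported, but flagged so reviewers can sort them out.
        [string[]] $KnownStreams = @('Zone.Identifier')
    )
    # Files only: directories can carry streams too and are not covered here.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed main stream every file has.
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Known  = $KnownStreams -contains $_.Stream
                    }
                }
        }
}

# --- Constructed demo data (hypothetical path and stream name) ---
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $file -Value 'visible contents'
Set-Content -LiteralPath $file -Stream 'hidden' -Value ('x' * 4096)

# The size normal tools show counts only the main stream...
(Get-Item -LiteralPath $file).Length

# ...while the audit reports the extra stream and its real size.
Get-AlternateStream -Path $demo | Sort-Object Bytes -Descending | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

From a command prompt, `dir /r` gives the same per-file view on Vista and later.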

PayPal Security Key


Since I do a lot of technical reading in my spare time, I find myself becoming more and more interested in computer security. One thing I'm particularly concerned about is the use of usernames and passwords alone for authentication on web sites which contain any of my financial information. A while back while listening to the always entertaining and informative Security Now! podcast, Steve Gibson (one of the hosts) mentioned that PayPal had started offering Security Keys for a nominal fee. These keys display a number which changes in an unpredictable pattern every 30 seconds and which can be used to tighten security on your PayPal and eBay accounts.

PayPal should be commended for offering this capability and at such an affordable price. Multifactor authentication is much safer than its single factor sibling.

Find out more about the PayPal Security Key here. If you have trouble accessing this link, go to PayPal's site, click the Security Center link at the top and click on the picture of the Security Key. This program is on a timed deployment so it may not yet be available outside the U.S.

Sunday, December 02, 2007

OpenID

A new post on the Blogger in Draft blog indicates that Blogger, the service this blog and many others depend upon, may soon support OpenID for identity verification for posting.

I've been following discussions about OpenID, including one on the excellent Security Now! podcast and have been anxious to give it a try. It appears Blogger may afford my first real opportunity so I've signed up for a free account at Verisign Labs' PIP web site. There are a number of other free OpenID providers. I chose Verisign primarily because of their long history. I'd hate to commit to a provider only to have it fold because they couldn't find a way to monetize the service.

You may want to sign up for an account so you can get a URL you can remember. The URLs associated with your OpenID identity must be unique so there's benefit to having one which has your favorite user name embedded.

Saturday, July 14, 2007

Creating strong passwords

Gina Trapani has posted a great article on LifeHacker showing how to choose strong passwords that are also easy to remember. I've been using a variation of this method for a long time and have made slight modifications based on advice I've heard from security experts.

I use 2 classes of passwords. The weakest is used for the multitude of web sites which ask you to create an account but which store no financial or personal data about you. I reserve the strong passwords for web sites which store data which could cause me financial harm if it were to be discovered.

Choose something which works for you but which offers reasonable strength. Use the Password Strength Meter at SecurityStats to test the strength of your chosen method to make sure your passwords can't be broken too easily.

Monday, June 18, 2007

Fighting Spyware

Jeff Atwood over at Coding Horror has an interesting article about the numerous steps necessary to fight a Spyware infestation. It goes to show that you can't trust web sites just because lots of people link to them.

I run a Firefox plug-in called NoScript which allows the user to select web sites which should be allowed to run scripting languages like JavaScript, Java, and Flash. Scripting languages are very dangerous so it's imperative that users only allow their browser to run scripts from trusted web sites. I'd caution people that they should mistrust all web sites by default. Just because a friend sends you a link is not enough reason to trust a web site.

It's much easier to prevent a Spyware infestation in the first place than it is to remove one from a PC after it's gained a foothold.

Monday, May 28, 2007

OpenDNS

I've recently changed the DNS server setting on my WiFi router from the DNS servers run by my ISP to those from OpenDNS. OpenDNS runs large DNS caches which can speed up your address lookups. They also compare all URLs submitted with a phishing site blacklist to help keep you from falling prey to phishing schemes. They also correct common typing errors in URLs. For example, if you type "google.ocm", they will change it to "google.com" to prevent a lookup error.

On a related note, you may notice occasionally that address lookups for a URL you've typed into your browser may fail. This can be a sign that the DNS cache on your local PC has a stale entry. Here's a site which shows how to flush your DNS cache. They've got procedures for flushing the DNS caches on Windows, Linux, and Mac computers.