Hello...and you are? » Security

Free FamilyShield filtering from OpenDNS

jess — Sun, 11 Jul 2010 19:59:15 +0000

I have been using the OpenDNS domain filtering in my house for over a year, and have been very happy with the service. They have made it even easier to use for households looking to protect kids, by rolling out FamilyShield filtering. Without even needing to sign up for an account, you can use their service for free to block the following categories of web sites:

Pornography
Phishing
Malware
Proxy and anonymizer (for the “street smart” kiddos)

You can easily set up the service by following the walk-through instructions on configuring your router or computer’s DNS servers.

Web Browsers – Trackable without cookies

jess — Tue, 18 May 2010 15:40:11 +0000

Interesting proof of concept by the Electronic Frontier Foundation to show how the fingerprint of your web browser makes you trackable, even without the use of cookies:

Panopticlick

Presidential control of the private Internet

jess — Fri, 28 Aug 2009 16:26:56 +0000

Bill would give president emergency control of Internet | Politics and Law – CNET News.

“Translation: If your company is deemed “critical,” a new set of regulations kick in involving who you can hire, what information you must disclose, and when the government would exercise control over your computers or network.”

Yikes.

New security risk in SSL implementations

jess — Thu, 30 Jul 2009 14:05:16 +0000

More holes found in Web’s SSL security protocol.

It appears most modern browsers are susceptible to a simple man-in-the-middle attack on SSL certificates, meaning your encrypted browsing sessions can be intercepted.

The article lists Firefox 3.5 as the only modern browser not affected by the attack.

Watch out for increased Internet crime

jess — Thu, 15 Jan 2009 22:08:08 +0000

I caught an interesting quote from the bottom of a Symantec news article:

Explaining why Symantec continues to invest heavily despite the recession, Bregman said that during economic downturns Internet crime rises, creating opportunities for security companies.

Probably time to re-think through how you are securing your company and personal data, and watching out for cons.

Apple pushes insecure web browser on computers

jess — Mon, 31 Mar 2008 14:12:29 +0000

Apple pushes Safari on Windows via iTunes updater (posted 3/21)

Apple has started offering Windows users its Safari 3.1 Web browser through the same online updater it utilizes for iTunes and the QuickTime video player.

Not just offering, but pushing. As in you must manually un-check the install or ignore it, or Safari will be installed the next time you run the updater to bring your iTunes up to the next release.

MacBook Air hacked in security contest (posted 3/27)

A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.

Bad decision, Apple. I don’t want that accidentally pushed out on my machines, or any of the family members I help support.

If you want to prevent this from happening on your machine when you run the Apple updater, make sure the Safari option is checked, and then in the top menu, select “Tools > Ignore selected updates”.

Hiding Wireless SSIDs

jess — Thu, 20 Dec 2007 14:55:24 +0000

Myth vs Reality. Hi Jeff!

10 things to know before you register a domain name

jess — Thu, 28 Jun 2007 16:10:22 +0000

Sometimes I get asked what is involved in registering a domain name, and is there anything to be careful of. I just ran across this site which does a good job of listing out most of the concerns to watch for when choosing an organization to register a domain name with:

10 things you MUST know before you register a domain name with anyone

Firefox Extensions Auto-Update Vulnerability

jess — Wed, 30 May 2007 22:09:28 +0000

CyberNet News has the description for how someone can attack your Firefox browser using auto-updating extensions as the attack vector:

A new Firefox vulnerability has been discovered, and this time it is quite a doozy. It affects many different extensions including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us Extension, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, and PhishTank SiteChecker.

Windows Activation Virus Alert

jess — Thu, 26 Apr 2007 18:49:12 +0000

Check out this post about a Windows Activation Virus. The virus spoofs the Windows Activation screens, and asks for credit card information to activate Windows. Pretty convincing screens.

Secunia Software Inspector

jess — Fri, 26 Jan 2007 03:12:29 +0000

For the last year or so, I’ve used Secunia to keep track of the latest software vulnerabilities that have been discovered. Recently, they released a new, free web-based service called the Secunia Software Inspector. The tool will scan your computer for software that has reported vulnerabilities, and it alerts you of what to do to update your software or address the issue. I don’t know how comprehensive its software list is, but it seems to at least catch major browsers, plug-ins and e-mail clients.

On both my work and home computers, the scanner let me know of a vulnerability for the installed version of Apple QuickTime, as well as remnants of old, trouble-some Adobe Flash installs. I did end up having to go research how to remove old versions of Flash player on my own though. It’s helpful to note Adobe provides a global Flash uninstaller.

The Software Inspector is by no means a replacement for a good anti-virus package or firewall, but it is a nice free service to help keep your machine a little more clean and secure.

Trillian Basic 3 – Fake password security

jess — Wed, 10 Jan 2007 15:24:25 +0000

For awhile now, I’ve used the Trillian Basic instant messaging client, since I have contacts on Yahoo, MSN/Live, and AIM. There have been times when entering the startup password for Trillian, I thought – “Ooops, I fat-fingered that”, only to have Trillian continue to log in. I would shrug and move on, thinking I must have typed it correctly. Yesterday, I was logging into Trillian, and knew that I fat-fingered the password – and Trillian logged in! No errors! Hrmm.. So I did a couple tests:

I used a completely bogus password – Trillian started right up.
I tried no password, and yep, Trillian logged right in, no problems.

So the password prompt in Trillian is useless for security as far as I am concerned. This makes me highly question my continued use of Trillian. Does anyone else notice this with their install of Trillian? I’m using Trillian Basic 3.1 (build 121). In the meantime, I’m thankful I have Trillian and its data saved in a TrueCrypt encrypted volume. That still retains some of the security I was assuming was there in the first place.

Rustock.A and Advances in Rootkits

jess — Fri, 14 Jul 2006 07:36:43 +0000

Forget DRM, it’s gonna be scarier things like the new generation of rootkits that are going to drive me off of Windows at home.

How to create a free SSL certificate from CAcert.org

jess — Sat, 04 Jun 2005 00:50:53 +0000

Having an SSL certificate on your domain for encrypted traffic may be very attractive, but like me, you may get turned off at spending around $400 for personal use. CAcert.org to the rescue! They are making SSL certificates available for free. Awesome! Now I can use a valid SSL certificate for traffic on this domain. Read on for tips on how to do this yourself..
One caveat to this process, is that CAcert is currently not ‘known’ to browsers. This means you will get a warning from the browser stating it doesn’t know the signer of the SSL certificate. You can either always accept this warning, or you can tell your browser who CAcert is by installing their own certificate. To do this, go to CAcert’s Root Certificate page, and click the appropriate link for your browser. The link for IE is obvious, but for Firefox I chose the PEM format. Firefox then presented me with a helpful prompt that completed the install. After that, no more warnings! (Note: for this exact reason alone, I currently would not recommend using CAcert for commercial business, as you could make your potential customers nervous with the warning.) With that taken care of, let’s move on..

While not a complete step-by-step walkthrough, this is essentially how I created a signed SSL certificate for collicott.net from CAcert.org.

Requirements

A host with openssl installed.
A registered account with CAcert.org
Access to your web server’s config to reference/install the SSL certificate

Creating an SSL certificate

First, I logged into my host, and created a key for the hostname I wanted to use SSL on. This key will subsequently be used to create a certificate request we will send to CAcert. Obviously, in these examples, replace out collicott.net with your hostname.

$ openssl genrsa -out www.collicott.net.key 1024

Important: Ideally, you should keep this file in a location where others cannot access it.

After the key is created, we want to use it to create a certificate request file to submit to CAcert. Perform this action on the *.key file (on a single line):

$ openssl req -new -key www.collicott.net.key -out www.collicott.net.csr

When you create this certificate request file, you will be asked for information for your domain. Some of this information is optional, but make sure you enter the hostname you want in the “Common Name” field (for example, www.collicott.net).

Now that we have the *.csr file, we need to submit it to CAcert. Log in to your CAcert account, then go to “Server Certificates”, then click “New”. At the bottom of the page, paste in the contents of the *.csr file. CAcert will then sign and create an SSL certificate for you.

Once the certificate has been sent from CAcert, we need to install it on our web server. Since there are many types of servers, and your hosting company may provide its own interface on installing an SSL certificate, I won’t go into how to do that. Our host is currently running Apache 1.3, and it was pretty easy to modify the config in about 2 places, and then restart the server. You can find information on a couple servers here:

The information in this post is essentially a hybrid of my experience, and the following two support pages. If you want further information, you might start with them:

Now might be time to re-think your online resume

jess — Tue, 03 May 2005 04:00:00 +0000

Recently, I had begun to think about wrapping some low-tech security around my resume, just to keep out passive candidate robots and the like. After reading this article however, I’m thinking about just taking it offline:

SecurityFocus: Privacy watchdog warns job seekers to beware

Online fraudsters are increasingly taking advantage of vulnerable job seekers by using online résumés to steal their identity, a privacy expert warned this week.

“I think we have about a year and a half,” she said. “Then people will start looking at this whole online job search as a really risky affair.”

I honestly don’t pay much attention to e-mail inquiries, as they are usually offering something like 4-month contracts in some place far, far away. Yeah, like I really want to give up my full-time employment status for four months and then have to move again. So, I don’t think the risk of having my resume posted publicly online is outweighed by much benefit. I mostly have it up for historical purposes anyway, so I’ll probably take it down soon..