Hello...and you are? » Security

Fix it: Help for Checking Your Windows Security Settings

jess — Sat, 16 Jul 2011 14:33:19 +0000

Microsoft has small utility online you can run to check your Windows security settings:

Diagnose and fix Windows security problems automatically

What it fixes…

Checks Windows security features and enables them if needed
Phishing or Smartscreen filters
User Account Control (UAC)
Data Execution Prevention (DEP)
Windows Firewall
Antivirus protection status and updates

Change Your Amazon Password

jess — Mon, 31 Jan 2011 19:40:42 +0000

If you haven’t changed your Amazon password in awhile, you should do so right away. Amazon changed the way they are storing passwords, as their previous method wasn’t as secure. See this article for details:

Maximum PC | Why You Should Change Your Amazon Password Right Away

Free FamilyShield filtering from OpenDNS

jess — Sun, 11 Jul 2010 19:59:15 +0000

I have been using the OpenDNS domain filtering in my house for over a year, and have been very happy with the service. They have made it even easier to use for households looking to protect kids, by rolling out FamilyShield filtering. Without even needing to sign up for an account, you can use their service for free to block the following categories of web sites:

Pornography
Phishing
Malware
Proxy and anonymizer (for the “street smart” kiddos)

You can easily set up the service by following the walk-through instructions on configuring your router or computer’s DNS servers.

Web Browsers – Trackable without cookies

jess — Tue, 18 May 2010 15:40:11 +0000

Interesting proof of concept by the Electronic Frontier Foundation to show how the fingerprint of your web browser makes you trackable, even without the use of cookies:

Panopticlick

New security risk in SSL implementations

jess — Thu, 30 Jul 2009 14:05:16 +0000

More holes found in Web’s SSL security protocol.

It appears most modern browsers are susceptible to a simple man-in-the-middle attack on SSL certificates, meaning your encrypted browsing sessions can be intercepted.

The article lists Firefox 3.5 as the only modern browser not affected by the attack.

Watch out for increased Internet crime

jess — Thu, 15 Jan 2009 22:08:08 +0000

I caught an interesting quote from the bottom of a Symantec news article:

Explaining why Symantec continues to invest heavily despite the recession, Bregman said that during economic downturns Internet crime rises, creating opportunities for security companies.

Probably time to re-think through how you are securing your company and personal data, and watching out for cons.

Apple pushes insecure web browser on computers

jess — Mon, 31 Mar 2008 14:12:29 +0000

Apple pushes Safari on Windows via iTunes updater (posted 3/21)

Apple has started offering Windows users its Safari 3.1 Web browser through the same online updater it utilizes for iTunes and the QuickTime video player.

Not just offering, but pushing. As in you must manually un-check the install or ignore it, or Safari will be installed the next time you run the updater to bring your iTunes up to the next release.

MacBook Air hacked in security contest (posted 3/27)

A team of security researchers has won $10,000 for hacking a MacBook Air in two minutes using an undisclosed Safari vulnerability.

Bad decision, Apple. I don’t want that accidentally pushed out on my machines, or any of the family members I help support.

If you want to prevent this from happening on your machine when you run the Apple updater, make sure the Safari option is checked, and then in the top menu, select “Tools > Ignore selected updates”.

Hiding Wireless SSIDs

jess — Thu, 20 Dec 2007 14:55:24 +0000

Myth vs Reality. Hi Jeff!

10 things to know before you register a domain name

jess — Thu, 28 Jun 2007 16:10:22 +0000

Sometimes I get asked what is involved in registering a domain name, and is there anything to be careful of. I just ran across this site which does a good job of listing out most of the concerns to watch for when choosing an organization to register a domain name with:

10 things you MUST know before you register a domain name with anyone

Secunia Software Inspector

jess — Fri, 26 Jan 2007 03:12:29 +0000

For the last year or so, I’ve used Secunia to keep track of the latest software vulnerabilities that have been discovered. Recently, they released a new, free web-based service called the Secunia Software Inspector. The tool will scan your computer for software that has reported vulnerabilities, and it alerts you of what to do to update your software or address the issue. I don’t know how comprehensive its software list is, but it seems to at least catch major browsers, plug-ins and e-mail clients.

On both my work and home computers, the scanner let me know of a vulnerability for the installed version of Apple QuickTime, as well as remnants of old, trouble-some Adobe Flash installs. I did end up having to go research how to remove old versions of Flash player on my own though. It’s helpful to note Adobe provides a global Flash uninstaller.

The Software Inspector is by no means a replacement for a good anti-virus package or firewall, but it is a nice free service to help keep your machine a little more clean and secure.

How to create a free SSL certificate from CAcert.org

jess — Sat, 04 Jun 2005 00:50:53 +0000

Having an SSL certificate on your domain for encrypted traffic may be very attractive, but like me, you may get turned off at spending around $400 for personal use. CAcert.org to the rescue! They are making SSL certificates available for free. Awesome! Now I can use a valid SSL certificate for traffic on this domain. Read on for tips on how to do this yourself..
One caveat to this process, is that CAcert is currently not ‘known’ to browsers. This means you will get a warning from the browser stating it doesn’t know the signer of the SSL certificate. You can either always accept this warning, or you can tell your browser who CAcert is by installing their own certificate. To do this, go to CAcert’s Root Certificate page, and click the appropriate link for your browser. The link for IE is obvious, but for Firefox I chose the PEM format. Firefox then presented me with a helpful prompt that completed the install. After that, no more warnings! (Note: for this exact reason alone, I currently would not recommend using CAcert for commercial business, as you could make your potential customers nervous with the warning.) With that taken care of, let’s move on..

While not a complete step-by-step walkthrough, this is essentially how I created a signed SSL certificate for collicott.net from CAcert.org.

Requirements

A host with openssl installed.
A registered account with CAcert.org
Access to your web server’s config to reference/install the SSL certificate

Creating an SSL certificate

First, I logged into my host, and created a key for the hostname I wanted to use SSL on. This key will subsequently be used to create a certificate request we will send to CAcert. Obviously, in these examples, replace out collicott.net with your hostname.

$ openssl genrsa -out www.collicott.net.key 1024

Important: Ideally, you should keep this file in a location where others cannot access it.

After the key is created, we want to use it to create a certificate request file to submit to CAcert. Perform this action on the *.key file (on a single line):

$ openssl req -new -key www.collicott.net.key -out www.collicott.net.csr

When you create this certificate request file, you will be asked for information for your domain. Some of this information is optional, but make sure you enter the hostname you want in the “Common Name” field (for example, www.collicott.net).

Now that we have the *.csr file, we need to submit it to CAcert. Log in to your CAcert account, then go to “Server Certificates”, then click “New”. At the bottom of the page, paste in the contents of the *.csr file. CAcert will then sign and create an SSL certificate for you.

Once the certificate has been sent from CAcert, we need to install it on our web server. Since there are many types of servers, and your hosting company may provide its own interface on installing an SSL certificate, I won’t go into how to do that. Our host is currently running Apache 1.3, and it was pretty easy to modify the config in about 2 places, and then restart the server. You can find information on a couple servers here:

The information in this post is essentially a hybrid of my experience, and the following two support pages. If you want further information, you might start with them:

How to reset the master password in Firefox

jess — Sat, 26 Mar 2005 06:46:34 +0000

I’ve noticed a couple people coming to this site searching for help on resetting their master password in Mozilla Firefox, so I found help on this and am posting it here in case you happen to be one of those people.

Master password – MozillaZine Knowledge Base

If you have lost or forgotten your Master Password or you want to disable the feature, reset your master password. Note that, upon resetting, you will lose all the stored information in the Passwords Manager as this is a built-in security feature to prevent people otherwise resetting your master password and gaining access to your passwords.

For Firefox: go to “chrome://pippki/content/resetpassword.xul” (see Chrome URLs) and click on “Reset Password”.

For Thunderbird: “Tools -> Options (Edit -> Preferences on Linux) -> Advanced -> Saved Passwords -> Master Password -> Reset Password”.

For Mozilla Suite: “Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password”.