Archive for 'Security'
Secunia Software Inspector
Posted on January 25, 2007, under Security.
For the last year or so, I’ve used Secunia to keep track of the latest software vulnerabilities that have been discovered. Recently, they released a new, free web-based service called the Secunia Software Inspector. The tool will scan your computer for software that has reported vulnerabilities, and it tells you what to do to update your software or address the issue. I don’t know how comprehensive its software list is, but it seems to at least catch major browsers, plug-ins and e-mail clients.
On both my work and home computers, the scanner let me know of a vulnerability for the installed version of Apple QuickTime, as well as remnants of old, troublesome Adobe Flash installs. I did end up having to go research how to remove old versions of Flash player on my own though. It’s helpful to note Adobe provides a global Flash uninstaller.
The Software Inspector is by no means a replacement for a good anti-virus package or firewall, but it is a nice free service to help keep your machine a little more clean and secure.
Trillian Basic 3 – Fake password security
For a while now, I’ve used the Trillian Basic instant messaging client, since I have contacts on Yahoo, MSN/Live, and AIM. There have been times when entering the startup password for Trillian, I thought – “Ooops, I fat-fingered that”, only to have Trillian continue to log in. I would shrug and move on, thinking I must have typed it correctly. Yesterday, I was logging into Trillian, and knew that I fat-fingered the password – and Trillian logged in! No errors! Hrmm.. So I did a couple tests:
- I used a completely bogus password – Trillian started right up.
- I tried no password, and yep, Trillian logged right in, no problems.
So the password prompt in Trillian is useless for security as far as I am concerned. This makes me highly question my continued use of Trillian. Does anyone else notice this with their install of Trillian? I’m using Trillian Basic 3.1 (build 121). In the meantime, I’m thankful I have Trillian and its data saved in a TrueCrypt encrypted volume. That still retains some of the security I was assuming was there in the first place.
Rustock.A and Advances in Rootkits
Forget DRM, it’s gonna be scarier things like the new generation of rootkits that are going to drive me off of Windows at home.
How to create a free SSL certificate from CAcert.org
Posted on June 3, 2005, under Security, Web Dev/Tech.
Having an SSL certificate on your domain for encrypted traffic may be very attractive, but like me, you may get turned off at spending around $400 for personal use. CAcert.org to the rescue! They are making SSL certificates available for free. Awesome! Now I can use a valid SSL certificate for traffic on this domain. Read on for tips on how to do this yourself..
One caveat to this process is that CAcert is currently not ‘known’ to browsers. This means you will get a warning from the browser stating it doesn’t know the signer of the SSL certificate. You can either always accept this warning, or you can tell your browser who CAcert is by installing their own certificate. To do this, go to CAcert’s Root Certificate page, and click the appropriate link for your browser. The link for IE is obvious, but for Firefox I chose the PEM format. Firefox then presented me with a helpful prompt that completed the install. After that, no more warnings! (Note: for this exact reason alone, I currently would not recommend using CAcert for commercial business, as you could make your potential customers nervous with the warning.) With that taken care of, let’s move on..
While not a complete step-by-step walkthrough, this is essentially how I created a signed SSL certificate for collicott.net from CAcert.org.
Requirements
- A host with openssl installed.
- A registered account with CAcert.org
- Access to your web server’s config to reference/install the SSL certificate
Creating an SSL certificate
- First, I logged into my host, and created a key for the hostname I wanted to use SSL on. This key will subsequently be used to create a certificate request we will send to CAcert. Obviously, in these examples, replace collicott.net with your hostname.
$ openssl genrsa -out www.collicott.net.key 1024
Important: Ideally, you should keep this file in a location where others cannot access it.
- After the key is created, we want to use it to create a certificate request file to submit to CAcert. Perform this action on the *.key file (on a single line):
$ openssl req -new -key www.collicott.net.key -out www.collicott.net.csr
When you create this certificate request file, you will be asked for information for your domain. Some of this information is optional, but make sure you enter the hostname you want in the “Common Name” field (for example, www.collicott.net).
- Now that we have the *.csr file, we need to submit it to CAcert. Log in to your CAcert account, then go to “Server Certificates”, then click “New”. At the bottom of the page, paste in the contents of the *.csr file. CAcert will then sign and create an SSL certificate for you.
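The three steps above, scripted end to end, as an added example (this is not the original post’s code and not anything published by CAcert). It assumes a placeholder hostname of www.example.com and placeholder subject fields; substitute your own. It passes the subject on the command line with -subj so the CSR is created without the interactive prompts, tightens the umask before the key is written so other users on the host cannot read it, and uses a 2048-bit key rather than the 1024-bit key the post shows, since 1024-bit RSA is below the minimum public CAs and browsers accept today. Before anything is pasted into the CAcert “Server Certificates” form, it verifies the CSR’s own signature, checks that the CSR really was built from the private key on disk, and prints the Common Name so a typo in that field is caught before the certificate is issued rather than after.

```shell
#!/bin/sh
# Added example: create an RSA key and CSR non-interactively with OpenSSL,
# then sanity-check the CSR before submitting it to CAcert.
# Hostname and subject fields are placeholders, not values from the post.
set -eu

HOSTNAME_FQDN="www.example.com"            # placeholder; the post used www.collicott.net
WORKDIR="${WORKDIR:-$(mktemp -d)}"         # where the .key and .csr files are written

# make_csr: write $WORKDIR/<fqdn>.key and $WORKDIR/<fqdn>.csr.
# 2048-bit RSA is used instead of the post's 1024-bit key (see lead-in).
make_csr() {
    fqdn="$1"
    key="$WORKDIR/$fqdn.key"
    csr="$WORKDIR/$fqdn.csr"

    # Restrict permissions before the private key exists on disk, so the
    # file is never world-readable even for an instant.
    umask 077
    openssl genrsa -out "$key" 2048 2>/dev/null

    # -subj fills in the fields the interactive prompt would ask for.
    # CN must be the exact hostname the site will be served on.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=State/L=City/O=Personal/CN=$fqdn" 2>/dev/null
}

# csr_common_name: print the CN from a CSR (works with both the old
# "/CN=host" and the newer "CN = host" subject formats OpenSSL prints).
csr_common_name() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_is_valid: succeed if the CSR's self-signature verifies,
# i.e. the request was not corrupted in transit or by a bad copy-paste.
csr_is_valid() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# key_matches_csr: succeed if the public key embedded in the CSR is the one
# derived from the private key we intend to install next to the certificate.
key_matches_csr() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# run_cacert_csr_flow: do all of the above and print the CSR to paste into
# CAcert's "Server Certificates -> New" form once the checks pass.
run_cacert_csr_flow() {
    make_csr "$HOSTNAME_FQDN"
    key="$WORKDIR/$HOSTNAME_FQDN.key"
    csr="$WORKDIR/$HOSTNAME_FQDN.csr"
    csr_is_valid "$csr" || { echo "CSR failed verification" >&2; return 1; }
    key_matches_csr "$key" "$csr" || { echo "CSR does not match $key" >&2; return 1; }
    echo "CSR for CN=$(csr_common_name "$csr") is ready to paste into CAcert:"
    cat "$csr"
}
```

Source the script and call run_cacert_csr_flow (or append that call to the end of the file). The private key stays in $WORKDIR with mode 0600; only the .csr contents go to CAcert, and the signed certificate that comes back is installed on the web server beside that same key.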
Once the certificate has been sent from CAcert, we need to install it on our web server. Since there are many types of servers, and your hosting company may provide its own interface on installing an SSL certificate, I won’t go into how to do that. Our host is currently running Apache 1.3, and it was pretty easy to modify the config in about 2 places, and then restart the server. You can find information on a couple servers here:
The information in this post is essentially a hybrid of my experience, and the following two support pages. If you want further information, you might start with them:
Now might be time to re-think your online resume
Recently, I had begun to think about wrapping some low-tech security around my resume, just to keep out passive candidate robots and the like. After reading this article however, I’m thinking about just taking it offline:
SecurityFocus: Privacy watchdog warns job seekers to beware
Online fraudsters are increasingly taking advantage of vulnerable job seekers by using online résumés to steal their identity, a privacy expert warned this week.
“I think we have about a year and a half,” she said. “Then people will start looking at this whole online job search as a really risky affair.”
I honestly don’t pay much attention to e-mail inquiries, as they are usually offering something like 4-month contracts in some place far, far away. Yeah, like I really want to give up my full-time employment status for four months and then have to move again. So, I don’t think the risk of having my resume posted publicly online is outweighed by much benefit. I mostly have it up for historical purposes anyway, so I’ll probably take it down soon..
How to reset the master password in Firefox
I’ve noticed a couple people coming to this site searching for help on resetting their master password in Mozilla Firefox, so I found help on this and am posting it here in case you happen to be one of those people.
Master password – MozillaZine Knowledge Base
If you have lost or forgotten your Master Password or you want to disable the feature, reset your master password. Note that, upon resetting, you will lose all the stored information in the Passwords Manager as this is a built-in security feature to prevent people otherwise resetting your master password and gaining access to your passwords.
- For Firefox: go to “chrome://pippki/content/pref-masterpass.xul” (see Chrome URLs) and click on “Reset Password”.
- For Thunderbird: “Tools -> Options (Edit -> Preferences on Linux) -> Advanced -> Saved Passwords -> Master Password -> Reset Password”.
- For Mozilla Suite: “Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password”.
Microsoft AntiSpyware to be free of charge
Bill Gates has pledged that the Microsoft AntiSpyware software, with technology acquired from Giant Software, will be made free to all licensed Windows users.
“Just as spyware is something that we have to nip down today, we have decided that all licensed Windows users should have that protection at no charge,” Gates said.
This is good news, and keeps MS from appearing to have a conflict of interest (in not fixing security holes), but I’m guessing the specificity of the word “licensed” means another layer of OS validation (re: “genuine Microsoft Windows”). This isn’t a huge deal if you’re legal (like I am), but it could be annoying given the troubles they’ve had in the past with XP activation.
You’ll need a firewall for your refrigerator.
The kitchen has long been considered a breeding ground for germs, but you probably don’t expect your toaster to infect your cell phone.
