Search This Blog

Friday, December 24, 2010

OK, this is just a serious kewl Do Dad for Vulnerable and Pen Tests

Feel free to send me one! The PlugBot is one clever idea. Just plug it into an outlet and let it connect WiFi or plug it into an Ethernet jack and let err rip....

Great idea to see if your organization can detect nefarious activity by unknown ne'er-do-wellers.
The PlugBot

Monday, December 20, 2010

(F) More on Passwords for websites

The recent Gawker password and account breach shows us that all these 'cloud' service sites like Gizmodo and Gawker Blog comment sites expose us if or when their security fails. Many websites like Gawker/Gizmodo where you have to register to leave a comment and be notified when someone comments on the same thread you did, leaves us with the question:

'How do we structure our passwords for the InterWebings'?

Users of the no longer optional Internet must have a set of rules that will allow you to use the Internet safely and able to withstand a major breach where our email address, which is our Internet login for most websites, along with our password has structure and rules we apply to keep us safe and isolate types of websites from others. If a breach occurs, like Gawker showed us, many other cloud sites like Facebook, Twitter, LinkedIn, Yahoo and others locked all the accounts from the Gawker breach that match their users.

Why? Because too many of us use the same password for sites like Gawker for other sites like Facebook, Twitter and even our Banking. If you are one of these users, who have one password for every type of website, you ARE at extreme risk of getting your access compromised on other websites when a breach like Gawker occurs and why many websites locked your account if the emails used matched the Gawker breach list.

With this in mind... Let's craft some recommendations.

1. Create a formula for at least four (4) passwords for types of websites.
2. Use some type of password manager solution
3. Optimally use a password manager that you can use random passwords for eve website.

Four password formula:

Using of course a terrible example to make it easy to understand, let's say your password is, well 'password', something you should never use, but will work for the example. Minimum length is 8, the best length is 12 or more.

Password - easy for blogs and things you just don't care if it got breached
Passw0rd - you care a little more or some sites require 3 out of 4 items (upper, lower, number, special), not long enough
P@55w0rd - more secure using all items, but not long enough to be secure, use for Facebook or Twitter
S3(urep@55w0rd - Secure password as it is long and uses all items. Use this for financials or setup SuperGenPass or LastPass to generate one for you.

Of course having a different password for each website is best which you can get with SuperGenPass and LastPass that can generate a unique password for each website and all you have to remember is your long pass phrase instead of a bunch of passwords that are probably not that secure.

I recommend SuperGenPass and LastPass for truly secure, random and easy to remember passwords. Not to mention if a site got Gawked, LastPass let's me change the password quickly.

Thursday, December 16, 2010

(F) Kids and passwords... Adults too

Ever wonder what are children know about usernames and passwords? Who taught them! Did you as their parent provide them guidance and follow up with them to verify what and how they surf the InterWebbings?

You might be surprised that most children, Tweens and Teens use weak or no password at all. Actually close to 70% of children ( and yes many adults too) leave passwords that are not required to be changed 'blank' or something weak like their name or password1.


Random Password Statistics

Number of online accounts that an average user has: 25
Number of passwords that an average user has: 6.5
% of US consumers that use 1-2 password across all sites: 66%
Number of times an average user login per day: 8
Average password length: 8
Most commonly used password: password1
% of users that use personally meaningful words: 54.9%
% of users that use the ‘Remember my password’ function: 28.6%
% of users that write down their password: 15%
Average time users maintain the same password: 31 months.

The following image says it better than anything I will write in this Blog post!

So talk to your children about passwords and help them understand what makes a good password and how to protect it and use different passwords for different websites. Come up with a formula to use different passwords for email than you use for gaming sites, than you use for Facebook.

Use things like SuperGenPass or LastPass for more control and to help randomize your passwords.

If you use the same username (email address) which we generally have to on the Internet and you also use the same password on all your websites, when something like the Gawker breach occurs, all your logins are subject to being taken over by a person looking to steal information or worse, your financial or person information which can include your identity.

Don't get "Gawked"... Use different passwords for different websites.

Wednesday, December 15, 2010

(W) Warning for anyone that has a Gawker / LifeHacker account, your password has been stolen ,

For those that use and read any of the Gawker websites like one of my favorites LifeHacker, if you have an account to post comments or other login, your account password has been compromised!!!!

The websites affected include:

Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.

The threat?

Many people, i'm not one of them, use the same password for multiple website accounts, yes we call this 'The Cloud'. This means if you use the same password for a Gawker website as your Facebook or Twitter account... The bad guys are already logging into to these stolen accounts and trying to steal or gain data from your other sites and accounts that you used the same password for.

How do I avoid this threat?

My last post was on passwords and either SuperGenPass or LastPass have a random generator that allows each website to have a unique password and you only have to remember your main passphrase which either generates the real password (SuperGenPass) or enters the remembered password like LastPass.

How do I know if I have a Gawker account?

The are a couple websites that allow you to lookup your Email that was used as your account and see if Gawker reports it. If your email address does show up, your password and Gawker account are now well know to the Ne'er-do-wellers and no longer under your control or private.

Look them up now !!!

ComputerWorld article with instructions

Slate website with simple email address check

Saturday, December 11, 2010

(F)(U) Best bookmark sync tool now with best password management tool

I could not be happier to read that the best Tool to synchronize bookmarks was acquired by the best tool to manage passwords.

Xmarks is an Add-On for FireFox, Chrome, IE and Safari that allows you to use one browser on one PC or Mac, add a bookmark and then go to a different PC or Mac, yes iPad too and see the synchronized bookmarks. Now any browser you use will have all your bookmarks in sync. Also it is the best way to backup your bookmarks if you get a new system or have to rebuild your computer, the power of the cloud will store your bookmarks on the Xmarks server, which also allows you to access your bookmarks from any computer, say your friends, work or parents system. You just login to your Xmarks account and poof.. There are all your bookmarks. Xmarks synchronizes your bookmarks each time you open or close your browser or as needed. Xmarks also lets you save your passwords for logins, but they are not stored as secure as I would like them to be. The only issue with Xmarks is the lack of encryption at rest, on the Xmarks server and options to additionally secure them with two-factor authentication.

LastPass is a tool that is used to save and store all your website logins and also secure notes. Browser based Add-on as well and iDevice too, LastPass encrypts your password file locally with AES 256 encryption, so as good as it gets as well as stores them on the LastPass server, yup, the cloud, again with AES 256 encryption. So if some Ne'er-do-well breaks into the LastPass cloud servers, they would only get encrypted data that is worthless without the master password only you have.

In addition, you can add, yet another best thing, a Yubikey to add a 2nd factor 'something I have' token that you plug into your USB and touch to add a one-time and/or static password option for $25 USD that now protects your website logins and passwords with not only your username and password, but with the option of 2 factor authentication with a Yubikey, which of course I use to protect my website logins...

With LastPass acquiring Xmarks, this means we will now have a bookmark sync tool that now stores your bookmarks securely, very secure with AES 256 and with Yubikey as an option, your bookmarks, usernames, passwords and secure notes will all now be securely stored locally and in 'the cloud'.

Xmarks website

LastPass website

Yubikey website

Wednesday, December 8, 2010

(W) Use your browser to store passwords? Bad surfer bad...

If you didn't already know why you should NEVER use your browsers "remember passwords" option, tools like this are why... Store your password in a browser, get it broken and stolen by a tool like this, and no, a ne'er-do-well would do it from a java script on a website you visit.

Use something more secure like LastPass or SuperGenPass...

Monday, November 22, 2010

These lads look awfully young to be 'WANTED'....

Care to guess what they are wanted for ? Would you have trusted them ?

(W) Warning Will Robinson... Adobe 10 Email is malware

If you get or see an email, post or other add for Adobe 10 - ignore it, it WILL BE MALWARE!!!!

Go to directly if you want to check for an update, or use Secunia PSI.

SANS article on the Adobe SPAM

Sunday, November 14, 2010

Good source for InfoSec Podcasts

Thank you IronGeek for listing the more popular InfoSec Podcasts. I would add Steve Gibson's 'Security Now' for general IT folks and anyone wanting a good basic InfoSec update Podcast.

Tuesday, November 9, 2010

Top Ten Opensource Security and Network tools

Some well known, new and forgotten FREE Opensource InfoSec and Network tools for the budget minded.

Thank you Dark Reading...

#11... custom scripts...

Sunday, November 7, 2010

(C) Two first time InfoSec Conferences in Austin & Houston ROCKED!!!!

In the last week I attended two first time InfoSec conferences, LasCon focused at Web Application Security and HouSecCon which combined hacking and general InfoSec presentations.

For a first time conference LasCon rocked, not just for the kewl LA Police Gear bag, but it was organized well and most the presentations were very good. I especially liked "How I met your girlfriend" by Samy Kamkar of MySpace worm and Evercookie fame, but also a very kewl example of using Facebook chat times and a Geo location hack to actually get information enough to meet, say, your girlfriend knowing when you are not with her...

At HouSecCon, MJ Keith gave a presentation on Android phone hacking and how the business contact App Bump can be used to steal info and generally do nefarious activity.

Of course there were other talks and conversation with several seasoned InfoSec professionals I know or just met, but all in all, they were great one day events.

Put these two conferences on your list as MUST attend for next year!!!!

There is a new paradigm shift (Yes I used it) in InfoSec conferences with one or two day inexpensive conferences (under $100) that are ruling the InfoSec conference circuit. Why? Because as InfoSec professionals, we have an obligation to train and educate in order to improve information security, not just make profit, which there is plenty of. B-Sides is another conference that was this weekend in Dallas that I tried to virtually attend via MS Live, but alas.. The audio did not work... ;-(

I am part of the Austin B-Sides March 2011 conference planning because I believe in this new InfoSec 1-2 day cheap to free mentality to promote InfoSec for everyone, not just those with budget to attend BlackHat, SANS, RSA or CSI events..

Watch my Blog for more on Austin B-Sides 2011, it WILL be a killer event !!! And just before South by Southwest Interactive week!!!!

Two new browsers for you to consider...

So we have two new browsers designed more for social networking than typical browsing. Both these browsers are based on Chromium, so expect speed for video and pictures.

Will these be more or less secure for surfing social sites like Facebook, Twitter, Flicker and others? Time will tell...
RockMelt website

Flock website

Wednesday, November 3, 2010

(U) SANS botched this one...

I usually agree with SANS, but they missed the #1 preventative item and that is REMOVE ADMINISTRATIVE access of the user!!!! This will cut your risk 90% give or take. Also AV will not help you from 0-Day events... Not being a local Admin will.

Start - Control Panel - Users - Create New User, make it STANDARD USER - set a good password.

Logoff, logon as is user and never use an Administrative account unless you are doing updates.

Surfing and Emailing as a Standard User will protect you more than anything else... Ohh and of course DON'T CLICK ON THAT !!!!

Tuesday, November 2, 2010

(F) Catch me on The InfoSec Daily Podcast, discussing compliance, Don't click on that, local administrator and other Infosec shutoff

Catch me chatting with Rick Hayes and Keith Pachulski on the "InfoSec Daily Podcast" Episode 248 - discussing PCI, compliance, Security Awareness, 'Don't click on THAT!!!' presentation, local administrator accounts and other shtuff... on iTunes:
Link to iTunes
or their website via MP3 download:
ISDPodcast website

Monday, November 1, 2010

Achieving Compliance Daily - my perspective on achieving compliance

Read my article in the November 2011 ISSA Journal on how to achieve compliance daily. Basically, spend the effort on obtaining compliance on actually improving your InfoSec program and by default you will be compliant.

Sunday, October 31, 2010

(W) (F) Warning all public WiFi users... Home users too.. FireSheep arrives and Grandma can hack your accounts via WiFi

A game changing tool was released this week that will result in a significant change in WiFi security. How?, Why?...

FireSheep, an add-on for FireFox, Windows users will need WinPcap installed, Mac users are ready to go, Linux is coming... (FireSheep website)

FireSheep takes advantage of the way websites make session cookies that keep track of who and where you are when surfing the InterWebbings over WiFi... And NOT encrypted after you logon via HTTPS... So yes, HTTPS will NOT protect you from this vulnerability. I have tried it and 'ZOIKS Scooby Doo !!!!' I so can Pown your account over open WiFi...

A simple Add-On for FireFox that you just have to press 'Start Collecting' and after a short time, 'Stop Collecting' and you will see icons for all the FaceBook, Twitter, Yelp, DropBox, etc. Sites that people visited while on the same WiFi network like, say ... Starbucks, the Airport, or yes.. Your home, so your neighbors...

Now this only works over OPEN WiFi and not WiFi secured with WPA or WPA2 preferably.

I was at a Starbucks near the first LASCON Web App Security Con Friday and told this info to a visiting manager that was in the location recording with a webcam the art of space planning so we can get served quickly.. I informed him of this and told him to check my Blog... Hopefully companies like Starbucks get this and fast or users will have their accounts 'popped' as we call it, quickly.

If you want to protect yourself and you are a WiFi HotSpot like Starbucks, then all you need to do is have a WPA2 WiFi Key and make it obvious, like Starbucks or FREE. It does not have to be unique, just set to something everyone knows so it is still easy for your users to remember or your family to remember, but you MUST setup a WPA Key to beat FireSheep.

So what can I do if I hijack your session? post a Malware link as you, change your password, steal any data I choose, send a message to your girlfriend to meet you, or really... ME ( Hey Samy.. Add this to your presentation) and steal your files, login info and anything else in the list of websites seen in the image... And MORE sites coming !!!!

Let me know what you think... Send me an email.
#Security #FireSheep

5 Stages of vulnerability management...

If you don't have a vulnerability management program, you should. This article is a good example of the five stages you would go through (denial - acceptance) if you don't think you need to have or improve your program.

Thursday, October 28, 2010

(U) (F) Microsoft offers Security essentials through Windows Update

Now you don't have an excuse not to install the FREE Windows Security Essentials Av/Malware from Microsoft. They now offer it as an update through Windows Update so you don't have to download and install separately.

Sunday, October 24, 2010

Want to learn some stuff? Read my presentations

If you want to learn about 'How to surf securely at Home' or 'Working securely from Home or Starbucks, or 'What infects our computers and how your behavior can protect you', check out the PDF's I have posted on my Blog under "Articles and Presentations" on the right bar >>>>>>

(F) Want to prevent Malware? Don't surf as Admin

Avoid 57% of Vulnerabilities by removing your Administrator rights !!! It avoids 90% or more of critical vulnerabilities!! This means if you create a Standard User in Windows or a Mac, you will avoid 90% or more of the issues infecting computers these days... Study by BeyondTrust. Read my Top Ten Prevention items if you want to surf securely.

Thursday, October 21, 2010

(W) Might want to make sure your car is actually locked

Device being used to block your car alarm remote from locking your car so it is easier to steal.... Make sure your car is actually locked.
Bruce Schneier article

Sunday, October 17, 2010

(F) Google's Gmail checklist for 5 ways to have a Hacker free life

For you Gmail users, Google has come up with a Checklist with 5 recommendations or steps to take to secure your Gmail.

Google Gmail Checklist

Saturday, October 16, 2010

A funny one... But fits for you Facebookers...

(F) US looking at Australian Internet Security program

The US Federal government is looking at the Australian governments program that gives the ISP the ability to warn customers their computer is infected and then block them if the user does not address the issue.

So if you don't surf safely... The Feds might allow your ISP to cut you off from the Internet for your own and the Internets protection.

Yahoo News article

Friday, October 15, 2010

(W) Zeus behind scenes of new phish.. "Your Tax payment failed.."

Log onto the EFTPS website email that is going around and you will give the Bad Guys your info that they can use to steal money out of your bank accounts using fraudulent Wire Transfers...

IT Security News and Security Product Reviews - SC Magazine US
A growing spam attack warning recipients of a problem with their tax payments has been circulating. But it is more than a phishing ploy to attain recipients' confidential information, according to Solera Networks. Researchers at the network forensics company have evidence that this campaign is actually infecting machines using a new exploit to join a pre-existing Zeus botnet.
SC Mag article

Thursday, October 14, 2010

(F) (U) Malicious Software Removal Tool updated to detect the Evil Zeus Trojan

The latest M$ Patch bundle includes an update to MS Removal Tool (MSRT) which now can detect the EVIL Zeus Trojan !!!! MSRT only runs monthly so run it now...Start > Run > MRT... If it finds anything.. You will need to read my DON'T Click on THAT... Top Ten..
MSRT website

Wednesday, October 13, 2010

Good article about the News business and mergers affecting quality journalism

Brian Krebs, one of my favorite InfoSec research bloggers get well deserved Kudos.

Dim Reading in Geekville - Trevor Butterworth - Medialand - Forbes

via Twittelator Pad

(F) (W) Facebook to get One Time Passwords (OTP) using your cell


Hey FB users !!! Wanna give FB your Cell knowing their Privacy position? Just to have another way to enter a password??? I think they just want to SMS you Ad texts... Or worse...

PayPal has this now and soon Google Doc users as well will be able to enable their Cell phone to act as a second factor (something I have) along with the something you know (username and password) to logon to Facebook.

I HIGHLY recommend it for PayPal and Google Docs as well as banking, but FaceBook????

My first experience with giving FB my Cell was to get signed up for premium texts that charged my Cell Bill $5 per month...because I wanted to play a game...

I just don't trust FB enough to add my cell number to their database and allow them to harvest that data for who knows what marketing, gaming, texting scam someone comes up with...

The recent Group rollout that allows your friends to add you to a group without approval is a perfect example of a new feature and ZERO user control.. And Privacy first mentality.. Until it's too late and you get SPAMMED and added to Groups you didn't want to begin with..

Be weary FB users... If you want a stronger password.. Use SuperGenPass or LastPass or both as I do to provide stronger passwords.

The idea is this.. If you're on a computer you don't trust, such as a kiosk or in a cafe, and you don't want to enter your password, you can request a one-time password (by texting "otp" to 32665 from a US mobile phone). The OTP is returned as a reply text message. Then user can then log in from any computer and the OTP is good for 20 minutes.

So now your real password never gets entered on the 'untrusted' computer. Why you would ever use an untrusted computer is beyond me, but hey.. We all have a need at some point...

Read more here:PC Mag article on Facebook OTP

Tuesday, October 12, 2010

101 Flaws in a week... Really???

Believe it or not... Between Adobe (23) last week, Java (29) and Microsoft (49) this week... That is 101 flaws fixed in just 1 week... Maybe now you can understand how important patching is... Can't leave these flaws waiting for the bad guys...

(U) Upgrade your Windows.. 49 fixes in this bundle

29 from Java, 49 from Microsoft, all we need now is some from Adobe to make it 3 of a kind upgrade extravaganza... Oh yeah....Adobe had 23 last week.. WTF with all the patches ??? Would you developers code securely already.. Step 1... OWASP Top Ten... Ohhh bother...

(U) 29 Java fixes.. Update your Java

Sun/Oracle just released a huge update for Java.. Update your JRE

Monday, October 11, 2010

(F) This says it all... malware EXPLODING

"In the last two to three years we have seen more individual pieces of malware than in the entire 30 years before that time," said Mr Chris Bolin, a former chief technology officer at McAfee who is now head of UK security firm Prevx, which is trying to start the initiative.
Article on Security Tool change

(F) Understanding your Teens surfing behavior

More on National Cyber Security Awareness Month - Understanding your Teens Surfing behavior

Wednesday, October 6, 2010

(F) National Cyber Security Awareness Month (NCSAM)

For those interested in the Top Ten things you can and should do to secure your computer and safely surf the InterWebbings... Read my presentation "Don't click on THAT!!!"
Top 10 Presentation - Don't click on THAT!

(F) & (W) Facebook users can now download their profile

OK everyone... FaceBook now let's you download everything about yourself in a zip file so you can have and see what is on FB about you !!!!
SC Mag article on new FB feature

(W) Warning iTunes users

Watch out iTunes users.. Don't click on that receipt or you'll get the very bad Zeus bot malware...

(P) Patch your Adobe for 23 holes

OK everyone.. Patch your 23 holes of Adobe Reader... Until next month.. There will be more I'm sure..

Monday, October 4, 2010

Wednesday, September 29, 2010

One of my favorite browser plugins.. Pulls the plug

XMarks, formerly FoxMarks announced they are ceasing operations. XMarks was by far the best Bookmark synchronization tools there are. You add a bookmark or favorite in FireFox, IE, Chrome or Safari and they would show up on my other system browsers on my other systems.

Sad day when the best of something fails to get funding... Booooo to the Angel and Venture Capitals that let this fail.