Sunday, October 31, 2010

(W) (F) Warning all public WiFi users... Home users too.. FireSheep arrives and Grandma can hack your accounts via WiFi

A game-changing tool was released this week that will force a significant change in WiFi security. How? Why?...

FireSheep is an add-on for Firefox. Windows users will need WinPcap installed, Mac users are ready to go, and Linux support is coming... (FireSheep website)

FireSheep takes advantage of the way websites handle session cookies, the cookies that keep track of who you are once you have logged in. Many sites encrypt the login page with HTTPS but then send that session cookie in the clear over plain HTTP with every page you view afterwards, so anyone sniffing the same open WiFi can read it and reuse it. So yes, HTTPS on the login page alone will NOT protect you from this; only a site that uses HTTPS for every page and marks its session cookie Secure does. I have tried it and 'ZOIKS Scooby Doo !!!!' I so can Pown your account over open WiFi...

It is a simple add-on for Firefox: press 'Start Collecting', wait a short time, press 'Stop Collecting', and you will see an icon for every Facebook, Twitter, Yelp, Dropbox, etc. session belonging to people on the same WiFi network, whether that is Starbucks, the airport, or yes... your home, so your neighbors...

Now this only works over OPEN WiFi, not WiFi secured with WPA or, preferably, WPA2, which encrypts each client's traffic over the air with its own session key.

I was at a Starbucks near the first LASCON Web App Security Con on Friday and told this to a visiting manager who was in the store recording the art of space planning with a webcam so we can get served quickly. I informed him of this and told him to check my blog... Hopefully companies like Starbucks get this, and fast, or users will have their accounts 'popped', as we call it, quickly.

If you run a WiFi hotspot like Starbucks, or a home network, the first thing to do is set a WPA2 key and make it obvious, like Starbucks or FREE. It does not have to be unique or secret to beat FireSheep out of the box; it just has to exist, so pick something your customers or your family can remember. One caveat: a key everyone knows is not real privacy. Anyone who has the key and captures a client's WPA handshake can decrypt that client's traffic with a tool like Wireshark, so the shared key raises the bar but does not close the hole. The real fix belongs to the websites: HTTPS on every page, not just the login page, and the Secure flag on the session cookie so the browser never sends it over plain HTTP.
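To make the mechanism concrete, here is an added Python model of what the add-on does and of the one cookie attribute that stops it. This is example code, not FireSheep's own code and not from the original post; the hostnames, cookie names and captured requests are constructed for illustration, and real sites use different cookie names.

```python
"""Model of FireSheep-style session sidejacking and of the cookie
attribute that defeats it.

Added example, not FireSheep's own code. The hostnames, the cookie
names and the captured requests are constructed for illustration;
real sites use different cookie names and FireSheep carries its own
per-site handlers."""
from urllib.parse import urlsplit

# Per-site list of the cookies that, together, are the logged-in session.
# Assumed names for illustration only.
SITE_HANDLERS = {
    "social.example": ("sid",),
    "micro.example": ("_sess", "auth_token"),
}

# Constructed sample: plaintext HTTP requests as a sniffer on an open
# WiFi would see them after the users logged in over HTTPS.
CAPTURED_REQUESTS = [
    b"GET /home HTTP/1.1\r\nHost: social.example\r\n"
    b"Cookie: sid=abc123; lang=en\r\n\r\n",
    b"GET /timeline HTTP/1.1\r\nHost: micro.example\r\n"
    b"Cookie: _sess=s3ss; auth_token=t0k3n\r\n\r\n",
    # No handler for this site, so it is ignored.
    b"GET /news HTTP/1.1\r\nHost: news.example\r\nCookie: prefs=dark\r\n\r\n",
    # A login POST carries credentials but no session cookie yet; the real
    # login happened over HTTPS and is invisible to the sniffer anyway.
    b"POST /login HTTP/1.1\r\nHost: social.example\r\n\r\nuser=x&pass=y",
]


def parse_request(raw):
    """Return (host, {cookie_name: value}) from one plaintext HTTP request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    host, cookies = None, {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            host = value.lower()
        elif name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                cookies[key] = val
    return host, cookies


def sidejack(captured, handlers=SITE_HANDLERS):
    """The whole 'attack': read session cookies that are already in the
    clear. Returns {host: {cookie: value}} for each request that carries
    every cookie a handler needs; nothing is decrypted or cracked."""
    sessions = {}
    for raw in captured:
        host, cookies = parse_request(raw)
        wanted = handlers.get(host)
        if wanted and all(name in cookies for name in wanted):
            sessions[host] = {name: cookies[name] for name in wanted}
    return sessions


def browser_sends_cookie(cookie, url):
    """Browser-side rule that decides whether a stored cookie is attached
    to a request. A cookie set with the Secure attribute is only ever sent
    over https://, so it never appears in the plaintext a sniffer sees."""
    parts = urlsplit(url)
    if parts.hostname != cookie["domain"]:
        return False
    return parts.scheme == "https" or not cookie["secure"]


if __name__ == "__main__":
    for host, session in sidejack(CAPTURED_REQUESTS).items():
        print(host, session)
    insecure = {"name": "sid", "domain": "social.example", "secure": False}
    secure = dict(insecure, secure=True)
    print(browser_sends_cookie(insecure, "http://social.example/home"))  # True
    print(browser_sends_cookie(secure, "http://social.example/home"))    # False
```

The attack side has no cryptography in it at all, which is the point: once the session cookie travels over plain HTTP on an open network, reading it is just parsing. The defense side shows why the fix is the site's, not the user's: the same cookie with the Secure attribute is never attached to an http:// request, so there is nothing for the sniffer to collect.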

So what can I do if I hijack your session? Post a malware link as you, change your password, steal any data I choose, send a message to your girlfriend to meet you, or really... ME (Hey Samy.. add this to your presentation), and steal your files, login info and anything else on the list of websites seen in the image... And MORE sites are coming !!!!

Let me know what you think... Send me an email.
5 Stages of vulnerability management...

If you don't have a vulnerability management program, you should. This article is a good example of the five stages (from denial to acceptance) you will go through if you don't think you need to have, or improve, your program.

Thursday, October 28, 2010

(U) (F) Microsoft offers Security Essentials through Windows Update

Now you don't have an excuse not to install the FREE Microsoft Security Essentials antivirus/anti-malware. It is now offered as an update through Windows Update, so you don't have to download and install it separately.

Sunday, October 24, 2010

Want to learn some stuff? Read my presentations

If you want to learn about 'How to surf securely at Home', 'Working securely from Home or Starbucks', or 'What infects our computers and how your behavior can protect you', check out the PDFs I have posted on my blog under "Articles and Presentations" on the right bar >>>>>>

(F) Want to prevent Malware? Don't surf as Admin

Removing your Administrator rights avoids 57% of the Microsoft vulnerabilities in the BeyondTrust study, and 90% or more of the critical ones !!! This means that if you create a Standard User account in Windows or on a Mac and do your day-to-day surfing from it, most of the critical holes that malware exploits to take over the machine cannot be fully used against you. Study by BeyondTrust. Read my Top Ten Prevention items if you want to surf securely.

Thursday, October 21, 2010

(W) Might want to make sure your car is actually locked

A device is being used to block the signal from your key fob so the car never actually locks, making it easier to steal.... Check that your car is actually locked before you walk away.
Bruce Schneier article

Sunday, October 17, 2010

(F) Google's Gmail checklist for 5 ways to have a Hacker free life

For you Gmail users, Google has come up with a Checklist with 5 recommendations or steps to take to secure your Gmail.

Google Gmail Checklist

Saturday, October 16, 2010

A funny one... But fits for you Facebookers...

(F) US looking at Australian Internet Security program

The US Federal government is looking at the Australian government's program that gives the ISP the ability to warn customers that their computer is infected and then block them if the user does not address the issue.

So if you don't surf safely... The Feds might allow your ISP to cut you off from the Internet, for your own protection and the Internet's.

Yahoo News article

Friday, October 15, 2010

(W) Zeus behind scenes of new phish.. "Your Tax payment failed.."

Follow the link in the fake EFTPS (Electronic Federal Tax Payment System) email that is going around and you will hand the bad guys your info, which they use to steal money out of your bank accounts with fraudulent wire transfers... and, worse, the page also tries to infect your machine with Zeus.

A growing spam attack warning recipients of a problem with their tax payments has been circulating. But it is more than a phishing ploy to attain recipients' confidential information, according to Solera Networks. Researchers at the network forensics company have evidence that this campaign is actually infecting machines using a new exploit to join a pre-existing Zeus botnet.
SC Mag article

Thursday, October 14, 2010

(F) (U) Malicious Software Removal Tool updated to detect the Evil Zeus Trojan

The latest M$ patch bundle includes an update to the Malicious Software Removal Tool (MSRT), which can now detect the EVIL Zeus Trojan !!!! MSRT ships with the monthly patches and only scans once when it installs, so run it now yourself: Start > Run > mrt... If it finds anything, you will need to read my DON'T Click on THAT... Top Ten..
MSRT website

Wednesday, October 13, 2010

Good article about the News business and mergers affecting quality journalism

Brian Krebs, one of my favorite InfoSec research bloggers, gets well-deserved kudos.

Dim Reading in Geekville - Trevor Butterworth - Medialand - Forbes

(F) (W) Facebook to get One Time Passwords (OTP) using your cell


Hey FB users !!! Wanna give FB your Cell knowing their Privacy position? Just to have another way to enter a password??? I think they just want to SMS you Ad texts... Or worse...

PayPal already lets you use your cell phone as a second factor (something you have) on top of the something you know (username and password), and Google is rolling out the same for Google Apps/Docs users. Facebook's feature is different: the texted code does not get added to your password, it replaces it for one login.

I HIGHLY recommend it for PayPal and Google Docs as well as banking, but FaceBook????

My first experience with giving FB my Cell was to get signed up for premium texts that charged my Cell Bill $5 per month...because I wanted to play a game...

I just don't trust FB enough to add my cell number to their database and allow them to harvest that data for who knows what marketing, gaming, texting scam someone comes up with...

The recent Groups rollout, which lets your friends add you to a group without your approval, is a perfect example of a new feature shipped with ZERO user control and no privacy-first mentality... until it's too late and you get SPAMMED and added to groups you never wanted to join in the first place..

Be wary, FB users... If you want a stronger password, use SuperGenPass or LastPass or both, as I do, to generate stronger passwords.

The idea is this.. If you're on a computer you don't trust, such as a kiosk or one in a cafe, and you don't want to type your password into it, you can request a one-time password by texting "otp" to 32665 from a US mobile phone. The OTP comes back as a reply text message. You can then log in from any computer with it, and the OTP is good for 20 minutes.

So your real password never gets typed on the 'untrusted' computer, and a keylogger there only captures a code that expires. Why you would ever use an untrusted computer is beyond me, but hey.. we all have a need at some point...
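Here is what the server side of such a scheme has to get right, as an added example that is not Facebook's code and not from the original post. The 20-minute lifetime comes from the article; the code length, the single-use rule, the wrong-guess limit and the injectable clock are assumptions made for illustration.

```python
"""Server side of an SMS one-time password login like the one described
above. Added example, not Facebook's code. The 20-minute lifetime comes
from the article; the code length, single use, attempt limit and the
injectable clock are assumptions made for illustration."""
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 20 * 60   # from the article
OTP_DIGITS = 8                   # assumed
MAX_WRONG_GUESSES = 5            # assumed; blocks brute force inside the window


class OtpStore:
    """Holds one pending code per user; the code itself goes out by SMS."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # user -> [code, expires_at, wrong_guesses]

    def issue(self, user):
        """User texted 'otp': generate a fresh code, replacing any earlier one."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user] = [code, self._clock() + OTP_LIFETIME_SECONDS, 0]
        return code   # caller sends this by SMS; it must never be logged

    def verify(self, user, candidate):
        """True exactly once per issued code, and only inside the window."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, wrong = entry
        if self._clock() > expires_at:
            del self._pending[user]           # expired: forget it
            return False
        # Constant-time compare on bytes so the check leaks nothing about the
        # code and does not choke on a non-ASCII candidate.
        if not hmac.compare_digest(code.encode(), candidate.encode()):
            entry[2] = wrong + 1
            if entry[2] >= MAX_WRONG_GUESSES:
                del self._pending[user]       # burn the code; user must re-text
            return False
        del self._pending[user]               # single use
        return True


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print("SMS to alice:", code)
    print(store.verify("alice", code))   # True
    print(store.verify("alice", code))   # False, already used
```

The three properties that make the code safe to type on a kiosk are all in verify(): it expires, it works once, and a handful of wrong guesses burns it, so an attacker who sees it on the screen or in a keylogger gets at most the same 20-minute window, and one that never saw it cannot guess an 8-digit value in five tries.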

Read more here: PC Mag article on Facebook OTP

Tuesday, October 12, 2010

101 Flaws in a week... Really???

Believe it or not... Between Adobe (23) last week, Java (29) and Microsoft (49) this week... That is 101 flaws fixed in just one week... Maybe now you understand how important patching is... You can't leave these holes open for the bad guys...

(U) Upgrade your Windows.. 49 fixes in this bundle

29 from Java, 49 from Microsoft, all we need now is some from Adobe to make it 3 of a kind upgrade extravaganza... Oh yeah....Adobe had 23 last week.. WTF with all the patches ??? Would you developers code securely already.. Step 1... OWASP Top Ten... Ohhh bother...

(U) 29 Java fixes.. Update your Java

Sun/Oracle just released a huge update for Java.. Update your JRE

Monday, October 11, 2010

(F) This says it all... malware EXPLODING

"In the last two to three years we have seen more individual pieces of malware than in the entire 30 years before that time," said Mr Chris Bolin, a former chief technology officer at McAfee who is now head of UK security firm Prevx, which is trying to start the initiative.
Article on Security Tool change

(F) Understanding your Teens surfing behavior

More on National Cyber Security Awareness Month - Understanding your Teens Surfing behavior

Wednesday, October 6, 2010

(F) National Cyber Security Awareness Month (NCSAM)

For those interested in the Top Ten things you can and should do to secure your computer and safely surf the InterWebbings... Read my presentation "Don't click on THAT!!!"
Top 10 Presentation - Don't click on THAT!

(F) & (W) Facebook users can now download their profile

OK everyone... Facebook now lets you download everything about yourself in a zip file, so you can have and see what is on FB about you !!!!
SC Mag article on new FB feature

(W) Warning iTunes users

Watch out iTunes users.. Don't click on that fake iTunes receipt email or you'll get the very bad Zeus bot malware...

(P) Patch your Adobe for 23 holes

OK everyone.. Patch your 23 holes of Adobe Reader... Until next month.. There will be more I'm sure..

Monday, October 4, 2010