Articles & Presentations
Sunday, October 31, 2010
(W) (F) Warning all public WiFi users... Home users too.. FireSheep arrives and Grandma can hack your accounts via WiFi
A game-changing tool was released this week that should change how people think about WiFi security. How? Why?...
FireSheep is an add-on for FireFox. Windows users will need WinPcap installed, Mac users are ready to go, and Linux support is coming... (FireSheep website)
FireSheep takes advantage of the way websites handle the session cookie that keeps track of who you are after you log on. Most sites only use HTTPS for the login page itself; after that, the session cookie travels in the clear over plain HTTP on every request, where anyone on the same WiFi network can read it. So yes, logging on via HTTPS will NOT protect you from this; only a site that keeps the whole session on HTTPS and marks its cookies Secure is out of FireSheep's reach. I have tried it and 'ZOIKS Scooby Doo !!!!' I so can pwn your account over open WiFi...
It's a simple add-on for FireFox: you just press 'Start Collecting' and, after a short time, 'Stop Collecting', and you will see icons for all the FaceBook, Twitter, Yelp, DropBox, etc. sessions of people who visited those sites while on the same WiFi network as you, say at Starbucks, the airport, or yes.. your home, so your neighbors...
Now this only works over OPEN WiFi, not WiFi secured with WPA (or, preferably, WPA2). One caveat: a WPA/WPA2 pre-shared key only keeps out people who do not have the key. Someone who knows the key and captures your connection handshake can still decrypt your traffic, so a protected network raises the bar but does not replace the websites fixing their cookies.
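To make the cookie problem concrete, here is an added example (not code from the original post or from the FireSheep add-on itself). It shows both halves of the problem: harvest_sessions() does what a passive listener on open WiFi does, pulling session cookies per host out of plaintext HTTP requests, and audit_set_cookie() is the check a site owner should run, flagging session cookies set without the Secure attribute, which the browser will also send over plain http:// requests. The captured requests, Set-Cookie headers, host names and cookie names are all constructed for the example.

```python
"""Added example, not code from the original post or from the FireSheep add-on.

Two halves of the sidejacking problem described above:

  harvest_sessions()  - what a passive listener on open WiFi sees. It walks
                        plaintext HTTP requests (constructed sample traffic
                        below, not real captures) and pulls session cookies
                        per host, which is all a FireSheep-style tool needs
                        to replay your logged-in session.
  audit_set_cookie()  - the server-side check. It parses Set-Cookie headers
                        and flags any session cookie without the Secure
                        attribute, i.e. one the browser will also send over
                        plain http:// requests and so expose to the sniffer.

Host names and cookie names are illustrative assumptions.
"""
from http.cookies import SimpleCookie

# Constructed sample: three plaintext HTTP requests as they would appear on
# the wire after the user logged in over HTTPS. The first two carry session
# cookies; the third is anonymous.
SAMPLE_CAPTURE = [
    "GET /home.php HTTP/1.1\r\nHost: www.example-social.com\r\n"
    "Cookie: c_user=1234; xs=abc123def; locale=en_US\r\n\r\n",
    "GET /timeline HTTP/1.1\r\nHost: www.example-micro.com\r\n"
    "Cookie: _session_id=f00dcafe; lang=en\r\n\r\n",
    "GET /robots.txt HTTP/1.1\r\nHost: www.example-news.com\r\n\r\n",
]

# Constructed sample Set-Cookie headers as a site might send them at login.
SAMPLE_SET_COOKIE = [
    "xs=abc123def; Path=/; HttpOnly",          # session cookie, no Secure: leaks
    "c_user=1234; Path=/; Secure; HttpOnly",   # session cookie, Secure: safe
    "locale=en_US; Path=/",                    # preference, not a session
]

# Assumed names of the cookies that identify a login session on these sites.
SESSION_COOKIE_NAMES = {"xs", "c_user", "_session_id"}


def parse_request(raw):
    """Return the headers of one plaintext HTTP request, keys lower-cased."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_cookie_header(value):
    """Split a request Cookie header ('a=1; b=2') into a dict."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def harvest_sessions(capture):
    """Map host -> session cookies for every request that carries one."""
    found = {}
    for raw in capture:
        headers = parse_request(raw)
        host, cookie_header = headers.get("host"), headers.get("cookie")
        if not host or not cookie_header:
            continue
        cookies = parse_cookie_header(cookie_header)
        session = {k: v for k, v in cookies.items() if k in SESSION_COOKIE_NAMES}
        if session:
            found[host] = session               # enough to replay the login
    return found


def audit_set_cookie(set_cookie_headers):
    """Return the session cookies a site sets without the Secure attribute."""
    leaking = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in SESSION_COOKIE_NAMES and not morsel["secure"]:
                leaking.append(name)
    return leaking


if __name__ == "__main__":
    for host, session in harvest_sessions(SAMPLE_CAPTURE).items():
        print(f"{host}: {session}")
    print("session cookies sent in the clear:", audit_set_cookie(SAMPLE_SET_COOKIE))
```

The point of the pairing: a cookie that fails audit_set_cookie() is exactly the one harvest_sessions() picks up, and no amount of HTTPS on the login page changes that. HttpOnly, which the sample "xs" cookie does have, stops scripts from reading the cookie but says nothing about the wire; only Secure (and keeping the whole site on HTTPS) does.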
I was at a Starbucks near the first LASCON Web App Security Con on Friday and told this to a visiting manager who was in the store recording the art of space planning with a webcam so customers get served quickly.. I informed him of this and told him to check my blog... Hopefully companies like Starbucks get this, and fast, or users will have their accounts 'popped', as we call it, quickly.
If you want to protect yourself and you run a WiFi hotspot like Starbucks, then all you need to do is set a WPA2 WiFi key and make it obvious, like Starbucks or FREE. It does not have to be unique, just something everyone knows so it is still easy for your customers or your family to remember, but you MUST set up a WPA key to beat FireSheep as it ships today. Remember that anyone who knows that shared key can still decrypt other users' traffic with a bit more work, so the real fix has to come from the websites keeping the whole session on HTTPS.
So what can I do if I hijack your session? Post a malware link as you, change your password, steal any data I choose, send a message to your girlfriend to meet you, or really... me (Hey Samy.. add this to your presentation), and steal your files, login info and anything else from the list of websites seen in the image... And MORE sites coming !!!!
Let me know what you think... Send me an email.
#Security #FireSheep
5 Stages of vulnerability management...
If you don't have a vulnerability management program, you should. This article is a good example of the five stages you go through (denial to acceptance) if you don't think you need to have, or improve, your program.
http://ping.fm/R6Iml
Thursday, October 28, 2010
(U) (F) Microsoft offers Security essentials through Windows Update
Now you don't have an excuse not to install the FREE Microsoft Security Essentials AV/anti-malware from Microsoft. They now offer it as an update through Windows Update, so you don't have to download and install it separately. http://ping.fm/3sU3y
Sunday, October 24, 2010
Want to learn some stuff? Read my presentations
(F) Want to prevent Malware? Don't surf as Admin
Avoid 57% of vulnerabilities by removing your administrator rights!!! It avoids 90% or more of critical vulnerabilities!! This means that if you create a Standard User account in Windows or on a Mac and use it for everyday surfing, you avoid 90% or more of the critical vulnerabilities infecting computers these days, because anything that gets in runs with your limited rights instead of the admin's... Study by BeyondTrust. Read my Top Ten Prevention items if you want to surf securely.
http://www.net-security.org/secworld.php?id=9068
Thursday, October 21, 2010
(W) Might want to make sure your car is actually locked
A device is being used to jam the signal from your key fob so the car never actually locks, making it easier to steal.... Make sure your car is actually locked before you walk away.
Bruce Schneier article
Sunday, October 17, 2010
(F) Google's Gmail checklist for 5 ways to have a Hacker free life
For you Gmail users, Google has come up with a checklist of 5 recommendations, or steps to take, to secure your Gmail.
Google Gmail Checklist
Saturday, October 16, 2010
(F) US looking at Australian Internet Security program
The US Federal government is looking at the Australian government's program that gives ISPs the ability to warn customers that their computer is infected and then block them if the user does not address the issue.
So if you don't surf safely... the Feds might allow your ISP to cut you off from the Internet, for your own protection and the Internet's.
Yahoo News article
Friday, October 15, 2010
(W) Zeus behind scenes of new phish.. "Your Tax payment failed.."
Follow the link in the fake EFTPS (Electronic Federal Tax Payment System) email that is going around and you will hand the bad guys your info, which they can use to steal money out of your bank accounts via fraudulent wire transfers...
A growing spam attack warning recipients of a problem with their tax payments has been circulating. But it is more than a phishing ploy to attain recipients' confidential information, according to Solera Networks. Researchers at the network forensics company have evidence that this campaign is actually infecting machines using a new exploit to join a pre-existing Zeus botnet.
SC Mag article
Thursday, October 14, 2010
(F) (U) Malicious Software Removal Tool updated to detect the Evil Zeus Trojan
The latest M$ patch bundle includes an update to the Malicious Software Removal Tool (MSRT), which now detects the EVIL Zeus trojan !!!! MSRT only runs automatically once a month, so run it now... Start > Run > MRT... If it finds anything.. you will need to read my DON'T Click on THAT... Top Ten..
MSRT website
Wednesday, October 13, 2010
A good article about the news business and how mergers affect quality journalism.
Brian Krebs, one of my favorite InfoSec research bloggers, gets well-deserved kudos.
Dim Reading in Geekville - Trevor Butterworth - Medialand - Forbes
http://ping.fm/8wh2F
(F) (W) Facebook to get One Time Passwords (OTP) using your cell
Updated...
Hey FB users !!! Wanna give FB your Cell knowing their Privacy position? Just to have another way to enter a password??? I think they just want to SMS you Ad texts... Or worse...
PayPal already offers this, Google Docs users will soon be able to as well, and now Facebook lets your cell phone take part in the logon. A true second factor is something you have (the phone) used along with something you know (username and password). Note that Facebook's version, described below, is not quite that: the texted code stands in for your password rather than adding to it.
I HIGHLY recommend it for PayPal and Google Docs as well as banking, but FaceBook????
My first experience with giving FB my Cell was to get signed up for premium texts that charged my Cell Bill $5 per month...because I wanted to play a game...
I just don't trust FB enough to add my cell number to their database and allow them to harvest that data for who knows what marketing, gaming, texting scam someone comes up with...
The recent Group rollout that allows your friends to add you to a group without approval is a perfect example of a new feature and ZERO user control.. And Privacy first mentality.. Until it's too late and you get SPAMMED and added to Groups you didn't want to begin with..
Be wary, FB users... If you want a stronger password, use SuperGenPass or LastPass, or both as I do, to generate stronger passwords.
The idea is this.. If you're on a computer you don't trust, such as a kiosk or one in a cafe, and you don't want to enter your real password, you can request a one-time password (by texting "otp" to 32665 from a US mobile phone). The OTP is returned as a reply text message. The user can then log in from any computer with it, and the OTP is good for 20 minutes.
So now your real password never gets entered on the 'untrusted' computer. Why you would ever use an untrusted computer is beyond me, but hey.. We all have a need at some point...
Read more here: PC Mag article on Facebook OTP
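To show what the 20-minute, single-use property actually buys you, here is an added example of the server side of such a text-message OTP flow. It is not Facebook's code; the phone book, the 8-digit code length and the reply wording are assumptions. The user texts "otp" to the short code, gets a random code back, and that code works exactly once within the window, so whatever a kiosk keylogger captured is worthless afterwards.

```python
"""Added example, not Facebook's code: the server side of a text-message
one-time password flow with the properties the post describes. The user
texts "otp" to the short code, gets a random code back, and that code is
valid for 20 minutes and usable exactly once, so whatever a kiosk captured
is worthless afterwards. The phone book, code length and message wording
are assumptions.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60      # validity window stated in the post
OTP_DIGITS = 8                 # assumed code length

# Assumed mapping of the phone number on file to the account it belongs to.
PHONE_BOOK = {"+15551234567": "alice"}


class OtpStore:
    """Issue and redeem single-use, time-limited codes."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable so tests can move time
        self._pending = {}                     # user -> (sha256(code), expires_at)

    def issue(self, user):
        """Create a fresh code for `user`, replacing any earlier unused one."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        digest = hashlib.sha256(code.encode()).hexdigest()   # never store the code itself
        self._pending[user] = (digest, self._clock() + OTP_TTL_SECONDS)
        return code                            # only ever leaves via the SMS reply

    def redeem(self, user, code):
        """True exactly once for a correct, unexpired code.

        The pending entry is removed on every attempt, right or wrong, so a
        code can be neither replayed nor guessed by repeated tries."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())


def handle_inbound_sms(store, sender, body):
    """Simulate the short code: 'otp' from a number on file gets a code back.

    Unknown senders and other messages get no reply, so the short code does
    not confirm which phone numbers have accounts."""
    user = PHONE_BOOK.get(sender)
    if user is None or body.strip().lower() != "otp":
        return None
    code = store.issue(user)
    return f"Your one-time password is {code}. It expires in 20 minutes."


def login(store, user, candidate):
    """Password check as seen from the untrusted computer: the OTP stands in for the password."""
    return store.redeem(user, candidate)


if __name__ == "__main__":
    store = OtpStore()
    reply = handle_inbound_sms(store, "+15551234567", "otp")
    print("SMS reply:", reply)
    code = reply.split()[4].rstrip(".")
    print("first login:", login(store, "alice", code))
    print("replay:", login(store, "alice", code))
```

Two design choices worth noticing: the code is stored only as a hash, so a database read does not reveal live codes, and a wrong guess consumes the code. That second choice means an attacker cannot run through the small code space against one pending entry, at the cost that someone who knows your username can spoil a code you just requested; a production system would allow a handful of attempts before discarding it.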
Tuesday, October 12, 2010
101 Flaws in a week... Really???
(U) Upgrade your Windows.. 49 fixes in this bundle
Monday, October 11, 2010
(F) This says it all... malware EXPLODING
"In the last two to three years we have seen more individual pieces of malware than in the entire 30 years before that time," said Mr Chris Bolin, a former chief technology officer at McAfee who is now head of UK security firm Prevx, which is trying to start the initiative.
Article on Security Tool change
(F) Understanding your Teens surfing behavior
More on National Cyber Security Awareness Month - Understanding your Teens Surfing behavior
http://ping.fm/uErzV
Sunday, October 10, 2010
(F) How and why NOT to be an administrator in Windows
More on ways and reasons NOT to be an administrator when using the InterWebbings...
http://ping.fm/yRYWh
Wednesday, October 6, 2010
(F) National Cyber Security Awareness Month (NCSAM)
For those interested in the Top Ten things you can and should do to secure your computer and safely surf the InterWebbings... Read my presentation "Don't click on THAT!!!"
Top 10 Presentation - Don't click on THAT!
(F) & (W) Facebook users can now download their profile
OK everyone... FaceBook now lets you download everything about yourself in a zip file, so you can have and see what is on FB about you !!!!
SC Mag article on new FB feature
(W) Warning iTunes users
Watch out, iTunes users.. Don't click on that fake receipt email or you'll get the very bad Zeus bot malware...
http://ping.fm/5DDjM
(P) Patch your Adobe for 23 holes
OK everyone.. Patch your 23 holes of Adobe Reader... Until next month.. There will be more I'm sure..
http://ping.fm/IA7Q0