Security Corner


February 28, 2011  11:45 PM

Good Password Advice is Never Wasted

Ken Harthun

So, let me repeat myself. People tell me every day about how this kind of advice helps them, so here it is again.

A little alliteration is good for writing effect every now and then; why not apply this to passwords? I don’t mean to write out an alliterative phrase and turn it into a password or passphrase (though you could, I guess); what I mean is to use a pattern that makes it easy for you to remember the password, but still results in a very strong, un-guessable one. Here’s an example of a very strong password: 19[-[Phrase]-]60.

This one is very weak: %6*Some*Phrase*6%. Can you see why? Too many repetitions of characters. Change it slightly, %6!Some*Phrase!6%, and it becomes very strong.

The trick is to come up with a pattern that means something to you. By no means should you use the patterns I suggest—use something that will be easy for you to remember.

I’ll leave it to you to analyze the two examples and let you come up with your own. Remember, the bad guys read these blogs, too.

You can mosey over to the Password Meter page at Ask the Geek to check the patterns/passwords you come up with. That’s the best password meter I’ve ever seen, bar none.
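As an added example (not part of the original post, and not the scoring rules of the Ask the Geek Password Meter it points to), here is a small Python meter that scores the post's three sample passwords on the things any meter looks at: length, character classes and repeated characters. The four character classes and the repetition discount are this example's own assumptions.

```python
import math
import string

# Character classes this example meter recognises (an assumption of this example;
# the Ask the Geek Password Meter the post points to has its own rules).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# The three sample passwords from the post.
SAMPLES = ("19[-[Phrase]-]60", "%6*Some*Phrase*6%", "%6!Some*Phrase!6%")


def classes_used(password):
    """Names of the character classes that occur at least once."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def pool_size(password):
    """Alphabet size an attacker would have to search if every position were a fresh draw."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def naive_bits(password):
    """length * log2(pool): the figure simple meters start from, before any penalties."""
    pool = pool_size(password)
    if pool == 0:  # empty, or only characters outside the four classes
        return 0.0
    return len(password) * math.log2(pool)


def repeated_positions(password):
    """Number of positions that merely reuse a character already present."""
    return len(password) - len(set(password))


def discounted_bits(password):
    """Like naive_bits, but a repeated character counts only log2(distinct characters
    seen so far): it is a pick among characters already on the table, not a fresh draw."""
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    fresh = math.log2(pool)
    seen = set()
    total = 0.0
    for c in password:
        if c in seen:
            total += math.log2(len(seen))
        else:
            seen.add(c)
            total += fresh
    return total


def report(password):
    """One-line summary of what the meter sees in a password."""
    return {
        "length": len(password),
        "classes": classes_used(password),
        "repeats": repeated_positions(password),
        "naive_bits": round(naive_bits(password), 1),
        "discounted_bits": round(discounted_bits(password), 1),
    }


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw:20} {report(pw)}")
```

Run it and the two %6 variants land within a few bits of each other, with the ! version slightly ahead; a meter that calls the first "very weak" and the second "very strong" is weighting repetition far more heavily than this model does. Either way, a meter measures structure only: it cannot tell that a pattern has been published, which is exactly the point of "the bad guys read these blogs, too."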

February 28, 2011  11:21 PM

What the Heck is a Botnet?

Ken Harthun

I have recently had issues with trying to explain botnets to a client. I was met with blank stares.

Thanks to Sophos for this definition:

A botnet is a collection of infected computers that are remotely controlled by a hacker.

Once a computer is infected with a bot, the hacker can control the computer remotely via the internet. From then on, the computer is a “zombie,” doing the bidding of the hacker, although the user is completely unaware. Collectively, such computers are called a botnet.

The hacker can share or sell access to control the botnet, allowing others to use it for malicious purposes.

For example, a spammer can use a botnet to send out spam email. Up to 99% of all spam is now distributed in this way. This enables the spammers to avoid detection and to get around any blacklisting applied to their own servers. It can also reduce their costs because the computer’s owner is paying for the internet access.

Hackers can also use zombies to launch a distributed denial-of-service attack, also known as a DDoS. They arrange for thousands of computers to attempt to access the same website simultaneously, so that the web server is unable to handle all the requests reaching it. The website thus becomes inaccessible.


February 28, 2011  11:08 PM

Skype Configuration Security Issues

Ken Harthun

People who are using Skype are clueless about how to configure it for maximum security, especially if they have set up a public chat. The default security settings for Skype are not adequate by any means.

Let me give you some tips. First off, click here for the list of commands you can issue in a Skype window.

If you have a public chat, you absolutely must issue this command:

/set options +TOPIC_AND_PIC_LOCKED_FOR_USERS

If you don’t do that, then anyone can change the chat topic and/or title.

Also, change your privacy settings to allow only your contacts to call you and send you private messages.

If you have those things in place, you’re somewhat secure.


February 28, 2011  4:01 AM

New Cyberweapon Could Take Down the Internet

Ken Harthun

A new cyberweapon could take down the entire internet – and there’s not much that current defenses can do to stop it. (Marvin Martian proposed this a long time ago as immediate disintegration) So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defenses.

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.

“Normal DDoS is a hammer; this is more of a scalpel,” says Schuchard. “If you cut in the wrong places then the attack won’t work.”

OK. Forgive me, but while I believe this is possible, only a government could mandate it, and I don’t believe we have anyone in Washington who is savvy enough to do it. But, hey, it’s scary enough. Check it out at: http://www.newscientist.com/article/dn20113-the-cyberweapon-that-could-take-down-the-internet.html

By the way, I am Marvin Martian’s boss, the one he refers to as “Sir Altitude.”

Have fun!


February 27, 2011  3:45 PM

The Invisible Web and What You Can Do About It

Ken Harthun

There’s an invisible web that underlies everything we see: tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior. In other words, trackers. The debate rages on about the use of trackers by online advertisers, and many people simply do not want to have their online activities tracked. But what can one do about it?

I suggest that you check out Ghostery.com. They have a great little Firefox add-on that is free to download and use – plus you have their promise that Ghostery will never be used for advertising. The utility looks at the invisible web, tracks the trackers and gives you a roll-call of the ad networks, behavioral data providers, web publishers, and other companies interested in your activity. Here’s what they do next:

After showing you who’s tracking you, Ghostery also gives you a chance to learn more about each company it identifies. How they describe themselves, a link to their privacy policies, and a sampling of pages where we’ve found them are just a click away.

Then, it gives you options so you can take whatever actions you want: block scripts from companies that you don’t trust, delete local shared objects, and even block images and iframes. That’s putting you pretty much back in control.
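To show what "tracking the trackers" amounts to, here is an added Python example (not Ghostery's code, and not from the original post) that walks a page's HTML, lists the third-party domains it loads scripts, images and iframes from, flags 1x1 images as web bugs, and then shows what a per-company blocklist would do with each resource. The sample page and every hostname in it are constructed for the example; the "last two labels" domain rule is a simplification of what real tools do with the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; the hostnames are made up for this example.
PAGE_URL = "https://example.com/article"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://ads.tracker-example.net/collect.js"></script>
</head><body>
<img src="/logo.png" width="200" height="80">
<img src="https://beacon.tracker-example.net/pixel.gif?uid=123" width="1" height="1">
<iframe src="https://social.widget-example.org/like?page=1"></iframe>
</body></html>"""


def registrable_domain(hostname):
    """Last two labels of a hostname. Simplification: real tools consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(hostname.lower().split(".")[-2:])


class ResourceCollector(HTMLParser):
    """Collects every script, img and iframe that loads from a src URL."""
    WATCHED = {"script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            a = dict(attrs)
            if a.get("src"):
                self.resources.append({"tag": tag, **a})


def find_resources(html):
    """All src-loading script/img/iframe tags, in document order."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return parser.resources


def resource_domain(resource, page_url):
    """Registrable domain a resource is fetched from, resolving relative URLs."""
    host = urlparse(urljoin(page_url, resource["src"])).hostname or ""
    return registrable_domain(host)


def tracker_roll_call(html, page_url):
    """Third-party domains the page pulls resources from, with the tags used and
    whether any of them is a 1x1 image (the classic web bug)."""
    page_domain = registrable_domain(urlparse(page_url).hostname or "")
    roll = {}
    for r in find_resources(html):
        domain = resource_domain(r, page_url)
        if not domain or domain == page_domain:
            continue  # first-party (or unparseable): not a tracker candidate
        entry = roll.setdefault(domain, {"tags": [], "web_bug": False})
        entry["tags"].append(r["tag"])
        if r["tag"] == "img" and r.get("width") == "1" and r.get("height") == "1":
            entry["web_bug"] = True
    return roll


def blocking_decisions(html, page_url, distrusted):
    """What a per-company blocklist would do with each resource: (tag, src, blocked)."""
    return [
        (r["tag"], r["src"], resource_domain(r, page_url) in distrusted)
        for r in find_resources(html)
    ]


if __name__ == "__main__":
    for domain, info in tracker_roll_call(SAMPLE_HTML, PAGE_URL).items():
        print(domain, info)
    for tag, src, blocked in blocking_decisions(SAMPLE_HTML, PAGE_URL, {"tracker-example.net"}):
        print("BLOCK" if blocked else "allow", tag, src)
```

The roll-call only ever sees what is in the markup; trackers injected later by a script the page did allow will not show up in a static pass like this, which is why an add-on that watches requests as the browser makes them sees more than a parser does.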

To be honest, I don’t much care about being tracked and marketed to in a targeted way by reputable companies; however, I do perform security research which sometimes leads me into the clandestine and dangerous areas of the web.

Ghostery currently tracks 486 web bugs & 338 cookies that you can block selectively, so I think that’s got a lot of ground covered. But what’s really interesting about Ghostery is the information they give you on each company/method they have listed. Let me just take one example that I bet you don’t know about: Facebook Beacon. Here’s an excerpt from Facebook’s description:

Facebook Beacon is a way for you to bring actions you take online into Facebook. Beacon works by allowing affiliate websites to send stories about actions you take to Facebook. Here’s how that process happens: If you are logged in to Facebook and visit a Beacon Affiliate, an action you take (like writing a review or purchasing an item), may trigger that website to want to publish a story to Facebook.

Give Ghostery a test drive and see what you learn. I promise that it’s going to give me fodder for many articles about the Invisible Web, so stay tuned.


February 26, 2011  4:17 PM

Website Security – How to Block a Country

Ken Harthun

I often consult with people who are running online marketing businesses and soliciting opt-in subscribers to their newsletters. They do this through special landing pages that have forms specific to the information product they are offering. The danger in having such a form live on the web is not unknown–it’s relatively easy to initiate an SQL injection attack.

Another issue is spammers using robots to sign up for newsletters and then using the address of the marketer to attempt to hack the mailing list management service he uses. Most of these services use the marketer’s email address as the account username, so if a hacker or spammer has that information, they can then attempt an attack on the password.

Finally, there is the issue of junk traffic and subscriptions. Naturally, a marketer wants prospects that are not only interested in the products offered, but capable of buying them. Depending on the marketing methods used, traffic can come from anywhere in the world, and often does. My own newsletter at Ask the Geek has a worldwide subscriber audience.

Let’s say we want to block all traffic from China. It’s mostly useless, it’s spammer/hacker central, and they don’t buy anything. Start with http://www.blockacountry.com. When you arrive at the site, look to the sidebar on the right and select the country or countries you want to block. You’ll be asked for your email address. This is OK, it’s just for update purposes. Click the submit button.

You’ll get a pre-configured text that you add to your .htaccess file on your web server. Here’s a look at the concatenated version of what I got:

ErrorDocument 403 http://www.proxynetwork.ws/blocked.html
<Limit GET HEAD POST>
order allow,deny
deny from 1.12.0.0/14
deny from 1.24.0.0/13
deny from 1.45.0.0/16
deny from 1.48.0.0/15
...[[huge list of every IP address in
the country]]...
allow from all
</Limit>

You can change the location of the 403 error document to one you have created on your server. Then, just copy and paste or upload the file to your www root folder and you’re good to go. Full instructions are on the referenced website.
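As an added example (my own, not output from blockacountry.com or part of the original post), here is a Python script that takes a CIDR list like the one above, validates it, renders the .htaccess in both the Apache 2.2 syntax the post shows and the Apache 2.4 syntax, and lets you check which visitor addresses the file would actually reject before you deploy it. The only ranges used are the four visible in the post's excerpt; the error page path is a placeholder.

```python
import ipaddress

# The four ranges visible in the post's excerpt; the real download is far longer.
SAMPLE_RANGES = ["1.12.0.0/14", "1.24.0.0/13", "1.45.0.0/16", "1.48.0.0/15"]


def parse_ranges(cidrs):
    """Validate the list up front: a malformed range such as 1.12.0.1/14 raises
    ValueError here rather than breaking the site at Apache restart."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_blocked(ip, networks):
    """Would a visitor from this address be denied by the rendered file?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def render_htaccess_22(cidrs, error_page="/blocked.html"):
    """Apache 2.2 syntax (needs mod_access_compat on 2.4). Deliberately no
    <Limit GET HEAD POST> wrapper: the post's version only restricted those three
    methods, so any other method would have bypassed the deny list."""
    lines = [f"ErrorDocument 403 {error_page}", "Order allow,deny"]
    lines += [f"Deny from {net}" for net in parse_ranges(cidrs)]
    lines.append("Allow from all")
    return "\n".join(lines) + "\n"


def render_htaccess_24(cidrs, error_page="/blocked.html"):
    """The same policy in Apache 2.4 mod_authz_core syntax."""
    lines = [f"ErrorDocument 403 {error_page}", "<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {net}" for net in parse_ranges(cidrs)]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES)
    for probe in ("1.13.7.7", "1.16.0.1", "8.8.8.8"):
        print(probe, "blocked" if is_blocked(probe, nets) else "allowed")
    print(render_htaccess_24(SAMPLE_RANGES))
```

Two things to check on the server itself: the `Order`/`Deny` form silently stops working on Apache 2.4 unless mod_access_compat is loaded, so match the syntax to your version; and if you point ErrorDocument at a page hosted on the same server, that page must be exempted from the deny rules (or hosted elsewhere, as the generated file does), otherwise the blocked visitor sees a bare 403 instead of your page.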


February 24, 2011  8:02 AM

Top Ten Tips for Avoiding Online Scams

Ken Harthun

People since time immemorial have fallen for scams of various kinds. Chalk it up to wishful thinking, dreaming, greed, what have you, but eventually, everyone finds themselves gullible. If that weren’t the case, life would lose some of its luster. We love to play act; we love to be fooled; and, we love to fool others as long as it’s all in good fun. Unfortunately, there are malicious people–cyber criminals and scam artists–who love to take advantage of those traits for their own gain and our (usually financial) loss.

Here are the top ten tips, courtesy of OnGuardOnline.gov for avoiding online scams:

  • Don’t send money to someone you don’t know.
  • Don’t respond to messages that ask for your personal or financial information.
  • Don’t play a foreign lottery.
  • Keep in mind that wiring money is like sending cash: once it’s gone, you can’t get it back.
  • Don’t agree to deposit a check from someone you don’t know and then wire money back.
  • Read your bills and monthly statements regularly—on paper and online.
  • In the wake of a natural disaster or another crisis, give to established charities rather than one that seems to have sprung up overnight.
  • Talk to your doctor before buying health products or signing up for medical treatments.
  • When considering an investment, remember that there’s no such thing as a sure thing.
  • Know where an offer comes from and who you’re dealing with.

I’ve been saying these same things all along, but I will continue to repeat them for as long as I need to.


February 24, 2011  1:49 AM

OnguardOnline.gov is a Winner

Ken Harthun

Once again, the Security Now! podcast has given me cause to justify my relentless insistence that security begins with the person sitting at the keyboard. No amount of Geeky IT rules, security policies and other preventive measures will ever be effective if the end user doesn’t understand them. This is why we need good educational resources to teach with. Believe it or not, our own U.S. Government has produced one. I’ll let Steve Gibson give you the highlights:

…if any of our listeners have ever wished there was a friendly, easy-to-use, really well put together website that they could point their less savvy friends and relatives to, I’ve got to say now there is. The FTC site is called OnguardOnline.gov, just all run together, OnguardOnline.gov. And it’s very nicely designed. In fact, I was impressed by it.

Well, so was I. I have posted a notice in several chat rooms that I participate in to help spread the word. Here’s my most recent post:

Hi Everyone. You know I’m an online security professional and nowhere is security more important than in our own IM businesses. A hacker could ruin your entire business in a minute if he gained access to any of your critical account information.

[8:33:48 PM] + Ken Harthun (Asst. Host: TIIMG): But there’s an awful lot of “geek speak” that sometimes goes with security and people get confused. Good news, though: our own government, in cooperation with the technology industry, has come up with a great site to help you protect yourself.

[8:35:01 PM] + Ken Harthun (Asst. Host: TIIMG): Go check out http://www.OnGuardOnline.gov and you’ll see what I mean. And please heed the advice there.

Please tell everyone you know who may benefit from the information there. This is very solid and useful information written for regular people, not Geeks.


February 17, 2011  4:26 PM

Webcast – Strategies for Protecting Virtual Environments

Ken Harthun

I hope you find my alerts about these webcasts valuable. In general, they have some sort of product pitch built in, but I always manage to glean some valuable information from them. Once again, I have one presented by Sophos, “Strategies for Protecting Virtual Environments: Balancing Security with Performance,” scheduled for February 24, 2011, 2 pm ET/11 am PT. It is a complimentary webcast. Here’s the abstract:

The move to virtual servers has allowed organizations to reduce TCO while increasing IT and business efficiency, flexibility and reliability. Many are looking to extend these benefits to their endpoints with virtual desktops. With the increased adoption of virtualization, organizations now face a new set of security challenges.

Join Jonathan Tait at Sophos, for a live Webcast to learn about the security challenges for both server and desktop virtualization and strategies for balancing protection with performance. Jonathan will discuss these key topics and more:

  • How virtualization changes your security posture
  • Virtualization security needs and issues
  • Strategies for a secure virtual environment

You can register here if you wish to attend.


February 13, 2011  12:55 PM

How to Spot a Tech Support Scam

Ken Harthun

There seems to have been a rash of tech support scams lately, some with people actually pretending to be from Microsoft. The scammers seem to target online forums and tech support sites, so be careful what you post if you really do have a technical problem. (You are always welcome to Ask the Geek; that’s my site, so you’re safe.) Let’s take a look at some of the warning signs that will clue you in to the fact that you’re probably being scammed. This is taken from one particular incident reported by Woody Leonhard in Windows Secrets.

  • First of all, the call will be unsolicited. Even if you asked on a forum, do not assume that the call is in relation to that. You didn’t ask for a phone call, so if you get one, be wary.
  • They will ask you for personal contact information, or perhaps pretend they already know it.
  • You are asked for your Windows activation code or CD key. There’s no reason why anyone would need this to fix your PC; it’s just a tactic to make you think they’re legitimate.
  • They will ask you for some other sort of code or “warranty check” information which you won’t have, and which, of course, is completely bogus anyway.
  • Something like this will happen next (as described by the almost-victim in the above article). The person was put on hold while the “technician” purportedly “checked” the warranty: “A few minutes later, he was back and gave me the unfortunate news that my free support period had ended. He told me I would have to pay $99 for extended support and directed me to a place on the website to enter my credit card information. I’m not sure why, but I smelled a rat, so I hung up on him.”
  • The website you are referred to looks legitimate and may even say things like, “Microsoft Registered Partner” and have an official Microsoft logo, or it may say “This company is a Technical Support Provider.”
  • The domain name is registered in a foreign country and/or does not have legitimate contact addresses or phone numbers associated with it.
  • The website they refer you to may have numerous spelling and grammatical errors or just “doesn’t look right.”
  • The “support engineer,” or whatever he calls himself, wants you to review your Event Viewer logs and points out that there are numerous yellow and red flags. This, of course, is normal for most Windows machines, but they will try to convince you of the dire consequences of ignoring the warnings and errors.

Don’t fall for it. Most of this will be social engineering in one form or another. They will get your money, they will get your personal information, and they may steal your identity.

