RSS

Category Archives: security

The’re out to get us! maybe

As I promised I will now attempt to convince you of the importance of being paranoid about security.

To convince you that you need to worry about your security I think I first need to make it clear to you why you need security. Its pretty simple really, you need to keep your information secure to keep your pocket secure! wheather you like it or not we live in a world where the slightest piece of information could allow someone to steal your identity and empty your bank account or worse. Some of you right now are yelling “RUBISH!” but it isn’t! Your saying “Why would anyone want to steal my information?” or “Well, its has to be hard to actually steal someone’s identity and even the how could it possible be used against me?.” Lets take a little closer look at these.

Why would anyone want to steal my information

Why not? Lions go after the gazelles in the back limping around and looking at the flowers instead of looking for lions! If you don’t care about your security it becomes very easy for anyone to steal your information. Furthermore, these people don’t care if who you are, where you are from, or how much money you have. The pros are going to get into your bank account empty it out, open a few credit cards and max them out, and maybe sell of your information to someone who wants to use your information to get medical care that you will have to pay for (plus it will be in YOUR medical records that you had a kidney transplant, or whatever, when you didn’t). At best you will probably loose your life savings to some druggie.

Well, its has to be hard to actually steal someone’s identity and even the how could it possible be used against me?.

Of course it will probably take more than your name, but one piece of fairly arbitrary information could lead the person to more information about you. It is pretty easy to figure out where people live and from there you can learn a lot about a person by stealing their mail. Now, this kind of goes back to why would anyone go to all of this trouble. Well, they probably won’t unless they have a good reason to target you. You can take the chances at your own risk.

I don’t want you to think that security is only related to computers. You should be paranoid in all aspects of life because “there is no patch for human stupidity.” You should consider the possibility that any given person is out to get you. That means the guy casually talking to you at the store might be looking for people who are going to be out of town for the weekend so he can rob them. Every one might be out to get you.

I don’t know why some people are born paranoid and others are born to be overly trusting but I consider it a good thing that I’m one of those paranoid people. It can be a bit annoying at times because I’m always looking for malice where there is none to be found (e.g. from people who don’t have the mental capacity for trickery). The real reason I’m talking about this isn’t to save people money but because I don’t want them to use insecure practices and get their computers taken over by botnets and then send me spam.

You may already be a paranoid person, if you are then try to spread the paranoia. All you have to do is make a well placed comment to a friend and they will always be a little paranoid in the back of their mind :).

 
Leave a comment

Posted by on April 17, 2008 in security

 

Tags: , ,

11 security tips

A lot of people don’t seem to know or care about the security of their computers. If you are reading this site you probably aren’t one of those people but I’m sure you know some, and if you are one of those people then READ THIS! Even if you are a security knowledgeable citizen of the intertubes there may be a few things you don’t know or you can at least share this with your “dumb” friends :).

If you happen to be one of those “dumb” friends and you don’t understand any of this don’t hesitate to ask you “smart” friend for help. We love it when you ask us for help with your computers.

Don’t use Microsoft products:

As a general rule Microsoft products are not the most secure, though thats not to say if its not made by Microsoft it is secure or that only open source software is secure. I’m not just talking about windows here; outlook, IE, MSN messenger, and whatever tend to have more security flaws then their competitors. I believe this is partially due to the way Microsoft makes products (e.g. buy something someone else made and give it to developers that aren’t familiar with it and tell them to screw with it so that it is different then it was when they got it and get it out the door as fast as possible with absolutely no testing), Microsoft’s monopoly, having fewer devs looking at the code than an open source project would. This really is the most important thing you can do to protect yourself. I guess I can’t just tell you to stop using Microsoft products without giving a suggestion on what you should use. Ubuntu is probably the best thing for a non-technical person to use if they want to continue to use the computer they already have. If you are a non-technical person or your “friend” is and you are in the market for a new computer I would suggest apple products. If you insist on using Windows I only ask that you stop using IE. Switch to firefox.

Keep up to date:

In general software becomes more secure with time. So it is generally a good idea to have the latest version of software, or at least the software that is going to be connecting to the internet (i.e. your web browser, email client, or instant messenger). It is especially important that you keep up to date on the updates for you OS.

Browse defensively

It a pun of defensive driving get it? Yeah, I know it wasn’t funny… Anyway, unsafe browsing habits is among the top causes of security problems. Pay attention to what you are doing. If you get an email claiming that paypal needs your password treat it the same way you would if you got a letter in the mail that says Social Security needs your social security number. This is called phishing. You will be sent to a web site that looks a lot like paypal but is not paypal. All you have to do is look at the address bar and see that you are at http://www.someurl.com (that is an example and not really where you will be) instead of at http://www.paypal.com.

Besides getting your information stolen unsafe browsing can lead to viruses and root kits (a program that takes control of your computer so that a cracker can use it). So be careful what you download. If you are doing loading a file and its called 5billionpicsofsexygirl.exe.zip, it is not the porn you wanted but a virus! You should always be leery of files with two extensions. Also, check the file size. if it is really 5 billion pictures it is going to be much larger than 500kb.

This topic is another great example of why you shouldn’t run windows. Windows has many vulnerabilities that will allow an attack to install software onto your computer by simply directing you to a webpage or getting you to open an email.

Use long, random passwords:

Passwords are generally your first line of defense against an attack and the longer and less guessable they are the safer they are. I talked recently about a website that generates a very long password for you. I suggest that you use it.

Don’t right down your passwords:

You remember those dosen long random passwords I told you to use? Yeah, never ever write them done (or give them to others). If you do it completely defeats the purpose of having them because then anyone can just read it! There are some memory tricks you can use remember them if you are having trouble: break each password up into small section of 1-3 characters (e.g. if your password is oetuhc89dh break it into oet uhc 89 dh or oet uhc 89d h), or assign each character in your password to an object and place that object in you memory palace.

To be honest, I don’t remember most of my passwords. I let firefox remember them for me and I just use a master password. I know this isn’t the most secure thing to do but its better than using the same one password I remember for every site. I also keep all of my passwords in an encrypted text file (that is NOT labeled passwords.txt). If you are really paranoid you might want to keep this on a flash drive so that the people in black helicopters can’t steal your hard drive and recover the unencrypted text file from your deleted files. I just use srm.

Use security extension for firefox:

I’ve already said that you shouldn’t use IE because it isn’t secure and that you should use FireFox (or opera if you want). Now I’m going to tell you that FireFox is still not secure enough. FireFox is better than IE but like all things in this world it isn’t perfect. Fortunately, there are some extensions that can bring Firefox closer to perfection.

fireGPG
flashBlock
McAfee Siteadvisor
NoScript
SafeCache
SafeHistory

secure your network:

I’m all for sharing your network with others, but it really isn’t very secure. a lot of people don’t even know that it is possible to log in to their wifi router and change things. Well you can. so lets all go to http:192.168.1.1 and change our routers passwords and then go over to the security tab and turn on encryption (make sure you know the wep key or wpa password).

If you know what your doing and you want your network to be secure but also want to allow others to use it, you can make a section that you use which is secure and a section for others to use that is open.

Turn off file sharing:

File sharing is evil turn it off when you aren’t using it. Next time you stay at a hotel that offers free wifi poke around at the network a bit and you will be amazed to find probably dozens of windows machines that have file sharing (not as in p2p) on and completely open to you. This is yet another reason why you should not use windows. Linux/BSD/Mac OS will make you work to reach this level of insecurity whereas windows does it by default (or maybe it is a toggle in the network settings I can’t remember). However, I do believe that vista is a bit more secure than XP when it comes to file sharing.

Use multiple passwords:

As well as using long, random passwords you should be using multiple passwords. In fact, you should really have a different password for everything. At very least use a different password to login to your computer as you use on to log into the bank’s site and yet another for myspace or whatever.

Encrypt your stuff:

Anytime you are using a computer you should have the expectation that someone could get access to your files if they are determined enough. Thus, the only sure way to protect yourself is to use encryption (unless the FBI, CIA or any other organization with a three letter abbreviation for a name are after you.) You have two options: encrypt only the files that you want to secure or encrypt all of your files. Both have their advantages. If you only encrypt certain files it will be a red flag to anyone who finds them that they are important. Encrypting everything means encrypting the partition that your stuff is on. Recently some security experts have shown thatit is relatively easy to get around this kind of encryption. I presume that the attack used to do that only works if the partition is mounted at start up; so if you don’t mount it at start up and simply mount it yourself after you have logged in I think you may be able to protect yourself from this.

If you want to go with the first method (encrypting individual files) you should check out a series I wrote about GNUPG a long time ago.

If you would prefer to use the second method (full partition encryption) you should check out the series that Zeth over at the Commandline Warriors put together.

Remove important stuff with srm or shred.

If you are using full disk encryption this section probably isn’t for you, but if your not listen up. When you delete things from your computer they are not gone! it simply tells your computer that the space that was used for the old data can now be used to something else. So when you delete a file it can often be recovered by people who have the money to do that kind of thing.

Never fear, you can protect yourself from this one Too! Just use srm or shred to delete those important files (both of these (or maybe just one) should be available in your friendly neighborhood repository). Some people argue about which is better and I don’t know so I’m not going to comment. I think both will probably get the job done, however srm is more widely available.

If you are reinstalling your OS or getting rid of your computer you want to make sure that there is nothing left behind from the old OS that could compromise you security. I suggest using a live disk called Darik’s Boot and Nuke (DBAN). If you don’t want to mess with this when you are just reinstalling your OS that is fine, but This is a must if you are going to be getting rid of your computer/hard drive. If you do not wipe the drive before you get ride of it the person who gets it next will have complete access to all of your files.

If you still need a reason to worry about the security of your computer know this: most spam comes from computers which have been taken over by attackers completely without the knowledge of their owners.

Stay tuned for the second part of my security series where I will try to get you to think like a paranoid person. Also Mr.linuxcrayon that FreeBSD review will becoming any day now.

 
20 Comments

Posted by on March 28, 2008 in security

 

Tags: , ,

Site of the Week: High Security Passwords

I usually post the site of the week on Friday but I will be out of town this weekend and thus unable to post site of the week at its normal time. Because I know the thousands of people that read this blog desperately want to see a site of the week and since I didn’t post one last week I will post it today.

This weeks site of the week is Ultra High Security Password Generator. This site is really pretty simple. It generates a pseudo-random 64 hex character string, a 63 ascii character string, and a 63 alpha-numeric string for use as passwords. 63-64 characters is a really long password to remember. If you can do it, go for it; if you can’t, just cut it down to 20-30 characters. It won’t be as secure but it will still take hours upon hours to brute force.

I just noticed today that this site is a product of the Gibson Research Center (I wonder if its hosted on a gibson? 😛 HACK THE PLANET!) as in Steve Gibson of Security Now. I haven’t actually listened to Security Now yet, but I may in the future. However Mr. Gibson has been on the Screen Savers back in the day and on TWIT several times.

Enjoy your internets and remember:
“Seldom do those who are silent make mistakes.” – from the Havamal.

 
1 Comment

Posted by on February 14, 2008 in security, site of the week

 

Tags: , , , ,