Tag Archives: Security

The Current State of Platform, Software and Device Security

The year 2012 and the better part of 2013 have witnessed the birth of new computing platforms, social network platforms and general computing trends that not only make the gadget and internet a better place, but also a more dangerous one. These innovations and developed habits expose us to a variety of threats that we must be aware of in order to survive in the modern digitally connected world.

Security

The release of new platforms gives both legitimate technology users and hackers something to look forward to. Users have to test new features and functionalities as hackers seek to exploit loopholes in the innovations’ firewalls. Since the adoption of new technology improves our efficiency, we will always be vulnerable to the accompanied hacker attacks and hope that the platform, gadget or software developer will release security patches as soon as security related bugs show up.

Are Security Risks Increasing or Decreasing?

As genuine developers come up with new software pieces, malicious developers are also at work trying to come up with re-engineered pieces that are better at breaching current and yet-to-come systems. This trend, confirmed by the attempts to improve on Skywiper/flamer to Stuxnet, gives system administrators something new to think about since they will be facing better-equipped criminals in the near future.

Even though the security trends of the future might strongly lean on the weaknesses of the new platforms and operating systems, we cannot overlook the birth of mobile devices. Since most people do not believe that, there are systems that can intrude the innate security of their mobile devices, cyber criminals might have an easier time in gaining access into the information people share through their devices.

With the number of possible additions to this list almost endless, the number of risks grows exponentially. The diversification of platforms and computing behaviors might give the average person an information overload that might force them to overlook some important security features or give cyber criminals more options to explore.

Do We Have a Choice?

Apart from the security issue, the manner in which we interact with other people is bound to change. The adoption of online solutions will greatly reduce personal level interactions while reducing the control we have over some of the information we might refer to as “personal.”

Nonetheless, the productivity per unit time is bound to increase since we no longer have to do all the hard work. The new systems and hardware products will take care of most of our needs despite the security and privacy risks, making them almost as important as the basic human needs. We will have no option but to live with the emergent vices and make the best out of the available virtues.

How to uninstall Adobe Acrobat Reader and open PDFs in your browser instead

adobe-reader-logoOver the last few months, I’ve been aggressively pursuing ways to remove my dependence on 3rd-party plugins. Every time I read about a massive security exploit in software like Java and various Adobe products I think to myself, “Why am I putting myself at risk by keeping this software installed?”

PDF documents aren’t going anywhere, nor should they. They provide a useful, lightweight method to share non-editable rich text documents, and the format has been around since 1993 meaning almost all of us have interacted with a PDF document at some point in our lives. The fact that PDFs are so ubiquitous means that most computers come with a PDF document viewer pre-installed, with Adobe Acrobat Reader being one of the most popular.

I certainly can’t criticize Adobe’s efforts to combat security issues because I’m frequently prompted to update my Adobe software via their automatic update system. These updates are often retroactive, though: by the time you receive an update, the security flaw has already done its damaged to hundreds and thousands of computers. The definition of a “0-day exploit” means that the attack used a previously unknown vulnerability, and these exploits can be extremely dangerous.

Unfortunately, we simply can’t rely on automatic updates to protect us from all security flaws for a number of reasons. Some users may not have automatic updates enabled, and many users deliberately disable automatic updates on popular applications despite the security risk it presents. Automatic updaters typically run on a schedule, so there could be a delay before your computer even checks for a security update. And let’s not forget the most basic of issues: Some users simply don’t know what to do when presented with an automatic update dialog.

So what’s the solution? In my opinion, the best way to avoid security flaws in Adobe Acrobat Reader is simply to uninstall it. I don’t want you to be PDF viewer-less though, so in this article I’ll show you a simple way to remove Adobe Acrobat Reader without giving up your ability to view PDFs.

Web browsers to the rescue

Web browsers like Chrome and Firefox have strong incentives for removing the dependency on 3rd-party plugins like Adobe Acrobat Reader. Plugins slow down browsers, open security vulnerabilities, and can cause a variety functional issues with the browsers themselves.

Recently, both Chrome and Firefox have released updates that allow you to view PDFs right from within your browser, without using a 3rd-party plugin. Firefox has offered this feature since version 19, and thanks to Javascript, the Mozilla team was able to render PDFs without relying on a plugin.

If you have the latest versions of Chrome or Firefox installed, you should automatically see their built-in PDF viewers when opening a PDF link in your browser. But what about PDFs you have on your local computer? No problem!

How to use modern versions of Chrome and Firefox as the default viewer for PDF documents

Using your browser as a PDF viewer is as simple as changing the default application used to open the .pdf filetype. In Windows, this can be done by following these steps:

Step 1: Locate a PDF document on your computer.

Step 2:Right-click the document and select Properties.

Step 3: Locate the Opens with: setting and click Change.

2013-04-20_20h16_10

Step 4: Select your web browser of choice. You may need to navigate to your browser’s executable if it isn’t displayed in the list.

Selecting the default PDF viewer in Windows 8
Selecting the default PDF viewer in Windows 8
2013-04-22_09h22_09
Selecting the default PDF viewer in Windows 7

That’s it! Now when you open a PDF document, your web browser will be used instead of Adobe Acrobat. You can now uninstall Acrobat from your computer – you won’t be needing it or its security vulnerabilities anymore.

2013-04-22_09h35_22

How to stay secure on public Wi-Fi

CoffeeShopWifi

Credit card numbers? Check. Website logins? Check. “Private” chats between cheating spouses? Double check.

Spend ten minutes in a coffee shop snooping on the “Free Public Wi-Fi!” and you’ll see all these things and more. Airports, libraries, parks? Same situation. Hotels are a little different, though. All the bandwidth is being taken up by people streaming porn, so there’s not much else going on.

Granted, this is the same type of traffic you’d see on a private, secure network, but in that setting you’re probably going to have a little better idea of who you’re sharing the network with and there are controls to keep potential criminals out.

Public Wi-Fi is exactly that, public. You are sharing it with everyone else in the local area, just like Jenny, that nice girl you went to highschool with who just wanted to feel pretty. For someone who’s interested in stealing financial information or identities, it’s an appealing target, mostly because it’s so easy to exploit. I wouldn’t even call it hacking, it’s more “collecting” – monitoring the network for unencrypted information and capturing the info that looks interesting.

Protect your neck

That being said, public Wi-Fi can be relatively safe to use if you take the appropriate steps to secure yourself and use a little common sense.

    • Starbucks is not a good place to balance your checkbook. Context is everything and there are certain places for doing certain things. Doing your online banking on public Wi-Fi is just a bad idea. Even if you’re taking steps to protect your laptop, there are too many factors that are out of your control to justify the risk. Restrict financial and other “sensitive” activities to networks you trust (like the one at your house).
    • Use a VPN service. A VPN (virtual private network) service will protect your internet traffic inside a secure tunnel out to the internet so that someone snooping locally won’t be able to see anything other than you connecting to the VPN service. Good VPNs aren’t free, but if you’re a heavy public Wi-Fi user, the cost is definitely worth the security you gain. I personally use a service called Cloak that works on Mac and iOS devices. If you’re not a super-awesome-Apple-user like me, I’ve also heard good things about StrongVPN.
    • Know what you’re connecting to. Although they can easily be spoofed to match the name of a real Wi-Fi network, it’s important to pay attention to the names of the wireless networks you use. Much in the same way that an e-mail titled “Free Money Waiting For YOU!” is probably spam, a wireless network named “Free Public Wi-Fi” is likely a scam.
    • Look at the physical signage wherever you are visiting. Starbucks uses AT&T to provide their Wi-Fi (It says so on the front door.), so the network there is called “attwifi”, not “starbuks” (The laziness that’s paired to Wi-Fi snooping is often paired with stupid.). Just being on the right public Wi-Fi for the location will keep you more secure. If you’re reading this thinking “Well, Mr. Smartypants, what if someone has exactly mimicked the name and setup of a real network and is performing a man-in-the-middle attack?” – see points 1 & 2.

When in doubt, bail out

Ultimately, if you doubt the safety or validity of a Wi-Fi network, don’t use it. It may come as a surprise to some people, but there are other things to do in public than surf the internet. If you’re presented with obviously unsafe options for wireless, maybe it’s a good time to strike up a conversation with one of the people around you. Read a book. Or maybe you should just sit quietly and contemplate your existence and how to become a better person.

Image Credit: Ed Yourdon

5 ways to fight spam in your iCloud email account

Apple iCloudI have been an iCloud email user for a while, even before “iCloud” existed (iCloud is Apple’s online email service and other online tools). I was originally a MobileMe and .mac user. Until recently, my iCloud email addresses were relatively free from spam. However, for the past few weeks I have been getting five to ten spam emails a day and I didn’t even sign up for anything.

A search of internet discussion boards shows that I am not the only one with a recent onslaught of junk in my iCloud account. So is there anything that can be done about it? Well, there are a few steps you can take to help reduce the junk in your iCloud inbox.

Don’t click ‘Unsubscribe’ links

First, and most importantly, do not click any unsubscribe links in any of these spam emails. This will, most likely, just open the door to more junk. These links basically tell the senders that your email address is real and is read by a human.

Help report spam to Apple

The second thing you can do is help Apple improve its server-side filters by emailing the emails to them. You do this by forwarding the email from your desktop app as an attachment to spam@me.com. This is Apple’s spam address. To do this from Mail on your Mac select the email and choose “Forward as attachment” from the Messages menu. Address the email and send it off.

Add spam filter rules to iCloud

A third part of the plan includes setting rules through the iCloud webmail settings. If you log into your email through iCloud.com, locate the gear icon in the top right of the screen. Clicking that will present you with a menu of options. “Rules” will be one of these options. Choose that and you will see a window where you can set up rules.

If your junk emails have similar words in the subject, you can set up a rule to send emails with that subject to the “Junk” folder or the “Trash” folder. If the emails seem to be coming from the same email address, as many of mine have been, you can set the parameter based on that email address. It is very easy to do and setting the rules online instead of your mail program will prevent many of these emails from even making it into your inbox of the program you use.

rules

Flag spam as ‘Junk’

For those spam emails that still manage to sneak through your filters, you can mark them as “Junk” in the Apple Mail program or the webmail interface . iCloud is supposed to learn what is junk and what is not based on how you mark emails. I don’t know how well it works, but it is better than doing nothing.

Buy spam filtering software

Finally, there is the pay option. There are several spam filter apps for the Mac and several online spam filtering services. SpamSieve is an app I have used in the past.

Conclusion

There have been small flurries of spam through Apple’s email services in the past and it eventually works itself out. Hopefully it will do so again. If not, you now have some weapons to help fight spam in your iCloud account.

Have any tips for fighting iCloud spam? Share them in the comments below!

Image courtesy: Bas Boerman

Top 5 Free Antivirus Software for Windows

Antivirus software provides essential protection for your PC from virus, trojan, spyware, worm, adware, root kit and key logger infections. One of these nasty infections could expose key personal information or stop your computer from working. As powerful as the web is, it is also a very dangerous place. However, installing antivirus software does not mean you have to break the bank. Some of the best antivirus software are free and have what it takes to keep your PC safe.

If you’re tired of expensive antivirus packages that slow your PC down then these free antivirus programs are the way to go.

AVG Anti-Virus Free Edition

AVG Anti-Virus Free Edition  is an excellent choice, if not the best for a free antivirus. AVG Anti-Virus Free is a full-fledged antivirus and anti-spyware tool, includes an email scanner, link scanner, scheduled scanning options, automatic updates, and more. AVG has been certified to remove 100% of in-the-wild viruses

Cons: Unfortunately AVG free has grown considerably in size, has very slow scan speeds and advertisements (but they can be disabled). AVG Free Edition does not provide adware/spyware removal (though it is available in the paid version of the product).

Avast! Free

Avast! Free Antivirus is improving its detection rates over the past few years “heuristics engine” and now ranks with the some of the best. Avast has the following features: full real-time capabilities including web, e-mail, IM, P2P and network shields, boot-time scanning, and a behavioral blocker. This program is also very light on resources.AVAST has been making this antivirus product since 1988 and is often cited as the most installed antivirus product. It also has a large user support community in case you need any help.

Cons: Average scores in PCMag’s malware blocking test.

Microsoft Security Essentials

Microsoft Security Essentials is a another fan favorite with great detection rates, particularly for rootkits. Microsoft Security Essentials has very few false positives, is light on resources and is good at removal of existing malware. MSE is a great choice for average users because of the minimal user interaction required. It is directly from Microsoft and it’s very easy to see if your computer is secure from threats: if the icon next to your clock is green, you’re in good; if it’s red, something is wrong.

Cons: The main downsides are the slow scan speeds and the lengthy amount of time it takes to quarantine malware.

Panda Cloud Antivirus

Panda Cloud Antivirus  protects you from several kinds of malware threats – viruses, worms, Trojans, adware, and more – just like all the other free antivirus programs in this list. Along with Microsoft Security Essentials, it is an excellent choice for average users with a simple interface and completely automated features with automatic updating and removal of malware. What makes Panda Cloud Antivirus one of the top free antivirus programs is that it does its job from “the cloud” meaning the  antivirus work that typically slows down a computer is done on computers elsewhere on the Internet, freeing up your computer to work like nothing is happening.

Cons: As many free program installs Panda Cloud Antivirus tries to install a toolbar and set Yahoo! as your browser’s home page during the installation process so uncheck the boxes before continuing if you don’t want them.

Avira AntiVir Personal Edition

Avira AntiVir Personal Edition protects you from viruses, Trojans, worms, spyware, adware, and various other kinds of malware, making it a fully functional anti-malware tool. AntiVir does not include web or e-mail scanning capabilities; this is only available in the paid version.

On installation, AntiVir schedules a daily full scan. You can, of course, change the schedule or add your own scheduled events. By default its configuration page shows only basic settings.

Cons: One con about Avira AntiVir Personal was the configuration you have to complete after installation which might be difficult if you’re a computer novice.

Conclusion

A lot of time was spent comparing free antivirus programs and there are many more that are not on this list. Each individual may have a different need or use for antivirus software.

Unfortunately no package excelled in every area. Some were lightweight but less accurate, others were good at detecting malware but had a significant performance on your system.Picking a winner inevitably involves some compromises and may vary depending on your requirements.

After weighing the results the program that gets my first place vote is : AVG Free 2012. It has plenty of features and is lightweight making AVG Free 2012 a good all-round winner of the best free antivirus award.

Would you trade in your social media passwords for a job?

The practice of employers looking up social media profiles of prospective employees is nothing new. It’s a great way to learn a lot about a person from the things that they choose to broadcast to the public. However, there comes a point where this all may go a little too far — specifically when a potential employee’s profile is set to private.

Associated Press reports that some job seekers have been asked during the interview to hand over their Facebook passwords. Justin Bassett, a New York statistician, was asked to disclose his Facebook login credentials to the interviewer. Bassett withdrew his application.

Others weren’t directly asked for their passwords, but they were asked to log in to their Facebook account so that the interviewer could have a peek.

While most job candidates would decline to give out their passwords, there are some job seekers who are so desperate for a job, they have no choice but to hand over such information to the company.

In 2010 a security guard at the Maryland Department of Public Safety and Correctional Services was asked for his login information so the agency could check for any gang affiliations. The security guard handed it over saying, “I needed my job to feed my family.”

Orin Kerr, a George Washington University law professor and former federal prosecutor says that this practice is “an egregious privacy violation” and “it’s akin to requiring someone’s house keys.”

Surprisingly, this is all completely legal, but legislation is being proposed in Illinois and Maryland, with more states possibly joining in later.

Personally, I have nothing to hide when it comes to my social media profiles. If an employer wants to look at my Facebook profile, they can do so, but I will never give my password away to anyone. However, I probably wouldn’t mind logging into my Facebook and letting them surf around for a bit while I at least watch (as long as they were just looking at my profile and not digging into my settings), although that does sound extremely juvenile and definitely says something about the maturity of the company.

What about you? Would you let a potential employer have your password or at least log in for them so they can look around?

Privacy: Ghostery helps you elude online trackers in all browsers

Ghostery browser add-on
Ghostery shows you who is tracking you and let's you stop them.

Browser cookies are the black helicopters of the Internet age. Everyone seems to believe they’re only used for a secret, evil purpose.

I guess it depends on your definition of evil. Companies use cookies  to store information about Internet users. That information is coupled with other data collected via “tags, web bugs, pixels and beacons that are included on web pages in order to get an idea of your online behavior.” That idea helps them deliver ads and marketing messages to you online. Probably the biggest problem is that this is done without you knowing that you’re building a customer profile simply by reading blogs and watching videos.

Ghostery is a free browser add-on that exposes who is tracking your behavior and allows you to block them. It is available for Firefox, Safari, Google Chrome, Opera, Internet Explorer and Apple iOS. That’s right – you can use it on your iPhone.

When setting up the add-0n, it’s easiest to go with a broad brush by blocking all third-party extensions and cookies. It doesn’t seem to do any harm (depending on your definition of harm).

For example, it blocks almost all the social media sharing buttons you see on web content. So if you use them a lot to “Like” pages, tweet stories and add to social bookmarking services, you’re going to miss them. But it’s easy enough to allow the functions you want by clicking on the ghost icon at the bottom of your browser. That will bring up an info box that tells you what is blocked and lets you unblock it. You can also click through to get information on the service that is tracking your behavior.

That window also lets you temporarily turn off the blocking. Once you do that, Ghostery still identifies the trackers and gives you the same information.

One of the benefits seems to be increased browser speed. Sometimes the blocking takes time but overall pages load faster without the third-party extensions.

Another casualty is advertising. Some ads are blocked. Sometimes the space is there but no ad can be seen. Annoying pop-over ads still appear but don’t show any advertisement. I still have to close out the ad space to continue reading.

Other than that, I don’t seem to be missing any functionality, except my online banking site seems to be glitchy while Ghostery is blocking trackers. Pausing the blocks lets me do what I need to do though.

I see two problems for publishers though:

First, Ghostery can block your analytics – Google Analytics and Omniture for example. That means your stats could take a hit even if you’re only tracking traffic to pages not who is reading them.

Second, if you run a metered paywall – a limit to the number of pages that can be viewed for free – Ghostery can let readers bypass those limits since they rely on information in cookies. But it doesn’t break down paywalls that protect certain pages.

What I like about Ghostery

I don’t need a tin foil hat anymore. The add-on makes me feel invisible to all kinds of tracking. Since not all of it is evil, I have the ability to accept the services that I want to use. It’s easy to use and worth the time to install.

Ghostery
Ghostery blocks some ads from being displayed

[Download Ghostery]

How to Manage Stored User Names and Passwords in Windows Credential Manager

A convenient feature of any operating system or software application is its ability to save login credentials so you don’t have to repeatedly enter the same user name and password. Although it may be convenient, there are some potential security concerns with saving login information on your computer, especially if it is shared with others.

Windows manages a user’s login credentials through the Credential Manager. The Credential Manager in Windows stores login information for any servers, network locations, mapped drives, websites, and various other software that you may access during the day.  Follow these steps to access the Credential Manager and find out what user names and passwords Windows is currently storing for you.

Start the Credential Manager by opening the Control Panel and navigating to Control Panel > All Control Panel Items > Credential Manager.

Here you can see the locations that Windows had stored the login information for a couple of network shares I have connected to.

Expanding each entry shows more information about it.

You can edit an entry to change the user name or password.

Or alternatively, you can delete saved login information.

The Credential Manager also allows you to backup and restore your saved credentials.  Simply click the Back up Vault button to save your login information to a .crd file.  This same file can be used to restore your saved credentials in the event of a problem.

Another way to access the Credential Manager is through the command line.  This works with both Windows XP and Windows 7.

Start by opening  a command prompt.  Type the following into the command prompt window and press Enter.

rundll32.exe keymgr.dll, KRShowKeyMgr

The Stored User Names and Passwords window will open, allowing you to perform the same functions as the Credential Manager outlined in the above steps.

How I Circumvented Network Authentication (And Got Caught in the Process)

While I’ve never personally worked in the IT field, I have a number of friends who have, and I can appreciate their efforts to keep a network secure and functioning well. Sometimes, though, the cost of network security can be pretty annoying.

The university where I work is home to a top-notch group of IT guys that keep the wheels greased for over 15,000 network users. Just like many other universities, the IT department instituted a network authentication system to do several things, one of which being to cut down on illegal filesharing. This system included user login and a horrible little program called SafeConnect by Impulse.

Put simply, SafeConnect is a watchdog program that is forcibly installed on your system before you are allowed Internet access. It monitors to see that you have anti-virus software installed that is up to date, keeps tabs on your device preferences, and (as far as I can tell) was specifically designed to be a major pain in the butt.

 

If you’re like me, you probably don’t like to be forced to download third-party software. Also, if you’re like me, you probably don’t want to have your name associated with everything you do online. Finally, if you’re like me, you probably have an e-deathwish and don’t care what happens to your e-career when you do e-stupid things. Luckily, there are ways to avoid both SafeConnect and network authentication at many universities, and possibly fulfill a deeply seated wish to get yourself expelled.

Derp. I am not a fan.

Disclaimer: You probably know where this is going. Before you consider doing this for yourself, understand that while I performed these steps and survived to tell the story, my circumvention of the university network authentication system landed me in the Dean’s office for a rather eventful discussion with the Network Administrator present to see me squirm.

Step 1: Change your TCP/IP fingerprint

If you’re running Windows, your computer will be detected by the network as a valid candidate for SafeConnect. Fortunately, there is not a Linux-friendly version of the software. Changing the TCP/IP fingerprint will allow your computer to be detected as a Linux box and you can avoid that pesky download forever. You can achieve this manually by digging into the guts of your registry…or take a much easier route of using a nifty piece of software called OSfuscate.

With OSfuscate, you can change your fingerprint to just about any platform

Step 2 (optional): Change your MAC address

MAC addresses are hardwired into the network adaptor of your computer and are often used to filter rogue computers from a network. Spoofing a fake MAC address is not very difficult, and there are easy-to-follow tutorials here and here. I mark this step as optional because it is not essential for circumventing login. However, if you plan to do anything nefarious on a network, it’s best not to get an authentic MAC address banned from use.

In your Device Manager, visit the Advanced tab of your Network Adaptor.

Step 3: Change your Browser User-Agent

At this point, if you’ve changed your TCP/IP fingerprint and uninstalled SafeConnect, firing up a browser should give you a typical network login screen. The interesting thing about most university networks is that they typically don’t require authentication of gaming consoles like a Playstation 3. If your university is anything like mine, its second tier of authentication (after SafeConnect) is identifying the User-Agent of the browser in use. If it detects a game console, it lets it pass through without authentication.

 

If your login looks like this, this tutorial will probably work for you.

 

 

Spoofing a user-agent on a browser can be fairly easily accomplished with a Firefox plug-in or by modifying your desktop shortcut to Chrome.

Once your user-agent is spoofed, it is likely that you can now do anything online… semi-anonymously.

The User-Agent Switcher plug-in for Firefox in action

 

Step 4: Get discovered, deal with consequences

So, as the saying goes, all good things must come to an end. You see, network admins have a nose for this kind of behavior, and while I don’t know the specific tools that are used to detect it, you will eventually get caught. Chances are also quite good that circumventing network authentication is against your Student Code of Conduct.

 

You, crying, because you ignored my warnings and got caught.

In the end, this is a good exercise for those interested in network security, but a poor long-term defense against doing naughty things online.

Kids, keep your noses clean. SafeConnect and other forced software downloads may be lame, but risking expulsion to cover your e-tracks is just plain dumb.

3 Secure Ways to Store Your Passwords

If you’re anything like me, you probably have all your passwords jammed into a text file or stored in your browser somewhere for easy retrieval when you need them.  While convenient, you may want to consider more secure ways to store your passwords to prevent your account(s) from being hacked.

The following applications and services are free, easy to use, and absolutely capable of protecting your sensitive data from peering eyes.

KeePassX

KeePassX is perhaps the most popular method of storing passwords and is an open-source application available for Windows, Mac, and Linux.  It can store a variety of usernames, passwords, URLs and more in a single, encrypted database. Being compatible across multiple platforms, the database can be easily exported, moved, and imported into KeePassX on other computers.

Password Dragon

You may consider Password Dragon a lightweight version of KeePassX. Also open-source and compatible with Windows, Mac, and Linux, Password Dragon stores all of your passwords in an BlowfishJ-encrypted database that you can access with a master password.  You can also bypass the GUI and access your passwords via command line.

PassPack

You may be a bit weary of the concept of storing passwords online, but this can be an excellent option for those that need to be able to access data from any location, on any device.  PassPack offers both free and professional accounts for individuals or businesses, and allows you to securely share your passwords with anyone you wish.  For the security-conscious, PassPack provides disposable logins for use on public computers and two-factor authentication with a virtual keyboard to deter keystroke-logging programs.

So now that you know that there are free applications out there dedicated to providing you with an easy, secure method of storing your passwords, stop using Notepad and put your Post-its away!