USB security: how to lock down the ports

USB ports can be a security risk now that flash-based USB drives are so common and can hold so much data. It is very easy to walk into a company with a 1 GB drive in your pocket and copy private data that should never leave the organization. Usually you only have to plug the drive in and it works out of the box, with no driver installation needed.

If you want to avoid this kind of risk you can use hardware-based or software-based methods. The hardware-based ones can be the most effective, but they also carry the burden of not being able to use the USB port when you do need it.

To deactivate a USB port you can either disconnect it from the motherboard (if it is not integrated), deactivate it in the BIOS (not very reliable) or fill the socket with glue so nobody can insert anything into it.

If you want to do it by software, you can disable the use of USB storage devices entirely, as explained in the Microsoft Knowledge Base article How to disable the use of USB storage devices. You can also make USB storage devices read only.

Phishing (II): how to protect

Now that we know what phishing is and how it works, it is time to learn how to protect against it.

For me, the most important protection against phishing is incredulity: simply don’t believe everything you receive by e-mail. E-mail can be forged very easily, and the sender of a message might not be who it seems to be.

Also, bear in mind that most companies will never contact you by e-mail to ask for information. Some companies do, but if you follow these rules that will not be a problem.

  • Don’t reply with personal information. If you ever get any kind of message from anyone asking for personal information, never reply to it. If you think the request is legitimate, it is always better to telephone and give the data that way. Bear in mind that e-mail travels as plain text across the net, so anyone along the way can read it.
  • Don’t click on hyperlinks within e-mails. Although they may look legitimate, there are techniques for redirecting you to another site controlled by the attacker. If you think the mail is real and you have to enter information, it is better to open a new browser window and type the URL into the location bar yourself, so you can be sure you are going to the site you intended.
  • Check for Secure HTTP. Once you are at the site, check that it is legitimate by looking at the location bar and confirming it uses Secure HTTP (the URL begins with https). If it does, check the site’s certificate by clicking on the lock icon and reading the information in the popup window to see that it matches what you expected.
  • Check your bank accounts and report to the authorities. It is worth checking your accounts from time to time for any unusual or suspicious activity. If there is something unexpected, contact your bank, and if they confirm it is fraudulent, report it to the local authorities so they can investigate the case.
  • Use antiphishing toolbars. These are convenient tools for telling whether a site is suspected of being a phishing site.

You can use the Google Toolbar for Firefox, which shows an icon indicating whether a site is forged or not.

You can also use the Netcraft Toolbar, which can even tell you the country where the server is located, so if you access an American bank and the server is located in Russia, you have good reason to be suspicious.

With all these measures you should be quite safe against phishing.

The best free security tools for Windows

Many times people ask me what the essential tools are to install on a new computer to improve its security. I usually install everything I can think of, but sometimes I might forget something, so this list of the best free security tools might prove very valuable. Sergio Hernando started it and I’ll try to improve it a bit with some comments about each program.

These applications are free (some are open source, others are simply gratis) and will greatly improve the security of your computer. Still, they are not infallible, so you must take basic precautions to protect your computer besides using these tools.

I usually prefer open-source tools, but in some categories there is no useful open-source equivalent, so a closed-source option must be used. Even so, I have always found a freeware option that fulfilled my needs, so you don't need to pay anything to keep your computer secure.

Are warning dialog boxes really useful?

In a really interesting post, Bruce Schneier says that “lots of warning dialog boxes don’t provide security”. The reason is that users don’t pause to read the contents of the dialog box and act accordingly. They only want the job to get done, so they click the default button or, if that doesn’t work, they click whatever button until it finally works (or at least the dialog disappears).

This happens with every application. The most usual case is security warnings about bad SSL certificates.

Phishing (I): what is it?

Although phishing has been on the rise for some time, there are still lots of people who don’t know what it is or how it works. Phishers exploit this to steal data from innocent users for their own profit.

So, first of all, what is phishing? It is a technique for stealing private data from users by tricking them into giving it away. This private data is usually passwords for sensitive sites, credit-card numbers or PIN codes for bank accounts.

How do phishers trick the user? The most common way to ask for the data is through e-mail. Phishers send e-mails that look legitimate, usually mimicking the look of real ones but pointing to their own servers instead of the legitimate ones.

Most phishing mails tell the user that their account might have been compromised and they need to authenticate again to confirm it. They give a link that looks legitimate but points to another site controlled by the phisher. This site also looks like the original, as the phishers copy the images and layout from the legitimate site and upload them to another server.

So, when the user enters the username and password on this site, the data is stored in a database controlled by the attacker, who can retrieve it later and use it for his own profit.

This is an example of a phishing email I received:

The link seems to point to cards.fleet.com but, in reality, it goes to 4.60.21.232:34, a link which no longer works at the time of writing but which was under the control of the phisher.
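A check for exactly this kind of deceptive link (and the reason behind the “don’t click on hyperlinks within e-mails” rule in the protection post), added here as example code that is not part of the original post: it parses an HTML mail body and flags anchors whose visible text names a host different from the real target, or whose target is a raw IP address, a non-standard port or plain http. The function name `suspicious_links` is my own; the sample mail body is constructed, with only the IP and port taken from the e-mail described above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # host-like text
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, text, reasons)] for anchors whose target does not match what is shown."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if IPV4_RE.fullmatch(host):
            reasons.append("target is a raw IP address, not a host name")
        if parts.port not in (None, 80, 443):
            reasons.append(f"non-standard port {parts.port}")
        if parts.scheme == "http":
            reasons.append("plain http, not https")
        # Visible text that names a host must match the real host (or a parent domain of it)
        shown = DOMAIN_RE.search(text)
        name = shown.group(1).lower() if shown else host
        if name != host and not host.endswith("." + name):
            reasons.append(f"text shows {name} but link goes to {host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample modelled on the mail described above (IP and port from the post)
SAMPLE_MAIL = """<p>Your account may have been compromised, confirm it here:
<a href="http://4.60.21.232:34/login">cards.fleet.com</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com</a></p>"""
```

Running `suspicious_links(SAMPLE_MAIL)` flags only the first link, with all four reasons; a link whose text shows a parent domain of the real host (fleet.com for cards.fleet.com) is not flagged.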

Lately, the sophistication of this kind of e-mail has increased: each one looks more credible and uses new techniques to trick the user, such as e-mails that look like a question from a possible buyer on eBay but point to another site, or even e-mails targeted at users depending on the bank they use.

In the next post, we will see how to protect against phishing.

Defeat hardware keylogger with SuperGlue

We explained that a usual way to steal passwords is with keyboard loggers. This happened once at Sumitomo Bank, where someone installed a hardware keylogger on a computer and obtained passwords that allowed him to transfer money to an account of his own.

The bank has opted for a low-tech solution to this problem. To stop anyone installing hardware keyloggers, they have glued the connectors to the back of the PC with SuperGlue, so it is not possible to unplug the keyboard and insert the keylogger.

It is a known problem that securing a computer to which the user has physical access is quite difficult, so I would instead have opted for dumb terminals rather than PCs, so that security only has to be implemented in one place, making it easier to control.

This is not always possible, as some systems can't be configured to work with dumb terminals, or it might not be convenient for the business. In that case, the solution is to keep the PC case in a “secure” locked enclosure where the users cannot access it without permission.

From | Threat Chaos.

E-mail security: avoiding spam

Following the series of articles about spam, I last wrote about detecting spam by analyzing its content. This usually works well, but it is a big waste of resources for the user receiving the spam, as he has to download the mail (mostly free if you are on a residential line, but possibly expensive if you are on the road) and analyze it (spending computer time).

It would be better if the server were able to stop these messages being sent at all. Although some mail servers analyze the content of the message before delivering it, other techniques have been proposed to work against spam. Some of them are even standards, but they have not usually been widely deployed. Let’s have a look at some of their advantages and disadvantages.

Scan for viruses with Knoppix

One of my favourite tricks when checking a Windows computer that is screwed up (and usually they are really screwed up, not even booting) is to scan for viruses using Knoppix, a Linux distribution that can boot from a CD.

Once booted, it recognises your Windows partitions and lets you download F-Prot, a free virus scanner, which checks your hard drive for viruses. If it finds any, you need to delete the files containing them.

It is also a good idea to download updates for Windows at this point, as it is safer to browse the web from the Knoppix CD.

You can download the Knoppix CD from the official site. It's a good idea to have it at hand, just in case you need it urgently.

From | O'Reilly

Recover your own instant messenger password

Most instant messaging applications have an option to remember your details (username and password) so you don't need to enter them every time you want to log on. This might be a handy feature, but it is quite dangerous (as are all systems that remember your password, unless they are specifically designed for security).

If the application remembers your password it has to store it somewhere, usually in a file on disk or in the Windows registry. Most of the time it is encrypted so you can't read it directly, but this encryption is useless, as the program has to recover it at some point, and other applications can do the same.

The advantage of this is that if you forget your instant messenger password you can recover it easily. Just download MessenPass and it will find all the stored passwords for your user. Remember, only for your user, not for other users on the same computer.

The disadvantage is that someone with access to your computer while you are logged on can get into your account, and can also recover the password.

The best option is to choose a good password and not store it on the computer, entering it each time we want to log on.

From | Quands.cat.

On holidays

These days I'm not writing anything because I'm on holiday, so I only wanted to say hi and wish you a good Easter week.

See you next Monday.