Archive for the 'Beginner' Category

Integrity and Computers – Say What?

Published by

May 17, 2007 in Beginner. 0 Comments

Picture of man and computer Okay, think of the biggest weasel you’ve ever worked with. Okay, calm down. I can detect your blood boiling. Take a deep breath. Now, think of why s/he’s such a weasel. I detect another deep breath is in order here. If one quality that they lack is integrity, then you’ve already identified the second term in our CIA acronym that we’re going to discuss today – although I’ll bet many other words came to mind first.

Now I know you’re saying what in the world does integrity have to do with computers. I’m sure you must be thinking that my computer, at its worst, could never be as terrible as that *&*^% weasel. Well, when our computer systems lack integrity, the accuracy and reliability of the data stored on them is much like that weasel that you work with – unreliable. When there’s no integrity with our computer systems, unauthorized modification of data isn’t prevented. And as a result, data can end up in unintended destinations, often contaminated, corrupted and maliciously modified.

As an example, let’s say that that weasel accidentally made a mistake in a database entry and charged a customer $50,000 for a bill instead of $50… and tried to creatively blame you. Thanks to that weasel, (or too bad for you if s/he’s convincing) the data is now corrupted. The customer has now been inconvenienced by having to straighten out this error. And now your job might be on the line – but of course you’ll go into Soprano mode and prevent that from happening.

When hardware and software don’t work in a concerted effort to maintain the accuracy and reliability of data, trouble ensues. And while later on we’ll uncover ways to harden systems and educate/train users on ways to avoid such costly errors, for now, just note that integrity is critical to making sure that the correct data ends up in the correct destination.

Your computer needs updating

Published by

John Biasi

May 17, 2007 in Beginner, Updates and Windows. 0 Comments

Do you update your computer regularly? Surprisingly, many people don’t. Whether you are using Windows, Macintosh, or Linux, it’s important to update your system often. Every software vendor releases updates to their system, whether for compatibility or security reasons. When one of these updates is released, it clues everyone into the fact that there may be a bug in the system, so it’s in your best interest to make sure you get that bug fixed before someone has a chance to use it against you.

For Windows users, if you are running Windows XP or later, you should be using Automatic Updates. Automatic Updates is a feature that allows you to configure Windows to automatically download (and optionally install) any new security updates that Microsoft releases. I personally have chosen to configure it to download the updates automatically and then prompt me when they are ready to install, so I can choose to install them at a convenient time. You may also choose to have the updates downloaded and installed automatically, but that may cause you to lose data if you leave your computer with applications open and Windows tries to restart after applying the updates.

If you prefer to have more control over the updates Microsoft is sending your computer, you can choose to use the Windows Update site. Here you can pick and choose what updates you want to install – but I recommend you install anything Microsoft considers a “Critical Update.” You can also find updates that have nothing to do with security, such as new versions of Windows Media Player. Windows Update is also the method you should use if you have an older version of Windows.

If you want to be even more comprehensive with your updates, go to Microsoft Update. This site includes everything you get from Windows Update, but also adds updates to other Microsoft Applications besides Windows, such as Microsoft Office. Don’t forget that any software, not just your operating system, can have problems, so be sure to update them as well.

Speaking of which, pay attention to what other applications are loaded on your computer. Almost every computer has a Java client installed. Java is often the target of security researches, and consequently is updated frequently. Fortunately, if you have a recent version of Java, it should prompt you to download and install the latest version whenever there is an update.

Your antivirus program is probably configured to download new virus definitions on a regular basis, but does it ever update the program itself? Some do, but others require you to manually perform updates. I will try to put together a post on the methods to update AV programs in the near future.

Well, this post ran a little longer than I expected it to, so I’ll have to give you the methods for updating Macintosh and Linux systems another day. Hopefully this gives you a little more information on the methods to update your Windows System.

Keeping Those Secrets

Published by

Bridgitt

May 16, 2007 in Beginner. 0 Comments

Young lady looking into computer Last time we met, I asked you to remember a short acronym. Do you recall? No, well here’s a hint: There’s an intelligence agency with the same acronym? If you said CIA, muy bien! If not, you’re the recipient of Colbert’s Tip of the Hat – Wag of the Finger. And if you don’t know what that means, then unfortunately my friend, you’re probably missing out on one of TV’s wittiest and funniest shows.

Now, let’s proceed. Can you recall the last time that you told someone something in confidence,hoping that they’d honor your request not to go blabbering to the world? How far would you go to prevent them from disclosing your deep dark secret? Soprano fans, please don’t answer.

In the world of computer security, confidentiality is critical. It’s one third of the triad known as C-I-A. We’ll soon discuss the other two. Without it, all kinds of information that should be kept confidential is now unleashed, as if from the mouth of your blabbering friend. For example, some of those secrets can be a company’s trade secrets, marketing plans, credit card information, or your grandma’s secret family recipe.

Whatever that information is, it’s valuable and its disclosure can ruin a company’s productivity and profitability, raise the possibility of legal and liability issues, not to mention your grandma possibly disowning you.

Of course, sometimes we honestly disclose information that we didn’t know was confidential, but this doesn’t change the fact that information that should have remained secret is now exposed. This is why valuable information must be safeguarded while it resides on systems, while in transit and once it reaches its final destination. And yet with all the efforts made to maintain this confidentiality, there are still those who manage to obtain sensitive information. We’ll investigate these efforts later.

So, to wrap up, keep in mind that confidentiality is the means to prevent the unauthorized disclosure of resources and data. Think of it as efforts to ensure that information remains confidential, like keeping your friend’s trap shut and hopefully preventing your grandma from kicking you out of the family.

Computer Security and Why You Should Care

Published by

Bridgitt

May 14, 2007 in Beginner and Security. 0 Comments

Picture of computer with lock Seeing too many pizza commercials on TV yesterday, I finally succumbed to the advertisements and made a quick phone call to Dominos (advertising is indeed powerful). Usually when I call them, I’m on and off the phone in about 2 minutes. Not so today. I was put on hold for about 4 minutes. Very unusual. Afterwards, the employee gets on the phone, asks me for my order and then has to put me on hold again because the computer was slow. He apologized and finally said, “Ya know, computers are great, except when they’re not working.” True, but what about my pizza? Thankfully, my order was entered and I got my wonderful pizza while still trying to figure out how Sanjaya from American Idol made it as long as he did! Oh well. Some things we’ll never know. But I digress.

I use that example above because most of us use our computers with an expectation that everything will work fine. While we’re busy emailing co-workers or friends or enjoying the wonderful world of blogging, once we click that ’send’ button or that ‘publish’ button, we expect our information to be sent, in tact, to the recipient, with no problem. Right? Well, as we know, sometimes there are hiccups in the process and things just don’t go as we’d like.

This got me thinking about the use of computers in our lives and how many of us rely on them for our everyday activities. According to the Computer Industry Almanac, in 2005, there were 1.08 billion people online. Projections for 2010 are a staggering 1.8 billion. This means more people, more activity and an increasing need for more security. Security for what? Security from whom – you ask? We shall see.
Continue reading ‘Computer Security and Why You Should Care’

(The Myth of) Privacy at Work

Published by

John Biasi

May 12, 2007 in Beginner, Privacy and Security. 0 Comments

Personal Privacy Do you spend much time at work browsing personal sites, such as shopping or online banking? Do you check your personal email while at work? Not only is this usually against the corporate policies at most companies, you are putting yourself at risk by doing so.

Many people incorrectly assume that they have an expectation of privacy while using “their” computer at work. This can vary from state to state and country to country, but in most places, any activity on company-owned equipment is subject to review and monitoring by the company. This activity can include emails, web traffic, and any documents saved on company equipment.

Aside from the legitimate monitoring that your employer may be performing, there are other reasons why you should avoid using your work computer for personal purposes. Your computer is not an island. In most cases, your computer will be on the same network as a number of your coworkers. Being part of the same network means that one of your coworkers could potentially access data stored on your computer, or capture your web and email traffic as it traverses the network. While this scenario is somewhat unlikely, on many corporate networks there are few controls in place to prevent this, and little to warn you if this is occurring.

Your work computer is intended for just that; work-related activities. Save your personal web browsing and email for times when you are on a trusted computer, such as your home computer. In most cases, your personal information will be far safer there than at work.

The dangers of Autorun

Published by

John Biasi

May 9, 2007 in Beginner and Security. 0 Comments

Autorun is a feature of Windows that has been around since the Windows 95 days. Autorun is one of those features Microsoft “borrowed” from the Mac to make Windows more user-friendly. In case you are not aware of what Autorun actually does, when you insert a CD, or a USB hard drive or flash drive, Windows will perform one of two actions, depending on whether a certain file is present on the CD or drive.

The first option is that Windows will find a file on the drive called autorun.inf. This file contains instructions for Windows to perform when it detects this media has been inserted into the system, such as a program to run. Some of you may already realize why this is a problem, but I’ll get to that in a minute.

The second option is that Windows doesn’t find an autorun.inf file. Windows will then scan the drive and pop up with a dialog box asking you which action you want to take, such as viewing the files, launching Media Player to play music or video files found on the drive, or viewing pictures found as a slideshow.

The first option is a serious security risk. Why? Because with Autorun enabled, Windows will automatically, and without prompting you, launch whatever program is specified in autorun.inf. This program could be a virus, a keylogger, or any number of equally dangerous programs. One recent application of this method is known as podslurping. Podslurping is the simple process of taking an iPod with a specially configured autorun.inf file, and plugging it into an unsuspecting system that has Autorun enabled. The program that is executed automatically searches the drive for files “of interest,” such as Word docs, Excel spreadsheets, and Powerpoint presentations, and copies them to the iPod. It does this silently and quickly, and allows the owner of the iPod (or podslurper?) to walk away with valuable information without attracting much suspicion.

So what can you do to nullify the insidious nature of Autorun? You have a few options. The first, which is a bit too much of a manual process for me, would be to hold down the “shift” key on your keyboard whenever you insert a CD or USB storage device. This would not prevent someone else from podslurping when you are away from your desk, however. The method I prefer is a registry change to disable Autorun for good. Here are the instructions from Annoyances.org:

Windows 2000/XP

Run the Registry Editor (REGEDIT.EXE).
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom.
Double-click the Autorun value, and type 0 for its value. (If it’s not there, create it by selecting Edit -> New -> DWORD Value, and typing “Autorun” for its name.)
You may have to log out and then log back in for this change to take effect.

For other methods of disabling Autorun, and for older operating systems such as Windows 98, go to http://www.annoyances.org/exec/show/article03-018.

Where do you keep your passwords?

Published by

John Biasi

May 9, 2007 in Beginner, Passwords and Security. 2 Comments

Keepass logo

OK, I’m starting to get repetitive with these password posts, but I promised in my last post that I would mention some ways to keep track of all your passwords.

As you probably know already, the less places you share your passwords between, the more secure you are. So, the most secure way to manage passwords is to never repeat them. So, if you have accounts on 15 different websites, and 5 different computers, and you have security in mind, you should have twenty different passwords you use on a regular or occasional basis, and you should be changing those passwords regularly (hopefully quarterly, or semi-annually at least).

At best, I think I can probably keep track of around 8-10 passwords at a time, and even then I start to confuse them, and have to try a few passwords on some sites before I get it right. I hold very little hope of remembering 20 passwords for very long. In fact, between personal and work-related accounts, I probably have closer to 40 or 50 passwords to manage.

So how do I keep track of my passwords? I write them on a yellow Post-It note and tape it to my monitor, of course. That’s secure, isn’t it? Well, if I wanted to be a little more diligent about keeping my passwords secure, I would use a tool such as KeePass Password Safe.

KeePass is a secure database for your passwords. It is also Open Source, and free to download and use. It allows you to create groups for your passwords so you can be more organized, and it also allows you to enter in the address of any website you have an account on, and auto-type the username and password when you load the site. The entire database is encrypted using standard algorithms such as AES, TwoFish, or Rijndael. You can also use either a password, a key file (stored on a USB key or hard drive), or a combination of the two to restrict access to the database.

I highly recommend this tool as a way to keep track of your passwords in a secure manner. And since it’s free, you don’t have to spend any money to try it out and see if it works for you. Check it out here, KeePass Password Safe

Local Shared Objects: the cookies you never knew that existed

Published by

madelman

May 8, 2007 in Beginner and Privacy. 0 Comments

Many users, specially those who are worried about privacy, already know cookies: how they work, where are they saved and, most imprtantly, how to delete them. Most browsers include an utility to manage them, blocking or deleting the ones we don’t want.

But even if you are actively deleting cookies, you might still be leaving something behind. Local Shared Objects are the implementation of cookies done by Adobe Flash. So, if you have this software installed (and most people do) these Flash cookies are resting on your hard disk, maybe forever.

Each site using Flash can store, by default, up to 100 KB of data in your computer, even without you knowing it. No permission is asked unless the application tries to store more data than permitted.
Continue reading ‘Local Shared Objects: the cookies you never knew that existed’

MySpace phishing site reveals password patterns

Published by

John Biasi

May 7, 2007 in Beginner, Passwords, Phishing and Security. 0 Comments

MySpace logo

As a follow-up to my previous post about creating good passwords, I thought it would be helpful to mention an article that shows some of the bad habits in password creation. In Note to MySpace Users: Get Better Passwords, Brian Krebs discusses a phishing website that targeted MySpace users. The site was used to obtain the usernames (which in MySpace’s case are email addresses) and passwords of close to 60,000 people.

On top of that, the list of usernames and passwords was stored as a text file on the phishing website, which security researchers were able to grab and analyze. Here is the list of the most common passwords used:

password1 (106)
abc123 (73)
swimmer1(43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i(32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)

This is revealing for a number of reasons. First of all, the most common passwords used on MySpace are far from unique, and far from complex. Most of these passwords would be easily guessed or cracked. Since this post is a few months old, these people obviously haven’t been following my advice, as they wouldn’t have seen it yet.

Secondly, it shows how easily people can be fooled by phishing websites that look authentic. As this was from a few months ago, hopefully the introduction of in-browser anti-phishing tools in Internet Explorer 7 and Firefox 2.0 should help reduce the likelihood of this happening again.

And lastly, it provides a good justification for using different passwords on different sites. If someone is able to get your MySpace password, no big deal, right? It’s not exactly a critical site (to most of us, anyway). But many people use the same password on many sites, including online banking sites. So obtaining your MySpace password could be the key to all the sites that you share that password between.

Hopefully this scares you enough into making sure those passwords are strong, unique between sites, and that you pay attention to potential phishing scams. Soon, I’ll give you some ways to help manage your passwords.

What makes a good password?

Published by

John Biasi

May 6, 2007 in Beginner, Passwords and Security. 1 Comment

How do you create a good password? It’s a common question, and there are a number of different approaches to this problem. Understand that using strong passwords is critical, whether you are creating a password for your home computer, your online banking site, or any other type of web site or forum.

So what constitutes a strong password? The standard definition of a strong password is “choose a password at least 8 characters in length, containing letters, numbers, and special characters.” In case you’re wondering, special characters are usually the ones above the number keys on your keyboard, plus characters such as spaces, commas, periods, and the various other symbols on your keyboard.

This definition is perfectly fine, but gives you little guidance on how to structure a password. It can often lead to difficult-to-remember passwords, such as I$hg7p3V*!. It can also lead to passwords that seem secure, but in fact are very easy for password crackers to break, such as P@ssword1.

There are two approaches to password creation that I consider to be good options. The first one is to think of a phrase, such as “My dog Spot likes to eat dog food.” You can take the first letter of each word and turn that into a memorable password such as “Md$ltedf05.” As long as you remember the phrase, you will remember the password, and anyone else looking at it will find it incomprehensible.

Another approach that I feel is even better, if a bit typing-intensive, is to forget about passwords entirely and consider passphrases. This approach creates even stronger passwords, but you will probably end up typing 15 or 20 characters in a password. Take the example above. Instead of taking the first letter from each word, just use the whole phrase as your password. So your password would be “My dog Spot likes to eat dog food.” This password contains all the elements of a strong password except for numbers, but it also is considerably longer than your standard password. I would challenge any password cracking program to break that password. The only limitation to this method is that certain applications and web sites have a maximum password length, so you may have to choose shorter phrases, or go back to the previous method for these sites.

Does anyone else have any password best practices that they want to share? I’m open to any other methods that can create strong passwords that anyone can use. Weak passwords are a serious risk and should be addressed in any way that you feel comfortable.

About

Becoming paranoid is a weblog about computer security, privacy and staying safe online, specially dedicated to novices
If you want to know something more about us, visit our contact page.

If you enjoyed Becoming paranoid, you can have a look at the rest of our blogs: