Archive Page 4

Local Shared Objects: the cookies you never knew existed


Many users, especially those who worry about privacy, already know about cookies: how they work, where they are saved and, most importantly, how to delete them. Most browsers include a utility to manage them, blocking or deleting the ones we don’t want.

But even if you delete cookies regularly, you might still be leaving something behind. Local Shared Objects (LSOs) are Adobe Flash’s own version of cookies. They are written by the Flash Player plug-in rather than by the browser, so the browser’s cookie manager never sees them and never deletes them. If you have Flash installed (and most people do), these Flash cookies are resting on your hard disk, possibly forever.

Each site using Flash can store, by default, up to 100 KB of data on your computer without you ever knowing it. No permission is asked unless the application tries to store more than that limit.
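As an added example (not part of the original post), here is a small Python script that inventories the .sol files Flash leaves behind and reports each domain’s usage against the 100 KB default quota. The per-user storage roots and the #SharedObjects/<random id>/<domain>/… layout are Flash Player’s real conventions, assumed here for a default install; the sample tree the script builds is constructed so that it runs offline.

```python
"""Inventory Flash Local Shared Objects (.sol files) per domain.

Added example, not code from the original post. Flash Player keeps LSOs under
<root>/#SharedObjects/<random id>/<domain>/.../<name>.sol; the storage roots
below are the standard per-user locations (an assumption about a default
install). The sample tree is constructed so the script runs offline.
"""
import os
import tempfile
from collections import defaultdict

DEFAULT_QUOTA = 100 * 1024  # Flash's default per-domain limit: 100 KB

# Standard per-user Flash Player storage roots (assumption: default install).
FLASH_ROOTS = [
    os.path.expanduser("~/.macromedia/Flash_Player"),                      # Linux
    os.path.expanduser("~/Library/Preferences/Macromedia/Flash Player"),    # macOS
    os.path.join(os.environ.get("APPDATA", ""), "Macromedia", "Flash Player"),  # Windows
]


def lso_usage(root):
    """Return {domain: bytes} summed over every .sol file under root/#SharedObjects."""
    usage = defaultdict(int)
    shared = os.path.join(root, "#SharedObjects")
    if not os.path.isdir(shared):
        return {}
    for rand_id in os.listdir(shared):            # one random directory per profile
        base = os.path.join(shared, rand_id)
        if not os.path.isdir(base):
            continue
        for domain in os.listdir(base):           # one directory per storing domain
            for dirpath, _, files in os.walk(os.path.join(base, domain)):
                for name in files:
                    if name.lower().endswith(".sol"):
                        usage[domain] += os.path.getsize(os.path.join(dirpath, name))
    return dict(usage)


def over_quota(usage, quota=DEFAULT_QUOTA):
    """Domains holding more than the default quota (Flash had to prompt for these)."""
    return sorted(d for d, size in usage.items() if size > quota)


def build_sample_tree():
    """Constructed sample storage root (not real data) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="flash_lso_demo_")

    def put(domain, name, size):
        d = os.path.join(root, "#SharedObjects", "ABCD1234", domain)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"\x00" * size)

    put("example.com", "settings.sol", 2048)
    put("example.com", "tracker.sol", 4096)
    put("video.example.org", "player.sol", 150 * 1024)  # above the 100 KB default
    return root


def report(root):
    """Print a per-domain usage table, largest first, and return the raw numbers."""
    usage = lso_usage(root)
    for domain, size in sorted(usage.items(), key=lambda kv: -kv[1]):
        flag = "  <-- over default quota" if size > DEFAULT_QUOTA else ""
        print(f"{size:>8} bytes  {domain}{flag}")
    return usage


if __name__ == "__main__":
    real = [r for r in FLASH_ROOTS if os.path.isdir(r)]
    report(real[0] if real else build_sample_tree())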

MySpace phishing site reveals password patterns


As a follow-up to my previous post about creating good passwords, I thought it would be helpful to mention an article that shows some of the bad habits in password creation. In Note to MySpace Users: Get Better Passwords, Brian Krebs discusses a phishing website that targeted MySpace users. The site harvested the usernames (which on MySpace are e-mail addresses) and passwords of close to 60,000 people.

On top of that, the list of usernames and passwords was stored as a plain text file on the phishing site, which security researchers were able to retrieve and analyze. Here are the most common passwords in it, with the number of users who chose each one in parentheses:

password1 (106)
abc123 (73)
swimmer1 (43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i (32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)
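To make the point concrete, the following Python script (an added example, not from the original post or from Krebs’ article) parses the list above and tallies how many of those 703 users chose a word with digits stuck on the end, or simply appended a “1”. The asterisks are kept exactly as the post censored them and are treated as letters.

```python
"""Pattern tally of the top-20 MySpace phishing passwords listed in the post.

Added example, not part of the original post. The list below is copied from
the post (counts in parentheses, asterisks are the post's own censoring).
"""
import re
from collections import Counter

TOP20 = """\
password1 (106)
abc123 (73)
swimmer1 (43)
iloveyou1 (41)
monkey1 (40)
****you (37)
123456 (33)
myspace1 (32)
****you1 (32)
i (32)
password (27)
babygirl1 (25)
iloveyou2 (24)
football1 (24)
danny12031986 (23)
blink182 (23)
princess1 (22)
freesh**4me (22)
16188s (22)
123abc (22)
"""

ENTRY = re.compile(r"^(?P<pw>.+?)\s*\((?P<n>\d+)\)$")

# Structural classes, checked in order. '*' counts as a letter because it only
# masks letters in the post's censoring.
PATTERNS = [
    ("digits only",         re.compile(r"^\d+$")),
    ("letters then digits", re.compile(r"^[A-Za-z*]+\d+$")),
    ("letters only",        re.compile(r"^[A-Za-z*]+$")),
]


def parse(text):
    """Turn 'password (count)' lines into a list of (password, count)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("pw"), int(m.group("n"))))
    return entries


def classify(pw):
    """Label a password with the first structural class it matches."""
    for label, rx in PATTERNS:
        if rx.match(pw):
            return label
    return "other"


def pattern_tally(entries):
    """Users per structural class (weighted by how many people chose each password)."""
    tally = Counter()
    for pw, n in entries:
        tally[classify(pw)] += n
    return tally


def trailing_one_share(entries):
    """Fraction of these users whose password is something plus a single trailing '1'."""
    total = sum(n for _, n in entries)
    ones = sum(n for pw, n in entries if re.match(r"^[^\d]+1$", pw))
    return ones / total


if __name__ == "__main__":
    entries = parse(TOP20)
    total = sum(n for _, n in entries)
    print(f"{len(entries)} passwords, {total} users")
    for label, n in pattern_tally(entries).most_common():
        print(f"  {label:<20} {n:>4} users ({100 * n / total:.0f}%)")
    print(f"something + '1': {100 * trailing_one_share(entries):.0f}% of these users")
```

Run as is, it shows that 508 of the 703 users (72%) picked letters followed by digits and that more than half of them just appended a “1”, which is the first mangling rule any cracking tool tries.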

This is revealing for a number of reasons. First of all, the most common passwords used on MySpace are far from unique, and far from complex: a word with a single digit appended, or a short run of digits. Most of these passwords would be easily guessed or cracked. Since the article is a few months old, these people obviously haven’t been following my advice, as they wouldn’t have seen it yet.

Secondly, it shows how easily people can be fooled by phishing websites that look authentic. As this happened a few months ago, hopefully the introduction of in-browser anti-phishing tools in Internet Explorer 7 and Firefox 2.0 will help reduce the likelihood of it happening again.

And lastly, it provides a good justification for using different passwords on different sites. If someone gets your MySpace password, no big deal, right? It’s not exactly a critical site (to most of us, anyway). But many people use the same password on many sites, including online banking sites, so obtaining your MySpace password could be the key to every site you share that password with.

Hopefully this scares you enough into making sure those passwords are strong, unique between sites, and that you pay attention to potential phishing scams.  Soon, I’ll give you some ways to help manage your passwords.

What makes a good password?


How do you create a good password?  It’s a common question, and there are a number of different approaches to this problem.  Understand that using strong passwords is critical, whether you are creating a password for your home computer, your online banking site, or any other type of web site or forum.

So what constitutes a strong password?  The standard definition of a strong password is “choose a password at least 8 characters in length, containing letters, numbers, and special characters.”  In case you’re wondering, special characters are usually the ones above the number keys on your keyboard, plus characters such as spaces, commas, periods, and the various other symbols on your keyboard. 

This definition is perfectly fine, but gives you little guidance on how to structure a password. It can often lead to difficult-to-remember passwords, such as I$hg7p3V*!. It can also lead to passwords that seem secure but are in fact very easy for password crackers to break, such as P@ssword1: a dictionary word with a predictable symbol substitution and a digit appended, exactly the kind of mangling that cracking tools try first.

There are two approaches to password creation that I consider to be good options. The first one is to think of a phrase, such as “My dog Spot likes to eat dog food.” You can take the first letter of each word and turn that into a memorable password such as “Md$ltedf05” (the S of Spot has become a $ and a two-digit number is appended to satisfy the number requirement). As long as you remember the phrase, you will remember the password, and anyone else looking at it will find it incomprehensible.

Another approach that I feel is even better, if a bit typing-intensive, is to forget about passwords entirely and consider passphrases.  This approach creates even stronger passwords, but you will probably end up typing 15 or 20 characters in a password.  Take the example above.  Instead of taking the first letter from each word, just use the whole phrase as your password.  So your password would be “My dog Spot likes to eat dog food.”  This password contains all the elements of a strong password except for numbers, but it also is considerably longer than your standard password.  I would challenge any password cracking program to break that password.  The only limitation to this method is that certain applications and web sites have a maximum password length, so you may have to choose shorter phrases, or go back to the previous method for these sites.
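As an added example (not from the original post), the Python below encodes the three things discussed here: the standard character-class definition, the first-letters-of-a-phrase trick that produces Md$ltedf05, and why P@ssword1 is weak despite passing the definition. The eight-word wordlist and the leet-substitution table are constructed stand-ins for a cracker’s real dictionary and mangling rules; the brute-force figure is the raw keyspace in bits for a blind search, an upper bound that dictionary attacks fall far below.

```python
"""Password checks for the three approaches in the post.

Added example, not code from the original post. The wordlist and the
leet-substitution table are constructed stand-ins for a cracker's dictionary
and mangling rules.
"""
import math
import re
import string

SPECIALS = set(string.punctuation) | {" "}   # the post's "special characters"

# Constructed stand-in for a cracking wordlist (real ones have millions of entries).
WORDLIST = {"password", "myspace", "monkey", "princess", "football",
            "iloveyou", "dog", "spot"}

# Symbol/digit-for-letter substitutions that crackers undo before a dictionary lookup.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                        "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def meets_standard_definition(pw):
    """The post's definition: at least 8 chars with letters, digits and specials."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def acronym_password(phrase, substitutions=None, suffix=""):
    """First letter of each word, with optional letter substitutions and a suffix.

    acronym_password("My dog Spot likes to eat dog food.", {"s": "$"}, "05") -> "Md$ltedf05"
    """
    substitutions = substitutions or {}
    letters = [w[0] for w in re.findall(r"[A-Za-z]+", phrase)]
    return "".join(substitutions.get(c.lower(), c) for c in letters) + suffix


def looks_like_mangled_word(pw, wordlist=WORDLIST):
    """True if stripping trailing digits and undoing leet leaves a dictionary word.

    This is the check that sinks P@ssword1: a cracker tries exactly these rules first.
    """
    core = re.sub(r"\d+$", "", pw).lower().translate(UNLEET)
    return core in wordlist


def bruteforce_bits(pw):
    """log2 of the blind keyspace: (sum of the character classes present) ** length."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    return len(pw) * math.log2(size)


def assess(pw):
    """Combine the three checks into one verdict for a candidate password."""
    return {
        "meets_definition": meets_standard_definition(pw),
        "mangled_word": looks_like_mangled_word(pw),
        "bruteforce_bits": round(bruteforce_bits(pw), 1),
    }


if __name__ == "__main__":
    phrase = "My dog Spot likes to eat dog food."
    for pw in ["I$hg7p3V*!", "P@ssword1",
               acronym_password(phrase, {"s": "$"}, "05"), phrase]:
        print(f"{pw!r:40} {assess(pw)}")
```

P@ssword1 and Md$ltedf05 get nearly the same brute-force figure (about 59 and 66 bits), which is exactly why the keyspace number alone is misleading: only the first one collapses to a wordlist entry once the digit is stripped and the @ undone. The full phrase fails the definition for lack of a digit, as the post notes, yet its keyspace is well over 200 bits.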

Does anyone else have any password best practices that they want to share?  I’m open to any other methods that can create strong passwords that anyone can use.  Weak passwords are a serious risk and should be addressed in any way that you feel comfortable.

We are searching for bloggers


It’s been a long time since the last post. Lots of things have happened since then and the site has stalled for lack of time to update it.

There are still lots of things to be said about computer security and I would really like this blog to keep going. But as I can’t do it myself, I am looking for some people who can.

So if you are interested in computer security and can write in English (no need to be an expert in either), apply for this position right now. This is a paid position, so you can even earn some money while writing about something you like.

To apply or ask any question, please use the contact form on the About page.

How to protect your mobile devices

Storing private data on mobile devices can be a big security risk if you lose them and they are not properly protected. If you use this kind of device you should follow some rules.

Password protection. Use a password or a PIN to access your device. This is very basic protection, but it can stop casual attackers from accessing your data.

Encrypt your data. Many mobile devices include this capability built in, but if yours doesn’t, find some software you can trust.

Use a firewall. If you need Internet access, use the same level of protection as at home: a firewall to block attacks.

Use remote lockdown and wipe functions. Many mobile devices include some way to lock the device or wipe its contents remotely if it is stolen. Be sure to have backups of that information before you ever need to wipe it.

If you don’t follow these simple rules your information might fall into the wrong hands.

 

Return to blog

After more than two weeks without writing in this blog because of lots of parallel projects and real life, we are back.

Expect more posts about computer security shortly.

Microsoft Word vulnerability

Some years ago, macro viruses inside documents became the new trend. Almost every new virus used this technique, hiding inside Office documents and executing when the unsuspecting user opened the file.

Most users became aware of this and disabled macros, so the viruses could not execute, and many mail providers blocked e-mails with Office documents attached.

This is not the case anymore, as macro viruses are very rare now, but a recent Word vulnerability has made DOC files dangerous again. This time the problem is not with macros inside the document, but with a vulnerability that allows malicious code to execute as soon as the document is opened, so having macros disabled does not protect you.

There is no patch yet for this vulnerability, as Microsoft won’t release one until June, so you should be extremely careful with the documents you receive, especially if they are unexpected.

For now, this doesn’t seem too widespread, as only one attack has been detected, against a single company, and it was a very targeted one directed specifically at them, but it wouldn’t be surprising to find it in the wild within days.

F-Secure Online Scanner

If we have to check a computer for viruses and have no antivirus at hand, F-Secure Online Scanner may be a good option, as it lets you scan your files without installing a full antivirus product on the computer.

You only have to browse to its page and download an ActiveX control, which will scan the computer for viruses. You will need to use Internet Explorer, as it is the only supported browser.

Another service I like to use is VirusTotal, which offers free online analysis of files with 23 different virus scanners. In this case you can only scan individual files, one at a time, but it is very useful when you are suspicious of a file and want to test it thoroughly. As no antivirus is 100% reliable, checking a file with so many different scanners gives much better coverage than any single one, although a clean result from all of them is still not a guarantee.

In any case, the best solution is still a resident scanner, which stops viruses before they are even written to your disk, let alone executed.

Chain letters

With some regularity, everyone receives e-mails sent by someone they know that warn of some really dangerous virus, ask for collaboration in a project to help a poor kid, and so on.

These e-mails are known as hoaxes and, although they are sent with good intentions, they are almost always false, a kind of urban legend spread through the Internet.

You can spot this kind of e-mail because it says you will suffer a big loss if you don’t forward it, it is not signed, it promises some gift from a company or it offers some hard-to-believe information.

Some examples of this kind of message:

  • The Make A Wish Foundation has agreed to donate 7 cents every time this message is sent on.
  • If you forward it to 20 friends, you will receive the brand new Ericsson R320 WAP-phone.
  • DO NOT RELY ON YOUR ANTI-VIRUS SOFTWARE. McAFEE NOR NORTON CAN DETECT IT BECAUSE IT DOES NOT BECOME A VIRUS UNTIL JUNE 1ST. IT WILL BE TOO LATE THEN. WHATEVER YOU DO, DO NOT OPEN THE FILE!!!

These e-mails have all been taken from Break the Chain, a site dedicated to collecting them, so you can check whether an e-mail you receive is a hoax or not.

You should never forward these letters to your friends, because they are very annoying, they clutter up inboxes and, many times, they are used to harvest e-mail addresses for spam. If your friends send them to you, tell them not to and explain why it is bad, pointing them to Break the Chain if necessary.

Sharing a computer securely

If you are in charge of a computer used by several different people, you will have found yourself formatting and reinstalling it from time to time to clean out everything the users have installed, voluntarily or involuntarily.

On computers located in Internet cafes, public libraries or schools the risk of infection by spyware or viruses is very high, as they are used by people who, sometimes, are not very knowledgeable about security. So copying files from them or accessing important sites from there can be very dangerous.

Microsoft has released the Shared Computer Toolkit for Windows XP, which makes it easier to manage these computers securely. Its main features are Windows Disk Protection, User Restrictions and Profile Manager.

Windows Disk Protection discards the changes made to the hard disk when the computer is rebooted, so if it gets infected with a virus the infection is gone the next time you turn the computer on. You can also define some areas which must not be cleared, for example where users save their documents.

User Restrictions allows the creation of user profiles in an easy way, so you can give different sets of permissions to the different users or groups of users of the computer. For example, you can block unauthorized software or set timers which limit how long a user can stay logged on.

With Profile Manager you can create persistent spaces which will not be cleared by Windows Disk Protection, where users can save their data.

This is a good solution unless you have a large number of computers, because control is not centralized; in that case it is better to use Active Directory and Group Policy. Windows Disk Protection also lets you test software on your own computer without fear of destroying important data, since every change is rolled back on reboot.

To use the Shared Computer Toolkit you will need a genuine copy of Windows XP, as you must pass Windows Genuine Advantage validation. You will also need 5 MB of free disk space and an NTFS file system.

For more information and download you can go to Microsoft Shared Computer Toolkit for Windows XP.