December 18, 2014

POODLE has Morphed??????

Recently, new attacks on the RC4 stream cipher have come to light. RC4 cipher suites are still negotiated by roughly half of the internet's SSL/TLS deployments (the "https" you see in front of a URL), and many well-known companies, including internet giant Google, still support them. However, at this time, security researchers say that an attacker would have to cause hundreds of millions of TLS connections that all carry the same secret, while positioned to observe the traffic (a man-in-the-middle), in order to collect enough ciphertext to mount a feasible attack.

For the moment, researchers are saying that we are safe, but administrators should not wait too long before disabling SSLv3 and the protocol-downgrade fallback that POODLE exploits. Security experts expect deployment of TLS 1.2 with GCM (Galois/Counter Mode, an authenticated-encryption mode for block ciphers such as AES) to be accelerated to help phase out the RC4 cipher.

The security research company Qualys has created a testing page that can be used to check domains for the vulnerability. The site will also offer some tips for making your domain "more secure" by grading it and explaining why it received the grade that it did. The site looks to be fairly in-depth and insightful. Qualys also has some vulnerability mitigation recommendations for the near future. I am going to list the ones pertinent to system administrators, as these are the individuals who will need this information the most; the remaining recommendations are in the Qualys post.


System Administrators
  • Disable TLS compression. The CRIME attack on compressed TLS is similar in nature to the recent RC4 attacks but, unlike them, is practical today. 
  • Support TLS 1.2 and GCM cipher suites as soon as possible. 
  • Also, if you have not disabled SSLv3 compatibility, go ahead and do so now. 

Example Use Case
The problem here (as usual) is your browser.
You see, there are certain common elements that your browser tends to send at the beginning of every HTTP(S) connection. One of these values is a cookie -- typically a fixed string that identifies you to a website. These cookies are what let you log into Gmail without typing your password every time.
If you use HTTPS (which is enforced in many sites by default), then your cookies should be safe. After all, they'll always be sent over an encrypted connection to the website. 
Unfortunately, if your connection is encrypted using RC4 (as is the case with Gmail), then each time you make a fresh connection to the Gmail site, you're sending a new encrypted copy of the same cookie. If the session is renegotiated (i.e., uses a different key) between those connections, then the attacker can build up the list of ciphertexts he needs.
To make this happen quickly, an attacker can send you a piece of Javascript that your browser will run -- possibly on a non-HTTPS tab. This Javascript can then send many HTTPS requests to Google, ensuring that an eavesdropper will quickly build up thousands (or millions) of requests to analyze.
Source: http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
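The attack the use case above describes can be simulated end to end. The following is an added example (my own code, not from the original post or from the cited research): a textbook RC4 implementation, a loop that models the browser re-sending one cookie over many fresh RC4 sessions, and a majority vote that recovers the second byte of the cookie using the Mantin-Shamir bias (the second keystream byte is 0 with probability about 1/128 instead of 1/256). The cookie string, the 128-bit random keys and the 30,000-connection sample are constructed for the demo; a real attacker would sniff the TLS records instead of generating them.

```python
"""RC4 keystream bias, simulated the way the quoted use case describes it:
the same cookie encrypted under a fresh key on every connection.
Added example; the RC4 code is the standard KSA/PRGA, the cookie and the
key material are constructed here."""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes of RC4 for key (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))


def collect_ciphertexts(cookie: bytes, connections: int, seed: int = 1234) -> list:
    """Model of the browser re-sending one cookie over many fresh RC4 sessions.
    Each 'connection' uses a new random 128-bit key (seeded RNG so the run is
    reproducible)."""
    rng = random.Random(seed)
    cts = []
    for _ in range(connections):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        cts.append(rc4_encrypt(key, cookie))
    return cts


def recover_byte(cts: list, index: int) -> tuple:
    """Majority vote for the plaintext byte at `index`. Valid for index == 1:
    Z_2 == 0 about twice as often as any other value, so C_2 == P_2 wins the
    vote with roughly twice the count of any wrong candidate.
    Returns (guess, votes_for_guess, votes_expected_if_keystream_were_uniform)."""
    votes = [0] * 256
    for c in cts:
        votes[c[index]] += 1
    guess = max(range(256), key=votes.__getitem__)
    return guess, votes[guess], len(cts) / 256


if __name__ == "__main__":
    cookie = b"SID=s3cr3t-session-cookie"          # constructed stand-in for a real cookie
    cts = collect_ciphertexts(cookie, 30_000)
    guess, votes, uniform = recover_byte(cts, 1)
    print(f"recovered byte 2 = {chr(guess)!r} (true {chr(cookie[1])!r}), "
          f"{votes} votes vs {uniform:.0f} expected if unbiased")
```

Thirty thousand sessions recover a single byte; recovering a whole cookie needs the other positional biases and far more sessions, which is why the attack is still described as impractical, and why the mitigation is to stop negotiating RC4 rather than to shorten cookies.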

October 3, 2014

Somebody is Conversnitching



Wouldn't it be interesting if you could put a listening device in a lamp so that you could hear what your buddy down the hall was saying, or listen in on a conversation from the team that you're competing against? Well, now you can, with a fun little gadget known as Conversnitch. It is a listening device that lives in a light bulb. Once it captures some audio, it has the speech transcribed and posted to Twitter in near real time. Hilarious, right? 
It is constructed from little more than a Raspberry Pi miniature computer, a microphone, an LED and a plastic flower pot. It screws into and draws power from any standard bulb socket. Then it uploads captured audio via the nearest open Wi-Fi network to Amazon's Mechanical Turk crowdsourcing platform, whose workers its creators, Kyle McDonald and Brian House, pay small fees to transcribe the audio and post lines of conversation to Conversnitch's Twitter account.
Take a look at the video (linked in the source below) and let me know what you think. I thought it was pretty entertaining myself. Just watching those guys put the light bulb in so many different places, and no one even tried to question what they were doing.

Source: Conversnitch - http://www.wired.com/2014/04/coversnitch-eavesdropping-lightbulb/



Bash Bug aka 'ShellShock' & the 'AfterShock'

Shell Shock from Marvel

There is a critical vulnerability in the GNU Bourne Again Shell, otherwise known as Bash. The news was released on September 23, 2014, and the picture of the ShellShock bug's severity has continued to evolve in the days since.

So ... What is ShellShock

Other than a cool-looking cartoon character from the Marvel comic book series (see picture at right), ShellShock is a fundamental flaw in the Bourne Again Shell, or Bash for short, which is the default shell on many Linux, UNIX and Mac OS X systems. The vulnerability allows an attacker who controls the contents of an environment variable to execute arbitrary commands whenever Bash is invoked. Environment variables are a set of dynamic named values that affect the way running processes behave on a computer; vulnerable versions of Bash treated any variable whose value began with "() {" as a function definition and kept executing whatever text followed the function body.

RedHat.com describes the bug as follows:
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) 
A variety of services, including FTP, SSH, DHCP, SIP VoIP proxies and Telnet, can be used as a path to this vulnerability wherever they pass attacker-supplied data into environment variables before invoking Bash, and there are many proofs of concept that can be used to verify these issues. Apache web servers are vulnerable if they use mod_cgi or mod_cgid to run CGI scripts, because CGI hands request headers to the script as environment variables. If your Apache server does not need these modules, deactivate them in the respective configuration files.

The following is a link to a video explanation of how ShellShock works. It may help you to better understand what is actually happening, on a very high level, when the vulnerability is exploited. SANS ShellShock Explanation: https://www.youtube.com/watch?v=W7GaVyzkCs0

Update October 03, 2014: The ShellShock Bash vulnerability is being used to target Network Attached Storage (NAS) devices, QNAP storage appliances in particular. Of course, the recommended thing to do is update and patch the system if it is vulnerable, but I say patch the system anyway, because the update may fix something that has yet to be disclosed.
The attack instructs the target NAS to download a script that modifies the device's startup environment to allow future malicious updates, installs an attacker-controlled SSH key to bypass password authentication, and then cements itself with an ELF executable that gives the attacker shell access to the device and can be invoked in three different ways.
Source: www.darkreading.com

Testing

If you have not patched your system yet, run the following command in a terminal to test it for the vulnerability (invoke bash explicitly; on systems where sh is dash, "sh -c" would test the wrong shell):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the word "vulnerable" appears in the output, the shell executed the code that followed the function definition: your system is vulnerable to the exploit and should be patched to the latest version of Bash immediately! Note that "this is a test" is printed either way, so it is not the indicator. 

If you have patched your system, or it was never affected by ShellShock, you will see the following output from your terminal after entering the command above.


bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you have implemented a patch, try the following two tests, which cover variants that the first round of patches did not fully address (the first is the CVE-2014-7169 parser test): 

env -i x='() { (a)=>\' bash -c 'echo date'; cat echo
env -i X=' () { }; echo hello' bash -c 'date'


Read the results carefully, because the date is not the indicator for both tests. In the first test, an unpatched Bash mis-parses the trailing backslash and runs `date > echo` instead of `echo date`, so a file named echo is created and `cat echo` prints the current date (e.g. Wed Oct  1 09:12:20 EDT 2014); on a fixed Bash, the command prints the word "date" and cat reports that the file does not exist. In the second test, the date alone is the expected, safe output; if the word "hello" appears before it, the code after the function body was executed and your system is still vulnerable to very specifically crafted exploits.
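To avoid misreading the three checks by hand, here they are wrapped in one shell function that tests a given bash binary and prints a per-variant verdict. This is an added example, not a script from the original post or from any vendor; it runs the same three commands shown above, in an empty environment, and treats only the real indicators ("vulnerable", the created echo file, "hello") as hits.

```sh
#!/bin/sh
# Added example: the three ShellShock checks from the post, as one function.
# Usage: shellshock_check [path-to-bash]
# Exit status: 0 = no variant triggered, 1 = at least one triggered, 2 = bash not found.
shellshock_check() {
    bash_bin="${1:-$(command -v bash)}"
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo "bash not found"
        return 2
    fi
    rc=0

    # 1. CVE-2014-6271: code after the function body must not run.
    #    Indicator is the word 'vulnerable'; 'this is a test' prints either way.
    out=$(env -i x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "CVE-2014-6271 (function import): VULNERABLE"; rc=1 ;;
        *)            echo "CVE-2014-6271 (function import): ok" ;;
    esac

    # 2. CVE-2014-7169 parser follow-up: on an unpatched shell 'echo date'
    #    becomes 'date > echo', leaving a file named echo in the working dir.
    work=$(mktemp -d)
    ( cd "$work" && env -i x='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$work/echo" ]; then
        echo "CVE-2014-7169 (parser state): VULNERABLE"; rc=1
    else
        echo "CVE-2014-7169 (parser state): ok"
    fi
    rm -rf "$work"

    # 3. Leading-space variant: 'hello' before the date means the trailing
    #    command still ran; the date alone is the safe output.
    out=$(env -i X=' () { }; echo hello' "$bash_bin" -c 'date' 2>/dev/null)
    case "$out" in
        *hello*) echo "leading-space variant: VULNERABLE"; rc=1 ;;
        *)       echo "leading-space variant: ok" ;;
    esac
    return $rc
}

shellshock_check "$@"
```

Run it against every bash on the box (for example `shellshock_check /bin/bash` and again with the path of any bash shipped inside an appliance or container image), since a patched system shell says nothing about a bundled one.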

Solution

The short answer is patch, patch, patch, and make sure that the patch you have installed is the most current version. 

Longer version: Red Hat, as well as many others, have released patches to address ShellShock. However, even after the updates, security researchers are finding more ways to exploit Bash's function-import parsing that the early updates did not address. Go figure. With something this prominent, there will be more than one or two ways of taking advantage of it, and this will most likely be around for quite some time. So, good job on coming out with a fix so quickly, but be ready to install more Bash security updates in the days to come. It will take some time to find everywhere that a vulnerable system exists, so stay vigilant.   

Below, is a list of links and commands for updating bash on various operating systems: 

Sources

September 10, 2014

The Home Depot POS Breach

Home Depot
Home Depot POS systems compromised by POS Malware

THE FACTS

Home Depot confirmed on September 08, 2014 that a data breach had taken place at the majority of its US and Canadian store locations. An estimated 2,400+ stores may have been affected by the breach, which started back in April of this year.

Brian Krebs of KrebsOnSecurity reported that sources close to the investigation believe the malware used in this breach was a new variant of the malware used to infect Target and other point-of-sale (POS) systems last year. This information was released early last week along with a statement from Home Depot. Other sources suggest that some of the stores were infected with a POS malware called BlackPOS, a memory scraper designed to copy credit and debit card numbers as soon as they are swiped at the card reader terminals. The security company Trend Micro says that this new variant has a few new capabilities, including the ability to disguise itself as part of the anti-virus software running on the compromised systems. Very sneaky. The malware also comes with an enhanced ability to pull data from the memory of the POS devices.
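"Pulling data from memory" is less magic than it sounds: a RAM scraper walks process memory looking for magnetic-stripe track data, which has a fixed shape, and uses the Luhn check digit to throw away numbers that merely look like card numbers. The example below is added here to show that logic (it is not BlackPOS or the Home Depot malware, whose code I have not seen), and the same scan is what a defender runs against a memory dump of a POS process to confirm whether cleartext track data is present. The "memory" buffer is constructed from published test card numbers.

```python
"""Track-2 scanner of the kind POS RAM scrapers (and memory-dump triage
scripts) use. Added example; the buffer is constructed, the PANs are test
numbers, and the field layout follows ISO/IEC 7813 track 2."""
import re

# ';' PAN(13-19 digits) '=' YYMM service-code(3) discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: the filter that removes false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_track2(buf: bytes) -> list:
    """Return (PAN, expiry YYMM, offset) for each Luhn-valid track-2 record."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append((pan, m.group(2).decode(), m.start()))
    return hits


# Constructed "memory dump": junk, a Luhn-valid test PAN, a PAN with a bad
# check digit, and an unrelated numeric field that must not match.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x90\x90"
    b";4111111111111111=181210100000000000?"   # well-known Visa test number
    b"\x00\x00\x00"
    b";4111111111111112=181210100000000000?"   # last digit wrong: fails Luhn
    b"\x00\x00"
    b"order=1234567890123;total=55.10"
)

if __name__ == "__main__":
    for pan, exp, off in scan_for_track2(SAMPLE_MEMORY):
        print(f"offset {off}: PAN {pan[:6]}...{pan[-4:]} expires {exp}")
```

If this scan finds hits in a dump of a live POS process, card data is sitting unencrypted in RAM between swipe and authorization, which is exactly the window the scraper exploits and the reason point-to-point encryption at the reader matters more than EMV for this class of attack.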

According to krebsonsecurity.com, large batches of the stolen cards began to show up on the underground cyber crime shop known as Rescator[dot]cc, where the first two card batches were listed under the name "American Sanctions". The same shop is where cards stolen from Target and other retail stores have been sold, so it is believed that the hackers responsible for the earlier incidents are the same individuals responsible for the HD attack.

Although Home Depot says that card PINs were not compromised, the stolen data can be used to create counterfeit copies of the cards, and if the hackers can also get the PINs associated with those cards changed, they can make ATM withdrawals. Many banks have reported an increase in fraudulent ATM activity. Krebs states that the most important piece of this story is that the name, city, state and ZIP code associated with each card were included with the stolen data. This matters because most Home Depot shoppers live close to the store they use, which makes guessing a cardholder's most likely address pretty easy, which in turn makes it much easier for the fraudsters to locate victims' SSNs and birth dates using other resources in the cyber crime underworld.

When it comes to ATM card vulnerabilities and knowledge-based auth systems, this quote says a lot:
"Banks are long overdue to move away from knowledge-based authentication. Forget about the fact that most major providers of these services have been shown to be compromised in the past year by the very crooks selling Social Security numbers and other data to identity thieves: The sad truth is that today’s cybercriminals are more likely to know the correct answers to these questions than you are."
WHAT HOME DEPOT PLANS TO DO

Home Depot is offering free credit monitoring and identity repair services through AllClear ID to anyone affected by the POS data breach. Although it is good that they are doing this, the breach has most likely affected a large share of consumers in the US and Canada. HD also states that customers will not be responsible for any fraudulent charges that show up on their statements. In response to the breach, Home Depot plans to roll out EMV "Chip and PIN" (stronger than Chip and Signature) terminals in all of its US stores by the end of the year, which, according to HD, is well ahead of the October 2015 liability-shift deadline set by the payment card brands.

If you would like to see the FAQ page that Home Depot released in light of the incident, follow the link (no pun intended) HERE.

Update: September 12, 2014 - Some researchers have taken a closer look at the malware used to attack Home Depot and think that it is not related to BlackPOS, which was used in the Target attack. Based on the differences found, the new malware appears to have been written by a different person or group entirely.

Some of the differences include:
  • Both malware families move the harvested data through network shares, but their techniques differ. BlackPOS uses direct system calls, while the new malware writes out a batch script and executes it with a call to the CreateProcessA() Windows API. 
  • The APIs used for process enumeration differ: BlackPOS uses EnumProcesses(), while the new malware uses CreateToolhelp32Snapshot().
  • Lastly, BlackPOS uses a focused whitelist approach to find the processes it targets, while the new malware uses a blacklist. 
Update: November 7, 2014 - Home Depot updated its breach notification page to report that a large number of email addresses, to the tune of 53 million, were stolen along with the PII that had already been reported. HD assured its customers that the file containing the addresses did not contain any payment card information or passwords. Another bit of news regarding the breach is that, as in the Target breach, a third-party vendor was compromised and then used to attack Home Depot. The attackers used credentials stolen from the third party to gain access to the edge of Home Depot's network, then exploited a vulnerability in Windows to reach the POS terminals.

SOURCE INFORMATION
  • http://krebsonsecurity.com/2014/09/in-wake-of-confirmed-breach-at-home-depot-banks-see-spike-in-pin-debit-card-fraud/ 
  • http://www.darkreading.com/home-depot-breach-may-not-be-related-to-blackpos-target/d/d-id/1315636



August 23, 2014

Netflix in Linux Using Chrome

Netflix Logo

Update 01.01.2015 - I have some awesome news! It is no longer necessary to use the "User Agent Extension" for Google Chrome in order to watch Netflix on Linux. Simply remove the custom agent, relaunch the video that you want to watch, and it should work!

The World Wide Web Consortium (W3C) has pushed for protected media content to be streamed through HTML5 media playback via the Encrypted Media Extensions (EME) specification. Watching Netflix natively on Linux has been made possible in Beta versions of Google Chrome with the help of a user-agent extension, so you no longer need the clunky Wine/Silverlight workaround.
By spoofing the user agent of an officially supported EME platform (e.g., Windows 8.1) in Chrome for Linux, we get fuss-free, fully native playback of movies and TV shows, for now at least.
It does take a bit of tweaking to get it up and running, but once you do, it plays much nicer than the Wine configurations of earlier days.

Requirements for this install:
  • Ubuntu 14.04 or 14.10 (alpha)
  • Google Chrome Beta or Dev version v37 or greater 
  • A Netflix subscription 
  • Have Prefer HTML5 selected in Netflix Account Playback
You can install Google Chrome Beta by using the following command inside of a terminal window.

sudo apt-get install google-chrome-beta

After all of that is done, you will need to update your Ubuntu 14.04 LTS install to the latest version of libnss3. If you have trouble getting playback to work, run a system update, which should install the latest libnss3. There may be some dependencies that Ubuntu is unable to resolve; running the following command should fix any dependency issues:

sudo aptitude upgrade --full-resolver

Next, you will need to install the "User Agent Extension". You can find it in the Chrome Web Store or at the link below:

User Agent Extension for Chrome

After the extension is installed, a new extension icon appears at the top right of the Chrome browser. Right-click on the icon and select Options. In the Custom User-Agent section, enter the following information:

  • Name: Netflix Linux
  • String: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2114.2 Safari/537.36
  • Group: (is filled in automatically)
  • Append?: select 'Replace'
  • Flag: IE
When the information has been added, press the "Add" button. Then, navigate to Netflix.com in Google Chrome Beta, click on the user agent extension, select "Chrome". Then, under Chrome select the "Netflix Linux" agent that was just created. After that, you should be in business. 




August 6, 2014

Russian Cyber Gang "Steals" Passwords


A source told the Guardian on Tuesday that a Russian cyber gang has stolen 1.2 billion unique username and password combinations belonging to more than 500 million email addresses. However, there does not seem to be enough information to judge whether the reporting party is telling the truth; at least, no big-name security firm has been allowed to verify the claim. An information security researcher from University College London told the Guardian,
It’s plausible that they have found this many credentials, but whether they actually have or not we would need to see more data ... We’ve been told independent experts have verified it, but we haven’t seen what they’ve verified and we don’t know who they are.
The article goes on to say that this news, whether true or not, is just another nail in the theoretical coffin for usernames and passwords as the mechanism of choice for securing web sites. People are always given advice like, "You need to make a secure password that is some number of characters long, contains each of the following character types, and is difficult for others to guess but easy enough for you to remember." However, the problem is not that people cannot remember their passwords; it is that they have so many passwords for so many places that we, as security professionals, should not expect them to reasonably remember all of them without reusing the same one here and there or writing some of them down, at least the ones they do not use that often.
An alternative solution is to move to another device or mechanism for proving identity. Wueest, quoted in the article, explained that one potential solution would be to use a mobile phone that confirms a login via a push notification or text message, which the user verifies to gain entry to a website or computer system.
In other words, this quote is referring to two-factor authentication, which is something I have been using for almost a year now on the sites that offer it. Twitter, Google, LastPass, Evernote, Duo Security (a two-factor authentication company) and many others have begun to use this technique as an additional means of verifying someone's identity.

I thought it was interesting that the security firm claiming to have discovered the theft will not release any data, yet says the credentials were stolen from many big-name sites. They had the NY Times sign confidentiality agreements before they would allow an outside source, not affiliated with the firm, to analyze the data and prove its authenticity. What sites are they referring to? There has been no word of any company making a public statement urging its users to update their passwords, but the security firm claims that some of them do know their records are among the ones that were stolen. I also found it very interesting that the CISO of the security firm (Hold Security) has sources in the cyber criminal realm who have given him information regarding the nature of the attack as well as the general whereabouts of the criminals. I would really like to know whether I need to warn anyone to go change their account passwords because of a large breach.

At this point, no one is sure of anything. It is still a bit early to determine exactly what happened, if anything. The best thing for people to do for the moment is watch their accounts closely, especially those tied to financial data: banks, credit cards, etc. We will have to see what surfaces in the next few days.

Update:

It appears that the primary method the hackers used to get the information was SQL injection. They built a large botnet of zombie computers (systems taken over by an attacker, usually without the owner's knowledge, to be used as a mechanism to attack other entities on a large scale) that visited web sites and tested whether they were vulnerable to SQL injection. If a site was, the gang marked it as vulnerable and came back later to siphon off whatever information it could.

Brian Krebs of Krebs on Security said that he has seen the data found by Hold Security first hand and that it is, without a doubt, the real thing, but he is not at liberty to disclose the means by which the information was found or whom the data belongs to. He also mentioned that Hold Security has close ties to the cyber criminal underground.

Furthermore, an article from Dark Reading says that the gang, at this time, does not seem to be selling the information it has gathered; instead, it appears to be using it to run an email-spamming business for hire.

Do we know how many of the stolen password databases were hashed? That would help us figure out how many of the passwords are readily usable by the attackers. Yes, the SQL injection vulnerabilities should be fixed, but storing a salted, slow hash of each password (bcrypt, scrypt or PBKDF2) in the database is far more secure than storing the actual password in plain text, so that even if the data is stolen it is much harder to use.
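Both points above, the injection the botnet was probing for and the difference a hashed password column makes, fit in one small script. This is an added example, my own and not code from Hold Security or any of the breached sites: an in-memory SQLite database with two constructed users, a login query that pastes user input into SQL (the bug), the boolean-based probe a mass scanner uses to spot it, the parameterised fix, and PBKDF2 password storage so that the same injection, when it succeeds, dumps hashes rather than passwords. The table name, user names and iteration count are assumptions.

```python
"""SQL injection against a login query, the parameterised fix, and why a
dumped table of salted, slow hashes is worth much less than plaintext.
Added example; database and rows are constructed in memory."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to ~100 ms)


def hash_password(password: str, salt: bytes = b"") -> str:
    """'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(plaintext_passwords: bool) -> sqlite3.Connection:
    """Constructed sample table; passwords stored either in clear or hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    for user, pw in (("alice", "correct horse battery staple"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, pw if plaintext_passwords else hash_password(pw)))
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The bug the botnet was probing for: user input pasted into the SQL text."""
    query = ("SELECT username, password FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def looks_injectable(conn) -> bool:
    """Boolean-based probe of the kind a mass scanner runs: a tautology and a
    contradiction only give different answers if input reaches the SQL parser."""
    true_case = login_vulnerable(conn, "' OR 1=1 --", "")
    false_case = login_vulnerable(conn, "' AND 1=0 --", "")
    return len(true_case) != len(false_case)


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised lookup plus constant-time hash comparison: the input can
    never become SQL syntax, and the stored value is a hash, not the password."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    clear_db = build_db(plaintext_passwords=True)
    print("injectable:", looks_injectable(clear_db))
    print("dumped (plaintext):", login_vulnerable(clear_db, "' OR 1=1 --", "x"))
    hashed_db = build_db(plaintext_passwords=False)
    print("dumped (hashed):", login_vulnerable(hashed_db, "' OR 1=1 --", "x"))
    print("safe login bob/hunter2:", login_safe(hashed_db, "bob", "hunter2"))
    print("safe login with injection:", login_safe(hashed_db, "' OR 1=1 --", "x"))
```

The hashed table still leaks usernames and lets the gang crack weak passwords offline, which is why both fixes belong together: parameterised queries so the table cannot be dumped, and a slow salted hash so that a dump is expensive to turn into reusable credentials.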

For more on this breach, visit the Hold Security blog: http://www.holdsecurity.com/news/cybervor-breach/.

---------------------------------------------------------------------------------------------------------------------

Source Information:
  • Breach Source: http://www.holdsecurity.com/news/cybervor-breach/
  • Source: http://www.theguardian.com/technology/2014/aug/06/cybersecurity-expert-russian-hacking-scare-hold-security-passwords
  • Source: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?_r=0
  • Source: http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
  • Source: http://www.darkreading.com/biggest-cache-of-stolen-creds-ever-includes-12-billion-unique-logins/d/d-id/1297811

July 31, 2014

Pass Phrases are Easier


Source: https://xkcd.com/936/

---------------------------------------------------------------------------------------------------------------------


Criteria:
  1. 25,000 words to choose from
  2. Pick 4 words at random
  3. That's 25,000 raised to the 4th power, which equals 390,625,000,000,000,000 possibilities for a passphrase using only lowercase letters.
  4. This happens to be about the same strength as a random 9-10 character alphanumeric password.
  5. However, most people capitalize one or more of the words, which adds more possibilities: 50,000 raised to the 4th, a really BIG number, which has the same strength as a 10-11 character password using letters and numbers. 
  6. If mutations are allowed (special characters, changing letters to numbers, etc.), the vocabulary grows to about 2.5 million unique words, and 2.5 million to the 4th is another very, very LARGE number. 
The best part is ... 

You can actually remember the passphrase without having to write it down!

Source: https://xato.net/passwords/analyzing-the-xkcd-comic/
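The arithmetic in the list above, plus the one step the comic leaves implicit (the words have to be picked by a random generator, not by you, or the vocabulary count means nothing), as an added example of my own rather than code from xkcd or the linked analysis. The 16-word list is a constructed toy to make the generator runnable; a real deployment uses a list of several thousand words.

```python
"""Passphrase vs password strength with the numbers from the list above, and a
generator that picks words uniformly at random with a CSPRNG. Added example;
TOY_WORDS is a constructed stand-in for a real word list."""
import math
import secrets


def entropy_bits(choices: int, length: int) -> float:
    """log2(choices ** length): entropy of `length` independent uniform picks."""
    return length * math.log2(choices)


def equivalent_password_length(words: int, n_words: int, alphabet: int = 62) -> int:
    """Characters of a random password over `alphabet` symbols needed to match
    an n-word passphrase drawn from `words` (62 = a-z, A-Z, 0-9)."""
    return math.ceil(entropy_bits(words, n_words) / math.log2(alphabet))


TOY_WORDS = ("correct horse battery staple apple river stone cloud "
             "window garden paper music yellow forest coffee ladder").split()


def generate_passphrase(words: list, n_words: int = 4, sep: str = " ") -> str:
    """secrets.choice draws from the OS CSPRNG; random.choice is seedable and
    would make the passphrase predictable to anyone who can guess the seed."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for vocab in (25_000, 50_000, 2_500_000):
        bits = entropy_bits(vocab, 4)
        print(f"{vocab:>9,} words x 4 = {bits:5.1f} bits "
              f"~ {equivalent_password_length(vocab, 4)}-char random alphanumeric password")
    print("toy passphrase:", generate_passphrase(TOY_WORDS),
          f"({entropy_bits(len(TOY_WORDS), 4):.0f} bits; far too few words)")
```

Four words from the toy list give only 16 bits, which is the point of the second print: the strength lives in the size of the list and the randomness of the draw, not in the number of words.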


Primo-vigesimo-centillion


Primo-vigesimo-centillion is equal to 10^366 in the American (short-scale) system, or 10^726 in the French and German (long-scale) system. Like most -illion numbers, it is part of an extended system of names, a naming scheme first proposed by Professor Henkle in 1904 and subsequently popularized in 1968 in an article by Dmitri Borgmann. In Henkle's scheme the Latin ordinals represent their corresponding values, while the cardinals represent multipliers applied primarily to the milli- prefix.
Professor Henkle's system is notable for being the earliest known attempt to extend the zillion series to the millionth member. It may also have served as the impetus and blueprint for later systems, including the popular Conway & Guy naming scheme.
Source: http://googology.wikia.com/wiki/Primo-vigesimo-centillion

June 28, 2014

Huge Data Breach in Montana!

Holy smokes, I just read a post from SC Magazine describing a pretty substantial data breach at the Montana Department of Public Health and Human Services (DPHHS). DPHHS is notifying 1.3 million clients and employees of a year-long data breach. The information stolen from clients includes SSNs, phone numbers, birth dates, addresses and dates of service. Data belonging to employees and contractors includes SSNs, names, numbers and bank information.

And of course, they claim that, after investigation, there is no knowledge of any inappropriate use of the information that was taken. I assume they notified the individuals and offered them the generic free year of "credit monitoring". Hopefully this won't happen again, but my fingers are crossed.

Source: http://www.scmagazine.com/montana-dphhs-notifies-13-million-clients-and-staffers-of-nearly-year-long-breach/article/357655/

June 20, 2014

Common DDoS Response Mistakes

I found an interesting article on darkreading.com that discusses some of the common mistakes organizations make when they are under a DDoS attack. The unfortunate thing about these attacks is that there is no real cure, and DDoS attacks are going to remain a pain in our sides for some time to come. Below is a list of some of the common mistakes organizations make when responding to a DDoS.

* Not having a plan to prevent DDoS attacks in the first place.

Security firms say that it is much more difficult to remediate a DDoS attack after it has started. It is much easier and more effective to put a shield in place that keeps this type of crippling traffic from reaching you in the first place. Gretchen Hellman, senior director of security strategy at SolarWinds, says, 
"Such a plan should include evaluation of current DDoS protections, defined roles and responsibilities between the network and security teams, and a clear process of communication both internally and with your ISP," she says. "Failure to have a solid plan will result in mistakes, such as focusing on blocking IP addresses only -- attackers will use spoofed ones that change often -- reacting without taking the time to understand the nature of the DDoS traffic, and elongated response time when an attack occurs, resulting in more damage."
I like the fact that she says it is a good idea to take some time to understand the nature of the attack: what mechanism is it using, which part of the network is it targeting, or is it the entire network, is the attack focused only on the web server? Reacting too quickly can actually cause more damage than stepping back for a second to evaluate the situation fully, or at least to the best of one's ability. Having a slow response time can lead to damaging circumstances as well. So, I think the takeaway from this one is to have a plan before the DDoS actually occurs, so that damage can be kept to a minimum.
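What "understanding the nature of the traffic" looks like in practice is a quick characterisation pass over the flow records before anyone starts blocking addresses. The script below is an added example of my own, not from the Dark Reading article or any vendor: it summarises a batch of flow records by target, service and TCP flags, labels the likely attack type, and flags the case Hellman warns about, where nearly every packet comes from a different (spoofed) source and per-IP blocking is pointless. The flow records are constructed (a SYN flood against one web server plus a little legitimate traffic) and the thresholds are assumptions to tune for your own baseline.

```python
"""Characterise suspected DDoS traffic before blocking anything.
Added example; flow records are constructed and thresholds are assumed."""
from collections import Counter
import random


def make_syn_flood(n: int = 500, seed: int = 7) -> list:
    """Constructed sample: SYN-only packets to one web server from n different
    (spoofed-looking) source addresses, plus 20 legitimate sessions."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append({"src": src, "dst": "203.0.113.10", "proto": "tcp",
                      "dport": 443, "flags": "S", "bytes": 60})
    for i in range(20):   # completed handshakes carrying real payloads
        flows.append({"src": f"198.51.100.{i + 1}", "dst": "203.0.113.10",
                      "proto": "tcp", "dport": 443, "flags": "PA", "bytes": 1200})
    return flows


def characterize(flows: list) -> dict:
    """Summarise the traffic and label the likely attack type."""
    n = len(flows)
    services = Counter((f["proto"], f["dport"]) for f in flows)
    top_proto, top_port = services.most_common(1)[0][0]
    targets = Counter(f["dst"] for f in flows)
    sources = Counter(f["src"] for f in flows)
    syn_only = sum(1 for f in flows if f["proto"] == "tcp" and f["flags"] == "S") / n
    unique_src_ratio = len(sources) / n
    avg_bytes = sum(f["bytes"] for f in flows) / n

    # Heuristic labels (assumed thresholds): SYN floods are nearly all bare SYNs,
    # amplification floods are large UDP datagrams, HTTP floods are completed
    # TCP sessions against web ports.
    if top_proto == "tcp" and syn_only > 0.8:
        verdict = "syn_flood"
    elif top_proto == "udp" and avg_bytes > 1000:
        verdict = "udp_amplification"
    elif top_proto == "tcp" and top_port in (80, 443):
        verdict = "http_flood"
    else:
        verdict = "unclear"

    return {
        "packets": n,
        "top_target": targets.most_common(1)[0][0],
        "top_service": f"{top_proto}/{top_port}",
        "syn_only_fraction": round(syn_only, 2),
        "unique_src_ratio": round(unique_src_ratio, 2),
        "avg_bytes": round(avg_bytes),
        "verdict": verdict,
        # near 1.0 means almost every packet had its own source address:
        # blocking individual IPs will not help, filter upstream at the ISP
        "ip_blocking_useful": unique_src_ratio < 0.1,
    }


if __name__ == "__main__":
    for key, value in characterize(make_syn_flood()).items():
        print(f"{key:>20}: {value}")
```

The output of this pass is what goes into the call to the ISP: which prefix is under attack, which protocol and port, and whether source-based filtering has any chance of working.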

* Not having a plan to test the plan ...

Waiting to try out a DDoS plan in the midst of an attack is probably not the best way to go. The article gives an example of a large bank that was hit by a DDoS back in 2012. After verifying that they were indeed under attack, they tried to switch all of their services over to their DDoS mitigation solution. When they flipped the switch, their whole network went down. "Ummmmm..." is the look I imagine everyone had on their faces. Testing their solution ahead of time might have come in handy.

Michael Bennett, from DDoS Strike, says that not testing the infrastructure and defenses is a common mistake. If you have never seen or been hit by a DDoS attack, you will not know what that kind of attack looks like, or what to do and how to react in that situation. Testing your plan helps to find holes and weaknesses, including in communication between the relevant teams within the organization.

Communication, communication, communication: that is one of the key points I took from this part of the article. Tabletop exercises would probably be a good place to start. At the very least they get the conversation going and open up proper channels between each department within the organization.

* Not becoming close buddies with your ISPs 

It is much easier to have the traffic blocked further upstream, before it even reaches your network, and much easier to put that protection in place before you need it. In the case of DDoS, I feel that, depending on the type or size of the organization, an attack is almost inevitable sooner or later. I would rather have something in place than be running around in circles.

So, in conclusion:

  • Plan
  • Test
  • Look outside of the immediate network 



June 17, 2014

AT&T Data Breach Warning

AT&T_logo
Marfapublicradio.org
AT&T has notified some of its customers that their personally identifiable information (PII) may have been accessed between April 9 and April 21, 2014 by employees of one of AT&T's contractors. The information accessed includes Social Security numbers, birth dates and other data. AT&T believes this information was accessed in an effort to obtain unlock codes that would allow AT&T phones to be sold on secondary or "black" markets.

AT&T claims that no financial information was stolen, and that the contractor's employees involved have been terminated. However, AT&T is urging its customers to change their account passwords as a precaution. One thing some of you may find interesting is that AT&T has not released the number of people affected by this breach; it says only that some customer accounts were affected. I do not know about you, but this does not make me feel very safe, being an AT&T customer myself.

Security experts say that while there was apparently no direct financial effect on customers, the breach is still concerning.

-------

If you are an AT&T customer, make sure you change your account password and monitor your account activity, including credit card or other payment information.

Source: http://tinyurl.com/ATT-Breach

June 13, 2014

Mitigating BYOD Mistakes with Two-Factor Auth

Duo Security has published a rebuttal to The Wall Street Journal tech blog article entitled "5 ways attackers exploit our bad BYOD habits", which listed five ways BYOD can introduce security issues into an organization.
  • Open Wi-Fi networks can be set up by attackers in places such as coffee houses and other public areas, inviting others to join. The main risk of this threat is the theft of usernames and passwords. Duo Security says that a modern, out-of-band two-factor authentication solution keeps a stolen password from becoming a stolen account by using a separate channel to verify the user's identity.
  • With two-factor authentication, a man-in-the-middle who captures your password still cannot complete the login, because the push notification sent directly to your phone is outside his reach, which keeps you in control of your account. From there, you can change your password and take other precautions to ensure that your account is protected. 
  • Since many people use the same password across multiple web sites and accounts, one successful attack can be reused against multiple accounts: once one account has been compromised, the attacker will generally try that password on other sites. Duo Security claims that two-factor auth makes password complexity less critical, because the attacker has to get through two levels of authentication rather than just guessing the user's password. Furthermore, the user receives a notification when the second factor is triggered, and so learns that someone else is trying to log into one of their accounts. 
I think this article makes some pretty good points regarding account security and authentication, but I still feel that strong, unique passwords should be used on every Web site or account, along with 2-factor authentication where applicable. We do not want to make it too easy for someone to guess one of our passwords. To me, a weak password is only a little better than using a default password or none at all. With rainbow tables and dictionary attacks, it is much easier for someone to guess a poor password. I have been using the free version of Duo Security two-factor authentication for about 6 months now and I think it works fairly well. The only problem is that I am limited in regards to the number of sites with which it is compatible.
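To show the argument in the two bullets above in code, here is an added example (not from Duo Security or the original article) of a login service where the password is the first factor and an out-of-band push approval is the second. All names, the sample credential and the in-process "push" channel are hypothetical; a real deployment would send the push to a phone over the network.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class PhoneApp:
    """Simulated authenticator app on the user's phone: the out-of-band channel."""
    approve_next: bool = False  # the real user sets this right before logging in
    notifications: list = field(default_factory=list)

    def receive_push(self, request_id, client_ip):
        # Every attempt is shown to the user, including ones they did not make.
        self.notifications.append((request_id, client_ip))
        decision, self.approve_next = self.approve_next, False  # one approval per login
        return decision


class AuthServer:
    # Hypothetical login service; users maps username -> (salt, pbkdf2 hash, phone).
    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, password), phone)

    def login(self, username, password, client_ip):
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        salt, stored, phone = rec
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            return "denied"
        # First factor passed; a captured or reused password gets no further alone.
        if phone.receive_push(secrets.token_hex(8), client_ip):
            return "ok"
        return "denied: push not approved"


def demo():
    phone, server = PhoneApp(), AuthServer()
    server.enroll("alice", "Summer2014!", phone)  # constructed sample credential
    phone.approve_next = True                     # Alice really is logging in
    legit = server.login("alice", "Summer2014!", "192.0.2.10")
    # Attacker replays the same password sniffed on the open wifi; no phone, no approval.
    replay = server.login("alice", "Summer2014!", "203.0.113.77")
    return legit, replay, phone.notifications
```

Running `demo()` returns one successful login, one denied replay, and two notifications on the phone, the second of which shows Alice the attacker's address.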

Source: http://tinyurl.com/DuoSec 

June 9, 2014

Helping to Reclaim Our Personal Digital Life

[Image: OPI security appliance (source: Indiegogo.com)]

Overview:

OPI is an information security appliance that you can use as your digital information safe. You can store and back up all information and it is encrypted! You can completely control who is able to access your information and you can control where that information is stored, primarily in your home. The super cool thing about this appliance is that it is running Ubuntu Linux! How cool is that!

The creators want to offer an alternative to other cloud services such as Google Drive or Dropbox for those of us who want to take back control of what is already ours: our data.

How It Works:

This is really awesome because you can back up all of your information while staying in complete control of where that information lives. Also, you can access that data anywhere and everywhere that there is an internet connection or, I assume, a data connection. The appliance sits at your home and is connected to your router, just as you would plug a computer or other networked appliance into your internal network.

Currently, a base OPI starts at $119, which isn't that bad. You will get an 8GB memory card and three months of OP's backup service, and if you don't want to continue paying for the service you can back up your documents, photos and other information manually.

To access your data, OPI is compatible with Android phones and tablets, iOS and other Apple devices, desktop clients, and the Web through the OPI Web interface. A cool feature: during setup, OPI gives you the choice to create a unique name so that you can find your device and access your data no matter where you are in the world.
All OPIs will be granted names under the domain "op-i.me", so, for example, you would enter testopi.op-i.me to access the device named "testopi".

What It Will Not Do:

The device isn't a firewall or a router, so it will not route or block traffic and it won't be able to obfuscate your Internet searches or browsing behaviors. What it will do is keep your stored data encrypted at all times and encrypt the traffic between the OPI and your phone or computer. Furthermore, if anyone gains physical access to the appliance they will have a difficult time getting to the information because they will not have the password.

Overall, I think this is a really great idea, and it seems like a good product for the general purpose user. Not to mention the full encryption of my data. Great work! The only thing that I am unsure of is whether or not the device is upgradable, or whether I can change the amount of storage when my needs change.

Source: https://www.indiegogo.com/projects/opi-reclaim-your-digital-life

Specs: http://media.openproducts.com/tech_spec.pdf

More In depth: http://openproducts.se/2014/05/06/opi-under-the-hood/

May 5, 2014

Internet Exploder & Malware Defense Tips

Internet Explorer Vulnerability 
Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.
Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.
...
Source: https://technet.microsoft.com/library/security/2963983
--------------------------------------------------------------------------------------------------------
Malware Tips for Users 
  • Be very cautious about opening an attachment or clicking a link in an email, instant message, or post on social networks (like Facebook)—even if you know the sender. Call to ask if a friend sent it; if not, delete it or close the instant messaging window.
  • Avoid clicking Agree, OK, or "I accept" in banner ads, in unexpected pop-up windows with warnings or offers to remove spyware or viruses, or on websites that may not seem legitimate.
    • Instead, press "CTRL + F4" or "CTRL + w" on your keyboard to close the window.
    • If the window doesn't close, press "ALT + F4" on your keyboard to close the browser. If asked, close all tabs and don’t save any tabs for the next time you start the browser.
  • Only download software from websites you trust. Be cautious of "free" offers of music, games, videos, and the like. They are notorious for including malware in the download.
  • Remember that your IT department should not send links to change your password by asking you to "CLICK HERE", or tell you that you must click a link in the email before your email account is deleted. If you receive an email like the ones described, contact your IT Help Desk.
...
Source: http://www.microsoft.com/security/pc-security/protect-pc.aspx