Hello folks. I'm away all for this next coming week so I shall do a special 'week in review' blog post when I get back, until then folks, cya.
A place where I can give my thoughts on recent security related happenings and offer advice every now and again.
Saturday, 30 July 2011
Week in review
Friday, 29 July 2011
Infected hardrives for sale?
Buying a new hardrive, bound to the harmless right?
In an article published by HNS (HelpNetSecurity), an Australian supermarket ALDI was selling hardrive that were infected with the Conficker worm.
The company now asks anyone who bought a hardrive from them for it to be returned.
http://www.net-security.org/malware_news.php?id=1787
The thing is though, how many customers will have used their hardrive before they were alerted to this issue? I see a lot of machines everyday that still use the autorun feature in Windows, and even more machines with old outdated software on them.
This also raises another question, people who use these old(er) machines that run with plenty of security holes left open, how often do they run an antivirus scan?
I know not everyone is tech savvy, but a simple thing like switching off autorun can (to some degree) prevent the Conficker worm activating from external media. Think about it before you buy your next piece of external hardware, the bad guys are hiding everywhere and picking up an infection nowadays is getting harder to avoid.
In an article published by HNS (HelpNetSecurity), an Australian supermarket ALDI was selling hardrive that were infected with the Conficker worm.
The company now asks anyone who bought a hardrive from them for it to be returned.
http://www.net-security.org/malware_news.php?id=1787
The thing is though, how many customers will have used their hardrive before they were alerted to this issue? I see a lot of machines everyday that still use the autorun feature in Windows, and even more machines with old outdated software on them.
This also raises another question, people who use these old(er) machines that run with plenty of security holes left open, how often do they run an antivirus scan?
I know not everyone is tech savvy, but a simple thing like switching off autorun can (to some degree) prevent the Conficker worm activating from external media. Think about it before you buy your next piece of external hardware, the bad guys are hiding everywhere and picking up an infection nowadays is getting harder to avoid.
Thursday, 28 July 2011
Anonymous & FBI
An article written on Gawker a few days ago about 19yr old girl being raided by the FBI as they thought she was a "power that be" in Anonymous, turns out they were wrong.
It's interesting how the FBI go around busting down the doors of innocent people.
I have to say good on her, not breaking under pressure, they searched a house of an innocent girl who was only an IRC channel OP, LOL! Well done FBI, were the words "arrogant and belligerent" because you didn't find much, didn't find what you hoped you'd find?
Give the article a quick read, it's worth reading. http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe
See what you make of it.
It's interesting how the FBI go around busting down the doors of innocent people.
Later they told my family that I was "arrogant and belligerent." I disagree. I think they expected me to cry. I think they expected me to ask for forgiveness.
I think they expected me to panic and give them everything I knew. I think that these are stupid expectations based on the fact that I am 19 and female.
I have to say good on her, not breaking under pressure, they searched a house of an innocent girl who was only an IRC channel OP, LOL! Well done FBI, were the words "arrogant and belligerent" because you didn't find much, didn't find what you hoped you'd find?
Give the article a quick read, it's worth reading. http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe
See what you make of it.
Wednesday, 27 July 2011
Wifi Hacking DVD
Downloaded the Wifi Hacking DVD released by SecurityTube a few days back and only just got round to looking at it.
A quick look at what it contains for anyone interested: http://www.securitytube.net/groups?operation=view&groupId=9
Definitely worth looking at and worth learning from, however the DVD is 4.23gb to download, but anyone who works in computer security should get this.
http://www.securitytube.net/downloads
A quick look at what it contains for anyone interested: http://www.securitytube.net/groups?operation=view&groupId=9
Definitely worth looking at and worth learning from, however the DVD is 4.23gb to download, but anyone who works in computer security should get this.
http://www.securitytube.net/downloads
Tuesday, 26 July 2011
Mozilla's own OS
So we have the Mac OSX, Windows, Google with ChromeOS, now Mozilla want to dabble in it.
Good for them I say, before Chrome, Firefox was the way forward, there isn't much to write about, it's all just a simple plan for now, nothing is "concrete".
Mozilla have named the project "Boot to Gecko". Mozilla are possibly looking at building on a Linux base rather than re-invent the wheel so to speak.
Sources say they may prototype their OS for PC's but they are mainly focusing on handheld devices such as phones/tablets/pads and will be released real time in open source.
No doubt this project will take quite a while to even see the light of day but from what I've read, if anything ever become of this project, I would be willing to give it a try, I was a Mozilla user for many years and still am, they made an awesome product in Firefox and Thunderbird, so this has the potential to be something even better.
Keep up with the discussions and planning here with these two links: http://goo.gl/bseDK & http://goo.gl/pHQH9
Good for them I say, before Chrome, Firefox was the way forward, there isn't much to write about, it's all just a simple plan for now, nothing is "concrete".
Mozilla have named the project "Boot to Gecko". Mozilla are possibly looking at building on a Linux base rather than re-invent the wheel so to speak.
Sources say they may prototype their OS for PC's but they are mainly focusing on handheld devices such as phones/tablets/pads and will be released real time in open source.
No doubt this project will take quite a while to even see the light of day but from what I've read, if anything ever become of this project, I would be willing to give it a try, I was a Mozilla user for many years and still am, they made an awesome product in Firefox and Thunderbird, so this has the potential to be something even better.
Keep up with the discussions and planning here with these two links: http://goo.gl/bseDK & http://goo.gl/pHQH9
Google+
So, my next quick write up is about Google+, Google's own social networking.
Over the past few days, Google have been removing accounts G+ that don't use real names, or "pseudonyms". Now, I myself use a pseudonym name, for I am Belahzur and my G+ name is set to that as well just because I'd rather use that than my real name online.
Google said they wanted Google+ to kill Facebook? that wont happen if they force people to use their real identity. Yes it's a "social network" but that doesn't mean Google should be allowed to force users to either use their real names or be locked out of G+, I know plenty of friends and family on my Facebook that don't use real names and I think that's part of Facebooks success.
Something I saw from an article on a scripting.com article about G+:
This made me think twice. Google use your data and pass it onto third parties? Yes this happens everyday without users even thinking about it and mostly it wont really effect us but when it comes to social networking, what users are interested in and what kind of topics are in their circles isn't to be shared with the world, data should be kept private.
Yes I realize G+ is still very young at only 4 weeks old but with over 10 million users already, Google needs to start thinking about what people want, not what they want.
Over the past few days, Google have been removing accounts G+ that don't use real names, or "pseudonyms". Now, I myself use a pseudonym name, for I am Belahzur and my G+ name is set to that as well just because I'd rather use that than my real name online.
Google said they wanted Google+ to kill Facebook? that wont happen if they force people to use their real identity. Yes it's a "social network" but that doesn't mean Google should be allowed to force users to either use their real names or be locked out of G+, I know plenty of friends and family on my Facebook that don't use real names and I think that's part of Facebooks success.
Something I saw from an article on a scripting.com article about G+:
There's a very simple business reason why Google cares if they have your real name. It means it's possible to cross-relate your account with your buying behavior with their partners, who might be banks, retailers, supermarkets, hospitals, airlines. To connect with your use of cell phones that might be running their mobile operating system. To provide identity in a commerce-ready way. And to give them information about what you do on the Internet, without obfuscation of pseudonyms.
This made me think twice. Google use your data and pass it onto third parties? Yes this happens everyday without users even thinking about it and mostly it wont really effect us but when it comes to social networking, what users are interested in and what kind of topics are in their circles isn't to be shared with the world, data should be kept private.
Yes I realize G+ is still very young at only 4 weeks old but with over 10 million users already, Google needs to start thinking about what people want, not what they want.
Monday, 25 July 2011
In recent news...
BBC did an article recently about Sony hiding behind insurance companies in regards to the data breach back on April, see the article here: http://www.bbc.co.uk/news/technology-14247883
Why should anyone help Sony? it was their lack of security that caused this, they care more about money than they do about customer service and customer safety.
Let me explain what I mean. I watched day after day of new attacks on Sony, investigations in the the sony breach showed that Sony KNEW that they were using old outdated Apache software on their servers with no firewall installed.
But anyway, Sony are now trying to hide behind their insurance companies to help pay for their screw-ups, I don't see why anyone has to help Sony, this was their problem and they could of prevented this from happening.
Let me rewind a bit though, back before the attacks started. As a wise person once said "How did this happen? Who's to blame?" Look how long the PS3 went without a jailbreak because customers loved what the PS3 offered. When they removed Linux, they messed with the tech boys community and that's one group of folks you don't want to mess with. This all started when Sony removed Linux from the PS3. I'll show it in a chain of events, like this:
Sony remove Linux from PS3 > Geohot jailbreak to put Linux back > Sony targeted Geohot and other hackers with legal action > Sony requested sites to remove jailbreak software > Anonymous & LulzSec got involved.
If they didn't remove Linux and started targeting hackers, would any of this of happened? Think about it.
Looking back at my other article about Sony, see the fact of their poor customer service, their bad reputation and now PSN is back up, their poor attempt at getting customers back with crap games that are years old.
I wont ever use a Sony product ever again.
Zurich American Insurance has now gone to court in New York seeking a declaration that it does not have to help Sony with current or future legal action related to the data breach.
Legal papers filed by Zurich reveal that 55 separate class action lawsuits are pending in the US because of the breach.
Also underway are investigations by state and federal regulators that could also end-up before the courts.
Sony has made claims on several of its insurance policies, including one with Zurich, to help pay its legal bills and provide compensation.
However, Zurich argues that the policy it set up for Sony does not cover the part of the business that suffered the breach or the sort of damage the theft caused.
Why should anyone help Sony? it was their lack of security that caused this, they care more about money than they do about customer service and customer safety.
Let me explain what I mean. I watched day after day of new attacks on Sony, investigations in the the sony breach showed that Sony KNEW that they were using old outdated Apache software on their servers with no firewall installed.
But anyway, Sony are now trying to hide behind their insurance companies to help pay for their screw-ups, I don't see why anyone has to help Sony, this was their problem and they could of prevented this from happening.
Let me rewind a bit though, back before the attacks started. As a wise person once said "How did this happen? Who's to blame?" Look how long the PS3 went without a jailbreak because customers loved what the PS3 offered. When they removed Linux, they messed with the tech boys community and that's one group of folks you don't want to mess with. This all started when Sony removed Linux from the PS3. I'll show it in a chain of events, like this:
Sony remove Linux from PS3 > Geohot jailbreak to put Linux back > Sony targeted Geohot and other hackers with legal action > Sony requested sites to remove jailbreak software > Anonymous & LulzSec got involved.
If they didn't remove Linux and started targeting hackers, would any of this of happened? Think about it.
Looking back at my other article about Sony, see the fact of their poor customer service, their bad reputation and now PSN is back up, their poor attempt at getting customers back with crap games that are years old.
I wont ever use a Sony product ever again.
Facebook Security
Well as much as I slate Facebook for not really combating the Facebook scams, I have to give them thumbs up for the login approvals they added recently, it's good to know they take security seriously.
Whenever an unauthorized detection accesses my account, they'll send a text to my phone with a security number and right now only 2 authorized devices can access my Facebook account. Image below showing my setup, I've blacked out a little bit of the information, my device names and my location (even though my location is wrong) for my own security.
While your in there as well folks, switch on the HTTPS option! I can't stress this enough.
For more information, visit facebook.com/security
Whenever an unauthorized detection accesses my account, they'll send a text to my phone with a security number and right now only 2 authorized devices can access my Facebook account. Image below showing my setup, I've blacked out a little bit of the information, my device names and my location (even though my location is wrong) for my own security.
While your in there as well folks, switch on the HTTPS option! I can't stress this enough.
For more information, visit facebook.com/security
Upcoming Company
Okay, so the past few days, there's been article after article of how malware is quickly spreading to Android devices, mainly because of the fact the OS is open source. Don't get me wrong, I love open source, that's what attracted me to buying an Android phone (Samsung Galaxy S) but this open source means malware writers will always find new ways to exploit something on the phone to run their malware on.
But, it's not all bad news. One upcoming company called Lookout Security made a security program for Android, and if your a Windows Phone or Blackberry user, they have you covered too.
https://www.mylookout.com/
I personally use Lookout on my Android and I can only say I fell in love with Lookout from the day I installed it, for how much the app offers to be free on Android Market, it almost sounds too good to be true.
The image to the left is taken from my Android phone. Now lets quickly give this a run down. First option is the security, it scans all the apps installed (currently 152) for malware or spyware, none found so it's ticked green.
The next 2 options are greyed out at the time this photo was taken, my premium ran out and I need to renew it, but never the less, I'll tell you what they cover.
The Privacy Advisor shows me what information my apps are accessing, and lists them in a very neat order to make it easy to read.
Next, the Safe Browsing option is there to protect you against harmful links and phishing attempts when your browsing online with your mobile device.
The fourth option for backup. Not a lot to say, it's what you expect it to be, backup everything I've input on my phone, pictures, contact numbers, etc
The last, and I think best feature of Lookout, the Missing Device option. This one has to be linked to mylookout.com account for it to work, but if you ever lose your phone, is it gone forever? what can be done? well this allows you to remotely access your phone (providing it's switched on) and turn on your built in GPS.
Now, you've got the GPS switched on, next thing to do, on mylookout.com it's linked to Google Maps, it shows you where your phone is, right there on the screen in front of you.
Okay, so your in the same location as your phone but you can't see it and still can't find it. Another feature of the missing device option comes to the rescue. It has a "Scream" option, your phone will make a very loud sound which without mistake HAS to be your phone.
That is the best case scenario, but now lets cover the worst case scenario. Lets say you've lost your phone, again you can switch on the GPS remotely through your mylookout.com account, but it's miles away and you may never get it back, so anyone could be accessing your private information right?
Wrong, another feature you need to know about. Lookout lets you remotely lock and wipe your phone, so if you ever lose your phone and aren't able to get it back, Lookout is here to keep your privacy safe.
I *highly* recommend anyone not already using an antivirus product on their phone to install Lookout Security, you'll never want to uninstall it.
But, it's not all bad news. One upcoming company called Lookout Security made a security program for Android, and if your a Windows Phone or Blackberry user, they have you covered too.
https://www.mylookout.com/
I personally use Lookout on my Android and I can only say I fell in love with Lookout from the day I installed it, for how much the app offers to be free on Android Market, it almost sounds too good to be true.
The image to the left is taken from my Android phone. Now lets quickly give this a run down. First option is the security, it scans all the apps installed (currently 152) for malware or spyware, none found so it's ticked green.
The next 2 options are greyed out at the time this photo was taken, my premium ran out and I need to renew it, but never the less, I'll tell you what they cover.
The Privacy Advisor shows me what information my apps are accessing, and lists them in a very neat order to make it easy to read.
Next, the Safe Browsing option is there to protect you against harmful links and phishing attempts when your browsing online with your mobile device.
The fourth option for backup. Not a lot to say, it's what you expect it to be, backup everything I've input on my phone, pictures, contact numbers, etc
The last, and I think best feature of Lookout, the Missing Device option. This one has to be linked to mylookout.com account for it to work, but if you ever lose your phone, is it gone forever? what can be done? well this allows you to remotely access your phone (providing it's switched on) and turn on your built in GPS.
Now, you've got the GPS switched on, next thing to do, on mylookout.com it's linked to Google Maps, it shows you where your phone is, right there on the screen in front of you.
Okay, so your in the same location as your phone but you can't see it and still can't find it. Another feature of the missing device option comes to the rescue. It has a "Scream" option, your phone will make a very loud sound which without mistake HAS to be your phone.
That is the best case scenario, but now lets cover the worst case scenario. Lets say you've lost your phone, again you can switch on the GPS remotely through your mylookout.com account, but it's miles away and you may never get it back, so anyone could be accessing your private information right?
Wrong, another feature you need to know about. Lookout lets you remotely lock and wipe your phone, so if you ever lose your phone and aren't able to get it back, Lookout is here to keep your privacy safe.
I *highly* recommend anyone not already using an antivirus product on their phone to install Lookout Security, you'll never want to uninstall it.
You folks have to see this
Give this article a read, and watch the video. Mikko Hyppönen talks on online security and the malware problem it presents.
The video is worth watching, rather than just jump straight into the issue of todays more modern malware, he starts off with a very funny segment on DOS virus' stored on a floppy drive for anyone who is old enough to remember them.
It's an awesome presentation he did, very informative, give it a watch folks.
http://thenextweb.com/shareables/2011/07/20/mikko-hypponens-brilliant-ted-talk-on-fighting-online-crime/
The video is worth watching, rather than just jump straight into the issue of todays more modern malware, he starts off with a very funny segment on DOS virus' stored on a floppy drive for anyone who is old enough to remember them.
It's an awesome presentation he did, very informative, give it a watch folks.
http://thenextweb.com/shareables/2011/07/20/mikko-hypponens-brilliant-ted-talk-on-fighting-online-crime/
Catching up
Some thoughts for today. Lets start off with the Pwnie Awards 2011.
http://pwnies.com/nominations/
I particularly like the nominations for the "Pwnie for Most Epic FAIL" section. Give it a read, I guarantee you'll get a kick out of what's listed there, but mostly I have to agree with them. Sony are an evil company - stay well away from their products. Why you ask? would you trust Sony with your data? not because of the databreach that happened, every company has holes in security, but because they themselves are malware writers?
See this link folks:
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
After reading that, do you really trust Sony now? think before you next buy a Sony product, it could be loaded with malware.
http://pwnies.com/nominations/
I particularly like the nominations for the "Pwnie for Most Epic FAIL" section. Give it a read, I guarantee you'll get a kick out of what's listed there, but mostly I have to agree with them. Sony are an evil company - stay well away from their products. Why you ask? would you trust Sony with your data? not because of the databreach that happened, every company has holes in security, but because they themselves are malware writers?
See this link folks:
http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html
After reading that, do you really trust Sony now? think before you next buy a Sony product, it could be loaded with malware.
Rant #2
Okay, time for another rant. This time about all these recent Facebook scams going round, Oslo bombing, spider under the skin, death video of Amy Winehouse, who's viewed your Facebook/Twitter profile, etc
These scams are stupid, sick and twisted. People, it's time to start using your brains when browsing Facebook, don't be silly and be careful what you click, there's no reason to fall for these.
Something someone told me quite a while back but it's still true. "If it's too good to be true, then it probably is". Facebook quite clearly aren't gonna bother to even attempt to stop the people who write these scams so it's up to us to educate people about these scams, but day after day I see one of my friends fall for a scam and appears on me Facebook news feed, and it seems this message still isn't reaching the majority of people out there.
Next, do people ever bother to hover over a link before they click it to see where it goes? hell, even then it's often a shortened link so who knows where it goes right? Well no, there is a way to see where a shortened link goes. http://www.longurl.org - Put in a short URL, hit Expand and it will show you where it goes - this site works for most everyday URL's like bit.ly and goo.gl links, use it!
As for short URL services, another I often see trying to phish my Twitter is Tinyurl.com links, however longurl.org will NOT work for Tinyurl links, so to see where these links lead, go to http://www.tinyurl.com/preview.php and *enable* the preview, now when you click a Tinyurl link, it wont activate the redirect to whatever site, instead goes to Tinyurl to show you what the link does lead to.
Last, what can be done to prevent this? Do what I do. If you see a Facebook scam appear in your news feed, report it as spam. If that person happens to be on your friends list/in the chat, tell them about it and educate them, get them to remove it off their wall so others don't get caught with the same scam.
Also, help spread the word of an app I and several friends in the security community use - MyPageKeeper. The app is designed to detect scams/spam posted on your wall and uses an automated service to comment on it and warn others away from it.
http://apps.facebook.com/mypagekeeper/
Start being smart people, there's no reason for this, it's just sad that there is no cure for stupidity, don't be one of these people that falls for these scams daily.
Thanks for reading.
- Belahzur
These scams are stupid, sick and twisted. People, it's time to start using your brains when browsing Facebook, don't be silly and be careful what you click, there's no reason to fall for these.
Something someone told me quite a while back but it's still true. "If it's too good to be true, then it probably is". Facebook quite clearly aren't gonna bother to even attempt to stop the people who write these scams so it's up to us to educate people about these scams, but day after day I see one of my friends fall for a scam and appears on me Facebook news feed, and it seems this message still isn't reaching the majority of people out there.
Next, do people ever bother to hover over a link before they click it to see where it goes? hell, even then it's often a shortened link so who knows where it goes right? Well no, there is a way to see where a shortened link goes. http://www.longurl.org - Put in a short URL, hit Expand and it will show you where it goes - this site works for most everyday URL's like bit.ly and goo.gl links, use it!
As for short URL services, another I often see trying to phish my Twitter is Tinyurl.com links, however longurl.org will NOT work for Tinyurl links, so to see where these links lead, go to http://www.tinyurl.com/preview.php and *enable* the preview, now when you click a Tinyurl link, it wont activate the redirect to whatever site, instead goes to Tinyurl to show you what the link does lead to.
Last, what can be done to prevent this? Do what I do. If you see a Facebook scam appear in your news feed, report it as spam. If that person happens to be on your friends list/in the chat, tell them about it and educate them, get them to remove it off their wall so others don't get caught with the same scam.
Also, help spread the word of an app I and several friends in the security community use - MyPageKeeper. The app is designed to detect scams/spam posted on your wall and uses an automated service to comment on it and warn others away from it.
http://apps.facebook.com/mypagekeeper/
Start being smart people, there's no reason for this, it's just sad that there is no cure for stupidity, don't be one of these people that falls for these scams daily.
Thanks for reading.
- Belahzur
Rant #1
There was an article on ZDNet the other day about MS wanting Windows 8 (when it's released) to kill the zombies of XP and Vista users, but this doesn't seem like MS are planning this out carefully.
Can W8 kill XP? To me, no, not straight away. Aslong as MS support XP still, then I have no reason to change my OS, XP doesnt use as much memory as the others. Oh and it was the UAC that turned me away from Vista, yes it can be switched off but the "Do I want to run this program?" - no I just opened it for fun, of course I want to run it, that's why I double clicked on it. Vista just felt more restricted than XP to me.
But I honestly think it will be much harder than MS are planning, you get stubborn people like me who refuse to change OS, killing XP wont be easy, there will be a big outcry by people cause XP is still loved by many. They originally wanted 7 to kill XP and it's still going, MS need a very big incentive for people to move onto W8, cause the Linux/OSX competition is growing as well.
I don't want to have to learn a new GUI layout, I like my XP, I know where everything is and I don't want that to change.
Even if I was (on my last breathe) forced to update to Windows 8, I'd go looking for an XP theme, I don't like the glass look, I like the Start button more than that Windows flag icon, I don't like the buttons for your stuff along the bottom, I prefer the tabs like look of XP.
Now, MS also will have the upcoming competition of the Google ChromeBook, I'm still tempted into that, and if MS pushed me away from Windows, I know I'd go to either Linux or Chrome.
Can W8 kill XP? To me, no, not straight away. Aslong as MS support XP still, then I have no reason to change my OS, XP doesnt use as much memory as the others. Oh and it was the UAC that turned me away from Vista, yes it can be switched off but the "Do I want to run this program?" - no I just opened it for fun, of course I want to run it, that's why I double clicked on it. Vista just felt more restricted than XP to me.
But I honestly think it will be much harder than MS are planning, you get stubborn people like me who refuse to change OS, killing XP wont be easy, there will be a big outcry by people cause XP is still loved by many. They originally wanted 7 to kill XP and it's still going, MS need a very big incentive for people to move onto W8, cause the Linux/OSX competition is growing as well.
I don't want to have to learn a new GUI layout, I like my XP, I know where everything is and I don't want that to change.
Even if I was (on my last breathe) forced to update to Windows 8, I'd go looking for an XP theme, I don't like the glass look, I like the Start button more than that Windows flag icon, I don't like the buttons for your stuff along the bottom, I prefer the tabs like look of XP.
Now, MS also will have the upcoming competition of the Google ChromeBook, I'm still tempted into that, and if MS pushed me away from Windows, I know I'd go to either Linux or Chrome.
Subscribe to:
Posts (Atom)