Security Bytes – September 2014 – Password Management issues!
In recent days the news media has been abuzz with a myriad of password breaches at financial institutions as well as other vendors. It seems that the online onslaught of attacks is increasing, and end users are always caught in the middle, not knowing the best way to defend themselves! Just today there was mention of major US banks having breaches in which potentially private information was revealed. When we hear of these threats, we need to be prepared to take action to protect our assets.
In some of my previous articles I talked about the need to have strong passwords and to make sure that you do not reuse passwords at multiple sites, to minimize the impact if any one of your passwords is compromised. I also talked about the use of a password manager to assist in keeping track of all the passwords one uses to log into a multitude of sites. As I described before, password managers come in two basic forms: those that are cloud based and have web browser integration, and those that are user managed and require more user interaction to cut and paste credentials into the websites that one logs into.
Security Bytes – July 2014 – Beware of Phishermen!
This month I wish to revisit the topic of phishing scams, which are on the rise yet again! In previous articles I talked about the various ways that someone can try to get a person to divulge private information. In many cases, such attacks come in the form of a targeted email or web advertisement that encourages one to click on a link, either to get more information or to alleviate a problem they may have on their computer. The end result of these scams is either a compromised computer or, possibly worse, compromised bank accounts and other personal data.
Scammers have become even more brazen, to the point that they take advantage of people’s fears and make phone calls claiming to be from the IRS or from a health care organization that needs critical info to assist a relative. Another more common example is a phone call from someone who claims to be from Microsoft support, claiming that your Windows machine has critical errors on it and is “infected” with malware that is going to affect your bank account. In this case the “Microsoft Technician” is actually a hacker trying to get you to allow them access to your machine so that they can upload malware that gives them access to your information, and then hold you to ransom by locking you out of your machine. Usually they claim that for $500 they will “help” you clean the malware from your system; however, the end result of this is never good. Not only do they extort $500 from people, but in many cases private information is also stolen and potentially used for nefarious purposes.
Security Bytes – May 2014 – How the Heart Bleeds!
If you have been listening to the news reports as of late, I am sure you are aware of the latest web vulnerability, called Heartbleed. This vulnerability affects SSL-secured web servers and potentially gives attackers a venue to gather usernames and passwords and possibly compromise data from any account that gets taken advantage of.
The vulnerability was discovered by a security research firm that privately disclosed the exploit to the OpenSSL creators and to many prominent websites that would be affected by the vulnerability. It was never officially known whether this vulnerability was used in the wild prior to the disclosure; however, there are a number of unexplained information compromises that came from websites that were thought to be secure. This evidence points to the possibility that black market hackers may have held on to this exploit and used it occasionally to obtain strategic information.
The core of the SSL that secures web sites is the use of digital certificates, which use a cryptographic algorithm to secure the connection from the user’s browser to the website they are accessing. If someone were to compromise this relationship, they could gain access to the sensitive information that is accessible via the use of SSL technology.
Security Bytes – June 2014 – Leap from XP.
It has been a little over a month since the final patch for Windows XP was released to the general public, and the security community has already found yet another zero-day vulnerability for XP that will go unpatched as a result. The definition of a zero-day vulnerability is one that has been present in an operating system from its day-zero release and has never been patched prior to discovery.
You may be wondering how it is possible that new vulnerabilities can be found in an operating system years after its release; however, this is not an uncommon occurrence. Some vulnerabilities may be held back by hackers on purpose, only to be disclosed after a product’s end of life has been announced, in order to have the upper hand in case they need to exploit a target. Many times such vulnerabilities are found by security researchers working for security companies, in an effort to better secure the clients they serve and to ensure that the holes are patched before any harm can be done to their client base. Only then will the researchers release the details of the vulnerability to the public.
The current vulnerability in XP that has been disclosed actually affects Internet Explorer and can compromise a system if it gets taken advantage of. In this case it has to do with the way Internet Explorer uses active scripting, Flash and Java. If a user encounters a maliciously crafted web page that takes advantage of this flaw, they run the risk of having their machine compromised.
Security Bytes – April 2014 – XP or NOT to XP! That is the question!
We have all heard of the impending demise of XP due to Microsoft pulling the plug on support for the aging Windows operating system. I want to enlighten those of us who still wish to get a few extra months out of XP before they have to switch to another version of Windows.
Windows XP was introduced to all of us on Aug 25, 2001. It has had quite a service life and, as with all aging software platforms, it must retire on April 8, 2014, with quite a service record! There are many people out there who still rely on Windows XP as their daily OS of choice, and many are not looking forward to being forced to move on to a new operating system. Despite the fact that newer Windows operating systems share some of the same code base that XP still uses, keeping XP on the patch update cycle no longer seems feasible to Microsoft. There are a few tricks that can be implemented to further extend the viability of XP for a few months after the last patches have been released. One of the biggest threats to XP users is that there are many unreleased vulnerabilities in XP that will be taken advantage of once Microsoft retires its updates for XP. Many of these vulnerabilities will probably take advantage of the fact that most users log into XP with system administrator credentials, thereby allowing ANY software that is run using the same login credentials to potentially compromise the system.
What is a simple fix for this?