Thursday, March 3, 2011

Facebook https browsing can be turned off by applications.

For those of you playing along at home, we recently learned that Facebook has turned on secure browsing for its whole site.  You can enable this by checking the "Browse Facebook on a secure connection (https) whenever possible" box in the Account Security section of your Account settings.  Now we know that this stops local hackers from stealing information when you are connected to the same network, and it prevents advanced hackers from engineering hacks that can dump your information to them.  But I found something interesting the other day while auditing my application settings.

This is not working so well.

As I went through some of my applications, I wanted to refresh my memory of why I installed some applications.  I click on the application's page in Facebook and I get a page that tells me that I need to switch back to http (non-secure) browsing in order for the application to work.  

So I play along.

Now to check the damage.  I look at the checkbox that I know I checked previously to browse in https, and it is not checked anymore!  WOW!  Facebook doesn't even let you know that this is a PERMANENT CHANGE TO YOUR ACCOUNT SETTINGS!!!!!

Just all the more reason to do what I do. 

Audit your applications!
Go through your list of applications every once in a while to make sure that nothing has crept in there that you don't want.  If that has happened, immediately remove the app from your profile.
Audit your settings!
The same should apply for your settings.  Go through your settings every so often to ensure that what you have set in the past is still applied.

As always, remember that in the end no one is responsible for your information but yourself.  Always check and double check to make sure your information is as private as you want it to be.

Monday, February 28, 2011

Facebook security http vs. https questions answered

There's been a lot of talk on Facebook lately about http and https and how to change it. Do any of the folks touting this woebegone actually understand what is going on here?  Do YOU know what the difference between http and https is?  Let me try to explain.

When a web browser tries to get to a web site, there is a conversation that happens in the network between the browser and the web server.  Basically your browser gives the web server a bunch of information about itself and then asks the web server to transmit back the page it's requesting.  When your browser's address bar has http:// in front of the web server name, this happens in "plain text".  This means that anyone that can see the network traffic between your web browser and the web server can read in plain words what is going on in that conversation.  When you are writing an email, writing a Facebook status update, filling in a form on a website, writing a Facebook message, or sending ANY data to a web site, anyone who really wants to can read that data.  Now, this can happen only at the time that you hit save, send, login, update, or any other button that uploads the information.  As soon as the information is uploaded, that's it.  No one else, besides the folks you sent it to, can read that data.

Now, when your browser's address bar has https:// in front of the web server name, then the conversation is a little more involved.  First your browser asks the server for its "keys" (the server certificate) and then goes out to a certificate authority (such as Verisign, Microsoft, or others) and makes sure the server is who you think it is.  Then your browser takes the "keys", looks at its own "key" and creates an encryption "key" that will scramble the data that is sent back and forth.  The server then looks at that key and makes sure everything is OK.  Then all data back and forth from the server to the browser is sent coded with the "key".  If someone were to look at that conversation in the network, it would look like gobbledygook to them.
This is the preferred way to log into web sites (since you don't want to send your password over the network so that anyone can read it), send emails, Facebook messages, web site forms, etc, etc, etc so that no one can read the information you are transmitting.
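The difference described above, as an added example that is not from the original post: two constructed captures, a login form sent over http:// and a TLS record carrying the same kind of login over https://, parsed the way an observer on the network (or your own intrusion-detection sensor) would see them. The sample request, the record bytes and the hostname are all made up, and nothing here talks to a network.

```python
# Added example (not from the original post): what a passive observer on the
# network can read from a login submitted over http:// versus https://.
from urllib.parse import parse_qs

# Constructed sample: a login form POSTed over plain http://.  Every byte of
# this is readable by anyone who can capture the traffic (open Wi-Fi, a hub,
# a compromised router) or, on your own side, by an intrusion-detection sensor.
HTTP_LOGIN_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"email=alice%40example.com&pass=hunter2"
)

# Constructed sample: one TLS 1.2 "application data" record carrying the same
# kind of login over https://.  The 5-byte header is plaintext; the payload is
# ciphertext (here just filler bytes standing in for the encrypted data).
TLS_RECORD = b"\x17\x03\x03\x00\x30" + bytes(range(48))

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def fields_visible_over_http(raw: bytes) -> dict:
    """Recover the submitted form fields from a captured plaintext request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:              # lines[0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        return {}
    length = int(headers.get("content-length", len(body)))
    parsed = parse_qs(body[:length].decode("ascii"))
    # parse_qs returns a list per key; the form sends one value each
    return {k: v[0] for k, v in parsed.items()}


def visible_over_https(raw: bytes) -> dict:
    """Everything an observer learns from a TLS record: type, version, length."""
    if len(raw) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor = raw[0], raw[1], raw[2]
    length = int.from_bytes(raw[3:5], "big")
    payload = raw[5:5 + length]
    return {
        "content_type": TLS_CONTENT_TYPES.get(content_type, f"unknown {content_type}"),
        "version": TLS_VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
        "length": length,
        # The payload is ciphertext: the observer cannot recover fields from it.
        "payload_is_plaintext": False,
        "payload_bytes": len(payload),
    }


if __name__ == "__main__":
    print("http:// observer sees:", fields_visible_over_http(HTTP_LOGIN_POST))
    print("https:// observer sees:", visible_over_https(TLS_RECORD))
```

With http:// the e-mail address and password come straight out of the captured bytes; with https:// the parser can only report the record type, protocol version and length, which is exactly the metadata a sniffer on an open Wi-Fi network is left with.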

Why is everyone worried about this right now?  Because of Facebook "hacking"?  Will this prevent this???


There are very few opportunities to do this type of hacking. The first is an open WiFi network.  Open means that you have to do nothing to connect to it besides hit the button on your computer or phone that says "Connect".  If you did that, and I did the same thing, I can run a program in the network and listen to everything your computer/phone is saying out on the internet.  If you connect to a WiFi that is password protected, then I can't listen in because the WiFi network does basically the same as the web server in the https:// scenario.

The other two opportunities I have to do this are to send you a bogus email with a link to Facebook that looks like Facebook, but really is my bogus server where you put your information in.  Then my server records that information and sends you on to Facebook so you don't suspect anything.  The last one is that I need to hack into the internet.  This is a little more difficult since I will need to get into network devices owned by AT&T, MCI, Sprint, etc.  Not that easy.

Although it is always good practice, whenever you are sending private information to a web server, to make sure that https:// is in the address bar, this is not how many of the email and Facebook scams are getting your passwords.  They are getting it by "brute force".  Basically, they are just trying a bunch of passwords and getting a success because yours is easy to guess.  (And don't think you're being clever by using P@55w0rd.)

Thursday, February 18, 2010

Over 75,000 systems compromised in cyberattack

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide.
The Kneber botnet, named for the username linking the affected machines worldwide, has been used to gather login credentials to online financial systems, social networking sites and e-mail systems for the past 18 months, according to NetWitness.
A 75GB cache of stolen data discovered by NetWitness included 68,000 corporate login credentials, login data for user accounts at Facebook, Yahoo and Hotmail, 2,000 SSL certificate files and a large amount of highly detailed "dossier-level" identity information. In addition, systems compromised by the botnet also give attackers remote access inside the compromised network, the company said.

Saturday, February 13, 2010

Passwords make a difference in keeping your accounts safe from hackers

Lately I've had an influx of people that have had their Facebook, Gmail, Yahoo and other accounts hacked, only for someone in Nigeria to ask me to wire them money.  Do they really think that I am going to wire $2000 to someone I have just reconnected with?  No.  What I usually do is throw in a stumper in the chat.  Something the hacker won't have a clue about.  Not something that is true, but something that is false, because the hacker will agree.  The other day someone asked me to wire them $3500 to London.  Now I haven't seen or heard from this guy since 8th grade, so the fact that he's asking for money is already throwing up red flags, but I go with it.  Then I ask "How's my best UVA roommate doing?"  He answers: "I could really use the help."  Now, I know he went to Virginia Tech and saying he went to UVA would be like branding him with red hot pokers.  Furthermore, we did not even go to school together, so being roommates was definitely not the truth.  At that point I knew his account was hacked.

How did his account get hacked?  Every account you open up on the internet requires a password.  It's the old daunting "what password can I make up today" scenario.  Most of us have one password that we use over, and over, and over, and over, well.... you get the point.  How secure is that password?  Can I guess it?  Is it a variation of your username, real name, wife/girlfriend's name, kids' name, dog's name?  I can guess those.  Most of the time, the hackers run programs that just try a bunch of passwords in a list.  This is what I call the "well known passwords and variations" list.  Do you really think that Pa55w0rd is a unique password you thought up and was cool?  No.  As soon as they get one password, they look for other accounts.  They then try the same password on the other accounts.  Once they have your email account, watch out, because they can reset passwords on just about any other account on the internet you created with that email address.

So, you ask, what is the casual, non-geeky internet user to do?  

Build a better password.  There are plenty of random password generators out there so use one.  When you register for a site, make sure that the password is random.  Now, you ask, how do I keep track of all these passwords?  I don't want to have to remember a different gobbledygook password for each site.  Well here's where technology comes into play.  In your browser, you have the option to save the password for each site.  Use that.  Many security experts say not to use it, but I say go for it.  There are only two scenarios where this poses a risk and those are when your computer gets physically stolen or totally hacked into.  I'll put up another blog post about securing your computer so that nothing can get accessed when it gets stolen, and someone trying to hack into YOUR computer doesn't really happen much anymore.  You can secure your computer against that with good anti-virus, anti-spyware/malware and a decent firewall.
If that doesn't tickle your fancy, you can use a password manager.  This is a program that you install on your computer that keeps track of all your passwords for the different sites.  Some can even automatically log you in or copy & paste your password onto the webpage.  My personal favorite is KeePass Password Safe.  This password manager will not only keep your passwords, but will automatically generate a new random password for you every time you create a new site.  The second bonus: it's FREE.
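The two points above, the "well known passwords and variations" list and the advice to use a random generator, as an added example that is not from the original post: a registration-time check that strips the P@55w0rd-style substitutions before comparing against a common-password list and against personal details, plus a generator for the random passwords the post recommends. The ten-entry password list, the substitution table and the 12-character minimum are constructed choices for the example; a real list would be far larger.

```python
# Added example (not from the original post): reject the "well known passwords
# and variations" list at registration time, and generate random replacements.
import re
import secrets
import string

# Constructed sample of a common-password list; real lists run to millions.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "iloveyou",
                    "monkey", "dragon", "football", "baseball", "abc123"}

# "Leet" substitutions people use to make a common word look unique.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "+": "t"})


def normalize(password: str) -> str:
    """Reduce 'P@55w0rd2010!!' to 'password' so variations match the base word."""
    lowered = password.lower()
    # drop trailing digits/punctuation first ("password2010", "hunter!")
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def is_weak(password: str, personal_terms=()) -> bool:
    """True if the password is short, a known password (or a leet/suffix
    variation of one), or contains a personal detail such as a username,
    a name or a pet that an attacker can look up."""
    if len(password) < 12:          # constructed minimum for this example
        return True
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        return True
    for term in personal_terms:
        t = normalize(term)
        if len(t) >= 3 and t in base:
            return True
    return False


def generate_password(length: int = 20) -> str:
    """Random password from the OS entropy source (what a manager does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # require mixed classes and make sure our own check accepts it
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and not is_weak(candidate)):
            return candidate


if __name__ == "__main__":
    for pw in ("P@55w0rd", "P@55w0rd2010!!", "Fluffy2010!!xyz", generate_password()):
        print(f"{pw!r:24} weak={is_weak(pw, personal_terms=['Fluffy'])}")
```

The point of `normalize` is that "P@55w0rd2010!!" and "password" are the same guess to a cracking program, so they should be the same password to the check that accepts or rejects them.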

Give better answers.  Many of the sites ask you some "challenge questions".  "What's your mother's maiden name?" or "What city were you born in?" are the most common.  These are also easily guessed.  I can research the 'net and find out where you were born or what your mother's maiden name is without having access to anything but your full name.  Here is what I like to do.  Make up your own and rotate the answers.  Put together a decoder key of sorts.  Every time a site asks for your mother's maiden name, put in your birthplace, or your first pet's name, or the street you grew up on, or even better some nonsensical answer.  Just make sure you have a good decoder sheet for it.  You can also use KeePass Password Safe to manage this, since each site has a "notes" section.  In here you can put in the challenge question and how you answered it.

Stay safe out there on the 'net.  It's powerful, fun, entertaining, and dangerous.  When you put a lock on your house, you use a unique key that's hard to guess what the ridges look like.  You don't use one that has no ridges or only one.  Do the same for your online "house".  Use a good key to lock it all up.

Thursday, January 14, 2010

Google Turns on Gmail Encryption to Protect Wi-Fi Users


Google is now encrypting all Gmail traffic from its servers to its users in a bid to foil sniffers who sit in cafes, eavesdropping in on traffic passing by, the company announced Wednesday.
The change comes just a day after the company announced it might pull its offices from China after discovering concerted attempts to break into Gmail accounts of human rights activists. The switch to always-on HTTPS adds more security, but does not help prevent the kind of attacks Google announced Tuesday.
All Gmail users will now default to using HTTPS, the secure, encrypted method for communicating with a remote server, for their entire e-mail sessions, not just for log-in. Session-long HTTPS has been an official option for Gmail users since 2008 (and unofficial for much longer), but Google says it hesitated turning it on for all since the encryption does slow down the service.
“Over the last few months, we’ve been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do,” Gmail Engineering Director Sam Schillace wrote in the Gmail blog.
This option often wasn’t necessary when people used fixed and trusted connections, such as their home or office DSL or cable lines. But as Wi-Fi connections, especially public ones, became more popular, hackers began using simple sniffing software to snoop on people’s online activities with the goal of stealing passwords.
Still, the switch doesn’t encrypt e-mail — it simply encrypts the communications in transit between Google’s servers and a user’s computer — the same as when you use your bank’s website. E-mails sent to other people are transmitted in the clear as they have always been. True encrypted e-mail can only be read by the sender and receiver, regardless of how they move across the internet.
For those whose schools or workplaces that routinely monitor employee or student internet usage, the change also shields their e-mails from the IT department.
A coalition of privacy and security experts called on Google publicly to make the change last June, saying that Google was putting millions of people at risk by not using encryption as the default for their so-called cloud computing services.
Users who find the service slows them down or determine that it’s overkill for their needs can turn the HTTPS off in their account settings.
Rival free e-mail from Yahoo and Microsoft do not use HTTPS throughout their sessions, nor do social networking sites or other so-called cloud-computing services.
Instead, most of those services use the secure “HTTPS” protocol only for logging in, and fall back to unencrypted browsing thereafter. Failing to use HTTPS full time increases one’s vulnerability to a host of nasty hack attacks when using an open or badly secured network, particularly a public Wi-Fi spot.

Tuesday, January 12, 2010

Another new year and a new focus

So I've had 1 post in the last year. That's really pathetic. After looking at the last year or two in happenings and other things, I will post some hints and tips on personal technology and security. There have been a few friends that have had their Yahoo, Facebook, GMail, and other online accounts hacked.  The worst thing is that the hacker is exploiting the relationship that person has with their friends/followers/contacts to extort money or other things.  Let's see how this goes.

Thursday, July 9, 2009

Lost in mobileland

I think that I've given up on my Palm Treo 680. It's lived a good life, but it has failed me. I put it in the beach bag the other day at the pool so as not to get it wet. But according to Murphy, it'll get wet somehow and it did. Nothing too awful, just looked like a few well placed drips onto the case. The battery was dead at the time so I went to charge it. After a while I came back to it to check it out.... it was trying to sync. Hmmm..... so let's throw the cable on it and let it sync. OK. Now take the cable off, and it tries to sync again. Not good. After a few rounds of this, I've determined the phone is shorted out on syncing, hence unusable. So I throw my SIM card into an old Moto Razr of my wife's. Alright. I have a phone.
After a few minutes, I understand how awful this really is. I go to text a buddy of mine... and my address book is still on my palm and sync'd with Google, but not on this phone. Can I get my address book on there? Probably not. So I just look up his number on Google and then text him.
Then one of my twitter friends tweets something interesting with a web link. Alright, this thing has a web browser. I go to the link and get a 413 error. (basically, this means the web site isn't compatible with a dinky Razr web browser). Darnit! Strike 2.
Then I get this text. "Wanna have a few beers?" Great. Sure! Uh Oh... whose phone number is this? Back to Google. Oh. Ok. It's one of my other buddies. Sure.
Then I want to tweet something. I've done it through text before, no big deal and plus, Twitter updates my Facebook status automatically. So I tweet......... About an hour later, not literally, but not too far off, I have tweeted two sentences! Wow. This is really starting to bother me.
The bottom line is that I have been pretty spoiled about having a smartphone with a full QWERTY keyboard. I can't live without another one. I can't surf, text, tweet, facebook, play games, use apps, take video, or store a lot of things on this darn phone. I don't even have 60 texts in it and it says the memory is almost full. Boo. I'm definitely spoiled.