Google – Trying very hard NOT to be EVIL!?

March 11th, 2010 webmaster

In case you missed it when this aired on free-to-air Australian TV, below is the YouTube cut…

Not sure how much is fact or fiction, but it makes you pause for thought. I know there are lots of Google lovers out there, so it will be interesting to see what everyone thinks of this!


The future of malware on smartphones

February 25th, 2010 webmaster

As smartphones such as the iPhone and Google's Android devices (the Nexus One, etc.) become more and more popular, and therefore bigger malware targets, it's worth considering what new security threats lie ahead over the next few years.

Here's a recent video discussing what's on the horizon (yes, a bit geeky), but you get the idea…


Keeping the baddies informed of your whereabouts – geotagging & location services

February 23rd, 2010 webmaster

If you love new web technology, you may already be using location services on your iPhone or BlackBerry, or geotagging your posts on social tools such as Twitter.

It's an awesome new way to keep track of where you and your friends are; however, have you considered the potential dangers? What if someone you didn't know or trust could see your current location, and therefore know that you are NOT at home?

This week there have been a few reports of new websites which aggregate Twitter location posts and list potential burglary targets based on where they are posting from. Take a look at PleaseRobMe.com or robmenow.com, which offer such a service. Nothing is "hacked" here: the sites simply read location data that users have chosen to publish.

The founders of PleaseRobMe.com claim to have built the site in order to raise awareness of the dangers of posting your location online.

“The danger is publicly telling people where you are,” a message on the site reads. “This is because it leaves one place you’re definitely not … home.”

“The goal of this website is to raise some awareness on this issue and have people think about how they use services like Foursquare, Brightkite, Google Buzz etc,” the site explains. 

“Our intention is not, and never has been, to have people burglarised.”
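To make the aggregation concrete, here is an added example (not code from the original post or from PleaseRobMe) of the logic such a site needs: nothing more than public geotagged posts, an idea of where each user lives, and some arithmetic. The posts, users, "home" coordinates and the away_from_home name are all constructed for this demonstration rather than taken from a live Twitter feed.

```python
"""Added example: the core logic of a location aggregator, run over a
constructed sample of public posts rather than a live Twitter feed.
Every user, post and coordinate below is made up for the demo."""
import math
from datetime import datetime, timedelta

# Constructed sample of public, geotagged posts in roughly the shape a
# Twitter-style API returns them: (user, UTC timestamp, lat, lon, text).
SAMPLE_POSTS = [
    ("alice", "2010-02-20T19:05:00", -33.8688, 151.2093, "Dinner in the city!"),
    ("alice", "2010-02-21T08:30:00", -33.8915, 151.2767, "Morning coffee at home"),
    ("bob",   "2010-02-21T12:00:00", -37.8136, 144.9631, "Melbourne for the weekend"),
    ("bob",   "2010-02-21T12:05:00", -37.8136, 144.9631, "Great coffee here"),
    ("carol", "2010-02-21T12:30:00", None, None, "No location on this one"),
]

# Hypothetical "home" coordinates; an aggregator would infer these from a
# profile field or from where a user habitually posts late at night.
HOME = {
    "alice": (-33.8915, 151.2767),  # Bondi (constructed)
    "bob":   (-33.8688, 151.2093),  # Sydney CBD (constructed)
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def away_from_home(posts, homes, now_iso, window_hours=6, threshold_km=2.0):
    """Return {user: (km_from_home, text)} for users whose most recent
    geotagged post inside the time window places them at least
    threshold_km from home.  That is the whole 'please rob me' trick:
    no guessing, just data people published plus a little arithmetic."""
    now = datetime.fromisoformat(now_iso)
    latest = {}
    for user, ts, lat, lon, text in posts:
        if lat is None or lon is None:
            continue                       # no geotag, nothing to exploit
        when = datetime.fromisoformat(ts)
        if now - when > timedelta(hours=window_hours):
            continue                       # stale: they may be back by now
        if user not in latest or when > latest[user][0]:
            latest[user] = (when, lat, lon, text)
    result = {}
    for user, (when, lat, lon, text) in latest.items():
        if user not in homes:
            continue
        km = haversine_km(lat, lon, *homes[user])
        if km >= threshold_km:
            result[user] = (round(km, 1), text)
    return result

if __name__ == "__main__":
    for user, (km, text) in away_from_home(SAMPLE_POSTS, HOME, "2010-02-21T13:00:00").items():
        print(f"{user}: {km} km from home -> '{text}'")
```

Running it against the sample flags only bob (posting from Melbourne while his home is in Sydney); alice's most recent post is from home, and carol published no coordinates at all, which is the one defence that actually works.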

 

Other Location Service Considerations

There are other new GPS-based offerings out there, such as Google Latitude and Apple's MobileMe "Find My iPhone" location service; however, these currently appear to have effective controls in place to ensure that only people you know, trust and explicitly invite can see your location.

However, we’ll have to keep an eye on these solutions to see if any cracks appear.

Apple's MobileMe Naughtiness…

I have seen people having fun by covertly configuring someone else's iPhone, without their knowledge, so that the location services for me.com are enabled. Currently you can track multiple iPhone devices using a single me.com account and view the location of all iPhones configured with that account using Apple's "Find My iPhone" service! Useful if you want to know whether your colleagues are in the office or have already gone home, but also scary if someone you don't trust does this. The easy way to fix this is to remove the me.com account details from your phone, but you have to go looking for this.

So now you are aware of the risks of geotagging and location services – you have been warned!


Distributed WordPress Password Cracking

December 1st, 2009 webmaster

Hackers have developed a new distributed WordPress admin account cracking tool which poses a severe risk to blogs whose owners choose weak passwords.

In a nutshell, a new PHP script runs brute-force attacks on random WordPress sites from virtual servers. Many sites can be attacked at the same time, with the results written to a shared database.

The SANS Institute's Internet Storm Center notes that brute-force attacks against WordPress are commonplace. What marks this attack out from the crowd is its distributed nature, an evolution towards blog hacking as a web service.

The interesting thing about the new script is that it is built for distributed cracking. State is kept in a central MySQL database, and each copy of the script connects directly to it. This allows the attacker to run many instances simultaneously; each one takes 200 new target URLs from the database and marks them with its own brute-forcer ID ($colo) so that no two workers attack the same sites.

Each instance then takes every password from a password list and tries it against each of its sites. Because progress is recorded in the database, the script can be stopped and will continue where it left off the next time it is run.

“While this particular version is relatively simple, the power behind the script and the MySQL database allows the attacker to distribute the attacks not only by sites, but also by passwords tried as well.” ISC security watcher Bojan Zdrnja writes.

Blog owners and administrators are advised to use strong, non-dictionary passwords and, where possible, to restrict access to the login and admin pages by IP address (for example in the web server's configuration) as a precaution against getting pwned. Because the guesses are spread across many attacking servers, a lockout keyed on a single source IP will not stop this attack on its own; a strong password remains the primary defence, and a burst of POST requests to wp-login.php in your web server logs is the sign that you are being worked on.


Cisco Releases Security Intelligence Operations (SIO) iPhone App

November 25th, 2009 webmaster

Cisco has recently released a free iPhone app that lets users view customised alerts about new security threats, along with other information for safe web browsing.

The iPhone app, which is now available in the iTunes App Store, provides information about new malware signatures, bulletins on how to mitigate threats, ways to check whether particular websites are compromised, and links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system, which gathers data in real time from 700,000 sensors located at customer sites, ISPs and other sites around the world.

Correlating data from these disparate sources allows Cisco engineers to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

Download it by searching the App Store for "Cisco SIO".


Microsoft confirms first Windows 7 Zero Day

November 17th, 2009 webmaster

On Friday Microsoft confirmed that an unpatched vulnerability exists in Windows 7, but it is keeping the issue low key, saying that most users can protect themselves from attack by blocking two ports at the firewall.

The vulnerability was initially reported by researcher Laurent Gaffie last Wednesday, when he disclosed details of the bug and posted proof-of-concept attack code on his blog. According to Gaffie, exploiting the flaw grinds Windows 7 and Server 2008 R2 to a complete halt, and the only way to recover is to manually power off the affected computer. Has anyone else tried this yet to confirm?

When this was first publicised, Microsoft only indicated that it was looking into the issue. It has now been confirmed: in a recent security advisory, Microsoft acknowledged that a bug in Server Message Block (SMB), the network file and print sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines. Note that everything reported so far describes a denial of service, not code execution.

Microsoft said it will patch the issue, but has not provided a timeframe or any commitment to an out-of-cycle update.

The next scheduled patch Tuesday is December 8th 2009.

For now, Microsoft has suggested that users block TCP ports 139 and 445 at the firewall. Doing so may break other services that depend on SMB, including network file sharing and the application of Group Policy, so check what relies on those ports before blocking them, and verify afterwards that the ports really are unreachable from where an attacker would sit.

In Microsoft's defence, although this is not good news, it is worth noting that far fewer issues are being discovered than in the early days of XP.
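Since the advice above is a firewall workaround, the check a practitioner wants is proof, from the outside, that the two ports are no longer reachable. Here is an added example (not Microsoft's guidance or tooling) that distinguishes an open port from one the firewall drops. The host name in the main block is a placeholder; the self-test uses a loopback listener so the script can prove its own logic offline.

```python
"""Added example: confirm from another machine that TCP 139 and 445 are
blocked.  'win7-host.example' is a placeholder; self_test() uses a local
listener so the state reporting can be checked without any real target."""
import socket
import threading

SMB_PORTS = (139, 445)

def tcp_port_state(host, port, timeout=2.0):
    """'open' if a TCP handshake completes, 'closed' on RST (nothing
    listening), 'filtered' on timeout (what a firewall DROP rule produces),
    'error' for anything else such as an unresolvable host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"
    finally:
        s.close()

def smb_exposure(host, ports=SMB_PORTS, timeout=2.0):
    """Map each port to its state; any 'open' means the workaround is not
    in effect from this vantage point."""
    return {port: tcp_port_state(host, port, timeout) for port in ports}

def _loopback_listener():
    """Test helper: listen on an ephemeral 127.0.0.1 port and accept one
    connection in a background thread.  Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t

def self_test():
    """A listening loopback port must read 'open'; a port that was just
    bound and released must read 'closed'.  Returns the two states."""
    open_port, t = _loopback_listener()
    open_state = tcp_port_state("127.0.0.1", open_port)
    t.join(2)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    closed_state = tcp_port_state("127.0.0.1", closed_port)
    return open_state, closed_state

if __name__ == "__main__":
    print(self_test())
    for port, state in smb_exposure("win7-host.example").items():   # placeholder host
        print(f"tcp/{port}: {state}")
```

Run it from the network segment an attacker could reach, not from the machine itself: a host-based block and a perimeter block give different answers, and 'filtered' from outside is the result you are after.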

Let’s hope that the Windows 7 product remains as secure as Microsoft have advertised.


Securing Your WordPress Website

November 9th, 2009 webmaster

If, like me, you are hosting your own WordPress installation for your blog, you may have some concerns about keeping it up to date and as secure as possible.

Unfortunately the reality is that a number of serious security vulnerabilities have been found in WordPress recently, and as a result a number of people have had their websites hacked and defaced. I personally know of a number of people who have been directly impacted over the past few months.

As social media becomes more and more popular, celebrities and high-profile company executives often want to host their own blogs or sites. The functionality that WordPress and its plug-ins provide has become a very attractive and popular solution, especially since most web hosting companies offer WordPress as a standard part of their hosting service. The result is a huge number of WordPress sites which are considered easy pickings by attackers intent on breaking in and defacing them, mainly because nobody maintains them from a security perspective.


For anyone currently hosting their website on WordPress, especially a corporate or high-profile one, when it comes to security you just need to ask yourself two simple questions:

1. Would you be embarrassed if your web site was hacked and / or defaced?

2. If your site was hacked, would it impact your personal brand and reputation, or your company's brand and reputation?

Some people may not care, but the majority respond with a firm "YES", so security is obviously a major consideration for most people out there.

It's not that hard to protect a WordPress site. It comes back to a process of regularly reviewing your installation and plugging any holes, to minimise the chance of a malicious person finding a vulnerability to exploit.

WordPress Updates

WordPress has released a number of updates over the last few months to fix the vulnerabilities found; however, as with any platform that has a large user base, its popularity means there are a lot of bad guys focused on finding more holes.

Check the WordPress web site for further details.

Security Recommendations:

Below are a few key points and recommended plug-ins which I'd suggest you follow if you want to protect your WordPress installation:

1. Make sure your WordPress installation is up to date, and when a new fix is released, apply it as soon as possible, obviously making a full backup first. Once a vulnerability is public, the bad guys quickly build exploits for it to gain access to your website; keeping WordPress current minimises the window in which you are exposed.

2. Ensure that all of your WordPress plug-ins are up to date too, for the same reason. A plug-in's files stay web-accessible even when the plug-in is deactivated, so delete plug-ins you no longer use rather than just disabling them.

3. Give some thought to which WordPress plug-ins you use at all, in order to further minimise your exposure. Only install a plug-in if you really need the feature it provides. For example, you might want to administer your site remotely from an iPhone via an additional plug-in. How secure is that functionality and its plug-in? Would it be better to just use the standard browser-based admin pages?

4. For any functionality or plug-in that accepts user input (comments, contact forms, etc.), ensure the input is validated and that HTML such as <iframe> and <script> tags is stripped from it, along with blacklisting and IP blocking where the plug-in offers it; this blocks the usual techniques used to abuse input fields. Also use a spam filter (see the plug-ins below) and hold comments for moderation so that you can review and approve them before they appear on your site… useful if you have friends or colleagues who are security professionals trying to fun-deface your website!

5. There are several security-related plug-ins which help to minimise your exposure. I'd highly recommend the following. Note to my colleagues and friends who often try to hack my site: this is not a "complete" list of the plug-ins I personally use, but some of the core ones that I know, use and recommend to others:

reCAPTCHA Form

Secure WordPress

WordPress Exploit Scanner

WP_reCAPTCHA

WP_SpamFree

WP_Security Scan
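Points 1 and 2 above only work if you know what versions you are actually running. The following is an added example (not WordPress's own tooling, and not one of the plug-ins listed) of a small inventory check: it reads the core version the way it is declared in wp-includes/version.php and each plug-in's "Version:" header comment, then compares them with a table of latest releases. The file contents, plug-in names and the "latest" table below are constructed for the demo; on a real install you would read the files from disk and fill the table from wordpress.org.

```python
"""Added example: audit a WordPress install's core and plug-in versions
against a list of latest known releases.  All file contents and the
LATEST table are constructed stand-ins for the demo."""
import re

# Constructed stand-ins for wp-includes/version.php and for the main file
# of each plug-in under wp-content/plugins/.
VERSION_PHP = "<?php\n$wp_version = '2.8.4';\n$wp_db_version = 11548;\n"
PLUGIN_FILES = {
    "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet\nVersion: 2.2.7\n*/\n",
    "wp-spamfree/wp-spamfree.php": "<?php\n/*\nPlugin Name: WP-SpamFree\nVersion: 2.1\n*/\n",
    "old-gallery/old-gallery.php": "<?php\n/*\nPlugin Name: Old Gallery\n*/\n",  # no Version header
}
# Latest releases (assumed values for the demo; fetch real ones from wordpress.org).
LATEST = {"core": "2.8.5", "Akismet": "2.2.7", "WP-SpamFree": "2.1.1"}

def parse_version(text):
    """'2.8.5' -> (2, 8, 5); '2.1' -> (2, 1, 0), so that 2.1 < 2.1.1."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))

def core_version(version_php):
    """Pull the $wp_version string out of version.php, or None if absent."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None

def plugin_headers(plugin_files):
    """Read 'Plugin Name:' and 'Version:' from each plug-in's header comment."""
    out = {}
    for path, text in plugin_files.items():
        name = re.search(r"^\s*Plugin Name:\s*(.+)$", text, re.M)
        ver = re.search(r"^\s*Version:\s*(\S+)", text, re.M)
        out[path] = (name.group(1).strip() if name else path, ver.group(1) if ver else None)
    return out

def audit(version_php, plugin_files, latest):
    """Return a list of (component, installed, latest, verdict) rows."""
    rows = []
    core = core_version(version_php)
    if core is None:
        rows.append(("WordPress core", None, latest["core"], "UNKNOWN (no $wp_version found)"))
    elif parse_version(core) < parse_version(latest["core"]):
        rows.append(("WordPress core", core, latest["core"], "OUTDATED"))
    else:
        rows.append(("WordPress core", core, latest["core"], "ok"))
    for path, (name, ver) in plugin_headers(plugin_files).items():
        if ver is None:
            rows.append((name, None, latest.get(name), "UNKNOWN (no Version header)"))
        elif name not in latest:
            rows.append((name, ver, None, "UNKNOWN (not in latest list)"))
        elif parse_version(ver) < parse_version(latest[name]):
            rows.append((name, ver, latest[name], "OUTDATED"))
        else:
            rows.append((name, ver, latest[name], "ok"))
    return rows

if __name__ == "__main__":
    for component, installed, newest, verdict in audit(VERSION_PHP, PLUGIN_FILES, LATEST):
        print(f"{component:16} installed={installed!s:8} latest={newest!s:8} {verdict}")
```

The two UNKNOWN verdicts matter as much as the OUTDATED ones: a plug-in with no version header, or one that no longer exists on wordpress.org, is exactly the abandoned code that point 3 above tells you to remove.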

There are a few more things you can do to fully protect your WordPress install, including hardening the hosting operating system and the database it sits on (file permissions, a least-privilege database user, and keeping the server itself patched). I don't want to bore you with those details, but for those who are serious about security, you are hopefully aware that there's a bit more that can be done.

Get in touch with me direct via my contact page if you need any further info or advice.


WordPress 2.8.5: Time to upgrade to the hardened release

October 27th, 2009 webmaster

For all you bloggers out there running WordPress on your own hosted site… it's time to upgrade to WordPress version 2.8.5 to ensure you are protected against a number of security vulnerabilities.

Many of you will be aware of the security issues found in previous versions of WordPress, so it is increasingly important to ensure you are running the latest version.

Backup Backup Backup!

One piece of advice if you are upgrading WordPress: back up your entire site (both the files and the database) first, as there are occasionally problems with the upgrade process, especially if you are running untested plug-ins, tools or themes.

The automatic upgrade seems to work very well for most plug-in and WordPress upgrades; however, it's generally better to do it manually, which forces you to take a full backup first.


Windows 7… security security security!

October 22nd, 2009 webmaster

It's hard to avoid all the hype surrounding today's release of the Windows 7 operating system (although for us Apple fans it's easy to be distracted by all the slick-looking new hardware Apple released yesterday as a ploy to steal some of Microsoft's thunder).

So What Happened to Vista?

Windows 7 is the successor to Vista, the highly unpopular operating system that was panned by critics and users alike. Vista was bloated and processor-intensive, and Microsoft hopes that the leaner footprint of Windows 7 will do much to win over consumers. Windows 7 builds on many of Vista’s best bits, but has been tweaked and refined to make the user experience a more enjoyable and less frustrating one.

So What Are the Windows 7 Security Features Like?

Windows 7 security has three main areas that have received a fair amount of media attention, namely BitLocker, DirectAccess and AppLocker. With these, plus other features and enhancements to UAC (User Account Control), Microsoft officials say they are shipping their most secure operating system yet.

Windows 7 is built on the security foundations of Windows Vista and retains all of the core technologies, such as Windows Firewall, Windows Defender and User Account Control. Additional features have been added based on customer and end-user feedback.

BitLocker

BitLocker To Go encrypts removable storage devices such as USB drives. With BitLocker To Go, users can restrict access to the data with a passphrase, and administrators can set a policy that requires BitLocker protection to be applied to removable drives before users can write to them. The feature also provides configurable read-only access to protected drives from older versions of Windows (via the BitLocker To Go Reader, which only handles FAT-formatted drives), so BitLocker-protected files can still be shared.

Analysts are predicting there will be over 1 billion USB flash drives by 2010, with the average drive holding almost 4GB of data and costing less than $10. The scary part is that, unlike losing a laptop, users rarely report, or sometimes even notice, the loss of a USB flash drive. With BitLocker To Go a lost drive is just a lost $10 stick rather than a data breach, provided the passphrase is strong and is not stored with the drive.

One important point is that there is growing concern within law enforcement and government agencies that the encryption features in Windows 7 may make it harder to gather physical "evidence". It's hard to convict a child porn peddler or other baddies without some physical proof, and that is hard to produce if the files are encrypted! Disk and file encryption tools have obviously been around for a while, but Windows 7 has brought encryption to the masses.

DirectAccess

Some of that feedback has resulted in DirectAccess. Built on IPv6 (tunnelled over IPv4 where necessary), DirectAccess works with Windows Server 2008 R2 to let users securely reach corporate network resources over the internet without manually starting a VPN connection. It uses IPsec for encryption and authentication, and integrates with Network Access Protection (NAP) to check client health before allowing connections to internal resources.

More people are working from places other than the office, and accessing corporate network resources securely and maintaining connectivity using remote access solutions, such as VPN, can add complexity and effort. It’s also harder for IT to manage those mobile PCs. DirectAccess is a new feature that helps solve both these issues. Using DirectAccess, workers can easily navigate to intranet sites or internal file shares and access documents from remote locations, without manually establishing a VPN connection.

AppLocker

Enterprises looking to upgrade or switch to Windows 7 can also count AppLocker as a key security feature. AppLocker allows administrators to use Group Policy to specify what applications, installation programs and scripts users can execute. With the Audit Only Enforcement Mode setting, administrators can determine what applications are used in an organization and test rules before deploying them.

AppLocker also introduces publisher rules based on an application's digital signature, which makes it possible to build rules that survive application updates. For example, you could create a rule to allow all versions of Acrobat Reader greater than 9.0 to run, provided the binary is signed by the publisher Adobe. When Adobe updates Acrobat Reader, you can then deploy the update without building another rule for the new version. Note that such a rule trusts everything Adobe signs, so it is only as safe as the publisher's signing key and code-signing practices.

Microsoft Vs Apple


The improvements come as Microsoft, which still holds the dominant share of the OS market, has been hit with public attacks on its security reputation by Apple, whose Mac OS X sees relatively little malware compared with Windows.

Windows 7 is a definite security improvement over XP and will decrease the Windows desktop attack surface. But Windows still has to run on an enormous variety of hardware and maintain compatibility with huge numbers of third-party apps, problems that Mac OS X, running only on Apple's own hardware, has never really had to deal with. So it might be fair to say that Windows will always have unique security challenges.

So What's Next?

So when is Windows 8 due for release!!!?


Tips to keep your passwords under control & safe!

October 13th, 2009 webmaster

So how many user accounts and passwords do you have? How many passwords do you need to remember to access your various work and personal systems?…

The advent of Web 2.0 and the rise of social networking sites and other web services has compelled most of us to create dozens of new online accounts – each requiring a username and a password.

Let's face it… trying to manage various user IDs and passwords can be a frustrating and sometimes time-consuming thing to do. This article looks at some of the common scenarios, related issues and pitfalls, and some tips to help you better manage your passwords.

Not yet another user ID & password?!

Many of us have access to multiple systems, whether work-related or personal ones such as online banking and personal finance sites. As an example, just being an employee at a regular-sized company means that you already have a wide range of user accounts and passwords to remember and use. There's your network domain account, email account, time tracking system, expense system, HR system, training system… the list goes on and on.

Add to that your personal user accounts and passwords for sites such as LinkedIn, Facebook, Twitter, etc., and you've probably got anywhere between 10 and 30 or more user IDs and passwords to remember.

Some you may not use very often and some you might use every day, but to gain access to all of these systems you need to remember a variety of user accounts and passwords. Add to this a mix of different password complexity requirements, lengths, lockouts and expiry dates, and we have a fairly complex situation.

Why Can't I Just Use a Short & Easy to Remember Word?

Meet your opponent: the cracker

Crackers are people who use various techniques and tools to guess, methodically determine or otherwise obtain a password in order to gain unauthorised access to a protected resource. Password cracking was once a very specialised skill; however, thanks to tools such as L0phtCrack and other easily obtained utilities that crack Office document passwords and Windows operating system password hashes, it is now child's play.

Without going into too much detail, these tools use dictionary or brute-force guessing to work out what your password is, and they can do so very quickly, especially if you have used a dictionary word; hence you should avoid dictionary words and incorporate symbols and numbers into your passwords. A typical cracker tries the dictionary first, then cheap variations of it (appended digits, "leet" substitutions such as 0 for o, two words joined together), and only then falls back to exhaustive brute force, whose cost grows exponentially with password length. There are many other ways of breaking into someone's account, such as defeating the secret questions and answers, as in the Sarah Palin email example, and many ways to protect against those attacks, but let's park that topic for now and get back to passwords.

 

The not so secure things to do with your passwords

To simplify the laborious task of remembering their various passwords to different work and personal systems, people often resort to less than secure practices, and do one or more of the following:

Write down their user IDs and passwords insecurely, i.e. write each user ID and password on an A4 sheet or a single post-it note, and then keep it next to the monitor, in their top drawer, or within easy arm's reach somewhere on their desk. The pieces of paper are usually very, very easy to find. In a similar way, some people store their user IDs and passwords in text files or Word/Excel documents on their laptop or desktop's local hard drive. That is not quite as bad as a note stuck to the monitor, but any malware or colleague with access to the machine can read the file just as easily, so again it is not very secure.

Use the same password, or a small handful of passwords, across multiple systems. Some people use the same password for their various work systems, and also use the exact same password for their personal accounts such as Gmail, Facebook, LinkedIn, their banking site and other online systems. The problem with using the same password for everything is that if it is compromised anywhere, the rest of your identity and system access is at risk. Not a good situation.

For example, if you accidentally disclosed your Gmail password, or it was compromised, and you use the same login and password for other online accounts such as your Amazon shopping account or, worse still, your online banking account, thieves could potentially gain access to all of your financial and personal information.

 

Making Password Management Easier

There are a variety of ways to help us remember passwords. There are dedicated password management tools available (such as KeePass and RoboForm), which are the most robust option because they let every site have a unique random password while you remember only one master password. For now, though, below are some quick and simple tips to help you create and manage passwords that are easy to remember without needing to write them down or store them anywhere.

Remembering all your unique passwords with some "generation logic"!

Coming up with a password for a new system which is both easy to remember and safe is no easy task. However, you don't need to remember 100 strong passwords if you have one piece of logic for generating them in the first place.

One way to generate unique passwords is to choose a strong "master" or "base" password, and then apply a rule that mashes it together with the name or web address of the service you are using. So it would look something like this:

{your base password}{site name rule}

For example, say your base password was M3and&, and your rule was to append the first two consonants and first two vowels of the service name, followed by the two-digit month written backwards (the examples below assume April, 04, which gives 40). With that rule the Yahoo email password would be:

M3and&yhao40

and the eBay one would be:

M3and&byea40

Before you decide on your base password and generation rule, keep in mind that password requirements differ between services in terms of length and the characters allowed or required. A good baseline is a password of at least 8 characters (longer is better) that includes letters, numbers and symbols. To make a password even stronger, or to satisfy services that require special characters, add them around it, like @M3and&byea40!

 

Here are some additional password memory tips. Try one or all of the techniques below to create a secure but memorable password. Note that one problem with rule-based passwords is that some sites have their own requirements that conflict with your rule, such as "no special characters", "at least 12 characters" or "numbers only". In those cases you somehow have to remember the exception to your rule for that service:

Use a favourite song or phrase

Use the first letters of a favourite phrase or song lyric. For example, if you wanted to use the lyric "It's a beautiful day" from the U2 song "Beautiful Day", your base password might be "Iabd". Remembering the password is a matter of humming the song. Then combine this base with some extra information unique to the service you are logging in to.

Connect the first letters

Develop a password using the first letters of a sentence or phrase that means something to you, like your national anthem or a slogan you have seen somewhere. "Where the Bloody Hell are you!?" would become "WtBHay!?".

 

Pass Phrases

Length is a huge advantage, both for memorisation and for strength. If your typing is accurate, consider long phrases from a favourite book. Phrases are easy to memorise and can be combined with some easy to remember symbols and/or numbers:
“It was A dark and stormy night!”
“Houston, we have @ problem!2”
A long pass phrase has several advantages:
• The length alone provides security even if special symbols are not used, which helps with sites that forbid symbols; every extra character multiplies the work a brute-force attack has to do.
• Punctuation and capitalisation can be used to produce a secure pass phrase that also complies with common password rules.
• If you make the mnemonic sentence funny or relevant to yourself, you will find it easier to remember, and so easier to remember the password.

 

You might combine several of these methods and still come up with a truly memorable yet very strong pass phrase. You might use a favorite quotation, song lyric, or the advertising slogan you despise most (preferably six words long or more) and create an acronym by using the first letter of each word (Where Would You Like To Go Today = wwyltgt).

 

The Most Secure P@55w0rd5!

The most secure passwords contain lowercase letters, capital letters, numbers AND symbols. This sounds painful, but the methods above can make all of your passwords more secure yet still easy to remember.

Use one of the methods above to create a password with both letters and numbers, then hold down the shift key while typing part of it to produce capitals and special characters. For example, make it a standard to hold down shift for the first four characters, or for characters three through seven, or whatever you like. That way you won't have to stop and remember where you inserted that pesky exclamation mark, or whether you replaced the 's' with '5' or '$' this time.
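The generation rule and the shift-key trick above are easy to get subtly wrong by hand, so here they are coded up as an added example (not the author's own script): the rule is the only thing you remember, and the code reproduces the post's M3and&yhao40 and M3and&byea40 examples. The base password, service names and the April month are the post's; the assumption that the month is written as two digits, that "y" counts as a consonant, and the US keyboard shift map are mine. One caveat worth knowing before adopting any such scheme: if one derived password is exposed (a breached site that stored it in the clear, say), the base and the rule are visible in it, and your other passwords become guessable. A password manager does not have that weakness.

```python
"""Added example: the post's password-generation rule and the 'hold shift
for part of it' trick.  Base password, services and month are the post's
own examples; the y-as-consonant and two-digit-month choices, and the US
keyboard shift map, are assumptions made here."""

VOWELS = set("aeiou")

def site_token(service, n_consonants=2, n_vowels=2):
    """First n consonants and first n vowels of the service name, each in
    order of appearance.  'y' is treated as a consonant, which is what the
    post's 'eBay' -> 'byea' example requires."""
    letters = [c for c in service.lower() if c.isalpha()]
    cons = [c for c in letters if c not in VOWELS][:n_consonants]
    vows = [c for c in letters if c in VOWELS][:n_vowels]
    return "".join(cons + vows)

def month_reversed(month):
    """Two-digit month written backwards: 4 -> '40', 10 -> '01'."""
    return f"{month:02d}"[::-1]

def derive(base, service, month):
    """Base password + site token + reversed month, e.g. M3and&yhao40."""
    return base + site_token(service) + month_reversed(month)

# What the shift key does to the digit row on a US keyboard (assumption).
SHIFT_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))

def shift_span(password, start, end):
    """Apply 'shift held down' to password[start:end]: letters become
    upper case and digits become the symbol above them."""
    out = []
    for i, c in enumerate(password):
        if start <= i < end:
            c = SHIFT_DIGITS.get(c, c.upper())
        out.append(c)
    return "".join(out)

def meets_common_rules(password, min_len=8):
    """The usual site rules: minimum length plus a letter, a digit and a
    symbol.  Use it to check a derived password before relying on it."""
    return (len(password) >= min_len
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))

if __name__ == "__main__":
    for svc in ("yahoo", "eBay"):
        pw = derive("M3and&", svc, 4)
        print(f"{svc:6} {pw}  shifted: {shift_span(pw, 0, 4)}  ok: {meets_common_rules(pw)}")
```

Because the rule is deterministic, the code can also regenerate a password you have forgotten, which is both the attraction of the scheme and, if the rule ever leaks, its problem.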

 

Additional Password Tips:
• Avoid using the same password for several logins, especially ones involving financial or other sensitive personal information.
• When registering on websites that ask for your email address, never use the same password as for the email account itself: whoever controls your mailbox can reset every account tied to it.
• Don't use common words or dictionary words as your password. They are easy to guess or break with automated password-cracking tools.
• If a system only allows numbers, make sure the sequence is random and has no meaning. Never use a number that is a matter of record, such as a publicly known phone number or a date of birth.
• Don't simply combine two or more dictionary words, even if you think they are rare. Password crackers try combinations of dictionary words early on.
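To see why the dictionary-related tips above exist, here is an added example (not from the original post) that looks at a candidate password the way a cracker does: dictionary words first, then words with digits or symbols tacked on, then "leet" substitutions, then two words joined together. Only a password that survives all of those leaves the attacker with exhaustive brute force. The word list is a constructed toy; real lists run to millions of entries, and tools such as John the Ripper apply far more mangling rules than the handful here. Note that the "P@55w0rd5" from the heading above falls to the substitution rule immediately.

```python
"""Added example: a miniature cracker's-eye check applying the cheap
guessing strategies the post warns about.  WORDS is a constructed toy
list; a real dictionary is vastly larger."""
import itertools

# Constructed toy dictionary (a real one has millions of entries).
WORDS = ["password", "dragon", "monkey", "letmein", "sunshine", "house", "boat", "welcome"]

# Common 'leet' substitutions, letter -> the characters people swap in.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

def unleet(s):
    """Map substitutions back to letters: 'p@55w0rd' -> 'password'."""
    back = {sub: letter for letter, subs in LEET.items() for sub in subs}
    return "".join(back.get(c, c) for c in s.lower())

def strip_digits(s, max_digits=4):
    """Drop up to max_digits trailing non-letters: 'dragon99!' -> 'dragon'."""
    i = len(s)
    while i > 0 and not s[i - 1].isalpha() and len(s) - i < max_digits:
        i -= 1
    return s[:i]

def how_would_it_fall(password, words=WORDS):
    """Return the name of the first cheap strategy that recovers the
    password, or None if only exhaustive brute force is left, which is
    the answer you want for your own passwords."""
    wordset = set(words)
    if password.lower() in wordset:
        return "dictionary word"
    core = unleet(strip_digits(password))
    if core in wordset:
        return "dictionary word + digits/leet"
    for a, b in itertools.product(words, repeat=2):
        if core == a + b:
            return "two dictionary words joined"
    return None

if __name__ == "__main__":
    for candidate in ("dragon", "P@55w0rd5", "houseboat", "WtBHay!?"):
        verdict = how_would_it_fall(candidate) or "only brute force"
        print(f"{candidate:12} -> {verdict}")
```

"houseboat" fails even though neither half is exotic, which is the point of the last tip; "WtBHay!?" survives because it is not built from words at all.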

 

The Future of The Password

This is unfortunately only the tip of the iceberg when it comes to this topic. There are a variety of other issues and considerations when it comes to passwords.

The main point to this article however is to provide you with some easy and cost effective ways of creating and remembering your various passwords.

From here on, the future of the password is an interesting and frequently debated one. There are a variety of centralised single sign-on and password simplification solutions available today, as well as other means of confirming someone's identity, such as biometrics, voice analysis and token-based authentication.

There are also solutions which, combined with other security measures, help to protect systems and their users (such as CAPTCHAs and secondary authentication tokens); however, these are not 100% bullet proof either and can still be compromised.

Over the next couple of years, authentication solutions will mature further, and will become a part of a longer term Identity Management Strategy which many enterprises will adopt.

For now, try some of the above tips to help you create stronger but easier to remember passwords.
