September 7th, 2010

Protecting Your Information On Facebook

In the past few months, we have begun to realize the downside of social media.

Sharing information is a great and wonderful thing…

But many people ignore the most important aspect.

That aspect is, you are sharing information!

That in itself is not necessarily a bad thing…

But the audience composition cannot be ignored.

It’s been revealed that many government agencies, at the local and national level, scan Facebook.

Potential employers scan Facebook and MySpace for prospective candidates, to get a picture of their personality, and profile.

The downside to that is… the more information you reveal, the more chances you have to reveal something subjectively undesirable, from an employer’s standpoint.

I would doubt that the list of entities using the social media data is limited to those.

So… it might be pretty easy to get an idea of your habits, from a subjective standpoint.

The other thing that everyone potentially could forget…

There are also undesirable types searching social media for information.

They might use it to steal your identity, stalk you or burglarize your home.

What can you do?

PCWorld has a great article on steps you may take to help protect your privacy.

One Of the Biggest eBay Scammers Convicted

A man in South Florida has been convicted of one of the biggest eBay scams in history.

Nilton Rossini was a Brazilian businessman. He had over 260 accounts on eBay. He also had quite a few email addresses including Yahoo, Google and AOL.

He also had about 60 post office boxes.

At last count, he scammed over 5,500 people, possibly more. The scams ran from 2003 to 2008.

He used some of his eBay accounts to provide fake buyer feedback.

He also discouraged his customers from using PayPal… and encouraged them to send cash or money order.

Postal Inspectors began the investigation. The prosecution gathered enough evidence to get a strong conviction.

Rossini was sentenced to five and a half years in prison.

Part of his M. O. was to constantly change P. O. boxes.

If you buy stuff over eBay, it’s never a good idea to send cash, money order or wire transfer.

Paypal and credit cards provide the best protection against fraud.

As a side note… it may not happen as often anymore…

But a couple years ago, I bought a few items on eBay.

During the bidding process, I bid first on the item, with no previous bids.

I noticed a buyer with no previous history seemingly come out of nowhere to bid higher on the item.

It’s called ’shilling the bid.’

It’s also against the user terms of service for eBay.

Since that time, I have been wise to it, and cautious.

If I suspect shilling… I do not up the bid.

If the seller is shilling, they win their own bid, unless someone else jumps in.

I do not let my desire to own an item, or a need to win overwhelm me into a bidding war, over an item.

Using Facebook and Twitter Might Cost You More in Insurance

There is a story today on Telegraph.co.uk about the use of Twitter and Facebook.

For some time now, some thieves have been using Twitter and Facebook to help them find targets.

Many people, when going out of town, or on a trip, will make a post to a social website.

Thieves follow the threads and do their homework.

It seems as though a trend is developing, enough to affect insurance rates.

Now, according to the article at Telegraph.co.uk, insurance companies could raise home insurance rates as much as 10%, for Facebook and Twitter users.

For some time, we have been learning about the downside to social media.

Many times we are telling everyone things, that we might not want everyone to know.

The article offers some tips on keeping safe when using social media.

I would add…

When you post to Twitter and Facebook, you are essentially telling everyone.

I would not depend on privacy settings to filter out the ‘riff-raff’ either.

Any information you post can be used in a way, other than what your intentions are.

I will be interested to see how social media affects insurance rates, over the next couple of years.

Botnets Are Still Around

Some new botnets have been reported, in the wild.

A botnet is an internet army of PCs that have usually been maliciously seized and placed under the control of a remote party.

Someone issues a mass command, to the botnet, and the machines become ‘zombies’ and respond to whatever command they are given, without question.

Botnets can be used to bring down a website, send massive amounts of email (spam) or simply to collect information.

The information is usually used for some nefarious purpose.

The Zeus trojan was recently responsible for infecting and joining several machines to a botnet.

Interestingly enough, another trojan was created by someone else to seize control of the Zeus botnet.

Once that happened, the information, resources and control of that botnet were at the remote controller’s bidding.

So…

Times are getting tough enough… that even thieves can’t ‘make an honest living’ anymore?

It is a little humorous, you have to admit.

For the individual user and average person… the thing to remember is to keep your machine free of malware and viruses.

At the first sign of even the slightest malfunction, you should update your virus scanner and run a full scan of your hard drive.

Remember, if you have one infection, that might signify several.

It never hurts to:

1. Update your virus scanner

2. Run a virus scan

3. Reboot

4. Boot into safe mode

5. Run a virus scan

6. Reboot

7. Run a malware scan

8. Repeat steps 1 – 7 as needed

Botnets are illegal and several government agencies investigate them, fully.

Even though progress is being made against malicious internet entities like these…

It is better to be safe than sorry.

There are plenty of botnets in the wild, still.

Facebook and Mcafee Partner To Help Users Practice Safe Social

Facebook and Mcafee announced a partnership today.

For six months, Mcafee will offer free protection to Facebook users.

After that time, FB users will be able to purchase protection from Mcafee at a discount.

This is a good move for Facebook, considering security has not really been one of the site’s strengths.

Even though this is a good offer, users should keep in mind that a good virus scanner is only a good start.

Every day, new viruses and malware are being created.

Users will still have to keep it updated, and run scans on a regular basis.

Both of these tasks can be automated, but even setting them to auto will not completely ensure protection.

I saw one guy who set his updates and virus scanner to run at midnight.

Absentminded, he turned off his machine at 10 pm, every night.

He could not figure out how he contracted an infection.

Also… you have to remember that sites that have a large volume of users are prime targets for exploits and vulnerabilities.

When you start to think about virus protection, I leave you with one question:

How many people do you know, that have virus protection…

That have had to get their machine fixed, due to virus problems?

The Evolution Of Malware

Security is a hot topic these days.

In an article I found here, the author discusses the practice of scraping RAM from end devices.

That could mean POS terminals, or possibly printers.

The impression that I got was that mainly POS terminals tied into a Windows server system were at risk.

I would not be as bold to say that it affects only those systems.

It looks as though malware has really gotten sophisticated.

A team at Verizon has published a warning, in the form of a report.

The scrapers could be used to harvest credit card, PIN or other critical account information.

The team at Verizon studied a spike in fraud, and traced it back to activity at a casino.

The information could be dumped to a server, in the form of a DLL file.

Once the information is dumped… the technology and the processes have been designed to traverse and send the data back to the thieves.

The article recommends several security measures to lower the possibility of POS systems being compromised.

The recommended actions are good practices for all systems, not just POS systems.

It’s a good read, even if you do not have a firm understanding of credit card or POS systems.

If you perform a security role, at all, it is a must read.

Lavasoft Warns Of New Trojan Threats

With those of us running Windows, and with a new version of Windows just released…

The folks at Lavasoft have issued a warning of a new trojan in the wild.

This one is much similar to the ones we have seen in the past.

There are warnings of an infection on your system, and of course, an ‘offer for help.’

[screenshot: warningwincodec]

Of course, if you click the link, then you see…

[screenshot: wincodecnet]

It’s more of the same old thing.

If you click on either… you’ll be installing something undesirable, for sure.

That could be any variant of a virus, trojan, worm or root kit.

With Windows 7 out, I would recommend being even more cautious, than before.

Many people may be under a false sense of security.

It’s not that there are necessarily any security problems with Windows 7.

My concern is that with Windows 7 being so highly available, this year, in beta and RC…

I wonder how many people with less-than-respectable intentions have downloaded it, found potential exploits…

And are waiting to launch some sort of campaign or threat against the exploits, just at the right opportunity?

We will certainly find out.

We can also expect some reverse engineering and building on the exploit.  We won’t only see the above two screens, but several more variations of it.

What Does Your Employer Think Of Your Posts On Social Media?

In the news recently… companies are not very accepting of the use of social media.

Several stories recently, involve actions against employees including reprimand and even termination, for the alleged use of social media.

Some stories have involved ‘tweeting’ or ‘twittering’ on the job.  That means that the employees used twitter to make posts, while on the job.

Some stories involved Facebook, and making posts while on the job, or about the job.

These days, it’s important to remember the visibility of social media.

Remember, also, that prospective employers are searching the web intently to find social media about or by the potential employee.

Whatever you post online is visible to everyone, for the most part.

Companies with more than 25 employees are much more likely to discriminate.

If you use social media… my tips are as follows:

1. Never mention your company by name.  Remember that Google and several other search engines will create indices and flags based off of words within a post or article.

2. Watch the time frame of your post.  If you make a post, and the company can prove that you were on company premises or company time, it could mean trouble for you.

3. Be careful about what you imply.  If you make comments about your employer without mentioning their name… you may still land in hot water.

4. If your job responsibilities include travel, steer away from posts about your travel.  Strictly avoid any comments about arrangements or accommodations.

5. Avoid making posts about your schedule or the hours you put in.  Leave no bread crumbs or food for thought, related to projects or company economics.

Facebook, MySpace and Twitter are all fun.  Within all the fun, it’s easy to drop your guard and forget that your audience is not just your friends and relatives… it’s the entire world.

Though the stories are sparse about negative responses from companies, regarding social media, we can expect to hear much more about them.

With the economy downturn, employers are not only looking at offences and current policy…

They are also evaluating their current policy and making changes to it.

We can anticipate tighter expectations related to companies and work environments.  Additionally, we cannot anticipate what our employers, and companies overall, will categorize as a security risk, related to information posted on social media.

In the meantime, we have to ask ourselves whether or not each of our actions is something our employer would readily endorse.

If the answer is, “No,” it’s better to err on the side of safety… especially when it comes to a career with our current or potential employer.

Windows 7 Hits The Shelves

Windows 7 was released this week.

Microsoft did a pretty good job of listening to consumers, this time around.

Having tested Windows 7, I can vouch for the improvements over Windows Vista.

Hopefully, we are nearing a new age in technology.

Manufacturers of software and hardware no longer team up, to dictate requirements, or mandate more spending by the consumer.

Windows 7 is a definite improvement over Windows Vista.

Luckily, this time, there are no reported silly sticker campaigns, blurring the lines, definitions and understandings between compatibility and capability.

Windows XP is not completely dead, yet… but Windows 7 is a feasible alternative.

Now, buyers in the consumer and business markets will be able to purchase machines with Windows 7 licenses.

With Windows Vista, it appeared that Microsoft had partaken of too much of their own Koolaid.

They seemed to be under the impression that no matter what they put into Vista, consumers would still buy it… like software-eating zombies.

After a couple of years of having to listen to consumers gripe… it seems they finally paid attention.

But… was it listening, out of pure benevolence and wanting to please consumers… or was it a matter of wanting to improve sales over the returns from Vista?

Whatever the actual case was, Windows 7 has been released and is on the market.

It will come with a new PC or laptop… or can be purchased separately to run on most of the hardware of your choice.

It comes in two basic architectures, 32 bit and 64 bit.

One of the best deals of late… is that you can purchase a family pack license for about $150 for three machines.

A word of caution… as with any widely available and popular software package…

Vulnerabilities and potential exploits will most likely be identified.

Windows 7 has some advantages over its predecessors, but I would still recommend a full virus protection package.

I would recommend a ‘better safe, than sorry’ approach to Windows 7 and security.

Microsoft Vulnerabilities, In Record Numbers

With a record number of flaws being patched, it’s time once again to run Windows Updates.

According to a post at Microsoft, 34 vulnerabilities have been identified.

The patches include fixes for critical exposure in several Windows functions.

There are vulnerabilities in Windows Media Player, SSL, XML and SMB2 (for Vista).

There are 13 bulletins and 34 flaws published.

Once you start thinking about software “Time-based” licensing, and the vulnerabilities, it makes for an interesting scenario.

Would it put Microsoft in a position of greater exposure?

Think about leasing an apartment.

You tell your landlord, “The locks are unsafe, and need to be replaced.  I am afraid my belongings are at risk of being stolen.”

If the landlord ignores you, can you launch a civil suit for your losses?

Now, think about Windows as your apartment, and Microsoft as your superintendent and landlord.

Your identity gets stolen, through malware and viruses.

Would you expect Microsoft to take the blame, or at least part of it?

The suspected caveat… I bet there is a loophole / waiver in the EULA that prevents it, and protects them from user and consumer lawsuits.

For everyone running any version of Windows…

If you have not run a virus scan, malware scan or Windows Updates in a while, now is the time to do so.

The Art Of Double-talk

An article on Ars Technica this week describes some activity by Sears and Kmart, related to their on-line customers and business.

To visitors at Sears.com, they offered a deal.

In exchange for $10, visitors were offered a chance to participate ‘in research,’ and download and install a piece of software… “My SHC Community.”

The ‘research’ software is said to have reported an extensive amount of information about the user.

It might include a complete spectrum of information about the user’s bank, prescriptions, email information and even information about the user’s PC in use.

The FTC got involved and determined in settlement that Sears had to destroy all data collected, and help users remove the software from their machines.  That’s in addition to determining that for the future, Sears had to reveal whether the information would be disclosed to third parties.

For the most part, if someone were to see most of my browsing habits, I couldn’t care less.  They would discover that I am a geek. Big surprise.

As for getting my bank, prescription or other security information… I am as paranoid as the next person.

The troubling part of this is that more than just browsing habits were being reported back to Sears.

With all of the concern over identity theft, this is not a good move in winning web community trust.

The problem in this case… is that Sears reports that it disclosed all of these details in the Terms and Conditions.  Was it written in legalese?

This is another problem with the twisting of Terms and Conditions.

There is no Plain English.  Companies and entities are allowed to bury details in mumbo jumbo… and no one can understand it.

I think in the next couple of years, we can expect legislation to address issues like this.

Will there be a “Plain English” or “Plain Language” clause requirement for website or company Terms and Conditions for users?

What other concerns should we have with this software… does it qualify as spyware?  Does it install a root kit on my system?  Will it hose my Windows system in a couple of months?

The BSOD Vulnerability In Vista And Windows 7

A couple or three years ago… I remember hearing a report of Microsoft ‘making changes’ to the SMB protocol within the Vista version of Windows.

SMB is the protocol that Microsoft uses to share files and printers, for the most simple explanation.

I have not had time to confirm it, but I want to say I heard Steve Gibson and Leo Laporte talking about it, on their Security Now podcast.

If my memory serves me correctly, they discussed a test in which the Vista machine exchanged an ungodly number of packets over the network.  (I tend to think it was credited to the SMB changes in Vista.)

To my recollection, it slowed the machine and the network down, quite considerably.

It seems that I recall the test / discussion to involve a beta copy of Vista.

Samba is the open source implementation of SMB, or Server Message Block.

What was going on… and was Microsoft attempting to ‘mess with’ the open source world, and their ability to communicate with Windows machines?

For that question, I cannot provide an answer… or go as far to confirm that it happened, or did not happen.

An interesting development, though…  it seems that the Microsoft Vista and Windows 7 implementation of SMB has a newly discovered flaw.

A vulnerability in the Vista and W7 version of SMB could be triggered to crash Windows, displaying the dreaded BSOD.  That’s the Blue Screen of Death, as it is known in the IT industry.

Without saying that any of the former is true… wouldn’t there be a little irony and humor if any of it, did take place?

Another point of interest… I have heard both Vista and W7 have been touted as being ‘BSOD-free’.

There is a full write-up at The Register… including steps to take to avoid the vulnerability.

Protecting Your Personal Information With Truecrypt

With security becoming the focus for companies and individuals, more and more…

We have to think about information, differently.

15 years ago, you had

Some less-than-respectable types have learned to exploit even the smallest pieces of information.

These days, some thieves are using information they find on Facebook or Myspace.

They also are using publicly available knowledge to circumvent security measures, and break into email and text messages.

I am not putting on my tinfoil hat, but if someone were to get access to your PC or laptop, what would you do?

Chances are, if they get physical access… they will steal it.

There have been numerous stories in the news over the past few years, in which techs at reputable establishments will copy anything that you might have available.

I saw one video in which a driver left his car at a repair shop.  The driver left his USB drive on his keyring.  The mechanic took the key and downloaded everything off the drive, without the driver’s knowledge.

This same scenario has been reported by people leaving their computer at a computer repair shop.

Truecrypt is a great application.  It’s free and open source. It runs on Windows, Mac OS X or Linux.

You can encrypt a directory or an entire volume.

[screenshot: truecrypt]

If someone steals or gains access to your hard drive or USB drive, when they plug it in… they will only see one file for the directory.

If they install TrueCrypt, they will still not have the password or the key information to decrypt the file or directory.

You can find TrueCrypt here.

(Note:  You can encrypt an entire volume, but they do not recommend that for first time users.  Read the site documentation for more information.)

The Myth Of *nix Freedom

In an article at BetaNews, they discuss the potential for viruses on a Mac, or OS X.

It’s possible.

The same is true for Linux and BSD.

Although there is probably a need for a little more social engineering…  think about the following:

The tools are in place.   If you give someone permission, they could create a program with a GUI interface that fools you into entering valuable personal information.

It saves your personal information, hides an email that gets sent out to someone the next time you open your email program or IM client.

That scenario has been pretty easy to do in Windows, over the last few years.

Given that fact, and given that most people run Windows… it’s been the main target for malware thieves.

It’s a duck shoot.

Now… consider this:

You switch to Linux.

You download a Unix or Linux script, written to do xyz task, from a website that you don’t know much about.

The script is extremely long… and hard to follow.  You give up, looking over it… and run it anyway.

It does xyz task, but puts software on your Unix or Linux box that harvests information and forwards it to thieves via your email, or an IRC channel.

It could happen.

My guess is… we’ll see it more and more over the next 18 months.

That’s because as more people feel the tight economy and look to alternative OSes… it will create a black market for malware aimed at those emerging market shares.

The important thing to remember…  is to use software and scripts from reputable sites… whether you run Windows, OS X, Linux or BSD.  Cross-check your solutions, before you implement them, with other sites.
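One way to act on that advice before running a script you pulled from a website, as an added example that is not part of the original post: compare the file’s SHA-256 against the hash the project publishes, and refuse to execute it on a mismatch. The script name, directory and the “published” hash below are all constructed for the demonstration; in real use the expected hash comes from the project’s own site, never from the downloaded file.

```shell
#!/bin/sh
# Added example, not from the original post: refuse to run a downloaded
# script unless its SHA-256 matches the hash published by a source you trust.

# Portable SHA-256 helper: prefer sha256sum (coreutils), fall back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 when the file's hash matches the expected value, 1 otherwise.
verify_script() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $file: expected $expected, got $actual" >&2
    return 1
}

# verify_and_run FILE EXPECTED_SHA256
# Executes the script with sh only after the hash check passes.
verify_and_run() {
    verify_script "$1" "$2" || { echo "refusing to run $1" >&2; return 1; }
    sh "$1"
}

# Demonstration with a constructed "xyz task" script. The published hash is
# computed here only so the demo is self-contained; a real check must use the
# value from the project's site, otherwise a tampered file verifies itself.
demo_dir=$(mktemp -d)
printf 'echo "doing xyz task"\n' > "$demo_dir/task.sh"
published=$(sha256_of "$demo_dir/task.sh")

verify_and_run "$demo_dir/task.sh" "$published"          # runs the script

# A script altered after the hash was published (or a fake hash) is rejected.
printf 'echo "doing xyz task"\necho "and something extra"\n' > "$demo_dir/task.sh"
if ! verify_and_run "$demo_dir/task.sh" "$published"; then
    echo "changed script was not executed"
fi
rm -rf "$demo_dir"
```

Cross-checking the published hash against a second source (a mirror, a mailing-list announcement, a signed release note) guards against the case where the download page itself has been altered.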

(I saw a couple of posts on one of the Linux sites.  Someone posted a simple problem, and the response offered a command to completely wipe out the OS.)

Remember, there are bad apples in every bunch.

With the right trickery and social engineering, you could install something on Linux that does the same thing as some of the malware and viruses on Windows.

As of right now, there are few, if any, viruses (that we know of) in the wild for Mac OS X, Linux or BSD.

That’s not to say, there won’t be more in the near future.

Hidden Danger In Social Media

I have gotten several questions, this weekend, regarding viruses and malware.

The authors of malware and viruses are great at adapting.

Most people know enough to understand that viruses and malware are bad.

So, in their strategy, they have made it hard for people to distinguish their software from virus scanners or malware scanners.

In many cases, they fool you into thinking that they have scanned your machine, and they are ready to help… all you have to do is click on the link they provide you.

After you do… your machine slows to a crawl, or becomes non-responsive.

What is going on behind the scenes?

If you are lucky, you might just be sending out spam for them.  (That’s until your ISP disables your mail account.)

Your machine could be joined to a botnet.  If someone that owns the botnet wants to take down a website, they issue a command, to flood the website with an overflow of traffic.  That includes traffic from your machine, and all the others on the botnet.

Some of the nastier strains of stuff floating around might have a key-logger or some other type of data collection routine.  After it gathers enough personal information, it packages the information and emails itself to either the original author, or to someone that has paid the author to have the information forwarded to them.

Just because you don’t have MS Outlook (or whatever email program you use) open, that does not mean that the email can’t successfully make it out of your system.

Best case scenario – your machine just slows down.

Minor worst case scenario – rogue charges show up on your credit card.

Worst worst case scenario – your identity is stolen. (We have not fully discovered all of them, yet.)

The social media websites have their hands full.

Their main priority is in protecting themselves and their users from predators and other offensive users.

That’s not to say, that they don’t care about malware and viruses… but on occasion, viruses and malware find an exploit in or around their sites.

I am happy that I am not tasked with security administration, in any form, for any of those sites.

Bottom line:  If you use social media, make virus and malware scans part of your normal routine, every time you use social media.

Explaining Phishing To Grandma

We all have to eventually explain concepts that can be a little daunting.  This is a pretty good approach to explaining the Phishing concept.

Uncle Sam Wants You (If You Are In Cyber-Security)

While job security is at the top of everyone’s worry list… some jobs are still thriving.

According to a report from The Register, some computer security jobs are still growing.

The U. S. Government has a demand for IT personnel with a background in cyber-security.

As new government IT plans are executed, the number of personnel in the field will grow several times the current figure.

Want to make a career change?

If you are not in a cyber-security job, now… this could be a good area to target for a change.

As users remain online, and as companies continue to embrace the web, cyber-security is one area that is still growing.

It doesn’t look like it will slow down, anytime soon, either.

While companies usually cut other areas, like training and research… one could perceive a paranoia in the need to maintain security.

Cyber-security experts work in several factions of most companies… including unlikely areas like the Human Resources Department.

The downside?

As with any technology-related discipline, you can expect to spend a great deal of time keeping up with trends in the industry… as well as vulnerabilities, threats and exploits.

Many companies require their experts to maintain certifications in their respective areas.

Other jobs that are still thriving, include nursing and healthcare, education and childcare.

I wrote a post a few weeks back on jobs and Maslow’s Hierarchy of Needs.

For the most part, the employer with the employees that feel the most secure?

The U. S. Government.

The bottom line is…

There are still jobs out there… but you have to cultivate your talents and challenge yourself to remain competitive in the job market, today.

Microsoft Security Essentials Looks Promising

A few days ago, Microsoft revealed a few details on their upcoming anti-virus product.

The product was code named Morro.

Microsoft said that the new project will be renamed Microsoft Security Essentials.

Trial versions will be available for download in September.

According to reports, the product beta tests are performing very well.

The product offers real-time protection, and was tested against nearly 3,200 common viruses, Trojans and worms by the firm AV-Test.

According to the reports, several viruses harvested from ‘the wild’ were included in the test which also utilized Windows 7, Vista and XP as platforms.

While it’s important to note, I don’t think there is a perfect anti-virus… the tests sound promising for Windows users.

A Simple Explanation Of Social Engineering

Talking with someone, today… They told me that they had received an intriguing phone call with a deal that seemed too good to be true.

Listening, a little further, it was pretty clear it was a ploy to get an account number, or a credit card.

Social Engineering is a term that has been coined to describe the ability of someone to use means to get others to surrender sensitive information.

I’ve said it before.  The economy is getting tighter.

Theft is on the rise, and that includes identity theft.

I won’t go into a rant.

What it boils down to, is… these days…

Thieves will utilize whatever means necessary to get you to turn over personal information.

Sometimes, they have a deal that is so inviting… or an emergency that is so dire… or a sick family member or friend.

All they need is just a little information, so you can help them.

When security auditing firms analyze most companies, you would think that vulnerabilities they find are mostly infrastructure, or software related.

The biggest vulnerability, usually?

Social Engineering.

Thieves always find it easier to find people and pick them for information, rather than trying to hack their way through the software and infrastructure.

Many times, the exploit relies on the realization that many of us discount the value of information and can be careless with it.

Something as simple as disclosing your birthday or the high school from which you graduated can seem harmless enough… but even information that seems as benign as that can be used in several ways to gain access to certain confidential and secure items.  It can also be used to extract more information.

The bottom line?

Be careful about disclosing information.

Be an information cheapskate.  Don’t even give your name, if it’s not required.

These days, the less information you give, the better.

The Cutting Edge In Technology From DHS

With security in main focus, everyone is familiar with the Department of Homeland Security.

DHS seems to be keeping up with the times.

There are teams within DHS working with outside firms via contract on cutting-edge development in technology.

According to an article from The Register, the DHS is ready to field test a device similar to a Star Trek medical tricorder.

The device is designed to measure muscle movement, breathing and body temperature.

How far the measurements actually go, is yet to be described.

The device is said to make its measurements from up to 40 feet away.

With the recent H1N1 news over the past few weeks, I am not so sure this is a bad idea.

The question I have is… If you take my temperature with this thing, am I going to glow in the dark, when you get done?

According to the same article, DHS also has two other projects deeply rooted in technology research from several months back.

One is called the Puke Ray Light Sabre, the other is the Lobster Beam Scanner.

The Puke Ray is designed to subdue a mob, and render them harmless… through some type of frequency emission, I assume.

And, the name is not arbitrary. Guess how it renders them helpless?

There is talk that it could be mounted on robotic equipment, for remote control.

(I guess the ACME uniform-puke-stain-remover is still on the drawing board.)

The Lobster Beam Scanner is designed to see through walls and most materials.

Seems like that would be good to have at the border checkpoints.

If you examine the pictures, it resembles a megaphone.

Not sure what the ‘glow-factor’ is on that one, either.

Beyond the jokes and ethical questions, these actually sound like pretty intriguing technological advances… as scary as they may be.

‘Kung Fu’ For Your Operating System

I had a couple of days off this week.

After a couple months of begging from a friend of mine, I finally surrendered, and brought her machine home.

It was REALLY slow.  It was running Windows XP Home, and it looked as if everyone in the household did whatever they wanted on it.

No virus scanner updates, malware ridden… there was much to do with it.

I took several hours.

I went through what used to be my usual regimen.  (Virus scan, reboot, malware scan, reboot, msconfig, reboot, registry tweaks, reboot, virus scan, reboot, etc.)

With each task, I would start it, then walk away.

After two days, I finally gave up.

Malware and viruses have gotten so sophisticated, I could have worked on the machine for a week… to no avail.

I finally used the HP recovery utility to restore the machine to the original factory fresh settings.

After that, I used PCDecrapifier to remove all of the junk that comes pre-loaded.  (That’s all of the trialware that, upon first inspection, looks like a great deal… until you use it for 30/60/90 days and it prompts you for your credit card info.)

Since no one in the user household really seems to pay attention to preventative maintenance… I was trying to figure out a way to allow them to surf the web, without putting the entire OS at risk.

Think of it as a software ‘Kung Fu’ for the OS.  The Goal is to keep the OS isolated from web activity, as much as possible.

Sandboxie is probably a pretty good solution for them.  (Sandboxie is about $41 US.  That’s actually a pretty good deal.  Lifetime registration, for any computer that you own… non-transferable.  That means you can’t just install it for a friend to use.)

Instead of using Sandboxie, I decided to install VirtualBox (from Sun Microsystems) and set up a virtual machine running Ubuntu Linux as a guest OS. I also installed the Guest Additions, to make using the VM a little simpler.

For all of their surfing, outside of updates, they will use the Ubuntu VM.  That will place an additional layer of security between Firefox and Windows.

If you would like a little info on VirtualBox, check out the website.

I set up a VM running Sugar, but you can substitute the Ubuntu ISO instead of Sugar.  Check out the details on my post here.

My rules of thumb for them?

  • No file sharing
  • Stay off the web, except inside the Ubuntu VM
  • Never use Internet Explorer, except for software updates
  • Don’t install anything in Windows, unless you are completely aware of what you are installing
  • Run defrag and protection updates (malware and virus) regularly

I think this is the best strategy, especially since there does not seem to be anyone really technical in their household.

It’s been a while since I took on a task like this, and I am amazed at how little I got accomplished in trying to clean the machine.

I knew cleaning the OS was like beating a dead horse, but I decided to try it for kicks.

The easiest thing to do, if you are having major problems?

Reinstall or restore!

After the restore, I ran the updates, and some tweaks.  The machine is practically flying, now.

Sometime this next week, I am going to post a refresher on setting up VirtualBox on Windows, with a Linux guest OS.

VirtualBox is free for personal use, as is Ubuntu.

Boosting A Bot-Net… For Research

People at the University of California (Santa Barbara) successfully hijacked a bot-net earlier this year.

Ars Technica has a good write-up on the topic.

The bot-net is / was controlled and propagated by malware for Windows, called Torpig.

The researchers maintained control of the bot-net for about 10 days, before it was seized from their control.

Credentials for 300,000 logins and 56,000 passwords were observed during the time that the researchers controlled the network.  Traffic for some 410 financial institutions traversed the bot-net.

The conclusion?

Windows users evidently are still not very security conscious… and their info is ready to harvest.   Basically, we live on an information ‘pig farm,’ with no shortage of choice pork.

The interesting part of this story is that, by hijacking the bot-net, the researchers could in theory be violating the DMCA.  That’s a little scary, considering that the results have been shared, and ultimately should lead to more solutions for combating malware.

Reading over the article, I am reminded at how many techniques the malware authors use to gather information.

Reading over some of the results, they’re sophisticated enough to collect statistics and analyze trends.

It’s pretty obvious that planning and forecasting have become a major part of the dark market for collecting financial and personal information, then subsequently employing malware to mine the data.

It appears to be a dark plan, complete with experienced project management.

When you think about the number of casual Windows users out there with the attitude “One day I want to learn more about my PC and the internet,” it puts a different perspective on what each user is up against, every time they log on to their laptop or PC.  It’s a little intimidating, to say the least.

The researchers have published a PDF file, “Your Botnet is My Botnet: Analysis of a Botnet Takeover.”

This is on my list of items to read, over the next few days.

Beware The Swine Flu & Social Engineers, Too

Social Engineering is a term that has been coined to describe a genre of activity designed to influence people to engage in activity that they normally would decline or not engage in.  It usually involves lies or deception of some sort.

The activity is subversive, and the unsuspecting victim shares information that helps the Social Engineer to gain information or an exploit.

Phishing is a form of Social Engineering designed to influence the user to click on links that redirect them to a website.  Subsequently, the destination is a fake site designed to look like a legitimate site.  Usually the user is coerced into typing in their username and password, and possibly account numbers to an online bank or payment company.

And… the information is collected and saved.  It’s either immediately used or saved and sold on the black market.

Ultimately, these days, it boils down to money.  They want your info, to get at your money.

The BBB came out today with a warning regarding schemes drawing focus on the recent Swine Flu (H1N1) outbreak.

One ad offered a ‘survival guide’ for $19.95.

The ultimate goals of such schemes could be any of a growing list of objectives.

It’s possible that the scheme is a website designed to get your username and password… or your username, password and bank account number or credit card number.

It could also be a matter of getting you to click a link to install a virus or trojan on your machine.  It might be designed to collect your keystrokes (a keylogger).

The focus… is to present something intriguing that sparks your interest… that makes you want to open the attachment, click the link or type in your username and password… or simply use your credit card.

If I haven’t said it enough… scammers and schemers, virus authors and crooks are actively designing new routines in software, in hardware and in ‘the real world’.

As money gets tighter, there is a relative increase in Social Engineering.

It will get worse, before it gets better.

Beware of emails and websites that sound too good to be true, or just too doggone intriguing.  If they include a time-sensitive deal, RUN.  In the opposite direction.

These days, if it sounds too good to be true, it probably is.  To top it off, just checking it out might cause you problems, too… if you click the link, or open the attachment.

Remember, Google is your friend.

If you really have to know about that great deal, Google the subject line.

Usually the first page of results will tell you if there is a virus or something nasty circulating with that subject line.

And… even if you don’t find anything… still beware.

Who’s to say that you are not one of the first victims of a new scheme?

Simplifying Admin Tasks As A Limited User (Windows)

After reading my post on Tightening Home Computer Security, someone stopped me.

In a nutshell, I talked about creating multiple accounts, one for each user.  You have only one admin account, that is used ONLY for administration.

“… But I have to change things that require administrative privilege.  That means I have to log on with my regular user account, then log off… and log back on as the administrator… log off… log back on with my user account.  Using separate accounts is simply not feasible.”

Off the cuff, that may seem true.

There is a good work-around.

I brought up my XP box.

I opened Notepad and proceeded to create a batch file.

(Screenshot: the batch file)

The batch file above starts the User Manager as my administrative user (4dm1n1str4t0r), using the RUNAS command.

XPIMAGE is my machine… and my admin account name follows it with a ‘\’.

(If you need to run another program as administrator, you can simply substitute the complete path to the executable inside of the quotation marks.

Make sure you locate the program you want to run in Explorer first.  That will help you discover the path.

You’ll also want to substitute your machine name and your administrator account name in place of mine.)

I save the file to my desktop, as PWD MANAGER.BAT.

(Screenshot: the batch file saved on the desktop)

When I double-click the shortcut on my desktop, it pops open the DOS window… and pauses for me to enter the password for the admin user, 4dm1n1str4t0r.

After I enter the password, it fires up User Manager.

The /savecred switch allows me to enter the password the first time I run the batch for the current session.  Subsequently, it no longer prompts me for the password for the current session.  The next time I log on, it will prompt me for the password, again.

For good security practices, you probably want to omit the /savecred switch from the batch file.

I have not heard of any vulnerabilities, using it, but it’s probably much safer without it.
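Here is the shape of such a batch file, written as an added example rather than a copy of the screenshot above. The machine name XPIMAGE and the account 4dm1n1str4t0r are the ones from the post; using `control userpasswords2` (the XP user accounts dialog) to stand in for the User Manager is my assumption, as is the example path for a second program.

```batch
@echo off
rem PWD MANAGER.BAT - an added example, not the original post's screenshot.
rem Runs an administrative tool from a limited-user session with RUNAS.
rem XPIMAGE and 4dm1n1str4t0r come from the post; "control userpasswords2"
rem is an assumed stand-in for the "User Manager" the post launches.

set ADMIN=XPIMAGE\4dm1n1str4t0r

rem Safer form: RUNAS prompts for the admin password on every run and
rem caches nothing.
runas /user:%ADMIN% "control userpasswords2"
if errorlevel 1 echo RUNAS could not start the program. Check the account name and password.

rem Convenience form from the post, left commented out: /savecred caches the
rem credential after the first successful entry, so later runs do not prompt.
rem runas /savecred /user:%ADMIN% "control userpasswords2"

rem To launch a different program, substitute its full path inside the
rem quotation marks, for example the Computer Management console:
rem runas /user:%ADMIN% "mmc C:\WINDOWS\system32\compmgmt.msc"

rem Keep the window open so any RUNAS error stays visible.
pause
```

Everything started this way runs with the admin account's rights, so keep the launched program list short and the shortcut itself in a place only you use.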

You’ll also notice that I changed the name of the administrator account.  It’s another good measure in securing your home computer.

If you stick with the vanilla ‘administrator’ name, the only thing left to do to break into your machine is to acquire the password.

If a person posing a security risk has to find both the username and the password, the chances of someone circumventing your security diminish pretty quickly.  That’s as opposed to only having to get through the password security.

Even though the multiple user / single admin security model may seem like a hassle, there are ways to perform administrative tasks without complete surrender.

The Right Response?

Michael “Mikeyy” Mooney, a 17-year-old from Brooklyn, New York, made international headlines last weekend.

According to reports, the teen did a little research and found a vulnerability in Twitter.

He subsequently created a worm to promote his website, StalkDaily.

Using a series of steps with the cache and the Twitter API, the worm sent spam tweets to several accounts.

Twitter users and followers were upset, to say the least.

Several thousand Twitter accounts were affected.

The interesting part: a few days later, Mikeyy’s account got hacked.

During the hack, Mikeyy’s personal information was exposed… not to mention his coding skills were criticized.

To complicate the story, a couple of companies decided to give Mikeyy job offers.

The story is still unfolding.

As of right now, it appears that Mikeyy has accepted one of the jobs, with exqSoft Solutions.  According to the reports, he will be working in security analysis and web development.

We haven’t heard much of the legal repercussions, as of yet.

I think that this brings up some interesting questions.

Did Mikeyy Mooney get rewarded for his alleged and self-proclaimed ‘hack’ of Twitter?

Is exqSoft Solutions simply looking for publicity?

As our information and internet law continues to grow and mature, undoubtedly, it will change.

In recent years, we have seen prevention of convicted criminals from profiting from their crimes.  Basically, they are not allowed to earn a profit in selling their stories to publishers or media companies.

I think that somewhere along the line, we can expect similar responses or legislation to prevent ‘script-kiddies’ and information vandals from receiving rewards from their ill-administered fruits.

Rewarding them with a job offer is the wrong response.

Kevin Mitnick, author and alleged hacker, received an extensive sentence from the court systems for activities prior to 1995.  The decision included a five year prison term, among other things, and barred him from access to any communications device other than a landline telephone up until 2003.  At that time he got the ruling overturned.

If Mikeyy really wanted to alert people to a problem with Twitter, I think a better place to start would have been alerting the staff to the vulnerability.

The scary part of the whole ordeal, and other similar ordeals… How will the resulting legislation (if there is any) be worded?

Even scarier… how will the wording for that legislation subsequently be interpreted?

A Word Of Caution On ‘Free’ Software

On OSNews: a trojan designed for Mac OS X, piggybacked on cracked copies of Adobe CS4 and iWork, has been activated for the first bot-net attack of its kind.

The software was distributed over some Warez sites.

What happens is… the virus author decompiles (or unassembles) the code for the package, inserts the malware and recompiles (reassembles) the whole package.

The resulting package includes the unwanted malware or trojan, hidden.

When users install the package, they get asked for their administrative username and password.

As soon as they enter it, the software package gets installed, as well as the trojan.

This happens pretty often.

Someone wanting a free copy of an expensive software package will Google the package, and land on one of these sites.

There are plenty of these less than desirable packages floating around.

If you land on a ‘free download’ of a paid software package, be very discerning.  Most of the time, it could be laced with just about any type of infection, probably several.

The more expensive the original package, the more people want it, and the more cautious you should be.

Social engineering is at an all-time high.  Essentially, these authors put packages like this together, to make them as desirable as possible.

There is still a cost associated with these ‘free’ versions.

If the user practices include downloading packages like this, they can count on re-installing their OS every few months… even weeks.  That’s provided that they become alerted to ‘something is not quite right.’

If you want a free package, SourceForge is full of safe and stable releases of free and Open Source alternatives to popular software.

You’ll find Windows, Mac and Linux software offered in a safe community, with the source code readily available.

For a good comparison, hop over to alternativeto.net.  It offers some additional info and correlations to the popular package, should you want a little more than what’s listed on SourceForge.

More Of The Downside Of Social Media

Social Media is great.

It’s a great way to catch up with friends and old acquaintances.

It can be both positive and addictive.

The uses for it, we are still discovering.

Not all the aspects are always positive, as we found out earlier this week, with two employees from Dominos Pizza.

Today, Ashton Kutcher appeared on Oprah, talking about Twitter and his one million followers.

There is something addictive about the prospect of following a microblog of someone or an organization that you consider interesting.

That’s part of the upside.

In Denton, Texas, the police department has joined ‘the latest craze.’

(Screenshot: the Denton police department’s Twitter page)

So, if you live in Denton, and you want to fly under the radar of your tech-savvy friends…

Make sure you obey the law.

Not sure if this is intended as an additional deterrent, or if it is purely coincidental.

The question I have… With Twitter and its recent vulnerability to the mikeyy worm from last weekend, how long before the page gets hacked… or someone complains of problems with potential identity theft?

Tightening Home Computer Security

Almost everyone I know uses some version of Microsoft Windows.

Windows security has tightened progressively, with Windows 2000, Windows XP, Windows Vista and Windows 7.

The general practice among the people I know is to use one account for themselves and all of their family members.  That user account usually has administrative rights, in hopes of simplifying administrative tasks.

The one place in our homes that lacks the most discipline is how we administer and use our PCs.

With security issues and malware production on the rise, we have to take the initiative to protect ourselves and our homes, first!

A good home information security model is much like a good backup.  You don’t really think about it, until after a calamity.

That’s when you really need it!

Of course, the ideal is to create separate accounts for each user.  There should be a separate administrator account, seldom used, to install software and hardware or for troubleshooting and problem isolation and resolution.

The regular user accounts should be given only limited user rights.  That’s not to complicate things, as it might seem.

If you look back during the Windows 3.0, 3.1, 3.51, 95 and 98 eras, you’ll remember how easy it was to contract an infection of some kind.  During that time, there was no distinction between users and their respective rights.

The administrative user account looked exactly like all the others, so just about anyone could make changes to hardware and software… and so could just about anything they clicked on.

Now, back to the ideal…

It has one administrative account with super user rights.  All of the other accounts have limited rights, with practically no administrative rights.

The idea is not based on a lack of trust for all the users, but a lack of trust for everything else.  You want to protect them and your Operating System.

Your son or your daughter, your wife, your husband, or your mom and dad… might have completely innocent intentions while web surfing or using email.

What happens?

Think about these two scenarios:

1)  Everyone has administrative rights.  They click a link on the web or through email.  Without their knowledge or intention, they run an executable program that installs itself on your machine.  It could be a virus, worm, key logger, IRC-bot and / or even worse… a rootkit.

2)  Each user has limited rights, with no administrative privileges.  That includes the members of the household that ‘know what they are doing.’  Once again, they click a link over email or the web.  This time, the program displays an error message and the program fails to run.  Before anything bad could happen, the executable was stopped, which is what you want to happen.

As a rule of thumb, never log on as administrator, unless you have a special reason to do so.  That reason should only include maintenance tasks, installing or uninstalling software or hardware, or troubleshooting and repair.

Importantly, stay off the web, except for updates.  Never use the admin account to randomly surf or check email.

The knee-jerk reaction is that it’s frustrating.  You can’t do anything.

The frustration usually only lasts during the adjustment period, which also includes tweaks and allowances in getting enough function to run your programs.

Once everything is functional, remove administrative rights from each regular user.  Getting used to the new balance will take a little adjustment.

Don’t share the administrative account and password with everyone else in the household.  Pick one trusted assistant, and share it with them.  Explain the full reasoning behind the new security precautions.

Assign each person a username and password in confidence.  Ask them never to share their username and password with anyone else inside or outside of the household.  Help them to understand the importance of maintaining the security, integrity and responsibility.
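The account changes described above can be done from one batch file instead of clicking through the Control Panel one user at a time. This is an added example, not something from the original post; the household account names in it are constructed placeholders, and it uses the NET USER and NET LOCALGROUP commands that ship with Windows XP.

```batch
@echo off
setlocal
rem FIXUSERS.BAT - an added example, not from the original post.
rem Demotes the listed household accounts from Administrators to Users,
rem then lists who is still in Administrators. Run it once, from the
rem (renamed) administrator account, after everyone's programs work.
rem The account names are constructed placeholders; substitute your own.

set HOUSEHOLD=mom dad son daughter

for %%U in (%HOUSEHOLD%) do (
    rem Create the account if it does not exist yet; "*" prompts for a password.
    net user %%U >nul 2>&1 || net user %%U * /add
    rem Make it a limited user...
    net localgroup Users %%U /add >nul 2>&1
    rem ...and take it out of Administrators. The delete simply fails if the
    rem account was never in the group, so the script is safe to run again.
    net localgroup Administrators %%U /delete >nul 2>&1
)

rem Only the dedicated admin account should remain here. Any regular user
rem still listed has administrative rights and needs the same treatment.
echo Current members of Administrators:
net localgroup Administrators

endlocal
```

The final listing is the check worth repeating now and then: a household account that reappears in Administrators means someone took the easy road again.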

If everyone knows the administrative password, what will happen?  At that point, it becomes easy for everyone to use the administrative account.

And they will.

It’s human nature to take the easy road.

Separate user accounts will simplify the processes of reviewing logs and troubleshooting issues.

These days, more schemes are aimed at stealing information.

A good home information security model includes a sort of ‘Information Kung Fu,’ and it is a team effort from the whole household.

I’m New Here, Where Is The Computer Lab?


Universities, like other institutions, are feeling the economic crunch.

Ars Technica has a post on the University of Virginia shutting down their computer labs.

As it turns out, most students these days entering college come with a laptop, or at least a desktop.

The cost of infrastructure and the cost of preventative maintenance to an educational institution for a dedicated lab don’t seem to be much cheaper than they were years ago.

Does this mean that colleges could save money by shutting down the computer lab?

Yes and no.

They will no longer have to bear the costs of staffing and space.  So from that standpoint, they save money.

Yet the cost of the infrastructure and security that go along with keeping all of those people online at the university could conceivably become greater.

A lab with 50 to 100 PCs and a few servers might actually be easier to maintain from a cost standpoint.

Having staff or volunteers assigned to assist students and faculty with an assortment of issues from an assortment of hardware and software could be quite daunting, in itself.

Security, now, more than ever will become much more important.  So, money saved on maintaining a computer lab will probably have to be re-directed into budgeting for security infrastructure and personnel.

If more universities move in this direction, policies born out of necessity will become more standard.

“If you want to purchase a laptop or desktop, here are the requirements it will have to meet in both hardware and software.”

The great thing about this happening at universities, in my opinion, is the fact that you have more geeks than ever in the student population, willing to offer their input and help.

This should be an interesting topic to follow, considering Microsoft ceasing support for Windows XP, and the unknown final release date for Windows 7.

Update Reminder: Conficker C In The Wild

CNN had a story regarding Conficker C, a Windows virus in the wild.

As it turns out, the virus is a modified version of an earlier form of the worm.

The virus joins the machine to a BOT-net, and effectively turns the infected machine into a zombie.

Essentially, the machine will wait for a command from the master.  It could be used to bring down a website, send out spam or a host of other possibilities.

Looking over the forensics, the experts say that the worm will become active on April 1, 2009.

They suspect that between 5 million and 10 million machines have been infected.

No one is exactly sure what the goal or what the purpose of the infection actually is.  Guess we will find out on or after April 1.

(Remember AV2009?  You can expect similar problems with this worm and any evolution of it.)

If you visit Windows Update and install the updates successfully, and have success in updating your virus scanner, you should be fine.

If you have problems with either of those tasks, it could be a sign of an infection.  It might not necessarily be Conficker C, but it’s still cause for concern and time to do some serious PM.


Copyright © 2008 http://braintubes.com