QuicksearchJoin our Google GroupPoll boxAre you planning to obtain a security certification in 2008?
Archives StatisticsLast entry: 2008-07-17 15:03
94 entries written
59 comments have been made
|
Home | Contact Us
Thursday, July 17. 20085 lessons learned about computer securityExtracts from the original article found here... include some sane advice to those who get thrilled by the term 'hacker' by none other than the infamous Kevin Mitnick.
Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now. Use your powers for good, not evil. Before, I was doing something exciting-but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation. Even hackers get hacked. Attackers found a way onto my Web server. Source Tuesday, July 15. 2008
Europe Grants First Privacy ... Posted by Donald Tabone
in Articles at
12:25
Comments (0) Trackbacks (0) Europe Grants First Privacy Certification![]() The European Commission today granted its first privacy "seal of approval" to an online service, paving the way for e-businesses across Europe to certify their practices for protecting users' personal information. The privacy seal, dubbed EuroPriSe (European Privacy Seal), is a detailed conformance and testing program designed to certify that an online service meets all of the European Union's laws and regulations regarding the handling of customer data. Is it a matter of time before we have to comply? Continue reading "Europe Grants First Privacy Certification" Tuesday, July 15. 2008Tuesday, July 8. 2008
Protecting your GMail account Posted by Donald Tabone
in Articles at
07:30
Comments (0) Trackbacks (0) Protecting your GMail account
Google have added a cool feature for users of GMail - the ability to sign out from previously logged in sessions - therefore if you have the habbit of signing into GMail from multiple PC's and "forget" to logoff, scroll to the bottom of you current GMail screen and you will see the new feature titling "Last account activity: xx minutes ago on this computer. Details.." Click the <details> link and you're presented with a list of previous sessions which allows you to quickly verify that all the GMail activity was indeed yours. To be extra cautious you can click on "Sign out all other sessions" - this way you prevent any unauthorised usage of previous sessions. Full report can be read here Monday, June 9. 2008
The perils of popular Facebook Posted by Donald Tabone
in Articles at
10:16
Comments (2) Trackbacks (0) The perils of popular FacebookAn article written for the Sunday Times of Malta - IT Supplement dated 8-6-2008 Often enough, most people tend to have their own way of perceiving how secure they actual are when doing things online. Indeed a lot of people tend to be naive and prefer not to think of what can go wrong right after they post or publish something personal about themselves or even others. The way we perceive how secure we are, largely depends on past personal experiences. If you ever suffered some sort of data loss due to a virus - you would know exactly what I mean - in that - once bitten twice shy. So worst memory tends to prevail over your decisions and even perceptions of how secure you really are. More over, misconceptions surround us such as "I have antivirus software, so I am secure" or “I have a firewall, so I am safe”. The reality is that to be secure you need to employ a suite of tools (antivirus being one of them) to help you reduce your risk exposure to an acceptable level. These days there is a lot of talk about Facebook. First off - it is a social networking tool which anybody can freely sign up for and use. So far so good! One of reasons it is so popular with people (in particular with youngsters) is that it allows for virtual social interactivity - therefore somewhat redefining the way people meet, talk and share things with each other. In many ways I feel it has affected our social culture. If you feel shy, then you can look for your soul mate online without having to sweat it out before you pluck up enough courage to go talk to a guy/girl face to face. One facility Facebook offers is the ability to check how compatible you are with different people and linkup to different friends through existing friends to build a spider web of friends. One idea might be - the more friends you accumulate online (say on Facebook) the more popular you are perceived to be. At face value, Facebook sounds cool especially if you are a budding teen. So where's the catch?
Wednesday, April 30. 2008
Wireless modem considerations Posted by Donald Tabone
in Articles at
08:11
Comment (1) Trackback (1) Wireless modem considerations
Unfortunately one other reality is that a number of ISP's install wireless modems without setting up any sort of security. What's worse is that if the client doesn't speak up - they don't quite advise the customer of what could be at risk. Basically as long as your laptop/device successfully connects to the wireless LAN that is setup up for you, they're out of there. SOO - this is where we come in to offer some advice. If you connect to your wireless router without a password, its time to get hold of a technician who knows his business and set up some security on it. That's not all... Recent developments published by Petko D. Petkov reveal some pretty nasty things an attacker can do to Thomson Speedtouch wireless modems - which is what a lot of us Maltese people have at home to connect to the internet. Thanks to a friend of mine who first pointed out the article above, it is now possible that if an attacker sees your default network name (SSID) then it would be possible for him to crack your default password and use your internet connection. Therefore here are some healthy tips you could pass onto your technician if you're not confident to set them yourself. Use WPA2 encryption rather than WEP/WPA. Note that this will affect usage of early PDA's wireless and even computers with Windows XP. In fact you will need to download a patch for Windows XP to use WPA2. Also certain old wireless adapters (802.11b) might not have updated drivers, so do your homework to see if your adapter can use WPA2 before you start changing anything.
Change the default name of your router to something else. Invent an name.
If you don't have a password - PUT ONE. If the router is using a default password, its a good idea to change it unless you don't mind sharing your internet conenction with your neighbours. Continue reading " Wireless modem considerations"Sunday, April 20. 2008The Real Security IconSunday is the most relaxed day of the week. I've been pondering about a strange (and useless) subject, just to fill in my precious Sunday morning. Some time ago I had a brief discussion with Sandro about the padlock and why it's not a very good symbolic figure for security. In reality this is true since padlocks nowadays are a weak and most basic form of physical security. Thursday, April 17. 2008
Yoggie - Personal Laptop Security on USB Posted by Giannella De Leonardo
at
14:50
Comments (0) Trackbacks (0) Yoggie - Personal Laptop Security on USBJust stumbled upon www.yoggie.com, a security 'server' that is able to provide a laptop with the same level of security as within the corporate network. Continue reading "Yoggie - Personal Laptop Security on USB" Tuesday, April 15. 2008
Open ID & Alternative Login Methods Posted by Giannella De Leonardo
in Articles at
11:04
Comment (1) Trackbacks (0) Open ID & Alternative Login MethodsRecently I created an Open ID Login in order to log-in to a website. Since this was something new for me I did some research of my own and I found this instructional video that explains this in detail:
Tuesday, April 15. 2008
Businesses: Top 10 security threats ... Posted by Donald Tabone
in Articles at
08:12
Comments (0) Trackbacks (0) Businesses: Top 10 security threats to watch out for
There are lots of ways business networks can be compromised, and more are developing all the time.
They range from technology exploits to social engineering attacks, and all can compromise corporate data, reputation and the ability to conduct business effectively. Since we all like lists 1. Virtual host security Read the full-article and grab the details here. Take a look at the NSA's published 10 best security practices. Wednesday, April 9. 2008Credit Card Data Leaks
In view of a recent article on the Times of Malta dated 9-4-2008 titled Some Visa cards replaced due to possible fraud we would like to take the opportunity to remind our readers about exercising caution to disclosing personal card details to untrusted people or websites through email or otherwise.
VISA provides a link with Fraud Prevention TIPS some of which are listed below - so there is no excuse for being negligent. Take your time to make sure you are duly diligent with personal details. There are many physical and logical attacks that can take place such as skimming, phising and even social engineering. When providing payment information online, look for the 'padlock' icon on your browser's status bar - this signals that your information is kept secure during transactions. Precautionary measures are good - but prevention is better than cure - and preceding that being aware is the first step. The hard part is getting the message out there - and that is where strive to make a difference. Sources/References http://www.timesofmalta.com/articles/view/20080409/local/some-visa-cards-replaced-due-to-possible-fraud http://www.visa.ca/en/personal/securewithvisa/fraudprevtips.cfm http://www.visa.ca/phishing/ Thursday, March 27. 2008Blackhat Europe + Twitter[Sandro] Just a quick notice - If anyone's interested in what's going on @ Blackhat Europe, I'm posting quick notes on my twitter account. http://twitter.com/sandrogauci [Donald] So we're back from Black Hat and the cold Dutch weather and I must admit that overall the amount of cool stuff that goes on during the conference overwhelmed me. More than the presentations (which hook you in themselves) - it was the people that we met and socialized with in the evenings. Amsterdam city is a great city for the urban runner - a must visit if you enjoy hectic run-arounds. Fine restaurants and lots of good company. On the other hand, if you're a bit like me, I would tend to go for a more relaxed area - nevertheless (I'm not complaining) - I loved it and would definitely jump at the opportunity to go there again next year. Wednesday, March 19. 2008SMART City - Malta
We'd like to show you some big aspirations for Malta through SMART City - Malta!
Original source Continue reading "SMART City - Malta" Wednesday, March 19. 2008Congrats: you are a winner
PLEASE BEWARE:
This morning I recieved an SMS with the following text:
Doing a little research, first thing to notice is that the number above (+234) is Nigerian. Already smells bad... A little more research on google and you will find other reports of this message with people asking whether it is a hoax or not. The sum, number and email vary accordingly - and it IS a hoax. So readers BEWARE - as much as everybody likes the sound of it, don't bother calling or emailing or disclosing any personal information. If you know of any other reports, feel free to comment below. Wednesday, February 27. 2008
Recovering passwords from RAM Posted by Donald Tabone
in Articles, Forensics at
09:37
Comments (0) Trackbacks (0) Recovering passwords from RAM
A joint group of people from Princeton have recently managed to prove the fact that RAM chips, when cooled to a very low temperature, can continue to retain the contents of RAM for up to several minutes after they have been physically removed from a computer.
The group, then built their own tools and programs to read off the contents of the memory after the computers were rebooted - proving that disk encryption technologies (such as Truecrypt for instance) can be defied. This is demonstrated in a video posted on youtube (see extended body of article) The concept can also be also easily demonstrated following a simple experiment outlined on the groups page here. Q. What can users do to protect themselves? Following up this, according to Ivan Krstic, director of security architecture at OLPC (One Laptop per Child) - the recently announced MacBook Air is resistant to what is now known as the "Cold-Boot Encyption Attack" simply because the machines DDR2 RAM (2gb) is soldered on and cannot be physically removed. In addition, if Apple release an EFI firmware upgrade to zero the contents of the RAM at every boot, then the MacBook "...would become one of the only—if not the only—mainstream laptop featuring full-disk encryption that's highly-resistant to the troublesome Princeton attack." (source) Microsoft also reacts to this vis-a-vis their BitLocker technology in Vista. Ryan Naraine reports on this here. Microsoft suggests that the most secure method to use BitLocker is in hibernate mode and with multi-factor authentication. The Register also has their views on this...BitLocker, meet BitUnlocker. A question directed to Digital Forensic experts - Is this a blessing in disguise? What's your take on it? Update: More information on the discussion can be found here Continue reading "Recovering passwords from RAM" Wednesday, February 27. 2008
Safer internet campaign launched Posted by Donald Tabone
in Articles at
09:36
Comments (0) Trackbacks (0) Safer internet campaign launched![]() We acclaim another step in the right direction, in line with the scope of http://maltainfosec.org In a bid to combat cyber exploitation of children, IT Minister Austin Gatt yesterday announced an intensive awareness campaign as students marked Safer Internet Day. Echoing a post on the Times of Malta 27th Feb 2008 Thursday, February 21. 2008A followup on PassPack and online password managers
Our post on PassPack last week attracted quite a bit of attention. We were able to have an interesting discussion over security concerns that have to do with most (and probably all) online password managers. Similar to PassPack there are other services like Clipperz and Just1Key, all of which would be subject to the same concerns that we raised - the basic question of trusting a 3rd party server with your passwords. If you missed out, check out the post to learn about the actual concerns.
One solution that PassPack seem to be seriously considering is the option to license their server technology to 3rd parties. In the case of a company that buys a license and installs PassPack on an internal server, this would shift trust concerns from the service provider (happens to be PassPack) to the company's own systems administrators. This assumes that proper code review is done by whoever is concerned. We also picked on the One time passwords feature in PassPack, and why it is not a panacea solution to the keyloggers problem. The conclusion was that PassPack needs to clearly inform the users that passwords need to be generated ahead of time. Without doubt, making use of public computers such as the ones found in internet cafe's or kiosks, is a bad idea by itself. There are too many layers which an attacker can target - the computer's memory, the web browser by replacing the logout button with one that does nothing, and so on. All that said - PassPack has a lot of potential, they put a lot of focus on both the user experience and security. Upcoming features such as being able to share passwords with other users can definitely be useful (although that is a bad practice and should be avoided most of the times). From our part, we look forward to seeing how PassPack and similar services will change the way we threat our passwords. Thursday, February 14. 2008
Happy Valentine’s Day from: The ... Posted by Giannella De Leonardo
in Articles at
09:46
Comments (0) Trackbacks (0) Happy Valentine’s Day from: The Storm TrojanValentine’s Day isn’t stopping controllers of the Storm Trojan from using the holiday theme to trick users into downloading the malware. Wednesday, February 13. 2008PassPack and why it does not work
Note: We posted a followup on this.
PassPack is an online password manager for people who travel or change computers often. Unlike other password managers, PassPack is available 24/7 via internet, nothing to download or install. Great! Problem solved. But how do they achieve this? With AES encryption (the same as used by the US Government) and an SSL Secure Connection, your data travels safely over the internet. But let's suppose a hypothetical "bad-guy" gets into our servers, all he'd find would be a bunch of illegible data (not even PassPack can read your data). What caught my eye was the part where they state that not even PassPack can read your data, which reminded me of the Hushmail incident. The free secure email service makes claims that: By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance. Which is simply not the case. In fact later on in their FAQ, Hushmail have a section which explains that they have to comply with the law just like everyone else. Same with PassPack - the encrypted data on their servers cannot be accessed off their servers without the password. The problem is that, if need be, PassPack is able to read your password and then use it to decrypt your information. So what about the other claims?
Well - not today's loggers! Nowadays, both commercial and underground/malware keyloggers support screen capturing. This means that if you are in an internet cafe, there always is the chance that not only are your keystokes monitored, but also your all your activity on the computer, including screen captures and mouse clicks. But it is not all bad - I do like PassPack's idea of tackling the problem of multiple passwords. Some of the features that they offer are also pretty interesting such as the "Anti-Phishing Welcome Message". While this is not nothing new and Yahoo and others have been using such features, it is good to see them more widespread. However, as you might have guessed, I won't be handing out my google, hotmail or amazon passwords to PassPack. Wednesday, February 13. 2008Humor: Microsoft vs Google
On February 1st, 2008 Microsoft offered $44.6 billion for Yahoo. A truly desperate attempt to catch Google.
![]() Source: http://eatliver.com/i.php?n=2801 |
CalendarCategoriesQuick links
MadVIP.net
MySQL Geek Computer Domain - MALTA SecGeeks Google Blogoscoped SIPVicious ExchangeInbox GiGa in Security Forensics Wiki Security Catalyst Forum Forensic Focus Google Online Security CCCure online testing Layer 8 InfoSec Writers Our GOOGLE group MaltaMeter SearchMalta.com Richard Bejtlich Matasano Chargen Previous | Next Blog AdministrationRSS Feed |

