Category Archives: security

Good Tips on Before/After Losing Wallet

I just happened to stumble upon this tip, from Santa Clara Police Blotter:

Steps to Take to Prepare Before You Lose Your Wallet
Make life easier! Now that you know all of the hoops you will need to jump through to replace the items in your wallet / purse and protect your identity, take these simple precautions:

• Strip your wallet / purse of anything you don’t really need (e.g. SSN card, checkbook, health insurance card, gift card, passwords, personal identifying information, etc.)
• Never keep your SSN card or PIN numbers in your wallet / purse
• Photocopy everything that is in your wallet / purse
• Contact your bank to see if they offer text notification for charges to your credit card
• Turn on any two-step verification features your financial institution may offer
• Be aware of your surroundings and keep an eye on your belongings (e.g. never leave a purse or wallet in a shopping basket, in-sight in a parked car or anywhere else criminals may have easy access)

What to do Immediately After Losing Your Wallet / Purse
As soon as you realize your wallet or purse is missing – whether it is lost or stolen – immediately take steps to reduce the chance of being a victim of identity theft or having unauthorized charges to your accounts.

• Retrace your steps from the last time you saw the item (e.g. restaurant, work, store, school, home, etc.)
• Notify the bank that issued your credit, debit or ATM card and cell phone carrier
• If your checkbook disappears, close the account and reconfigure any direct deposits and auto-payments
• Report the loss or theft to the Police Department via an online report, or by calling the non-emergency phone line at (408)615-5580
When doing so, you will need:
– Where and when you believe you lost, or had your wallet stolen
– Description of the wallet / purse
– List of everything in the wallet / purse (e.g. amount of cash, credit cards, etc.)
– Suspect description, if any
– Card number of any cards used as well as location, date, time and amount of transaction
• If key(s) are missing, change the locks to your home and vehicle
• If your social security card is missing, initiate a fraud alert or credit freeze and monitor your credit report at https://www.annualcreditreport.com/index.action
To place a fraud alert / credit freeze go to https://www.identitytheft.gov or call the three major credit-reporting agencies:
– Experian: 1-888-EXPERIAN (1-888-397-3742)
– Equifax: 1-800-525-6285
– Trans Union: 1-800-680-7289
• Contact the Internal Revenue Service Identity Protection Unit at (800)908-4490 or check online at https://www.irs.gov/identity-theft-fraud-scams
• Replace your driver’s license

Enable 2FA Now!!!!

With the growing number of web sites that are compromised, it’s still shocking to me that web sites don’t have 2 factor authentication, or derivatives of that. Just having a username/password is not good enough. A second authentication, something that you have that’s external to the web site is a must.

However, even with some sites, the method of 2FA is via text message. They’ll SMS the 6 digit code to your cell phone, but that communication mechanism is hackable.

From what I have read, the following are the “safer” mechanisms of getting your 2FA sent to you:

  1. Push Notification. So far, I have seen two sites which support this. The first is Google, which of course would include gmail, YouTube, or any other Google related web sites. I’ve also seen this on Facebook. The third is WordPress. Why don’t all sites use this mechanism? It seems to be more secure.
  2. Email notification. Some web sites, most notably sites that are financial in nature, like banks, or insurance, will offer email notification, as a mechanism to send you the code. Email would seem to be more secure than SMS, just as long as the email is via https (which I assume would be most emails).
  3. Yubikey, which is a hardware USB dongle. I haven’t used this, but it would seem to be the most secure (as there doesn’t seem to be a way a hacker can intercept the communication of a code). The only drawback with this is lack of vendors supporting it. Looks like the only popular ones that support this are Google and Facebook.
  4. Third party Authenticator. The most popular one is Google Authenticator, which I use all the time. You just need to have the Google Authenticator app handy

Now options 1 and 4 require your cell phone. However, if you lose your cell phone, or change your cell phone, that means you no longer have a mechanism to retrieve your 2FA code. For this reason, these apps will give you backup codes. These are OTP (one time password) backup codes. The idea is that you store this somewhere, outside of your cell phone. Perhaps a little index card you keep in your wallet, or on one of your other devices (PC or iPad).

However, I did find a web site, Amazon, that didn’t even offer you backup codes. They do offer 2FA code to Google Authenticator, but the backup is to your cell phone. But what if you don’t have your cell phone … that’s why they have 2FA backup codes in the first place.

I really wish there was an easier way to enable 2FA on various apps. It shouldn’t be that difficult.
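The authenticator-app codes (option 4) and the one-time backup codes described above, as an added example that is not part of the original post: a sketch of what a site checks on its side, using the standard TOTP algorithm (RFC 6238) that Google Authenticator implements. The `SecondFactor` class, `DEMO_SECRET` and the backup-code format are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time

# Constructed sample secret (the RFC 6238 test key), base32 as shown in a QR code.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the code the phone app displays at time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical server-side record for one account's second factor."""

    def __init__(self, secret_b32, n_backup=10):
        self.secret = secret_b32
        self.last_counter = -1  # highest time step already accepted
        # Backup codes are shown to the user once; only hashes are kept.
        # (Assumption: a real service would use a slow password hash here.)
        self.backup_codes = [secrets.token_hex(5) for _ in range(n_backup)]
        self._hashes = {self._h(c) for c in self.backup_codes}

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def verify(self, submitted, at=None, step=30, window=1):
        """Return 'totp', 'backup' or None. Every code works at most once."""
        now = int((time.time() if at is None else at) // step)
        # Allow one step of clock drift, but never a step already used.
        for c in range(now - window, now + window + 1):
            if c <= self.last_counter:
                continue
            expected = totp(self.secret, at=c * step, step=step)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = c
                return "totp"
        # Phone lost: fall back to a stored backup code and burn it on use.
        h = self._h(submitted)
        if h in self._hashes:
            self._hashes.discard(h)
            return "backup"
        return None
```

The server never needs the phone: it only shares the secret with the app, which is why a printed backup code can stand in when the phone is gone.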

Android Pay a Little Too Easy

Android Pay, formerly known as Google Wallet, had been around for a while. I first used it about 6 months ago, only because I was out on a ride and I forgot my wallet. I had previously set up my debit card with Android Pay. I guess this forced my hand to use it.

Well, I ran into the same scenario again.  Oh crap forgot my wallet … Hmm, here’s Android Pay on my phone.  But debit, then give my phone over the ATM kiosk, and voila …. Lunch is paid for.

It turns out Lucky Supermarket takes Android Pay, so I guess that’s how I’ll do my shopping. I wonder if this is any safer than using my debit card directly on the card machine. Since it doesn’t read the card directly, I wonder if it would be affected if the ATM machine was hacked.

That Time of Year Again – Change Your Password

I’m a little grateful that at work, they send me nag emails every 6 months, or whatever it is, to change my password.  Yes, it can be a pain in the butt, as I have to come up with both a Windows 16 character password, and a unix 8 character password (along with the special characters, non-repeating patterns, etc).  Thanks to Lastpass, it helps me keep track of all my passwords.

It’s funny, the day that IT sent those emails, there was a flurry of helpdesk calls (I had to go to IT for a different reason).  Every time employees are forced to change their password, expect IT Helpdesk to be really busy.

With the password change reminder, this got me thinking about all my other passwords.  It’s good they remind me, which prompts me to go ahead and change my personal passwords too!  How often do you change your passwords?  Personally, I don’t do it enough.  Although I do have two-factor authentication, I still think changing your password is necessary.  Don’t give hackers even the opportunity to compromise you.

Another Reason Why I Love My Nexus Phone

Recently, there have been some exploits on Android, and most recently, there was Stagefright. This is one that allows you to remotely control your phone. Scary.

I found out about this from an app I have called Lookout, which is like an antivirus for the phone. It alerted me of this, started some workarounds, but really, you would need to get an update on Android to fix it. Coincidentally, I see an Android update. More specifically, a security update.

It updates, and then I check for Stagefright, and no longer vulnerable.  Cool.  That’s one of the benefits of Nexus, and that is they are the first ones with the latest Android update.

Why Don’t All Merchants Adopt Two-Factor Authentication?

With all the stories in the media regarding customer accounts being hacked, it makes me wonder what type of authentication protections those merchants have. Of course, the big buzz in security is to enable two-factor authentication wherever possible. I agree … in fact, all my social media accounts (including WordPress) have some type of two factor authentication.

Thanks to Google Authenticator, when I go to Google, WordPress, or Evernote, it will ask me for a second factor of authentication.  First is the password on the web site.  Once I authenticate there, then it asks me for a second authentication, which I locate on the Google Authenticator app that is on my phone (and only on my phone).  Other sites have their own individual two factor authentication scheme.  With twitter, when I am prompted for a second authentication, it alerts me on my phone, and I simply do one click on the phone, then it allows the app through.  On Facebook, I go into the Facebook app on the phone, and look for the code authenticator, then punch in that code.  So as you see, no outside hacker would be able to authenticate as me.  The only concern is what if they stole my phone … well, that’s another issue.

For any online merchant, where you would log in for sensitive data, two factor authentication, IMHO, is a must.  So Target, Starbucks, why oh why don’t you adopt two-factor authentication?  This could have prevented customers having their accounts drained.  Now, I’m not saying it would never happen, but it surely would reduce the likelihood of having your account drained, due to someone hacking into your account.

This is one reason why I cringe when I see someone pay at Starbucks with their phone.  Even if you have a cute password, it can be hacked.  I use a password generator, and I have it changed on a periodic basis.  Will this prevent being hacked?  No, definitely not, but it’s all about making it harder for someone to hack you.  It’s just like locking your bike to a bike rack.  Will it prevent someone from stealing your bike?  No, but it will make it harder to do.

3CDaemon Security Issues or Windows Firewall Issue?

I was recently trying to configure syslog on my Windows XP PC … typically, what I do is on the firewall, have it send logs to an external syslog server … that being my PC. So I was trying a test, to see if using a different listening port on syslog would work. I do have 3CDaemon on my PC, but it doesn’t allow me to change the syslog port. So I went ahead and downloaded Kiwi syslog server.

In my testing, I was not able to see Kiwi log any messages. I thought that was strange … should be slam dunk. I went to my 3CDaemon syslog server, and I was able to see messages being logged, so I know it’s not a configuration issue with my firewall. After looking through the help files on Kiwi, I see that Windows Firewall will block all incoming connections. I normally don’t enable Windows Firewall, because usually, I am behind a firewall … but this time, I saw that it was enabled. So I went into the Control Panel, disabled the firewall, and voila …. I now see messages being logged. Cool.

But what is disconcerting is that 3CDaemon is logging even with the Windows Firewall enabled.  Hmmm … is 3CDaemon using some special process that communicates at a different stack level than Windows Firewall?  That’s a little bit alarming … maybe that’s why some don’t like 3CDaemon.  However, it is quick and convenient, but may not be the most secure thing … or should we say that Windows Firewall is not the most secure?

Securing Yourself Online

With all the threats of being hacked, phished, spammed, etc … I thought I would give a very basic primer for some of my friends on getting yourself secured.  This is common sense to some people, but not all are as experienced … so here is my first attempt at this.

Twitter:

This can be as open as you want it to be, but that comes at a cost.  For that reason, the easiest thing to do is make sure anyone that follows you is after your approval .. i.e.  lock your profile.  When someone wants to follow you, you will be notified, and you can either allow or block them.  Many spammers and phishers on twitter will get to users this way.

Most of the time, you will know who wants to follow you. Be wary of users who have 0 or a small number of tweets. Someone who has a large number of follows, but has done a small number of tweets is a big warning sign. If you are big into cycling, like I am, most of my followers will be cycling related. But if it looks like someone from a completely different interest type, I usually block them.

Facebook:

I normally avoid any facebook games.  When it says it needs to look into your profile, that’s a big big no-no with me.  Perhaps I’m paranoid, but that helps not getting pawned.  I usually configure anything to inform me first, before they invoke anything … i.e.  eye your permissions

Emails:

Ok, this is the most difficult.  Of course, we all have some type of anti-spam from email hosts, but that won’t catch everything.  Again, if the subject seems like something unfamiliar, it is most likely something to be forewarned about.  Be very careful of this.  Sometimes, I deliberately force my email settings to use txt only, but some people don’t like txt, and require html.  Okay, fine … but when I see a link, I typically copy and paste that link into a web browser.  This avoids what’s called click-jacking.  Sometimes, when you click something, it may go to a URL that you are not expecting … and then, it takes you to a phishing site, where it taps into your personal account information, which is a bad thing.

If you happen to get a dialog box that seems out of the ordinary, make sure you don’t click inside the box. Try clicking the “X” on the border of the window. This way, you exit from the windows function, instead of possibly executing the hacker’s code, and possibly hacking into you.

One last thing … it may be a good idea to rotate your passwords every so often.  Make them non-standard spelling, and not a typical pattern that can be guessed.  One suggestion, which seems to be a good idea, but I haven’t employed yet … is to come up with a phrase you remember the most … and take the first letter of each word, and use them in your password.  I haven’t used this password, but consider the phrase “Who are these people and why do they keep following me?”.  You could translate this into a password “wrtp&ydtkfm?”  Yes, it may take a while to get used to this, but that pattern will definitely be harder to hack than “cyclist”.

Exploit or Vulnerability?

Lately, these two terms have been buzz words in the news, and usually, people use them interchangeably, but are they actually the same?  I’ve always been told that IDS (Intrusion Detection Systems) or AV (Anti-Virus software) can typically detect the exploit, but will not be able to do anything about the vulnerability.

Now I am not a security expert, by any stretch of the imagination, but I will give it a shot here.  If any security experts are out there, please comment and correct me if I am wrong in my assumptions.

Okay, here it goes.

Vulnerability – this is when there is a weakness in a software application, that can be “exploited” by a hacker, to cut through the hole, and launch a virus or worm.

Exploit – this is the generator of the hacker, who attempts to break through the weakness or vulnerability, that could eventually cause havoc to anything that the application touches.  This “exploit” is the real danger.

So when you think of protecting yourself, you may want to think of how effective your tools are at detecting an “exploit”, and quarantining or blocking it. It also seems that vulnerabilities are simply holes in an application. The only thing that can be done here, is assuming the software vendor provides a hot patch to fix the holes, and make sure you apply the latest patches available for that application.

Conclusion:  AV and IDS can detect and protect against exploits, but will not be able to do anything about vulnerabilities.  That’s an application problem.

Or do I have this all wrong?

Javascript Exploit Fixed on All OS’s … Except Mac OS

I’m not sure if I divulged this, but I am an avid Mac OS fan. No, I’m not the creative type, but most of my computer knowledge was done via Mac. My very first Mac was a Mac Plus (never really owned a PC till I built one much later on). Then I got a job at E! Entertainment Television, and they were an all Mac OS shop. So my point is I’m a big Mac fanatic.

So it disheartens me to a great extent when I find this Java Exploit (CVE-2008-5353). As with most exploits, if compromised, the attacker may take over a system. Now the popular thought was that Mac would not be vulnerable to all these various attacks that Windows has been vulnerable to for a long time, but that is a dangerous assumption to make. This particular one is not Windows specific, Mac specific, or even UNIX specific. This is in the Sun Java code, which they really did fix, and it has been incorporated in all Windows, Linux, Solaris, and all other OS’s that use JAVA Runtime Engine … except for MAC. Why, oh why, Apple, why?

This exploit was patched and fixed by Sun in December 2008, so this fix has been around for coming up on 6 months. Is there a good reason for not putting this in? I kept trying to think of a good reason, but I can’t. In fact, one individual got so frustrated with Apple, waiting for them to fix this, that he decided to put an exploit out in the wild, and publish this, in hopes that Apple will finally do something about this. This has been distributed throughout the security community … I’ve seen it posted on securemac, slashdot, zdnet, and even US Cert. We’ll have to wait and see if Apple actually does anything with this.

So for now, I have turned off all Java and Javascripting from the browsers I use on the Mac. The problem is there are so many web sites that use Java for their video streaming, and Java is such an integral part of the web browsing experience. This is really annoying, and will force me to not use my Mac until they fix this, and use my PC more often. Damn … I was hoping only to use that damn friggin’ PC only for work.

Nice job, Apple!