Facebook news feed settings update

Facebook has changed its News Feed, so that by default, you can only see updates from people you’ve "recently interacted with." If you don’t change this and aren’t that active, then only a few of your friends will actually see your posts and vice versa.

YOU ACTUALLY HAVE TO CHANGE IT AT THE BOTTOM OF YOUR HOME PAGE, CLICK EDIT OPTIONS AT BOTTOM AND ADD "ALL FRIENDS" TO MAKE THE CHANGE

So here is how to do that:

Login to Facebook:

Search for the ‘Options’ link at the bottom of the page. The best way to do this is to press Ctrl+F (if you are on a Windows PC) or Command+F (if you are on a Mac); this will open a ‘find’ dialog box. The box will be located in the upper right, upper left or lower left depending on your browser.

Type in ‘Options’

You will find it at the bottom of the page. Click on it to bring up the options:

Open the drop down menu

Change and then save and you’re done.

Thoughts on Privacy, Anonymity and Security

One thing I deal with a great deal in the information/technology and security field is the very separate concepts of privacy, anonymity and personal security.

Do you think that anonymity and privacy are the same things? Wrong. Do you think that because you are anonymous your information is secure? Wrong. There are differences that are important when we want to distinguish what methods you need to protect yourself from attackers and surveillance. Let’s define anonymity, privacy and security. First the definitions:

Anonymity typically refers to the state of an individual’s personal identity, or personally identifiable information, being publicly unknown; or a condition in which an individual’s true identity is unknown. Read more here

Privacy is usually thought of as a person’s right and/or ability to control access to his or her personal information. Read more here.

Computer (and information) security primarily means the collective processes and mechanisms by which sensitive and valuable information and services are protected from publication, tampering or collapse by unauthorized activities or untrustworthy individuals and unplanned events respectively. Read more here

So anonymity does not equal privacy or security. Let’s see two examples:

In the first example say you are using a proxy server, a VPN service or Tor to surf anonymously (these offer different levels of anonymity). Your true (or should I say ‘originating’) IP address and therefore your identity (computer/network wise) is hidden. Someone who watches the traffic between your computer and the network cannot see your true identity. However, he can see the traffic and therefore gain access to your personal information. In this case your anonymity is safe but your privacy is not. Worse still, your personal data can contain information to identify you so that both your anonymity and privacy are undermined.

In the second example you protect your data using both data encryption and a secure protocol such as SSL. You control who has access to your personal information. The actual packets of digital information are hidden/encrypted and the information therein cannot be accessed. However, if you don’t protect your anonymity an attacker will know who you are. This might help him in password and social engineering attacks or allow a law enforcement agency to force you to reveal your passwords and lose your privacy.

For true online safety, both privacy and anonymity must be secured.

There are literally thousands of more detailed articles available to you by doing a simple search on Google, Bing or Yahoo or whatever on “privacy vs anonymity”. There are guys who’ve written their PhD theses on this subject, so there is obviously loads of information available if you want some greater depth than my simple explanations.

But I just wanted to remind you to do some of the simple things that can mean a great deal.

  • 1st, and foremost, get some kind of security software or suite (Symantec, McAfee, Trend Micro, Malwarebytes, ESET, MS Security Essentials etc.) AND KEEP IT UPDATED AUTOMATICALLY!!
  • 2nd. Keep your Operating System updated.
  • 3rd. Keep your browsers and especially the plug-ins (like Adobe Flash and Acrobat) updated.
  • 4th. Use ‘HTTPS’ on ALL your important communications like email, Twitter, Facebook etc. For Facebook look here. You should also use something like ‘NoScript’ to ensure https connections.
  • 5th. Clear out your internet cache every time you close your browser. You can set all the common browsers to do this automatically or use one of my favorite tools – CCleaner. There is even a Mac version which I wrote about recently.

It is nearly impossible to be truly anonymous and completely private. BUT you can have some security in both of these with a little diligence and common sense. Read some of my other posts on security for other more detailed information.

Please practice safe and secure computing.

Blacksheep add-on to protect against WiFi session Hijacking

This is a Firefox add-on everyone should use if you use public WiFi anywhere anytime.
It’s called ‘Blacksheep’.

Blacksheep will find and block ‘Firesheep’ – a highly popular new hacking tool used to sniff out and steal your sensitive information on WiFi networks.

What Firesheep is:
Firesheep is the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. It is designed to sniff out weak security and hijack web site credentials on open Wi-Fi networks. This technique is technically called ‘Session Hijacking’.

Session hijacking is nothing new. Web sites typically use SSL connections for initial login pages, but revert to non-encrypted traffic for all subsequent communication. As such, while a user’s username and password may be protected, once they are authenticated, any user on the same network can simply sniff network traffic, obtain a user’s session ID and then hijack their session for a given website. Although this has always been a serious risk, especially on insecure networks such as public WiFi hot spots, some degree of technical knowledge was required to accomplish the attack. Firesheep opens such attacks to the masses as it turns session hijacking into a point-and-click exercise. Unless websites mandate SSL for all traffic on the site, session hijacking will always remain a threat.
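The weakness described above (SSL for the login page, cleartext afterwards) can be checked from the site owner's side. This is an added example, not part of the original post: it audits a constructed login flow for session cookies set without the Secure flag, redirects back to http://, and missing HSTS. The host names, cookie names and the `audit_flow` function are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed capture of two login flows: (request URL, response headers).
# Host names, cookie names and values are made up for this example.
FLOW = [
    ("https://social.example/login", [
        ("Set-Cookie", "sid=9f2c1e; Path=/; HttpOnly"),
        ("Location", "http://social.example/home")]),
    ("http://social.example/home", []),
    ("https://mail.example/login", [
        ("Set-Cookie", "sess=77ab; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000")]),
    ("https://mail.example/inbox", [
        ("Strict-Transport-Security", "max-age=31536000")]),
]

def audit_flow(flow):
    """Return findings that leave a session cookie readable on open Wi-Fi."""
    findings = []
    exposed = {}  # host -> names of cookies set without the Secure flag
    for url, headers in flow:
        parts = urlsplit(url)
        host = parts.hostname
        # A cookie without Secure is attached to plain-HTTP requests too.
        if parts.scheme == "http" and exposed.get(host):
            names = ",".join(sorted(exposed[host]))
            findings.append(f"{host}: {names} sent in cleartext to {url}")
        for name, value in headers:
            lname = name.lower()
            if lname == "set-cookie":
                jar = SimpleCookie()
                jar.load(value)
                for key, morsel in jar.items():
                    if not morsel["secure"]:
                        exposed.setdefault(host, set()).add(key)
                        findings.append(f"{host}: cookie {key} lacks Secure")
            elif lname == "location" and value.startswith("http://"):
                findings.append(f"{host}: redirects to cleartext {value}")
        if parts.scheme == "https" and not any(
                n.lower() == "strict-transport-security" for n, _ in headers):
            findings.append(f"{host}: no HSTS on {url}")
    return findings

if __name__ == "__main__":
    for finding in audit_flow(FLOW):
        print(finding)
```

Only the first constructed site is flagged; the second keeps the whole session on HTTPS and marks its cookie Secure, which is the "mandate SSL for all traffic" fix the paragraph calls for.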

Fortunately, BlackSheep can be used to let you know if someone is running Firesheep on the same network and protect you.

Read some more here.

and here

or just add the extension to Firefox by going here!

Be safe folks!

Apple Security news end of June 2011

Apple has released Mac OS X v10.6.8 and Security Update 2011-004 addressing a total of 39 vulnerabilities in OS X 10.5.x and 10.6.x.

Many are critical errors which could allow an attacker to take control of the system!

Please use the System Update. You can read the notice here:

And get the direct download here:

As usual I would remind you to make sure you also update your Web Browser(s) and plug-ins – ESPECIALLY Adobe Flash and Adobe Acrobat!

Another serious Web Browser hole

Context Information Security has found a BIG problem: WebGL implementations on Windows, Mac and Linux have numerous vulnerabilities which allow malicious web pages to capture any window on the system or crash the computer, according to their research. They actually demonstrate how to steal user data through web browsers using this vulnerability!

The report comes right on the heels of Microsoft’s denunciation yesterday of the security architecture of WebGL and announcement that it wouldn’t be seen in Microsoft products any time soon; see here.

Sheesh! IE 9 is proving to be WAY more secure than FireFox and even Chrome! But until I can get the Firefox Extensions I use (or comparable) in IE I’m still a FireFox guy.

So let’s fix that:
To Disable WebGL in Firefox 4

1. Type about:config in Firefox address bar and continue on through past the warning dialog.

2. Type "webgl.disabled" (no quotes) into the Filter box, then double-click the webgl.disabled entry to set its value to “true”.

3. Restart Firefox browser, WebGL is now disabled in Firefox 4.

To disable WebGL in Google Chrome you will need to:

1. Right-click your Google Chrome shortcut on your desktop or in your Windows menu, click ‘Properties’ and add “-disable-webgl” to the end of the shortcut’s Target box.

2. Restart Chrome

As always please keep your systems, Web Browsers and their plug-ins, Anti-virus/Antispyware software, and applications (especially Adobe products!!) up to date and fully patched.

And try and be vigilant about security and always ‘on guard’.

More OS X utilities

While this is an early Beta, I am very happy to see one of my favorite tools now available on OS X – CCleaner.

I have been using this for some time on ALL of my Windows machines. In fact I have it scripted for all my users – every time they login CCleaner is run. This helps keep any lurking nasties in temp folders from being able to be run – since they are removed.

This early Mac version does not of course have as many features as the Windows version yet but looks real promising. Have a try. I hope you find it useful.

You can get it here

You should also have (if you don’t already from my previous posts) Onyx.

You can get that here

Security news – Gmail spear phishing attack

There are some very splashy news stories going around saying ‘Google was Hacked’... Oh no sky is falling.

Let’s be clear. GOOGLE WAS NOT HACKED!
What happened is that many ‘targeted users’ were ‘Phished’ – the users were ‘conned/tricked’ into giving up their security information and passwords. This is called ‘spear phishing’.

Essentially Gmail’s login screen was mimicked, and people were tricked into re-entering their information, and hundreds of Gmail accounts, including those of U.S. officials, were then compromised in this very targeted Phishing attack. You have to read a little bit into these articles to actually find the true nature of the supposed ‘attack’.

To be clear – Hacking is done by a very skilled person on whatever his target is, phishing is done by almost anyone to anyone dumb enough to let themselves be tricked!

Here is one headline

and another

Google’s blog page has more details here

The simple thing to take away from this is to be ever cautious of where, when and how you enter in any information online – to ANYONE.
AND use strong passwords.

The way this attack was carried out can be seen in this analogy I used with someone.

Suppose you went to the bank ATM, put in your card and entered your PIN. You then carried out your transaction; looking up your balance and making a withdrawal. After you are finished you take your cash, receipt and card and prepare to walk away.

At that moment someone comes around the corner wearing a shirt with the bank name – looking ‘all official’ – and asks to look at your card because the bank is ‘tightening up security for its special clients’.

You hand it to him. He then asks for your PIN; you know, just to make sure you are who you say you are. He writes down your name, card and PIN number and hands back your card and says, "thanks, we just have to be extra cautious nowadays…"

In this scenario you just handed that person everything they need to know about how to royally screw you.

This is the same thing that happens with these ‘phishing’ and other types of ‘social engineering’ cons and scams.

People – please use extraordinary caution when dealing with personal information.

Google has an awesome security protocol called ‘Two Step Authentication’ and it is well worth the extra time and effort to set up.

You can learn about Two step authentication in this video:

[Remember about Application Specific passwords if you use Gmail on your Smartphone or desktop (Outlook, Thunderbird etc.)]

Apple releases fix for MacDefender Trojan

Ok OS X folks. Looks like Apple finally is releasing a ‘fix/update’ for the MacDefender Trojan.

The update provides a File Quarantine definition for the "OSX.MacDefender.A" malware and Mac OS X 10.6.7 will now automatically update the definitions on a daily basis. The update will also search for and remove MacDefender and its known variants.

The knowledge base article is here 

and the actual download is here

Please update your systems.

My previous article is here.

MacDefender Trojan Strikes Again!

Apple and Mac folks I’d like to welcome you to the Windows world of malicious and pernicious attacks – even ‘drive bys’. For over two decades I and the rest of the security world have been trying to inform people that NO networked system is safe from attack. Because of the sheer number and percentage of Windows machines vs. Mac and Linux machines, they have been the most easily targeted and exploited target. But that is changing! With the spread of OSX on the desktop and the realization by the malicious software vendors that Mac people are VERY EASILY duped and exploited because of their false sense of security, they are coming on strong and fast!

I recently wrote about the new Mac Trojan out and how to defend against it and remove it – read here. After 25 days Apple finally did put a notice and instructions on how to remove it. BUT only after telling their technicians AND users that 1st it didn’t exist and then that they would not provide help!

Mac malware authors have released a new, much more dangerous version of MacDefender trojan variant:

"Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind."
Please read this from ZDnet

Apple is promising an update to OS X "in the coming days" that will detect the malware and its known variants, remove it, and remain in order to warn the user if they download it again. But don’t hold your breath!

I’ve spent years’ worth of time dealing with people who have been ‘sold’ on the false idea that "Macs don’t get viruses or hacked". Wrong wrong wrong! OS X is built on a ‘*nix’ core – one of the oldest operating system architectures in the world. How could you NOT think that there are exploits around that are just waiting to be ported to the newest derivatives? What type of systems do you think the hackers/crackers were getting into in the 70’s and 80’s?
I fault Apple a great deal for this. They have been literally selling the LIE that Macs are not susceptible to hacks for years. AND people believe them!

Again welcome to the world of Windows PC responsible computing. Be careful or get burned.

Please practice safe computing folks.

LastPass Warns of Potential Breach, Ratchets Up Security

OK FOLKS, TAKE NOTE LAST PASS MAY HAVE BEEN HACKED!!

Read about it here.

I don’t use them, but I know many people who do! CHANGE YOUR MASTER PASSWORD IMMEDIATELY!
It’s important to note that they have no evidence that anyone was actually compromised – YET.

Once you change your master password any breach that may have happened will be rendered moot. Their service is still good, I’m sure – just not good enough for me.

I have used KeePass for years and it looks like I will continue to do so now for sure – it is open source and resides on YOUR system(s). It may not be as ‘slick’ and completely web based as LastPass but I trust it more. I guess I will NOT be migrating to that service after all.

As a systems administrator and IT guy, I have no less than 78 items in my main password safe! And I have a few smaller ‘safes’ for some of my clients. So it is necessary for me to have a place to keep them all and of course a flat file or piece of paper wouldn’t work.
I keep a KeePass safe on my machines that I sync and also on a usb drive. I have always believed in owning my information.

Be safe folks.