In general, teaching people is a difficult task. You have to carefully plan on how to address them and be relevant. Each person would have different needs. Whether you plan to teach your staff and employees, or your family and friends, you have to brace yourself.

Some of the factors that would affect how you would teach them about IT security are as follows:

• the person’s experience with computers
  Has the person used a computer before? What has the person done so far? Install an operating system? Used some particular applications like word processing software or a web browser like Internet Explorer?
• the person’s experience with going online
  Each of us would have had different experiences when it comes to our online presence and habits like downloading, checking email and the like. When it comes to downloading materials be it online textbooks or anything else, it would be good to take a profile of the sites the person uses as resources.
• enthusiasm
  Whether you believe it or not, enthusiasm could affect the reception of the person to ideas and all that. Talking about security is not exactly the same as talking about your favorite car or favorite pet. Unless you think you could gush about firewalls and all those details, that is. Then again, it depends on the person’s experience, as said before.

No matter how easy or difficult it could be, no matter what background the person has, this is an important thing to learn. You are the one who can do it. May you teach them well.

Tags: Real-World Issues, Security Policies

Categories: Real-World Issues, Security Policies

Leave a Comment

Living at home means that you have to share your computer with other people. In some companies, people also share workstations in case that they have different work shifts. In any case, it is important for you to make sure that your files are safe. Especially those that you use for work and those that contain confidential information.

Here are some tips for you:

• Make sure you are using a password that is not easy to guess.
  If people know you well enough, they could probably figure out what password you will use. People tend to use passwords based on words, names and dates that important to them. Examples are pets‘ names and anniversaries. If you do this, chances are those who know you will be able to log in your computer using your account. Try changing your passwords every so often and make sure that they will be easy for you to remember but difficult to guess. Think of some cipher for it.
• Set permissions on your files and directories.
  You could set that your files and directories will only be accessible to you. Do a chmod on them. Then again, whoever has root access will be able to get through. Maybe it would be easy for you to do this if you are the one with root access.
• Protect your files with passwords.
  Although not everyone agrees with this, some people do this for their own sake. They feel better to have password protected files. A drawback, of course, is that if it has a difficult password to remember, you might as well have deleted your files.
• Log out of your account or profile.
  If you have set your file permissions that you are the only one who can view, edit and execute the files, it will be pointless if you don’t log out. When you are the one who is still logged on, you leave your entire session open for intrusion.

Hopefully these tips have helped you deal with some of your dilemmas with regards to sharing your computer with other users.

Tags: computers, General, IT Security Basics, omputers, people, Privacy-&-Anonymity, Real-World Issues, security, Tips

Categories: General, IT Security Basics, Privacy & Anonymity, Real-World Issues, Tips

Leave a Comment

With the news of collisions and reductions in attack complexity in both MD5, a commonly used algorithm for checksums on file downloads and integrity checkers, and SHA-1, a commonly used cryptographic hash algorithm in many encryption products, this brings up the question of where to go next, if you are implementing software which uses cryptographically strong hashing.

The SHA (Secure Hash Algorithm) family of algorithms, validated by NIST, and standard hash algorithms for cryptographic use, contains not only SHA-1 but an older algorithm called SHA-0, for which attacks have also been reported, and the SHA-2 family, which consists of SHA-224, SHA-256, SHA-384 and SHA-512, collectively.

SHA-256 forms a new minimum recommendation, in many cryptographers eyes, given the attacks on SHA-1. Whilst these attacks do not rule out SHA-1 for general use, in order for new software making use of hashing algorithms to be secure for the near future; perhaps a decade, it is important to prepare for the attacks on SHA-0 and SHA-1 becoming more feasible, especially as the cost of computing goes down, and the power continues to rise.

SHA-224, SHA-256, SHA-384 and SHA-512 are all named respective to the number of bits in the output hash. The more output bits, the harder it is to create a collision, in general, unless there is a weakness in the hash function itself, as has been found in SHA-0 and SHA-1.

Of course, the SHA-2 family are based on SHA-1, with slight differences in design and larger output, so it is possible that these have potential attacks also, but the size of the brute-force space is dramatically increased, and so these variants of the SHA family will withstand attack for longer, and should prove reliable for the near future.

Looking into the long term, few solutions exist currently that are not based on the SHA format. There are two main contenders, currently, in the form of the RIPEMD family, and the WHIRLPOOL family.

RIPEMD comes in the following flavours, in each case, the number represents the hash size in bits: RIPEMD-128, RIPEMD-160, RIPEMD-256, and RIPEMD-320. RIPEMD-128 is a replacement for the original RIPEMD, which was found to have security issues, whereas the others all increase the output size, and therefore the associated security. Again, this family is based on a construct which has been proven susceptible to attacks in the past, so it is possible that the entire family could have weaknesses.

The other main alternative, WHIRLPOOL, has no known attacks, and has had two major changes to further improve its security.

WHIRLPOOL is a 512-bit hash function. The changes mentioned involve a change from a randomly generated s-box (substitution box) to one designed to be cryptopgrahically stronger, and also easier to implement in hardware, along with a change in the diffusion matrix.

Some leading cryptographers are calling for new cryptographic hash functions to be designed, perhaps in the same design-by-committee method as the AES encryption standard.

Tags: Cryptography

Categories: Cryptography

Leave a Comment

Mark your calendars, IT security enthusiasts. April 13, 2010, Tuesday, is the day when Microsoft is releasing patches for Microsoft Windows and Microsoft Office. It is a big day, and it actually has been dubbed as Microsoft’s Patch Tuesday. More than Microsoft, however, Adobe is also planning to release patches of its own. The patches are for Adobe Acrobat and Adobe Reader. All in all, there will be 27 issues to be addressed by the patches.

Do we have any details about the patches? People can wait for a couple more days, of course, but for those of you who are hungry for information – as I am sure you are – you’re lucky enough to have someone like Amol Sarwate. He’s the manager of the Vulnerability Research Lab of Qualys. He says:

“There are 11 security bulletins that affect a range of Windows operating system components as well as Microsoft Office and Microsoft Exchange. This is a fairly large update and will keep system administrators busy on Patch Tuesday. Out of the 11 security bulletins, five are rated Critical and affect components in Windows 2000, XP, Vista, 2003, 2008 and Windows 7. If left un-patched, an attacker could execute code or programs on the victim’s machine and therefore all are categorized as remote code execution.”

Both companies are releasing the patches through their automatic update features. If you’re the safe kind, your auto updates are probably enabled. If you have experienced extreme slowdown because of these updates before and you’ve disabled them, then better turn them on before Patch Tuesday. You wouldn’t want to miss this.

Tags: Adobe, Microsoft, security patch

Categories: News, Operating Systems

Leave a Comment

It hasn’t been a month since the latest Firefox Update was released, but it has already caused a considerable stir. As with a lot of software releases (and usually with Internet browsers), Firefox 3.6 comes with a flaw. This isn’t really all that surprising, is it?

Anyhow, this flaw was discovered by Evgeny Legerov, the founder of Intevydis. This is a company that specializes in providing IT security solutions for various situations. The flaw discovered by Legerov was taken so seriously by the German government that it issued advisories to the effect that users should stop using this version of Firefox until Mozilla gets it fixed. To Mozilla’s credit, they were right on top of things – they went ahead of schedule and fixed the problem. More from eWEEK:

According to Mozilla, the Web Open Font Format (WOFF) decoder contains an integer overflow in a font decompression routine. As a result, too small a memory buffer could be allocated to store a downloaded font, and an attacker could exploit the situation to crash a victim’s browser and execute arbitrary code on the system.

The fix is contained within Firefox 3.6.2, which was initially scheduled to be released March 30. After the German advisory however, Mozilla announced it was moving up the release date. While security researchers are divided on the idea of switching browsers every time a vulnerability appears, it was not the first time a government had made the recommendation.

So is the latest version safe? Only if you download 3.6.2!

Tags: Firefox, Internet browsers, internet-security, Mozilla

Categories: Firefox, Web browsers

Leave a Comment

Have an iPhone? Or maybe you have another smartphone. Personally, I am setting my eyes on the Google Nexus One. It’s just as pretty and from most accounts, it is even more functional than the Apple iPhone.

In any case, most everyone has a smartphone now and that means that their children are getting exposed to mobile computing as well. If you think that it’s such a headache to ensure that children are protected when they go online on laptops and home computers, then think again. It’s even more of a hassle to make sure they are safe on mobile platforms!

One thing you can do about the iPhone is to use the built-in parental control. More than that, however, you can check out Safe Eyes Mobile, a web browser made specially for the iPhone. It gives you additional control on top of the parental controls that the iPhone has.

Forrest Collier, CEO of InternetSafety.com endorses this mobile web browser:

“Apple has gone a long way toward child-proofing the iPhone with the new parental controls in the iPhone 3.0 software, but those controls apply only to content that Apple itself distributes through iTunes and the App Store. They don’t address the #1 source of objectionable material: the Internet. If you combine Apple’s parental controls with a browser that blocks pornography and other offensive websites, however, you can completely protect your child from harmful content both online and off.”

At the end of the day, these are excellent tools but I believe that your parenting skills will still emerge as the most important factor.

Tags: internet-security, iphone, mobile web browser, Safe Eyes Mobile

Categories: Real-World Issues, Web browsers

Leave a Comment

I have become more active on Tweeter in the past months, mainly due to a self-imposed Facebook hiatus. I just found Facebook to be so tiresome and irritating (not just the platform but the people using it). I have had my Twitter account for many years now but I rarely use it. Now that I have been using it a lot, though, I realized that it is NOT exempt from spam.

What am I talking about?

Direct message spam. This is one of the most common things I get. I receive DMs from people I don’t know.

Retweets. I love how you can retweet messages on Twitter but sometimes, they just clutter up my timelines! What’s even worse is that I am not even interested in what some people retweet.

Tweets from those I follow. Yep, they can inundate my timeline as well.

The bottom line here is to KNOW who you follow and who follows you. Every single day, I get “follow” e-mails and many times, I have no idea who they are. Now I know better than to follow people I don’t really know. Once, I even got a “The Real Carrie Underwood is now following you” e-mail. Guess what? It wasn’t the real Carrie Underwood.

More so, disable the autofollow feature. This doesn’t make sense as you get all sorts of followers trying to fish for their own followers. Again, filter those you follow.

Another thing you can do is go to this link: http://twitter.com/spam. They have some practical and useful tips that can help you address Twitter spam issues.

Tags: social media, spam, Twitter

Categories: Tips

Leave a Comment

Early this week, Obama once again made a move that set certain circles a-buzzing. You might have heard of it already – he appointed a cybersecurity chief. President Obama picked Howard Schmidt, who already has a reputation for being good at what he does. He has vast experience both with the government and the IT industry.

This move is no less controversial than others. I guess it’s always like that when you’re a public figure. You can’t please everyone, and you’ll always have various opinions about what you do. According to Richard Waters of Financial Times, the news was welcomed by security experts. He writes:

The appointment of Howard Schmidt, an internet security veteran with experience in both industry and government, was greeted with relief among security experts, where the move was seen as a welcome outcome after a seven-month delay in filling the role.

Like other security industry experts, Mr Silva said that Mr Schmidt’s broad experience and personal contacts in both the public and private sectors would put him in a good position to make the most of the role.
The Computer and Communications Industry Association added that the new official will also be in a position to represent the administration’s position as momentum builds on Capitol Hill for legislation on cybersecurity.

Of course, there remains some skepticism as to just how effective the role will be. It’s not even the person that some are questioning – it is the office and the powers that are associated with it. What do you think?

Tags: Barack Obama, cybersecurity, Howard Schmidt, News

Categories: News, Real-World Issues

Leave a Comment

Windows 7 fans were rejoicing when Microsoft released a patch on Tuesday because their system was not affected in any way by the six security issues. The rejoicing was short-lived, however, as news has been released that there IS a bug that can crash a Windows 7 system. The bug has been named Zero-Day Exploit and was discovered by Laurent Gaffie.

PC World provides further details:

The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.

Tyler Reguly, Lead Security Research Engineer with nCircle, explains “Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type ‘\\\’ in the search box. ” The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2.

While the threat is very much real, experts say that the chances of the bug being exploited are quite low:

There are currently a couple different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn’t provide any unauthorized remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers is fairly slim.

So what are Windows 7 users supposed to do now? Currently, Microsoft has not yet released a patch to deal with the threat. I suppose the only sensible thing to do is to be more careful with regard to visiting web sites, especially if you are unsure of its legitimacy.

Photo courtesy of Megaleecher

Tags: bugs, Exploits, Operating Systems, Windows 7

Categories: Operating Systems

Leave a Comment

Viruses and malware issues are far from being a thing of the past. On the contrary, they seem to grow large by numbers as each day passes. Thus the works of security software companies have their work cut out for them. There is not definite date to which such threats and intrusions would wholly be resolved.

For the time being, it would be advisable for people to scan third party storage devices such as diskettes, USB drives and mobile storages to be safe and sound. These wandering viruses can attack at any time and this is a fact anywhere computer related materials are concerned.

Files can go as far as infecting the executable files, hence document, excel and compiled scripts are baits for immediate infection and malicious intrusions. Software applications also have their limits as their development teams cater only to a specific genre for known harmful files. But it is better to lower the risk of intrusion than not having protection at all.

[tags]scan, spyware, virus, infections, spyware, malware, trojans[/tags]

Tags: infections, Malware, scan, Spyware, trojans, virus

Categories: Backups, IT Security Basics, Malware, Network Security, Operating Systems, Programming, Real-World Issues, Security Policies, Spyware, Storage, Tips, Wireless Security

Comments Off