IT Security Blog

Complacency – the IY industry’s Worst Enemy

By

complacency.jpgThis has been proven true by incidents broadcast around the world in minutes or hours after they have happened. Many have suffered the consequences of such incidents in the UK, US and mostly each and every place on earth where people have had their information taken and used for no good before there was even a sign that there was a problem.

Big business has been reminded again and again that complacency is it’s worst enemy and they have failed again and again at the area. Why? Well first, total protection is almost always imperfect and somebody out there with enough intent and resources can break-in however expensive the protection methods may be. Next is that the best systems for protection is always the ones that cost too much yet they still remain vulnerable and hackable. Contrary to most ad’s you see in print, the internet or your Television there is no one true solution to protection, for if the hardware and software measures succeed in protecting you, the human behind the computer/s are always the biggest risk. That is why even the most expensive solutions are used in conjunction with other solutions to provide the best of both worlds combining physical and software solutions hoping that combination will be enough protection from the continuous influx of attacks from the web and elsewhere. Encryption is nice but it takes a lot of computing power to implement making it too expensive for implementation on all levels of the company. All of these high-tech solutions and hardware would be nothing if the people using the various computer systems in the said organization fail to use them so the weakest link in every system is still the human. Strict adherence and compliance is the key with systems that process information somewhat autonomously already in use doing the searching and classification of information without the user’s input. This uses the latest in Artificial Intelligence with minimal intervention or input from the users.

Wireless Security Tips

By

Wireless networks are becoming increasingly common these days, ranging from home use to businesses. Increased mobility within the network’s range and the reduced cost of installing a LAN without cabling are but some of the advantages you can get when using Wi-fi. It’s major disadvantage lies in the higher security risks of unscrupulous users hacking into your personal data and gaining access to the Internet to your network. Here are a few precautions you could take to ensure your network security:a laptop

Change the default administrator passwords. Default administrator passwords to network devices are easily available online and well-known to hackers. Most routers allow you to change this easily.

Turn on data encryption. This allows you to scramble the messages and data sent through the network. Most devices come from the manufacturers with this option turned off, so users have to activate this. Also note that all Wi-fi devices in your network must share the same data encryption settings to work together.

Disable SSID broadcast or change the default SSIDs. SSID is short for service set identifier, and is attached to the header of all packets in a wireless network. It also uniquely identifies your network. This is broadcast at regular intervals, and hackers can use this to identify vulnerable networks. Also, change your SSID from the default, and refrain from using IDs that can reveal who owns your router and where it’s located.

Restrict the computers that can access your network. You can do this by filtering the MAC (Media Access Control) addresses to those of the devices in your network.

Install antivirus software and firewalls. This might seem obvious, but after the initial install most users forget to update their virus definitions. Computers on a wireless network needs the same protection as other computers.

Fuzzing: What Is It?

By

A computer (credit: http://www.flickr.com/photos/amagill/

Fuzz testing may sound like a term far removed from the IT world, but fuzzing is a good way of discovering weaknesses in a network, application or server before others do. Fuzzing involves bombarding a program with randomly generated data to see if it’ll withstand the overload. If it fails, either by crashing or not executing a specific code, then there’s a defect you need to find and correct. Hackers can use fuzzing to find what bugs exist in an application, for example, a web browser, and then create specific code to exploit the application’s weaknesses. But if these bugs are discovered before they can be exploited then a way can be found to fix these exploitable bugs.

Testers can use fuzz testing to find out if the current software being used have easily exploitable vulnerabilities. It is probably the closest approximate to a real-world situation when data coming into a system or application doesn’t always follow validation rules. While fuzzing, testers keep a record of all the data they create, so it’s easy can keep track of what specifically caused any errors. It’s also relatively cheap to perform fuzz testing, and it can be used to compare the security of different programs and operating systems. Open source fuzzing tools and tests for different applications and systems are now available online. Though fuzzing doesn’t guarantee to find every error-producing event and bug that can occur on your system, it does give an idea of where intruders might try to attack. Errors like buffer overruns and attacks on cross-site scripting can be prevented by fuzz testing.

[tags]fuzzing,bugs,buffers,phishing,pharming,software,errors,intruders[/tags]

Managing Your Passwords

By

passwordmanagerscreen.jpgAre you like me who has the bad habit of forgetting the passwords to your online accounts? Except for sites I frequently visit, like those for web-based services, I can’t keep track and lose passwords all the time. There’s no true solution to this problem. I’ve tried using the same passwords for multiple accounts, but that’s pretty dangerous – if one of your accounts gets hacked, they can guess what sites you frequent and gain access to your data. Writing it down can be downright dangerous – it’s even easier to lose paper and notebooks during your daily routine. It also boils down to an issue of trust with the people you live and work with.

The situation’s pretty dire if a relative passes away and all his contacts are in an online address book. The was the the case of William Talcott, a San Francisco poet who passed away in June and basically took his password to the grave. His daughter was unable to contact his friends, and though the web provider will grant them access after a court order, it will take months of legal haggling in court, causing needless emotional pain for his descendants

The solution? A password manager that keeps track of your passwords. Some users make their own with their database and password locking it, but these makeshift databases aren’t encrypted and they’re quite easy to crack. There are commercial and open source password managers available for download online. All you need to do is add the website, your account name and password, select one password to lock your data, and then it will keep track of your passwords for you. They offer different features, which can include password generators, autoform filling, and different levels of encryptions. Some sites, like those of banks and other e-commerce activities, don’t allow autoform filling for security reasons. Though most of these are currently made for Windows, there are also versions for other operating systems. A word of warning though: if you forgot your password to your password manager and it doesn’t have a retrieve password option, you can’t access your database. So make sure to remember your database password!

[tags]passwords,e-commerce,operating systems,online security,phishing[/tags]

Your computer and iptables

By

If you are using Linux and you have been wondering what you can use to make your system secure via a firewall, you could try out tools with graphical user interface and all those other stuff. In any case, there’s also another method: using iptables.

What are iptables?

iptables are used by system administrators in creating rules for packet filtering, as well as NAT modules. It might seem a little too weird for those who have not much experience on the command line but this is essential so that people would be able to make sure that they are secure, especially if they are connected. Sometimes you never know what’s going on in the background, right? But with tools like this, you’d manage.

There are different states of connection and the nice thing about iptables is that it monitors the state of the connection. It could do redirects and modify or stop data packets. Because of its ability to detect the state of the connection, it is considered as better compared to ipchains.

Making rules

The system administrator makes the rules for the iptables. These rules determine how to deal with network packets. They are grouped into chains.

a. filter table – For filtering packets, obviously.
b. nat table – This sets up how rewriting ports and packets.
c. mangle table – Does it sound terrible? Mangle? But as the name implies, there is some mangling involved because it adjusts packet options.

The thing about these chains, these rules is that the packets that go through these chains would be evaluated according to the rules.

As one of the people I know have told me, you must make sure that you check out the settings of your computer first. Before you even think about downloading anything, make sure you are not vulnerable to some attacks that could happen. Make sure that the important ports are closed and that you’re in stealth. Stay tuned for more IT security tips and news to help you in your everyday life.

You and your passwords

By

password

There are different ways of creating passwords for your computer and online accounts. It seems like these days, the usual six characters as length of passwords is not enough. There are sites that when you sign up and you give your desired password, they will let you know whether or not your password is strong. Most of the sites that have it even point out that it is better to have characters that are more than six characters long. For another, they usually recommend that you have numbers and letters in your password. Mixing up uppercase characters along with it is also recommended. Sounds tough, right? Because the the passwords would seem random or something like it.

Here are some tips from different people so that you could have more secure passwords that you could easily remember:
1. Use two words with six characters each.
If you have two words, you have a twelve character long password. But here’s the clincher. You have to make some funky code that you would be replacing some of the letters with numbers. So it could be that every two letter you could replace the letters with numbers that have some signifance or maybe some random numbers.
There are people would use the names of their pets and something else that is totally random and those are combined by mixing the letters, alternating each letter.
2. Use some other language and make a phrase. Then turn it into leet speak.
It is similar to the first suggestion. However this takes it a step further because it will involve other countries’ languages. It is as if you are writing code indeed.
3. Have around three sets of passwords.
Rotate among these three passwords that you have. And change your passwords every so often. At least this makes it more difficult for others to find you your passwords.