Tag Archives: security

Dropbox Security Breach

In the language of black hat hackers (bad hackers), being pwned means having your defenses breached or your data taken. The excellent online service haveibeenpwned.com tracks major security breaches around the world, and alerts users if their data has been pwned and released online.

The bad news for many of us is that in a July 2012 attack, Dropbox had account details for 68 million users stolen from their systems. This haul, which includes email addresses and passwords, has just recently become public, a fact I discovered when haveibeenpwned.com alerted me to the presence of my data within the data set. On the plus side, the passwords were hashed and salted, but half were only protected with SHA-1, which is not nearly as strong as the bcrypt protection on the other half: so many of those will now be cracked and become available in plain text.
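To make the SHA-1 versus bcrypt point concrete, here is an added example (my own illustration, not Dropbox's code) of what "hashed and salted" means and why the work factor matters. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, which is not in the standard library; like bcrypt it has a tunable cost, so each guess an attacker makes against a leaked hash costs thousands of hash calls instead of one. The credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for this demonstration (not real data).
SAMPLE_PASSWORD = "correct horse"
WRONG_PASSWORD = "wrong horse"


def hash_sha1_salted(password: str, salt: bytes) -> bytes:
    """Salted SHA-1: a single fast hash, like the weaker half of the leaked set."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_slow_kdf(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption: bcrypt itself is
    not in the standard library). Every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str, iterations: int = 100_000) -> dict:
    """Create a stored credential record with a fresh random per-user salt,
    so two users with the same password get different hashes."""
    salt = os.urandom(16)
    if scheme == "sha1":
        digest = hash_sha1_salted(password, salt)
    elif scheme == "pbkdf2":
        digest = hash_slow_kdf(password, salt, iterations)
    else:
        raise ValueError("unknown scheme: %s" % scheme)
    return {"scheme": scheme, "salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if record["scheme"] == "sha1":
        candidate = hash_sha1_salted(password, record["salt"])
    else:
        candidate = hash_slow_kdf(password, record["salt"], record["iterations"])
    return hmac.compare_digest(record["hash"], candidate)


def guess_cost_ratio(iterations: int = 100_000, sha1_rounds: int = 2000) -> float:
    """Measure how much more expensive one slow-KDF guess is than one SHA-1 guess.
    The exact figure is machine dependent; what matters is that it is large."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(sha1_rounds):
        hash_sha1_salted(WRONG_PASSWORD, salt)
    sha1_each = max((time.perf_counter() - start) / sha1_rounds, 1e-9)
    start = time.perf_counter()
    hash_slow_kdf(WRONG_PASSWORD, salt, iterations)
    slow_each = time.perf_counter() - start
    return slow_each / sha1_each


if __name__ == "__main__":
    for scheme in ("sha1", "pbkdf2"):
        rec = make_record(SAMPLE_PASSWORD, scheme)
        print(scheme, "correct:", verify(rec, SAMPLE_PASSWORD),
              "wrong:", verify(rec, WRONG_PASSWORD))
    print("one slow-KDF guess costs about %.0f SHA-1 guesses" % guess_cost_ratio())
```

Both schemes verify the right password and reject the wrong one; the difference is only visible to someone holding the leaked hashes, who can test guesses against the SHA-1 half tens of thousands of times faster than against the slow-KDF half.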

At this point, if you use Dropbox, and have been a user since before July 2012, I would suggest you reset your password.

If you used the same password from Dropbox on other sites, I would recommend you change those passwords too. Especially if you have used it for your primary email account, which hackers will target as a way to get to many of your other accounts.

Although this might seem alarming, please don’t panic. These things do happen from time to time, and as long as you respond appropriately, you can keep your data, identity and systems safe.

Remember, having strong, private passwords is all part of being a good digital citizen.

Please let me know if you have any questions.

Heartbleed: What You Need To Do

This week, tech news websites have been raising the alarm about Heartbleed (a massive Internet security scare), and the mainstream media are slowly catching up. With this media exposure, a lot of non-technical people are uncertain of the risks, and consequently have a lot of questions. Below is a quick summary of the threat, and some recommendations of what you should do.

Please note that I am not a security expert, but through my work in IT, I have developed a strong interest in security. It is something I take seriously, and spend a lot of time thinking about. However, this guide comes with no guarantee: use it at your own risk.

The Threat

In the beginning, all web traffic was unencrypted: this meant that information was sent across the Internet in plain text, readable by anyone on one of the Internet’s many backbone or ISP servers. In short, the Web had no security: if you sent a password, an email or a credit card number, there was a chance someone could read it. As commerce warmed to the Web, protection was added in the form of a technology called Secure Sockets Layer (SSL), which uses public key encryption to protect data in transit. If you visit a website whose address starts with https:// (instead of the normal http://), it means that SSL is in use, and your data is (in theory) protected.

Out of all of the different ways to use SSL, the most popular on the web is a library called OpenSSL, used on over half of all SSL-enabled Web servers on the Internet. For years it has proven to be stable, efficient and secure enough to literally power the world of electronic commerce. Heartbleed is a way of exploiting a weakness that appeared in OpenSSL two years ago, and seems to have gone unnoticed since. The nature of the attack (covered very well by Ars Technica and the New Yorker) allows a clever attacker to bleed small amounts of information from a server, using a flaw in the design of OpenSSL’s heartbeat mechanism (hence the name heart+bleed). The information the attacker gets is completely random, but it can include passwords, credit card information and anything else recently accessed on the server. A persistent hacker can repeatedly attack the same server, bleeding information until something interesting turns up. Like, for instance, your username and password.
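The flaw in the heartbeat mechanism comes down to one missing check, and the fix is that check. The following is an added simulation I wrote for this post, not OpenSSL's code: a heartbeat request carries a length field, the unpatched handler trusted that field and copied that many bytes back from memory, and the patched handler first compares the claimed length with the size of the record that actually arrived. The "memory" here is a constructed byte string with a made-up secret placed after the request, standing in for whatever happened to sit next to the request in the server's memory.

```python
import struct

# Constructed stand-in for data that happened to be in memory next to the
# heartbeat request (not real data).
SECRET_NEARBY = b"user=alice;password=hunter2;"

HEARTBEAT_REQUEST = 1


def build_request(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat record: 1-byte type, 2-byte big-endian payload length, payload.
    Nothing stops a sender from claiming a length larger than the payload."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload


def respond_unpatched(memory: bytes) -> bytes:
    """Trusts the length field: echoes `claimed` bytes starting at the payload,
    running past the real payload into whatever follows it in memory."""
    _msg_type, claimed = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed]


def respond_patched(memory: bytes, record_length: int):
    """The fix: if the claimed payload does not fit inside the record that was
    actually received, discard the request (return None) instead of replying."""
    _msg_type, claimed = struct.unpack("!BH", memory[:3])
    if 3 + claimed > record_length:
        return None
    return memory[3:3 + claimed]


def simulate(payload: bytes, claimed_length: int):
    """Run both handlers against the same request and return their replies."""
    request = build_request(payload, claimed_length)
    memory = request + SECRET_NEARBY
    return respond_unpatched(memory), respond_patched(memory, len(request))


if __name__ == "__main__":
    honest, honest_fixed = simulate(b"hello", 5)
    print("honest request  ->", honest, honest_fixed)
    over, over_fixed = simulate(b"hello", 40)
    print("oversized claim ->", over, over_fixed)
```

With an honest length both handlers echo `b"hello"`. With a claimed length of 40 the unpatched handler's reply contains the constructed secret that sat after the request, while the patched handler drops the request, which is exactly why the attack "leaves no trace" on vulnerable servers and why patching is the only remedy.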

Despite the flaw in OpenSSL existing for over two years, it seems to have gone unnoticed until recently, when researchers at Google and Codenomicon uncovered it and took swift action to have it patched, before going public with the information. At least, that is the best case scenario. Worst case is that other less scrupulous users have known about it, and have been exploiting it covertly for months. It leaves no trace, so we may never know.

The upshot is that thanks to some quick work on the part of many IT professionals, lots of servers are now protected against a Heartbleed attack. All the sites I have tested, including the majors (Google, Twitter, Facebook, Wikipedia) have been fixed, although it seems that an alarming number of servers are still vulnerable, presumably due to poor system administration.

What To Do

The first thing to do is stay rational, and understand that this attack may not be as bad as people are making out (the media live for sensation, remember). It is possible it was not discovered before Google, and the rapid response worldwide has nullified much of the threat. With that said, if you value your privacy, identity and money, then it is worth taking precautions nonetheless. Do keep in mind that any service you have used in the past two years might have been open to this attack, and you won’t know unless you do some work testing them out. With this said, I would recommend you do the following:

  1. Make a list of all the sites you use, from the most sensitive (email, bank) down to the least (lesser used services lacking important data).
  2. Test each of the sites on your list that you feel has some sensitive data, or that shares a password with a site with some sensitive data. There are quite a few tests available online, but this one seems to work well (as far as I can tell) and is very easy to use. Simply enter the site you want to test in the large text box, and hit the Go! button (screenshot).
  3. If a site passes the test (screenshot) it means the bug has been patched, or OpenSSL is not in use. This means it is safe to change your password, and even though the site may not have been compromised, you should. Log in and choose a secure, new password (in theory this means preferably 8 characters, hard to guess, not used on other sites, but see notes below). If your account was compromised before the attack, it is now safe.
  4. If the site fails the test, it means that it is still vulnerable, and changing your password may, ironically, cause your account to be compromised. If you use the same password elsewhere, this could be bad news. For such sites, contact the site’s support team and share the results of the test with them. Ask why they have not patched their server yet. Once patched, change your password.
  5. If you run a site that uses HTTPS, you will want to update your cryptographic keys and certificates as soon as possible, as these might have been compromised, meaning any communications going forward may be at risk of interception.

Of course, if one of your accounts was compromised, data might have been taken from within it, and changing your password will not get that data back. If you have lost credit card details through this, your bank should refund the money as it has not been lost through your negligence.

Two Notes On Passwords

  1. We all have a lot of passwords. We know they should all be different and complex and long, but few of us have the time, interest or energy for this. My recommendation is to have three levels of password: one that you use only for the most important sites (email, banking), one you use for sites you use a lot (Facebook, Twitter) and finally a throw away password for sites you don’t value. Each password should be 4 random words stuck together, to make it very long, with some numbers and punctuation thrown in to make it stronger (e.g. goatManicure72!FenceBanana). This should give you good protection in case of an attack. It will be easier to remember than a more random password, and very hard to crack. Please don’t use the example given above: it is no longer secure!
  2. Your email is the center of your online existence, and deserves the highest level of security. If someone can get into your email, they can reset all your other accounts, which you registered under the same address. Accordingly, I use 2-factor authentication on my Gmail accounts (personal and work). This requires me to receive and enter an SMS code any time I use my Google account on a new computer. A bit of a hassle, yes, but more than worth it when something like Heartbleed breaks out. Even if someone knows my password, without my phone they cannot use it.

Final Thoughts

This week has been a reminder that the Internet is an amazingly fragile resource which we all share and rely on. Hopefully lessons will be learned and applied by companies, coders and individuals in the wake of this extreme event.

2 Minute Warning

Earlier this year I asked my Year 8 students to record a 2 minute warning to their parents, aiming to highlight risks which they might face online. This piece of work followed several smaller tasks (such as Me vs Me), and lots of discussions, regarding digital citizenship, what being online means and how we can stay safe. Of all the excellent pieces submitted, I was most taken by the work of Chloe, who I believe managed to convey a lot of meaning in an easy to understand message:

Chloe runs a nice blog where she posts some of her other work, if you are interested in taking a look.

Java Security Threat

Numerous government and news organisations are raising the alarm on the latest Java 7 security threat. Potentially affecting all platforms, the exploit is already being used “massively in the wild” to allow the installation of malicious software on the computers of unsuspecting users. In short, users running Java with a web browser plugin enabled run the risk of being infected by certain compromised websites. At present there is no fix available for this issue, and no news from Oracle as to when one might be available. Apparently, Apple have released an update to stop Mac OS X systems from using Java until a fix is released.

To keep yourself safe, do the following:

  • Test to see if you have Java installed (instructions).
  • Remove Java from your computer (Windows, Mac).
  • If you really must run Java outside of your browser (for example, in using a desktop app), disable it in your browser (instructions).
  • Run some anti-malware software to check for malicious software installed on your computer (e.g. Avast for Mac, Sophos for Mac both free)


Firefox Addons for Web Designers & Developers

Mozilla Firefox is a free, open source web browser which aims to provide a simple, light and fast way to browse the web. It is one of the main driving forces in the web today, and the competition it provides is one of the reasons that Microsoft’s Internet Explorer has seen so much development in the last 3 years (it is scrambling to become relevant again).

In an effort to avoid the bloating that affects many mature software products, Firefox ships with a relatively minimal feature set, including some of the best features that most people require from a browser (such as tabs, smart addressing etc). However, to ensure that Firefox can meet the needs of all users, there is a huge selection of additional functionality, available as optional addons. The purpose of these plugins ranges from the sublime to the ridiculous, and there are literally thousands to choose from. As an indicator of their popularity, the Firefox website shows that there are currently more than 127 million addons being used around the world! The list below shows some of my favourites, most of which are related to website design and development:

  • Firebug provides a sophisticated environment for analysing and debugging websites. Of particular use is the feature which allows users to see the effects of CSS code visually, making the process of turning an idea into reality that much easier.
  • Wappalyzer shows which technologies (such as Drupal, Google Analytics, jQuery, etc) are used in the website you are currently viewing. This is very useful if you are curious as to how a particular website is put together, and to gauge the popularity of various technologies.
  • ColorZilla provides a color picker, allowing you to grab the RGB code of any colour you happen to see on the web.
  • Firesizer allows users to make their Firefox window a particular size. I mostly use this when creating training videos, to ensure that the Firefox window matches the size of my video container.
  • FoxyProxy extends Firefox’s built in proxy settings, allowing a user to store multiple proxy settings and quickly switch between them. I made extensive use of this whilst working on my laptop in government schools in New South Wales, as it allowed me to quickly switch between work and home settings.
  • Delicious Bookmarks: I am a massive Delicious fan: in fact, most of the articles on this site begin life as Delicious bookmarks. This addon allows you to quickly create and manage Delicious bookmarks from within your browser. In the development process I often bookmark sites that I find interesting and inspiring, and Delicious provides a great way to store, index and retrieve these.
  • Download Statusbar: one of my few gripes with Firefox is its download window, which always pops up and gets in the way of the site I am using. This addon replaces the window with a discreet bar, making browsing flow that little bit better. This addon also ensures that you can keep an eye on your downloads and continue browsing at the same time: great when downloading lots of fonts, images and software during the development process.
  • Flagfox is very simple: it displays, in flag form, the country in which the current web page is hosted. I find this interesting for its own sake, but it is also useful for security and localisation issues.

Hivelogic – The Enkoder

http://hivelogic.com/enkoder

Spam bots crawl the web looking for email addresses which they can harvest for their evil overlords. This means that posting your email address online can lead directly to an increase in the amount of spam you receive. The Enkoder helps protect email addresses by encoding them with JavaScript, effectively hiding them from spam bots but allowing them to be read by humans.

Home & Internet Security

The last decade has seen the Internet morph from a little-known academic and military communications network into a world-wide phenomenon. For many people around the world the Internet has become an indispensable tool, deeply integrated into everyday habits of life and work. The advent of home broadband Internet access has furthered this trend greatly.

However, having a worldwide communications network running into your home or office also has its disadvantages, the biggest of which is security. Very few Internet users realise how exposed the Internet’s open communications protocols leave them to people with malicious intent.

The aim of this article is to introduce you to 4 of the biggest threats on the Internet today, and to give you an idea of how to protect yourself.

Risks & Solutions

1. Exposed Ports
Network-enabled computers maintain many open ports, which listen for and allow network connections with other computers. Open ports can be detected by malicious Internet users (and software) and used to attempt entry into a computer system.

Solution: Use a Firewall (such as Windows Internet Firewall or Norton Personal Firewall) to hide unused ports, reducing the risk that your computer will be discovered and attacked by online “port scanners”.

2. Viruses
Viruses come in many shapes and sizes, but can be generally defined as “software capable of reproducing itself and usually capable of causing harm to files or other programs on the same computer”.

Traditionally, viruses were unable to spread without human assistance (such as on a floppy disk), but the Internet has led to a new generation of viruses, known as worms, which are self-propagating, and so can spread extremely swiftly.

Solution: Invest in Anti-Virus software (such as Norton Anti-Virus or Trend Micro PC-cillin) which can protect you from viruses as they emerge into the Internet. Ensure you keep your Virus Definitions files up-to-date.

3. Spyware/Greyware/Malware
Much of the “free” software available on the Internet has a hidden cost: it secretly tracks your computing actions and reports them back to a central computer. This ranges from the invasive (tracking websites you visit for marketing purposes) to the illegal (stealing credit card numbers from your keyboard as you type them in and then using those numbers to make purchases).

Other annoying features include pop-up ads, disabling of anti-virus software and reduced computer performance due to misappropriation of system resources.

Solution: Install an Anti-Spyware product (such as Spybot Search & Destroy or Lavasoft Adaware) and update it and run it regularly. Be careful of which Anti-Spyware products you install, as there are many examples of Spyware being disguised as Anti-Spyware. Spybot S&D and Adaware are tried and tested solutions.

4. Improper Internet Usage
In many cases Internet users expedite their own online demise through ignorance. If you are aware of the threats that are out there, then you can behave in ways that protect rather than expose you.

Solution: Exercise caution when using the Internet. Do not install software unless you know it is trustworthy. Be cautious when opening email attachments. Remember that email is about as secure as a postcard. Watch out for “cyber predators” when using chat and instant messaging software. Be wary of online scams.

Conclusion

In conclusion, it is safe to say that the Internet is like most good tools: it is great when used sensibly and with caution. Used in any other way it can prove to be dangerous and ultimately painful.

It is also worth noting that whilst securing your system is essential, it is impossible to achieve 100% protection. In order to cover yourself against the chance that things do go wrong, it is also important to make regular backups of your system and your data.

Useful Links

Norton Personal Firewall
Norton Anti-Virus
Trend Micro PC-cillin
Spybot Search & Destroy
Lavasoft Adaware