Week 8
Well, a few weeks ago, I spoke on Microsoft ending all security updates for Microsoft XP. A few days ago, the Internet was a-buzz speaking about Internet Explorer (IE) and the new vulnerability that was found. Trust me when I say this, This is NOT good news for the users that still use XP. Due to Microsoft ending support, when the bug is fixed in IE, the users still using XP will not get that update. If they continue to use both XP and IE together, they are keeping themselves open for a serious security risk.
The major information about this bug is that it allows hackers to run code on your computer to allow them to get into your computer and gain admin privileges over it. They can pretty much do anything on your computer after that. They can even create a Web page to mimic one that you normally go to so that they can get information about you such as your user ID's and passwords. The main IE versions that are affected are 9, 10 and 11. This still affects, from estimates, 300 million users. That is an astounding number. Do they really feel that there are that many users of IE out there? To be honest, most the people I know use either Chrome or FireFox. Either way, there is no doubt in my mind that there are millions out there that are still using it and those are probably the XP users as well.
What can you do about it? Well, if you still have XP, upgrade to Windows 7 or 8 and install another browser on your machine. Chrome and FireFox are the two most popular browsers available, in my opinion. I, though, use a combination of three; the two mentioned before and Torch. This is a browser built off the Chrome source code and great for any social networking freak. Anyway, back to what you can do. If you currently have IE, and have a newer version of a Windows Operating System, install a new browser and uninstall IE. I honestly don't trust it and don't have it on my machine. Haven't used the browser in several years.
If you have XP, I again stress that it is time to upgrade your system. I know that costs money but it will cost a lot less than having to get your identity back after someone steals it after hacking into your machine. If you cannot upgrade to a new OS, again, install another browser and get rid of IE. Here are some recommended OS's from me:
Google Chrome - https://www.google.com/intl/en/chrome/browser/
Torch - http://www.torchbrowser.com/
FireFox - http://www.mozilla.org/en-US/firefox/new/
Opera - http://www.opera.com/computer
Sources for Blog:
https://news.yahoo.com/video/internet-explorer-security-flaw-poses-192303274.html;_ylt=A86.J3c1jWFTiScA7PIPxQt.;_ylu=X3oDMTBscmM0aHNtBHNlYwNjZC10aHVtYgRzbGsDc25vYg--
http://gizmodo.com/new-vulnerability-found-in-every-single-version-of-inte-1568383903?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
Wednesday, April 30, 2014
Tuesday, April 22, 2014
Verizon's Annual Data Breach Report
Week 7
Tomorrow, we will see the release of the annual report from Verizon that compiles and analyzes security incidents that happened over the year. This year it will be a 60 page document that discusses the main security concerns. This year, Verizon is reporting that 94% of all security related incidents in 2013 can be traced to 9 specific categories. Oh, did I mention that there were more than 63,000 security incidents last year alone! That means that over 59,000 of those incidents came from one of nine categories. This should tell you that we need to concentrate on specific areas to help secure our data. Throughout the rest of this blog, I'm going to go over these 9 threats.
Tomorrow, we will see the release of the annual report from Verizon that compiles and analyzes security incidents that happened over the year. This year it will be a 60 page document that discusses the main security concerns. This year, Verizon is reporting that 94% of all security related incidents in 2013 can be traced to 9 specific categories. Oh, did I mention that there were more than 63,000 security incidents last year alone! That means that over 59,000 of those incidents came from one of nine categories. This should tell you that we need to concentrate on specific areas to help secure our data. Throughout the rest of this blog, I'm going to go over these 9 threats.
- Web App Attacks - This attack is made through, you guessed it, your apps that you use on a daily basis. This is the most common type of breach according to the report coming out. You find an app that you think sounds great and you download it. Not all apps are safe. Some make it through app inspection and have viruses attached to them. You download, click and now you have a virus. Also, you are sometimes required to put in personal information to download the app. A few guesses at your security questions and the hacker is in. Please watch what you download. Apps are scarier than you may think.
- Cyberespionage - Pretty much, hackers are gaining unauthorized access to systems and then hanging around and getting personal information and stealing data. Keep software and security software up to date. This should stop most of the hackers from getting into your system.
- Point-of-sale intrusions - This is when a hacker gains access to a company's point-of-sale data. These are the systems that take the payment transactions that occur through a card transaction and submit those payments to the company. This is what happened with the Target incident this past year. Hackers gained access to the point-of-sale transactions and was able to steal millions of users data. Watch where you swipe that card. In times that there are going to be millions of people making transactions with cards in a short amount of time, for example Black Friday, I would suggest to use cash or checks during that time. Checks still have to go through a system process but it's not as unsafe as swiping that card.
- Payment Card Skimmers - This is when a hacker plants a device on a card scanner. This can be planted at a gas pump, ATM or even in Restaurants, but the later is harder to do because they could be seen planting it. Anyway, these can sit undetected and take data such as card numbers and your PIN. Watch where you swipe that card.
- Insider Misuse - This is simply put that someone on the inside (an employee) caused some sort of security issue to happen. They could have allowed the wrong person into the building, gave information out to the wrong person over the phone or they could have used the systems within in the wrong way.
- Crimeware - This is like cyberespionage but deals with more illicit activities like stealing banking or financial information. This can be done by creating fake webpages to make the user think they are on their banking site. Keep your browsers up to date and anti-virus software and firewalls up to date as well.
- Miscellaneous Errors - These are common errors that occur that open up a security concern. Nothing to do about this section other than to watch what you do when completing your job.
- Physical Theft/Loss - Of course, this is just theft and loss of equipment. Make sure you have proper physical security and insurance to help combat these losses. You don't want to lose all your computers and find out that you cannot replace them with insurance money.
- Distributed Denial-of-Service Attacks (DDoS) - Ah, the DDoS! One of the most common tools of a hacker. These attacks are a flood of attacks from multiple machines. The flood of information from the machines essentially makes the victim computer shut down and cause a denial of service and systems to the users that need that machine. For instance, several hackers can start to send requests to access a Web Server. That server gets too many of those and it shuts down. The users that really need that server cannot access it anymore, thus a DDoS has occurred. Keeping software and security software up to date can help but cannot help stop it from occurring if there are too many attacking. Software like Wireshark can help determine if there are multiple users trying to access a specific device, which can allow you to get ready and do something about the attack, but Wireshark will not help stop the attack all together.
The main point in this is, watch what you download, keep software up to date, make sure that you have proper anti-virus installed and a firewall defending your computer, and keep passwords and personal data to yourself. The Internet is a dangerous place. You are the person in charge of your security. Don't get mad when you are hacked but yet have no defense on your computer.
Get an early look at the report here - http://www.verizonenterprise.com/DBIR/2014/insider/?utm_source=earlyaccess&utm_medium=redirect&utm_campaign=DBIR
Reference:
Lev-Ram, M. (2014). New cyber-threats that go bump in the night. Retrieved April 22, 2014 from http://tech.fortune.cnn.com/2014/04/22/new-cyber-threats-that-go-bump-in-the-night/?section=magazines_fortune
Sunday, April 20, 2014
Heartbleed!
Week 6
I know I'm a bit late in discussing this topic, but I feel the need to blog about it so that my normal readers get a chance to hear from me on my feelings about it.
First off, let's start at the source, OpenSSL. This is a free and open project that collaborates to develop and implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with a general cryptography library. This is opened and managed by a community of volunteers that communicate through the Internet (The OpenSSL Project, 2014). In layman terms, the two communication protocols that help people communicate across a network (SSL & TLS) are used to create an open source security library (everyone can use this code and do what they want with it to an extent). This library helps encrypt data while communicating on the Internet.
The downside with this project is that it had flaws to begin with. Supposedly, hackers have been using these flaws against the project and been able to hack into Web sites vulnerable with the OpenSSL project. Hackers can take those flaws, find out where users have been on the Internet, create fake Web sites, and then the next time the user goes to that Web site, they actually access the fake site that the hacker created for them. This then allows the hacker to gain information such as User IDs and passwords (Fung, 2014). This is honestly scarier than it sounds. If you haven't taken steps to combat this bug, you are very vulnerable to it.
People have been navigating the Internet for years under the assumption that they were safe on sites. This, as we know now, has not been the case. Many popular Web sites are vulnerable to the Heartbleed bug, and chances are, you use them even today. Sites such as: Yahoo, Facebook, Dropbox, Tumblr, Pinterest, Netflix, Amazon, Paypal, Adobe and many more were vulnerable to begin with. Many have added security patches to help keep this bug from being used against its users but many have yet to do so.
There is a great tool out there that will help you determine if the site you use is safe from the Heartbleed bug. You can go to https://filippo.io/Heartbleed/ and type in the Web page of the site you wish to check. It will link itself with that page and run a scan on it. It will then give you a message. Make sure you read that message. Not getting a green message doesn't necessarily mean that it is a bad site.
My suggestion is that if the site gives you a green light, go to that site and change your password. I also recommend that you get into a habit of changing your password once every 2 to 3 months. Yes, that does get tedious but it will save you in the long run. Also, use passwords that are not easy to guess. Suggestion, use at least 1 capital letter, 1 lowercase letter, 1 number and 1 symbol within your password (that is if the site allows the 1 symbol, some do not). The more advanced you make your password, the safer you are.
A good site to use when testing your password strength is https://howsecureismypassword.net/. You can go here, type your password in and it will tell you how long it will take a computer to crack your password. It's not 100% accurate but it at least gives you an idea of how hard it is to crack your password. Don't worry, this site does not save a password. It doesn't even know where you will be typing this password nor does it know the user IDs associated with the password. You are safe on this site, and the filippo site I provided earlier that checks for Heartbleed vulnerabilities also says it is safe. Good luck in your quest to better secure your accounts.
References:
Fung, B. (2014). Heartbleed is about to get worse, and it will slow the Internet to a crawl. Retrieved April 20, 2014 from http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/
The OpenSSL Project. (2014). Welcome to the OpenSSL Project. Retrieved April 20, 2014 from http://www.openssl.org/
I know I'm a bit late in discussing this topic, but I feel the need to blog about it so that my normal readers get a chance to hear from me on my feelings about it.
First off, let's start at the source, OpenSSL. This is a free and open project that collaborates to develop and implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with a general cryptography library. This is opened and managed by a community of volunteers that communicate through the Internet (The OpenSSL Project, 2014). In layman terms, the two communication protocols that help people communicate across a network (SSL & TLS) are used to create an open source security library (everyone can use this code and do what they want with it to an extent). This library helps encrypt data while communicating on the Internet.
The downside with this project is that it had flaws to begin with. Supposedly, hackers have been using these flaws against the project and been able to hack into Web sites vulnerable with the OpenSSL project. Hackers can take those flaws, find out where users have been on the Internet, create fake Web sites, and then the next time the user goes to that Web site, they actually access the fake site that the hacker created for them. This then allows the hacker to gain information such as User IDs and passwords (Fung, 2014). This is honestly scarier than it sounds. If you haven't taken steps to combat this bug, you are very vulnerable to it.
People have been navigating the Internet for years under the assumption that they were safe on sites. This, as we know now, has not been the case. Many popular Web sites are vulnerable to the Heartbleed bug, and chances are, you use them even today. Sites such as: Yahoo, Facebook, Dropbox, Tumblr, Pinterest, Netflix, Amazon, Paypal, Adobe and many more were vulnerable to begin with. Many have added security patches to help keep this bug from being used against its users but many have yet to do so.
There is a great tool out there that will help you determine if the site you use is safe from the Heartbleed bug. You can go to https://filippo.io/Heartbleed/ and type in the Web page of the site you wish to check. It will link itself with that page and run a scan on it. It will then give you a message. Make sure you read that message. Not getting a green message doesn't necessarily mean that it is a bad site.
My suggestion is that if the site gives you a green light, go to that site and change your password. I also recommend that you get into a habit of changing your password once every 2 to 3 months. Yes, that does get tedious but it will save you in the long run. Also, use passwords that are not easy to guess. Suggestion, use at least 1 capital letter, 1 lowercase letter, 1 number and 1 symbol within your password (that is if the site allows the 1 symbol, some do not). The more advanced you make your password, the safer you are.
A good site to use when testing your password strength is https://howsecureismypassword.net/. You can go here, type your password in and it will tell you how long it will take a computer to crack your password. It's not 100% accurate but it at least gives you an idea of how hard it is to crack your password. Don't worry, this site does not save a password. It doesn't even know where you will be typing this password nor does it know the user IDs associated with the password. You are safe on this site, and the filippo site I provided earlier that checks for Heartbleed vulnerabilities also says it is safe. Good luck in your quest to better secure your accounts.
References:
Fung, B. (2014). Heartbleed is about to get worse, and it will slow the Internet to a crawl. Retrieved April 20, 2014 from http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/
The OpenSSL Project. (2014). Welcome to the OpenSSL Project. Retrieved April 20, 2014 from http://www.openssl.org/
Wednesday, April 9, 2014
The Death of Windows XP and What It Means to the Internet's Security!
Week 5
Yesterday, we all witnessed the death of probably the best Windows Operating System. Windows XP was introduced in 2001 and served most of us until the release of Windows 7. The crazy thing is, there are still close to 30% of computer owners who have XP still installed as their main OS. Who blames them though? That OS was one of a kind; flawless, dependable and secure. Now, when the patches come out next month from Microsoft, they will not be including XP. This means that for the first time in 13 years, the XP OS will not be updated or upgraded if needed. Security on that OS is now an issue. *Que intense music*
What surprises me is that even today, 30% of computer owners have XP as their main system. I don't blame them because it was a great OS. There is the word, "was". People need to understand that the Internet is changing and the source code for XP is not what it should be to defend against today's security threats. Now, with no support coming from Microsoft, security holes will be found and exploited and will not be fixed. Hackers will be able to use those holes to gain entrance into systems.
The dropping of the OS actually was announced months back to allow for people to go out and upgrade their systems prior to the cut. Why did so many people and companies decide to drag their feet? No one can answer that but them. Now, companies that have XP as their OS are having to quickly find a way to migrate and upgrade their systems. Companies need to understand the importance of upgrading. If they do not, they will find themselves in hot water before too long. Their data is at risk of being stolen. IT security should be the utmost importance to them.
I found an article that discussed how the dropping of XP will help make the whole Internet safer. The article couldn't be more right. Now you wonder, how could that be if only 30% of users have XP? The thing you have to realize is that those XP systems are touching other systems. We are all connected via the Internet. An XP system sending something to a Windows 7 machine makes that Windows 7 machine vulnerable because it is now exchanging packets with the XP system. Those packets, if sniffed out and hijacked would make both systems vulnerable to the attack. This is why it is so important to get upgraded to a newer OS, preferably Windows 7 and above and not Vista! That is my own opinion, but I think many will share the same feelings toward Vista that I do.
So, in closing, get rid of XP! Upgrade soon! Don't wait until your system has been compromised! It will end up saving not only you but the rest of the Internet.
Links to sites where I got some of my information for this blog:
http://www.informationweek.com/software/operating-systems/windows-xp-diehards-face-the-music/d/d-id/1204247
http://mashable.com/2014/04/09/windows-xp-security/?utm_campaign=Mash-Prod-RSS-Feedburner-All-Partial&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=rss
Yesterday, we all witnessed the death of probably the best Windows Operating System. Windows XP was introduced in 2001 and served most of us until the release of Windows 7. The crazy thing is, there are still close to 30% of computer owners who have XP still installed as their main OS. Who blames them though? That OS was one of a kind; flawless, dependable and secure. Now, when the patches come out next month from Microsoft, they will not be including XP. This means that for the first time in 13 years, the XP OS will not be updated or upgraded if needed. Security on that OS is now an issue. *Que intense music*
What surprises me is that even today, 30% of computer owners have XP as their main system. I don't blame them because it was a great OS. There is the word, "was". People need to understand that the Internet is changing and the source code for XP is not what it should be to defend against today's security threats. Now, with no support coming from Microsoft, security holes will be found and exploited and will not be fixed. Hackers will be able to use those holes to gain entrance into systems.
The dropping of the OS actually was announced months back to allow for people to go out and upgrade their systems prior to the cut. Why did so many people and companies decide to drag their feet? No one can answer that but them. Now, companies that have XP as their OS are having to quickly find a way to migrate and upgrade their systems. Companies need to understand the importance of upgrading. If they do not, they will find themselves in hot water before too long. Their data is at risk of being stolen. IT security should be the utmost importance to them.
I found an article that discussed how the dropping of XP will help make the whole Internet safer. The article couldn't be more right. Now you wonder, how could that be if only 30% of users have XP? The thing you have to realize is that those XP systems are touching other systems. We are all connected via the Internet. An XP system sending something to a Windows 7 machine makes that Windows 7 machine vulnerable because it is now exchanging packets with the XP system. Those packets, if sniffed out and hijacked would make both systems vulnerable to the attack. This is why it is so important to get upgraded to a newer OS, preferably Windows 7 and above and not Vista! That is my own opinion, but I think many will share the same feelings toward Vista that I do.
So, in closing, get rid of XP! Upgrade soon! Don't wait until your system has been compromised! It will end up saving not only you but the rest of the Internet.
Links to sites where I got some of my information for this blog:
http://www.informationweek.com/software/operating-systems/windows-xp-diehards-face-the-music/d/d-id/1204247
http://mashable.com/2014/04/09/windows-xp-security/?utm_campaign=Mash-Prod-RSS-Feedburner-All-Partial&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_medium=feed&utm_source=rss
Saturday, April 5, 2014
Cybergeddon!
Week 4
I had the privilege a little over a year ago to watch the series Cybergeddon, now on DVD as a move. I was absolutely in love with it so bought it when it came out on DVD and watched it just the other night, again. The plot of the movie is about a Cyber FBI agent that is being framed for unleashing a virus on a water plant, that ends up getting unleashed on the entire Internet. The "bad guy" uses bots to unleash the virus across the Internet thus ending up taking control of 1 billion devices. With a click of a button, the infrastructure of the U.S. will come crashing down. It makes you ponder if this can actually happen.
The thing you have to realize is how fake the movie actually is. Just with a few clicks here and a few clicks there and some typing here and typing there, the "bad guy" is able to defend against the "good guys" network shut downs and buffer overflows and also hack into seriously secured networks. It takes much more than a few words and clicks to hack into systems as it is portrayed in the movie. You have to realize, while watching the movie, that for suspense reasons and the time it actually takes to get into systems, things are cut. That is the case with this movie. It also shows how the "bad guy" supposedly gets into the Cyber FBI site by just scanning for open ports. Chances are, in real life, the FBI Cyber Crime Lab doesn't have any open ports.
When it comes to taking over 1 billion devices, to be honest with you, it is possible. With the new "Internet of Things" going on, this could eventually happen. You have to look at what is all connected and what will be connected in the future. Soon, your refrigerator will be able to talk to your computer, your furniture will be able to learn your sitting habits and conform to you body, and devices that help you live will be attached to your body relaying information to your computer. To be quite honest, it is a scary situation if you think about it. With some smart hacking, a "bad guy" could hack into the Internet of Things and start to take control of one device at a time. Soon enough, they could have control of 1 billion devices.
The sad thing is that this has more of a chance at happening now than it did 5 years ago. Everyone is getting contempt with using the Internet and computers for everything they do. Many do not use the proper passwords or user IDs to help keep their own system secure. Mobile devices can attach themselves to any wireless network at any given time. If the public is not educated on how serious this is, Cybergeddon is closer than it is farther away. People need to change their tune about how they play around in the Internet of Things before it is too late.
Internet of Things:
http://www.computerweekly.com/news/2240212690/Internet-at-risk-of-cybergeddon-says-WEF
Movie:
http://www.imdb.com/title/tt2189240/
I had the privilege a little over a year ago to watch the series Cybergeddon, now on DVD as a move. I was absolutely in love with it so bought it when it came out on DVD and watched it just the other night, again. The plot of the movie is about a Cyber FBI agent that is being framed for unleashing a virus on a water plant, that ends up getting unleashed on the entire Internet. The "bad guy" uses bots to unleash the virus across the Internet thus ending up taking control of 1 billion devices. With a click of a button, the infrastructure of the U.S. will come crashing down. It makes you ponder if this can actually happen.
The thing you have to realize is how fake the movie actually is. Just with a few clicks here and a few clicks there and some typing here and typing there, the "bad guy" is able to defend against the "good guys" network shut downs and buffer overflows and also hack into seriously secured networks. It takes much more than a few words and clicks to hack into systems as it is portrayed in the movie. You have to realize, while watching the movie, that for suspense reasons and the time it actually takes to get into systems, things are cut. That is the case with this movie. It also shows how the "bad guy" supposedly gets into the Cyber FBI site by just scanning for open ports. Chances are, in real life, the FBI Cyber Crime Lab doesn't have any open ports.
When it comes to taking over 1 billion devices, to be honest with you, it is possible. With the new "Internet of Things" going on, this could eventually happen. You have to look at what is all connected and what will be connected in the future. Soon, your refrigerator will be able to talk to your computer, your furniture will be able to learn your sitting habits and conform to you body, and devices that help you live will be attached to your body relaying information to your computer. To be quite honest, it is a scary situation if you think about it. With some smart hacking, a "bad guy" could hack into the Internet of Things and start to take control of one device at a time. Soon enough, they could have control of 1 billion devices.
The sad thing is that this has more of a chance at happening now than it did 5 years ago. Everyone is getting contempt with using the Internet and computers for everything they do. Many do not use the proper passwords or user IDs to help keep their own system secure. Mobile devices can attach themselves to any wireless network at any given time. If the public is not educated on how serious this is, Cybergeddon is closer than it is farther away. People need to change their tune about how they play around in the Internet of Things before it is too late.
Internet of Things:
http://www.computerweekly.com/news/2240212690/Internet-at-risk-of-cybergeddon-says-WEF
Movie:
http://www.imdb.com/title/tt2189240/
Subscribe to:
Posts (Atom)