Security and Technology Ramblings…

Security

Disclaimer: Most things in this post would be considered a criminal activity if you do them. So, don’t do them.

I always marvel at the things in life that need no verification. The mischief you could cause someone just by making a few phone calls. You’d think you would need proof to make changes. But, surprisingly, all you really need to know is an account number, their name, and maybe the last four digits of their social security number.

But, before you start telling me how hard it is to gather this info, let me tell you it is not. You would be surprised about what online trails you leave every day. Facebook, Google, Twitter, and other social media sites are not your friends.

In this hi-tech world we live in with solid methods to prove who you are that can be unbreakable, we still have a thousand ways to do things “old school”.

Example…. Go buy (with cash of course) a magic jack IP phone dongle and port the phone number of anyone you choose just by entering it in the website when you set it up. Sure, they can get the phone number back, but it would cause a few weeks worth of pain. There is no process to verify that you actually own the number when you ask to get it to be ported.

Example…. My mother passed away a few weeks ago. In the process of letting various credit cards, utility accounts, and even retirement pay accounts know that she had passed, very few asked for more information than I listed above. At least 25% didn’t need a death certificate. Now go prove you aren’t dead!

Example…. If you give anyone your routing and checking numbers, they can go to VistaPrint or anywhere else and have checks printed with your account numbers, but with their name.

Example…. There are millions of subscriptions that you can choose “bill me later” on.

I could keep going with examples….

Have a great day!

PS: Read this book. It’s one of my favorites and it is sure to scare you way more than my post did…

http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X

Skype started out as an IM chat client based around end-to-end encryption. Since the purchase by Microsoft, it would appear that this has changed and now all sessions terminate within Skype servers within Microsoft. A security company in Germany claims to be able to show where a backdoor exists permitting “those authorized” to see the content of your communications.


Recently, I had a customer reach out to me with an infected WordPress site. The site had been compromised with changes that resulted in their legitimate ads being replaced with the typical Viagra and associated ads.

The normal process consists of cleaning up the base WordPress files, updating any out-of-date plugins and ensuring that the theme is up to date. Sometimes a full rebuild from the ground up is required.
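One way to make the “clean up the base WordPress files” step systematic is to compare the live site against a pristine copy of the same WordPress version and review every file that differs. The script below is an added example for this post, not code from the original author or from WordPress itself; the directory layout, version string and injected snippets it builds are constructed for the demonstration, and the keyword list is only a set of leads for a human to review, not proof of compromise.

```python
"""
Added example: audit a live WordPress tree against a clean reference tree of
the same version. Reports modified, added and missing files, then flags PHP
files among them that contain constructs commonly seen in injected spam code.
All paths and file contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructs that are rare in legitimate core files but common in injected
# redirect/spam code. A match is a lead for manual review, not a verdict.
SUSPICIOUS = re.compile(
    rb"(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't load at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            result[p.relative_to(root).as_posix()] = file_sha256(p)
    return result


def compare_trees(clean: Path, live: Path) -> dict[str, list[str]]:
    """Modified / added / missing relative paths, live tree versus clean tree."""
    c, l = hash_tree(clean), hash_tree(live)
    return {
        "modified": sorted(p for p in c if p in l and c[p] != l[p]),
        "added": sorted(p for p in l if p not in c),
        "missing": sorted(p for p in c if p not in l),
    }


def flag_suspicious_php(live: Path, rel_paths: list[str]) -> list[str]:
    """Of the given files, return the PHP ones whose contents match SUSPICIOUS."""
    flagged = []
    for rel in rel_paths:
        p = live / rel
        if p.suffix.lower() == ".php" and SUSPICIOUS.search(p.read_bytes()):
            flagged.append(rel)
    return flagged


def audit(clean: Path, live: Path) -> dict[str, list[str]]:
    """Full report: tree differences plus suspicious files among the changed ones."""
    report = compare_trees(clean, live)
    report["suspicious"] = flag_suspicious_php(
        live, report["modified"] + report["added"]
    )
    return report


def build_demo(base: Path) -> tuple[Path, Path]:
    """Construct a tiny clean tree and a tampered copy of it (demo data only)."""
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        # Constructed placeholder version string, not a real release.
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '0.0.0';\n")
    # Constructed tampering: an obfuscated stub prepended to a core file,
    # plus a dropped-in file that core never ships.
    (live / "index.php").write_text(
        "<?php eval(base64_decode('ZWNobyAnaGknOw=='));\n"
        "require 'wp-blog-header.php';\n"
    )
    (live / "wp-includes" / "ads.php").write_text("<?php echo 'injected link';\n")
    return clean, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir, live_dir = build_demo(Path(tmp))
        for key, items in audit(clean_dir, live_dir).items():
            print(f"{key}: {items}")
```

Against a real site, point clean at a freshly downloaded copy of the same WordPress release and live at the web root; every entry under “added” or “modified” is something a clean install does not account for, and the keyword flags only narrow down which of those to read first. Files that differ legitimately (wp-config.php, uploads, themes and plugins) should be compared against their own pristine sources rather than against core.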

I found a couple new tools that in my opinion do help in the process of repairing the site.

First, there was the website Sucuri.net. I was really impressed with the free scanner they offer to determine if your site is at risk or already compromised. Rather than spend a number of hours cleaning up the countless php files on the compromised site myself, I took advantage of their $89/year subscription service. Under this service, one of their engineers uses a pre-made tool to quickly clean the site up. This solution not only saved me time, but also saved my customer money.

Second, I stumbled upon the tools offered over at Pingdom.COM. These tools are self explanatory and simple to use.


Stop the Internet Blacklist Legislation

The Internet Blacklist Legislation – known as PROTECT IP Act in the Senate and Stop Online Piracy Act (SOPA) in the House – is a threatening sequel to last year’s COICA Internet censorship bill. Like its predecessor, this legislation invites Internet security risks, threatens online speech, and hampers Internet innovation. Urge your members of Congress to reject this Internet blacklist campaign in both its forms!

Big media and its allies in Congress are billing the Internet Blacklist Legislation as a new way to prevent online infringement. But innovation and free speech advocates know that this initiative is nothing more than a dangerous wish list that will compromise Internet security while doing little or nothing to encourage creative expression.

As drafted, the legislation would grant the government and private parties unprecedented power to interfere with the Internet’s domain name system (DNS). The government would be able to force ISPs and search engines to redirect or dump users’ attempts to reach certain websites’ URLs. In response, third parties will woo average users to alternative servers that offer access to the entire Internet (not just the newly censored U.S. version), which will create new computer security vulnerabilities as the reliability and universality of the DNS evaporates.

It gets worse: Under SOPA’s provisions, service providers (including hosting services) would be under new pressure to monitor and police their users’ activities. While PROTECT-IP targeted sites “dedicated to infringing activities,” SOPA targets websites that simply don’t do enough to track and police infringement (and it is not at all clear what would be enough). And it creates new powers to shut down folks who provide tools to help users get access to the Internet the rest of the world sees (not just the “U.S. authorized version”).

Senator Ron Wyden (D-OR) has placed a hold on the Senate version of the bill, taking a principled stand against a very dangerous bill. But every Senator and Representative should be opposing the PROTECT IP Act and SOPA. Contact your members of Congress today to speak out!

An interesting take on an “ultra high security” password. It would not be good for user-level passwords, but might be a great option for service accounts used on Windows servers.


Ultra High Security