Notable Reads
Posted: January 1, 2012 | Filed under: Uncategorized | Tags: education, politics, science, security, technology
- The Molotov Party. Frank Rich of New York Magazine explains the GOP.
- New York Times on understanding Mitt Romney.
- Joseph Stiglitz on the US economy.
- Ayn Rand and her influence on US society.
- Glenn Greenwald on Christopher Hitchens.
- In the Independent: What price the new democracy? Goldman Sachs conquers Europe.
- The Surveillance Catalog - where governments get their snooping tools.
- Neil deGrasse Tyson Lists 8 (Free) Books Every Intelligent Person Should Read.
- Sir Ken Robinson on Creative Education.
- New Zealand and Charter Schools.
- Clive Thompson on Why Kids Can’t Search.
- People out of touch with nature and Climate Change - Sir David Attenborough.
- Google, Chrome and the importance of Firefox.
- A case study in the muddle that is Android software updates.
- When Criminals Become Data Scientists.
- Internet surveillance, censorship, and avenues of resistance with anonymity - Jacob Appelbaum (scroll down).
- Jan Chipchase, It’s your Face, Not Ours.
- The Social Graph is Neither.
- Why The New York Times Isn’t Using Facebook’s ‘Frictionless Sharing’.
WNDR3700 meets DD-WRT
Posted: January 1, 2012 | Filed under: Uncategorized | Tags: dd-wrt, security, wifi, wndr3700, wps
Many wireless access points have a “convenience” setup feature called WPS. Unfortunately WPS introduces a security weakness that allows an attacker to recover the WPA/WPA2 passphrase in a few hours [1, 2].
I have a Netgear WNDR3700 dual-band wireless access point, which includes the WPS feature. Prompted by the disclosures mentioned above, I had a closer look at how WPS worked on the Netgear AP. WPS seems to be permanently enabled. The AP has an option to let the router disable WPS for a time if there are too many connection attempts. This seemed like an unnecessary risk, so I decided to change the firmware to something without this vulnerability: dd-wrt.
The installation process has a reputation of being quite touchy and prone to bricking the router. Installation is set out on the WNDR3700 wiki page. Currently you need to install build r16785 on the router, then once the installation is complete and the NVRAM rebuilt, use the dd-wrt web admin interface to upgrade the firmware to a more recent version. I used webflash build r17201. I also tried a more recent build, r18024, but the 5GHz radio didn’t work properly. If you brick the router, use the recovery procedure here.
Finally, to ensure the clients can connect at the full 300Mbps, you need to configure the wireless settings from the advice in the Atheros wiki page.
SSL is not end-to-end security
Posted: January 15, 2011 | Filed under: Uncategorized | Tags: encryption, pki, security, ssl
Peter Gutmann’s Engineering Security has more on the subject.
Facebook’s Eroding Privacy
Posted: April 29, 2010 | Filed under: Uncategorized | Tags: facebook, privacy, security
EFF’s blog post sets out a timeline showing how Facebook privacy has evolved. It’s gone from this
No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings
to this
When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.
And in another post they set out six things the new Facebook connections feature means for the information in your profile. Matt McKeon visualises the changes over time in a blog post, The Evolution of Privacy on Facebook.
Adrian Perez sums it up like this
I joined Facebook under certain conceptions that it was a somewhat private place. [...] now it seems that there is something every month where they have started to sell or give more of my stuff to some company without my knowledge. Facebook used to be fun and cool, but a large part of what I have to do on Facebook now is adapt to their changes on their terms….
Now I wouldn’t have posted about this [...] if I had not been personally affected by Facebook’s actions. I was with my girlfriend and we were listening to Pandora. I look at my Pandora player, and there is my girlfriend’s face (supplied by Facebook) staring back at me with some information about her tastes. This would not have been a problem, except she opted out of that program. We quickly learned you had to also ban each of the groups Facebook was sharing this data with, as well as hitting the opt-out checkbox.
This immediately congealed a sense of loathing for Facebook. It was a combination of their confusing interfaces, reneging on their former commitments, lack of privacy, and spammy newsfeeds.
You can get an idea of how Facebook views your control of your information in this clip of an interview with their CEO.
So, feeling exploited yet? Here’s how to delete your Facebook account:
- Log in to Facebook
- Navigate to this URL http://www.facebook.com/help/contact.php?show_form=delete_account and follow the instructions.
- Log out and don’t log in again in the next 14 days. After that time your account will be deleted.
In all likelihood your data will remain on the Facebook servers for an indeterminate period after this, so you probably want to start by deleting all your profile information, applications, inbox/sent folders, networks and everything that you’ve posted.
Update 1: More Facebook privacy problems. Techcrunch is reporting that for a period of time private chats weren’t actually entirely private. Facebook say this has now been fixed.
Update 2: Think it can’t get any worse? MacWorld is reporting that if you visited certain sites while logged in to Facebook, an app for those sites was quietly added to your Facebook profile. Facebook say this was a bug and it’s now been fixed.
Update 3: Facebook leaks your internet connection’s IP address when you send a message or write on a wall. The person that you sent a message to will get an email notification from Facebook. The header of that email has the IP address of your internet connection. That information can be used to discover, for example, where you are. The mail header looks like this (actual value obscured)
X-Facebook: from zuckmail ([xxxxxxxxxjM1LjE1OQ==])
“xxxxxxxxxjM1LjE1OQ==” is the base64 encoded IP address. Decode it to an IP address with Python
>>> import base64
>>> base64.b64decode("xxxxxxxxxjM1LjE1OQ==")
'xxx.xxx.xxx.159'
and use a GeoIP service to find the user’s location – in this case, Christchurch, New Zealand.
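The header check described above, written out as a small Python script so you can scan your own outbound notification mail for the same kind of leak. This is an added example, not code from the original post: the message text is constructed, the address in it is the RFC 5737 documentation address 203.0.113.159, and the header layout is taken from the line quoted above. The GeoIP step needs a network lookup and is left out.

```python
import base64
import binascii
import ipaddress
import re
from email import message_from_string

# Constructed sample notification, not a real Facebook message. The bracketed
# token is the base64 encoding of "203.0.113.159" (a documentation address).
SAMPLE_NOTIFICATION = """\
From: notification@example.com
To: recipient@example.com
Subject: You have a new message
X-Facebook: from zuckmail ([MjAzLjAuMTEzLjE1OQ==])

Body text of the notification.
"""

# Header value shape quoted in the post: "from zuckmail ([<base64 token>])"
_TOKEN_RE = re.compile(r"\(\[([A-Za-z0-9+/=]+)\]\)")


def decode_ip_token(token: str):
    """Base64-decode a token and return it as an IP address string.

    Returns None when the token is not valid base64 or does not decode to an
    IPv4/IPv6 literal, so unrelated bracketed values are not misreported.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
        return str(ipaddress.ip_address(raw))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_leaked_ip(raw_message: str):
    """Return the sender IP carried in an X-Facebook header, or None."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("X-Facebook", []):
        match = _TOKEN_RE.search(value)
        if match:
            ip = decode_ip_token(match.group(1))
            if ip is not None:
                return ip
    return None


if __name__ == "__main__":
    # Expected: 203.0.113.159
    print(extract_leaked_ip(SAMPLE_NOTIFICATION))
```

The same loop can be pointed at a mailbox export: any message where `extract_leaked_ip` returns an address is one that exposed the sender’s connection, which is the thing to look for when auditing a notification system of your own.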
Update 4: The issue of Facebook leaking IP addresses has apparently now been fixed. Including the IP was apparently a spam control feature.
Security on the Internets
Posted: December 13, 2008 | Filed under: Uncategorized | Tags: security
Limit your trust and keep good backups…
Backups
The place to start is good backups. You can’t be sure the bad guys won’t get through your defences, but you can take steps to make recovery easy. Good backups also protect you against a hard drive crash – the failure rate for hard drives is 100%!
External hard drives and backup software are cheap.
- get several USB external hard drives (at least 3) and rotate your backups between them
- do a full backup once in a while (weekly/bi-weekly/monthly) and do differential backups frequently. Ideally do backups daily, but it really comes back to how much you are prepared to lose.
- keep one of your backup disks off-site to cover against theft or fire
- keep backups going back several months. If you get infected with badware and don’t notice for a while, recent backups may contain badware too.
Acronis True Image backup software has saved my bacon on a number of occasions. It can do “bare-metal” restores. All you need to get going again is the True Image CD and your backup disk to do a complete restore.
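The retention rule in the list above (frequent recent backups, older ones kept for several months so a badware infection you notice late can still be rolled back) can be stated as a pruning policy. The following Python is an added example, not part of the post or any backup product; the exact policy numbers are assumptions chosen for the demonstration.

```python
from datetime import date, timedelta

# Assumed policy for this example: keep every snapshot from the last 14 days,
# the newest snapshot of each ISO week for the last 8 weeks, and the newest
# snapshot of each calendar month for the last 6 months. Everything else goes.
KEEP_DAILY_DAYS = 14
KEEP_WEEKLY_WEEKS = 8
KEEP_MONTHLY_MONTHS = 6


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later` (same month = 0)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def select_backups_to_keep(snapshots, today: date):
    """Return the sorted subset of snapshot dates retained under the policy.

    Snapshots are walked oldest to newest, so the last write into each
    week/month bucket is the newest snapshot of that bucket.
    """
    keep = set()
    newest_per_week = {}
    newest_per_month = {}
    for d in sorted(snapshots):
        age_days = (today - d).days
        if age_days < 0:
            continue  # ignore future-dated snapshots (clock skew, bad labels)
        if age_days < KEEP_DAILY_DAYS:
            keep.add(d)
        if age_days < KEEP_WEEKLY_WEEKS * 7:
            iso_year, iso_week, _ = d.isocalendar()
            newest_per_week[(iso_year, iso_week)] = d
        if months_between(d, today) < KEEP_MONTHLY_MONTHS:
            newest_per_month[(d.year, d.month)] = d
    keep.update(newest_per_week.values())
    keep.update(newest_per_month.values())
    return sorted(keep)


def select_backups_to_delete(snapshots, today: date):
    """Complement of select_backups_to_keep, for the actual prune step."""
    kept = set(select_backups_to_keep(snapshots, today))
    return sorted(d for d in snapshots if d not in kept)


if __name__ == "__main__":
    # Constructed history: one snapshot per day for the last 200 days.
    today = date(2012, 1, 1)
    history = [today - timedelta(days=n) for n in range(200)]
    kept = select_backups_to_keep(history, today)
    print(len(history), "snapshots,", len(kept), "kept, oldest kept:", kept[0])
```

The important property for the infection case is that the oldest retained snapshot is months old: with the numbers above, a daily history pruned on 2012-01-01 still keeps a snapshot from the end of August 2011, while day-by-day copies only exist for the most recent two weeks.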
Your Computer
- Use the latest operating system software for your PC. Windows Vista or Windows 7 for a PC, or the latest versions of Mac OSX or Linux.
- Keep your patches up to date. Turn on automatic updates. Don’t forget to update other software like Microsoft Office, Adobe Flash and Adobe PDF Reader etc.
- Use anti-virus software. AV software is far from perfect, but it’s a lot better than nothing.
- Use a better browser. Don’t use Internet Explorer. Firefox, Google Chrome, Opera and Apple Safari are alternatives.
- If you’re using Firefox, use the NoScript add-on. NoScript maintains a ‘whitelist’ of websites that are allowed to use JavaScript. Using NoScript greatly reduces your exposure to web-delivered badware. You have to add the sites you use and trust to run JavaScript, but the effort is well worth it.
- If you use Firefox, use ad-blocking software like AdBlock Plus. Many websites that you visit display third-party ads. These ads have been known to deliver badware to users via well-known and trusted websites. AdBlock Plus also makes the Internet much nicer by removing all the flashing, pulsing ads.
- Remove Administrator rights from your Windows login. Keep a separate admin login and use it only when needed. If your account doesn’t have admin rights it’s a tougher target for badware.
- Don’t recycle passwords across web sites – see the password section below.
- Use a personal firewall that controls outgoing as well as incoming connections.
- Only install software on your PC when you trust its source. Never use cracked software. It’s often infected with badware.
- Put your computer in standby mode or turn it off when you’re not using it.
- Laptops, cellphones and PDAs all contain private information. Treat them like a wallet or purse.
- When you do business on a website, check it’s a reputable company. Don’t give out unnecessary personal information.
- Your email software probably has options to allow JavaScript and HTML in emails. Turn both off. JavaScript and HTML make it easier for scammers to deceive you or exploit flaws in your software.
- Use anti-virus software that automatically scans your incoming email and attachments.
- Don’t open attachments from untrusted sources. Doubly so for spam.
- Don’t open attachments from trusted sources unless you know the person who sent it was also the author, i.e. the “ha-ha, look at this” type of message can spread badware.
- Protect your email account – access to your email account gives access to many other areas of your life. If you use web-based email, like GMail, treat it like your online-banking.
- Banks etc. shouldn’t send you email relating to your accounts. Ignore anything from them that isn’t just general advertising. Ignore any email that asks you to click on a link and log in to one of your accounts.
- Never click on links in emails.
- You can’t trust the “From” address in any email. Emails are easily forged.
- Delete spam, don’t read it. Never open attachments.
- If you use GMail, there is an option called “Browser connection”. Set it to “Always use https”. Other web-based email services probably have a similar encryption option.
- Delete any emails that contain passwords. Move passwords, account information, domain registration details, etc. into secure storage – see PasswordSafe, below. If your computer is lost or cracked, doing this will greatly reduce your exposure.
Banking
- Always type the URL into your browser. Never click on a link in an email or on another website. Don’t use your browser’s bookmarks – malware can rewrite these.
- Logout as soon as you are finished.
- Use a separate web browser for banking. I use Google Chrome for internet banking and a few other secure sites and Firefox for all other browsing. Safari and Opera are other choices.
- Don’t use internet banking unless you need to. Set up long term savings or trust accounts that have large deposits in separate accounts without internet or phone banking access.
- If your bank offers two-factor authentication, like a code sent via SMS or a code card, use it. It won’t protect you if your PC is infected with malware, or from phishing, but it will stop password-sniffing software giving access to your bank account.
- Never do Internet banking from a computer you don’t trust, e.g. from an Internet cafe.
Credit & EFTPOS Cards
- Read the terms and conditions for your credit card. If you follow the rules, you’re probably well protected from fraud. My experience is that if there’s a problem with an internet transaction it is pretty easy to get your money back.
- Stick to reputable e-commerce websites. Check out other customers’ experiences by using Google.
- Only use EFTPOS cards in places you can trust, e.g. banks and ATMs. Hotwired EFTPOS terminals are not unheard of, and it’s probably going to be a lot harder to get your money back compared to using a credit card.
Wireless
- Your wireless access-point has built-in security. Turn it on.
- Use a long password – at least 15 characters and not a dictionary word.
- Use the WPA or WPA2 Personal (aka PSK) security option. Select the AES encryption option. Do not use WEP or TKIP options.
- When using a public access-point (e.g. at a cafe), it may be possible for other users of the access-point to snoop on what you are doing. If you use public access-points, it’s vital you have a firewall installed on your laptop.
Passwords
- Make them long – 6 letters is inadequate for anything you care about.
- Don’t use cat’s names, birth dates or anything someone could guess if they know something about you. Same goes for the security questions websites use to let you recover your password – remember Sarah Palin.
- Don’t use dictionary words. Substituting numbers for letters (e.g. l3tt3rs) or miXiNg up the case on dictionary words doesn’t help much, as password crackers will do the substitutions as well.
- Use random letters or a long passphrase.
- Don’t re-use passwords or security questions on different websites.
- Bruce Schneier’s PasswordSafe software is a great way to create and manage passwords securely. Use 1Password on a Mac.
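The password points above (length, no dictionary words, substitutions and case mixing add nothing, random letters or a long passphrase) turned into a small checker and generator. This is an added example and is not code from the post or from PasswordSafe/1Password; the ten-word list is constructed for the demonstration, so the passphrase bit counts it reports are tiny compared with a real list of several thousand words.

```python
import math
import secrets
import string

# Constructed toy word list. A real check would load a full dictionary; a real
# passphrase generator would use a large list (e.g. several thousand words).
WORDLIST = {"letters", "password", "welcome", "summer", "monkey", "dragon",
            "correct", "horse", "battery", "staple"}

# Substitutions that crackers undo as a matter of routine, so they add nothing.
# "1" is mapped to "l" here; a fuller checker would also try "i".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 15  # the post's advice for wireless keys; applied to all here


def normalise(password: str) -> str:
    """Undo case mixing and digit/symbol substitutions."""
    return password.translate(LEET_MAP).lower()


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if the password is a dictionary word dressed up with
    substitutions, case changes, or leading/trailing digits and symbols."""
    core = password.strip(string.digits + string.punctuation)
    return normalise(core) in wordlist


def assess(password: str, wordlist=WORDLIST):
    """Return (acceptable, estimated_bits, reasons).

    Bits are an upper bound: for a passphrase of dictionary words, one
    choice per word; otherwise one uniform choice per character from the
    character classes used. A dictionary-based password gets credit only
    for the word choice, since the dressing-up is recovered by a cracker.
    """
    reasons = []
    words = normalise(password).split()
    if len(words) > 1 and all(w in wordlist for w in words):
        bits = len(words) * math.log2(len(wordlist))
    else:
        pool = 0
        if any(c.islower() for c in password):
            pool += 26
        if any(c.isupper() for c in password):
            pool += 26
        if any(c.isdigit() for c in password):
            pool += 10
        if any(c in string.punctuation for c in password):
            pool += len(string.punctuation)
        bits = len(password) * math.log2(pool) if pool else 0.0
        if is_dictionary_based(password, wordlist):
            bits = math.log2(len(wordlist))
            reasons.append("based on a dictionary word (substitutions do not help)")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return (not reasons, round(bits, 1), reasons)


ALPHABET = string.ascii_letters + string.digits


def generate_random(length: int = 16) -> str:
    """Random letters and digits from the OS CSPRNG (the 'random letters' option)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Random words from the list (the 'long passphrase' option)."""
    choices = sorted(wordlist)
    return " ".join(secrets.choice(choices) for _ in range(words))


if __name__ == "__main__":
    for candidate in ("l3tt3rs", "P@ssw0rd123", "abc123",
                      generate_random(), generate_passphrase()):
        print(repr(candidate), assess(candidate))
```

The `l3tt3rs` case from the list is the one to watch: the character model would credit it with about 36 bits, but after the substitutions are undone it is one entry in the dictionary, which is all a cracker has to try.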