It is that time of year. Holiday shopping, Black Friday, Cyber Monday (that still sounds like a XXX movie), and the like. Special offers abound, and the bad guys are ready to get you. Some simple steps to stay safer during the holidays.
This is the time of year that the criminal digital underground loves. People rushing to get the best deals they can, be it online or offline. The odds of someone clicking on a malicious link, increases with desperation, and of course making the deals looks good. Nothing will 100% guarantee that your going to be free of malware, or that your identity will not be swiped, but there are some simple things to remember to keep the risks at more of a minimum.
1) If it looks to be too good of a deal, it probably is, especially online. Deals are the easiest thing to snag someone online with. Pair that with fake URLs that look legit, and you have a recipe for disaster. The trick here is to find out what the real URL is. In Outlook and most browsers out can hover over links to see what they are sending you to. Doing a right click and copy hyperlink then pasting into notepad is a good way to see the full link itself for a quick check. If it shows something that bothers you, don’t go to it, don’t click on it.
2) Keep up to date with your purchases. This is easy enough to do with online banking. Check at minimum once a week online with your bank and credit card companies. Look for anything out of the ordinary. the faster you see something that looks fraudulent the faster things can be taken care of, and the less hassle there is overall.
3) Single Click on the web! I see this all too often. We as a society have gotten so use to double clicking to open programs that we forget it is a single click on a link. This is important because that second click could hit a hijacked ad on the site you were going to and at that point it is game over. You are pwnd and let the malware flood gates open.
4) Backup Backup Backup. Get an external drive that you only connect to backup your files, Use Mozy or Carbonite, do something to backup your files. Especially with Cryptolocker out there, the clean backup is important so you don’t have to pay to recover your files and take the risk that the bad guys are not going to keep their end of the bargain.
5) If you do not have to enter your pin on a pad, DON’T! Most bank cards can be used as “Credit Cards” (They have the Mastercard or Visa logo on them) meaning you do not have to punch in your security pin. Who knows if that pin pad is secure. Yes it only stops the pin from being gotten but that can be enough to stop someone from emptying your account.
Yes, these are basics, and yes milli0ns of people each year tend to not think about them. They are simple and pretty effective, but remember not perfect. If someone hacks the store or bank, you have no control over that. If the credit card or ATM machine has been tampered with, you don’t have control over that. Just do what you can to keep a little safer, and have a great holiday season!
The DMCA (Digital Millennium Copyright Act) is a powerful tool for copyright holders. Take down notices get served to many websites daily to remove infringing items, yet many are false positives. Will the DMCA harm cloud computing? I think its a good possibility.
I recently read an interesting article on SC Magazine about a security researcher who had her MediaFire account suspended for 36 hours because of a DCMA notification. The infringing files she had on the account for years, and were malware files that had been or were being researched by her and others. There is also the case of speeches from the recent political conventions been taken down off You Tube because of automated filters to prevent DMCA take down notices. The amount of false positives reported to the news outlets it a small portion of what actually is out there, but they tend to make big news.
So what does this all have to do with killing the cloud? The answer is quite a lot. If the filters and DMCA searches are conducted in a way that can breed a lot of false positives, such as just going by file names and sizes, then what is to prevent a DMCA notice and fight over a companies private files that have the same name as some other companies files? Better yet, what if something is named too similar to something from the entertainment industry? a presentation that uses music, hey there can be a DMCA takedown notice right there if a file scanner digs into it, or if you leave the name of the song in the filename.
The idea being that all these notices can help make people gun shy about moving or even using the cloud. Copyright is needed, yet has been blown way out of proportion in its longevity. Life of the artist plus 75 years is way to long, considering that copyrights were meant to foster innovation, not to allow someone to sit back on their laurels. Now we see that it can affect researchers which are reaching to the cloud to help analyze items in a file. This can affect not only the infosec area but other areas such as medicinal or other science research. All this because one is guilty until proven innocent. This can and will affect the future in more ways than we can see at this time.
Yesterday I said I was surprised by the lack of Windows 8 talk in the keynote. Today remedied that, plus some interesting security facts.
After everything that happened on the first day of TechEd, I was not sure what to expect from the keynote that kicked off day 2. I got a much closer seat to the stage when the room opened up and got ready for the speakers. Antoine Leblond was the main speaker and today was all about Windows 8. The information doled out was a lot of info that had been around for a bit along with a couple of nice nuggets. During the introduction of the keynote, Antoine made sure to point out that touchscreens were coming to laptops and PCs. Although he made it sound imminent, we all know that prices and the economy will really dictate how long until this technology was to be adapted.
When we got into the meat of the presentation, certain things jumped out at me. First was the swipe motions that Windows 8 accepted from a touch-pad on a laptop. Almost the exact same as what the Macbook uses at this time. It started me wondering about patent lawsuits, since the tech industry has gone sue happy. Then there was the performance enhancements and the addition of a hypervisor native to Windows 8. The did show Windows 7 running very smoothly in that hypervisor, which can be a nice point should you need to run both together. The did show a nice demo of Windows 7 open in the hypervisor with a windows 8 metro app running side by side so you could see and work with both at the same time.
They went on to talk about the performance improvements, how the convergence of home and work devices helped shaped what Windows 8 has become, and then into a beta app from SAP. We went over the Windows Store, which is organized very nicely by groups. Other points mentioned during the keynote (which should be available online to watch) included how your desktop will follow you across devices if you use a Windows Live ID to log into the machines, and my personal favorite, booting a machine off a Windows8PE image from a USB stick, which for troubleshooting and malware removal will be nice.
The next session I went to was 10 Administrator Security Mistakes, hosted by a MVP and PenTester from Poland named Paula. This woman knows her stuff and showed some things that can put the fear of security into you. How using the password rested on a DC stores the password in clear text in the memory and how easy it can be to get at it was one of the most eye opening demonstrations I have seen. So in order, the top ten we were given are:
Sin 10: Misunderstanding how passwords are used
Sin 9: Ignoring offline access
Sin 8: Incorrect access control (We were shown how Robocopy can be used to gain access to a folder which you have a deny access on)
Sin 7: Using old technology
Sin 6: Encryption, What is encryption (We were shown how HTTPS does not guarantee Encryption by a man in the middle hack which shows LinkedIn sends its passwords in clear text)
Sin 5: Installing Pirated software
Sin 4: Lack of Network Monitoring (Again shown an issue with the reset password feature in AD where is sends the password to the network broadcast address in clear text)
Sin 3: What you see is not what you get
Sin 2: Too much trust in people
Sin 1: Lack of documentation
The final session I went to was on using SysInternals software to fight malware. Mark Russinovich who created Sysinternals was the speaker. The seminar was a logical progression from the way to go about the removal process, to how to use different tools to discover different items. Again, this one was video taped, so it should be available soon for viewing. Needless to say even on Windows 8 there are gotchas, and some tools, such as msconfig, don’t have the information they used to. Between Process Explorer, Autoruns, Desktops and Process Monitor one should be able to find most if not all malware. Considering Mark said that 33% of web malware is not detectable because of time to get signatures out from the AV vendors, this seminar is a must for anyone dealing with malware removal.
Day 2 was a lot more intense and overall a lot better quality than day 1 for me. Tomorrow, there are more seminars to be had, and more things to do.