
Saturday, April 12, 2014

Heartbleed woes

The Heartbleed programming bug has been (mostly) patched as of 07 April 2014. Now that the server end of the problem has been fixed it is up to you (the client) to examine the possibility that a number of sites may have exposed your passwords to evil doers.

A reasonably comprehensive list compiled by Mashable may be found here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/. Check the list and change your passwords if required.

You may also want to take the time to change those passwords that a) you have not changed for over six months, b) are duplicates of other sites, since it is a very bad idea to use the same password on different sites, c) are very weak (password1234 . . . hahahahahaha) or d) are composed of words or phrases found in dictionaries or books.

Posted by Matthew Carrick at 12:42.29 PM EDT | Permanent Link
Edited on: Saturday, April 12, 2014 1:16.37 PM EDT
Comment by Doug - Sunday 18th January 2015 03:43:44 PM

Hello Sir,

Did you get my email from yesterday?

Thanks

| Categories: Best Practices, Open Source, Privacy Issues, Security Alerts

Tuesday, March 04, 2014

Cellophane tape is your friend

When not using your webcam, unplug it from your computer. You can also slap a small square of cellophane tape over the camera lens on your laptop. Use a physical cover to mask your smartphone's camera lens.

Having the GCHQ spy on you is one thing, but ewwww.

Thursday, September 19, 2013

Internet Explorer Zero-day Exploit

Microsoft has released a "Fix-it" for a zero-day flaw in its Internet Explorer 8 browser. This flaw is being addressed by Microsoft but until the next security updates are released this is your best bet to avoid being a victim.

Go here: http://support.microsoft.com/kb/2847140 and scroll down to the Fix-it ENABLE icon - click on this icon, download and then double-click the .msi file to install.

Although no reboot or other actions need be taken after the Fix-it is installed you should also download the Fix-it DISABLE file (right beside the original icon) and save the file - it is possible that before the next security update Microsoft will strongly suggest you remove the original Fix-it and this DISABLE file will do that.

You could also simply bookmark the page and download the file when needed.

Whatever.

Posted by Matthew Carrick at 10:42.01 AM EDT | Permanent Link
Comment by Matthew - Thursday 19th September 2013 11:49:43 AM

NOTE: This fix is only for 32-bit Internet Exploder.

| Categories: Best Practices, Internet Explorer, Privacy Issues, Security Alerts

Thursday, September 05, 2013

Don't Believe Everything You Read

A good overview by Brian Krebs on why Java continues to be a serious security risk:

https://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/ 

Posted by Matthew Carrick at 9:29.30 AM EDT | Permanent Link

| Categories: Java, Privacy Issues, Security Alerts

Saturday, May 11, 2013

Internet Explorer 8 Zero-day Exploit

Microsoft has released a "Fix-it" (because calling it a "patch" sounds icky?) for a zero-day flaw in its Internet Explorer 8 browser. This flaw is being addressed by Microsoft but until the next security updates are released this is your best bet to avoid being a victim.

Go here: http://support.microsoft.com/kb/2847140 and scroll down to the Fix-it ENABLE icon - click on this icon, download and then double-click the .msi file to install.

Although no reboot or other actions need be taken after the Fix-it is installed you should also download the Fix-it DISABLE file (right beside the original icon) and save the file - it is possible that before the next security update Microsoft will strongly suggest you remove the original Fix-it and this DISABLE file will do that.

You could also simply bookmark the page and download the file when needed.

Whatever.

Saturday, February 02, 2013

Twitter Hack and Java

The recent hack of Twitter appears to have been accomplished via some Java exploit. The insecure nature of Java is well known and unless you specifically require Java your best practice is to uninstall it via the Control Panel under Windows. If you do require Java you need to uninstall the Java plugin for browsers. Check out 'ole Krebs on Security for the details.

If you keep Java set it to auto-update once a day. Handy, dandy screencaps illustrating the simple process are here.

Saturday, January 05, 2013

"Swear to God Snake, I thought you were dead..."

Snake Plissken might not be dead but You might be - at least according to Facebook.

Posted by Matthew Carrick at 12:23.16 PM EST | Permanent Link

| Categories: Privacy Issues

Saturday, September 01, 2012

Critical Java Update

Poor Oracle has again released an update for Java that stops a zero-day attack that threatened all Operating Systems. Users with exploitable versions of Java could have malware installed on their systems by merely browsing to a cracked or evil Web site.

Unless you specifically require Java your best practice is to uninstall it via the Control Panel under Windows.

If you need Java then make sure you set it to auto-update at least once a week (the default is once a month . . . as if . . . ) or, better yet, once a day. Click the Java icon in the Settings, click the update tab and finally the advanced button to make the change.

Handy, dandy screencaps illustrating the process are here.

Posted by Matthew Carrick at 8:44.20 AM EDT | Permanent Link
Comment by Matthew - Saturday 01st September 2012 09:50:58 AM

If you still require Java on your system you should disable its integration with any and all browsers you use regardless of your Operating System. Here is How to Unplug Java from the Browser
Comment by better than ketchup - Thursday 27th September 2012 09:02:08 PM

How 'bout I unplug Java from my life?

cheese burger
Comment by Matthew - Friday 28th September 2012 05:59:55 PM

Recent studies seem to confirm one or two cups of Java a day is beneficial. Good day, Sir.

| Categories: Java, Privacy Issues, Security Alerts

Sunday, July 08, 2012

Last Chance DNSChanger Hotel

Come Monday, July 9, 2012, thousands of both Mac and Windows PC users will find their machines will be unable to connect to the Internet. The FBI plans to shut down the Internet servers set up as a temporary safety net to keep infected computers online for the past eight months since a piece of Malware called DNSChanger has been making the rounds.

If you practice safe computing you are probably unaffected. If you use Internet Explorer, don't know what a Firewall is, regularly download pirated software, use Peer-to-peer software to exchange illegal files, rarely if ever update your Operating System files, etc. then . . . umm . . . good luck!

To check your system for the DNSChanger Malware go here: http://www.dns-ok.ca/

If you're tagged as a victim go here: http://www.publicsafety.gc.ca/prg/em/ccirc/2011/in11-002-eng.aspx and follow the suggested ideas to clean your system.

Posted by Matthew Carrick at 9:26.59 AM EDT | Permanent Link

| Categories: Malware, Privacy Issues, Security Alerts

Wednesday, June 06, 2012

LinkedIn Passwords Compromised

It seems a problem with LinkedIn has caused a whole bunch of passwords to now reside in the hands of bad people. It is imperative that you sign in to your LinkedIn account and change the password. That is all.

Posted by Matthew Carrick at 8:13.12 PM EDT | Permanent Link
Comment by Joe M Fellow - Thursday 27th September 2012 09:05:13 PM

The only thing I get from Linkdin is contact with a bunch of people I don't want to meet.
Comment by Matthew - Friday 28th September 2012 06:02:28 PM

Perhaps if your spelling was more accurate you would feel different. Your obedient servant, etc.
Comment by \" - Sunday 21st October 2012 04:38:44 PM

You mean, I would feel like meeting them? On Link-din?
Comment by Betty Wont - Friday 02nd November 2012 07:45:19 PM

Maybe upgrading the spelling will make him more amenable to meeting these Lincked-ihn geeks (read: habitués).
Comment by Ralph Bastard - Friday 02nd November 2012 07:52:18 PM

That's the thing about these sites: You spend a couple days on them, and suddenly you forget that your world of connections is only to other website diddlers like yourself and isn't worth a good goddamn to real service consumers. But, the interface is fun to play with and provides the impression that something is happening...

| Categories: Privacy Issues, Security Alerts

Saturday, March 17, 2012

Just for Russ ;)

Avast! anti-virus has dropped iYogi as its software support. Numerous instances of shady dealings with Avast! customers being told that their systems were compromised in order to sell pointless upgrades have come to light.

So, the next time you receive strange pop-ups or voice calls relating to even trusted software vendors take a second to run a search to see if it might be bull-cookies. Or, contact your favorite tech wizard and see if they have any inside info that may help you avoid the evil-doers.

Got it Russ?

Posted by Matthew Carrick at 8:50.21 AM EDT | Permanent Link

| Categories: Best Practices, Privacy Issues

Thursday, September 08, 2011

You're all a bunch of thieving crooks.

A report from the Business Software Alliance (BSA) appears to show that most people have illegal or pirated software on their PC's. A Google news search gives you a good overview.

Tsk-tsk-tsk - you people should be ashamed.

Be aware that you will eventually be plagued with a piece of software containing a virus, spyware, malware, trojan or some other evil bit.

Try using open source software or look into searching for well written applications whose cost is rarely above $50.00 and generally provide years of free updates. Sweet.

Posted by Matthew Carrick at 2:24.16 PM EDT | Permanent Link
Comment by The Penguin - Saturday 26th November 2011 12:44:35 PM

Thieving crooks? Thieving crooks?! THIEVING CROOKS?!?!?!

| Categories: Adware/Spyware, Alternative Apps, Best Practices, Headlines, Openoffice.org, Open Source, Privacy Issues, Security Alerts, Viruses-Trojans-Worms


Sunday, September 04, 2011

What's on Your PC?

Do you know what software is on your PC? A woman in Vancouver now knows. A software application meant to allow a PC to be tracked via its IP address was also taking pics via its built-in webcam. This at the same time she was engaging in, ahem, risque conduct with a 'special friend' if-you-get-my-drift. The Mothercorps has the story here.

Posted by Matthew Carrick at 12:52.12 PM EDT | Permanent Link

| Categories: Best Practices, Privacy Issues, Security Alerts


Tuesday, June 21, 2011

Barn. Door. Open. Horses. Gone

Dropbox, the handy cloud storage people, seem to have left their system open to the public for some four hours. Oops. The tally of accessed accounts is said to be only 1% of the users - or 40,000+ accounts :( If you're now on the lookout for a more secure cloud try http://www.sugarsync.com or https://spideroak.com
Posted by Matthew Carrick at 1:52.47 PM EDT | Permanent Link
Edited on: Tuesday, June 21, 2011 1:53.35 PM EDT

| Categories: Privacy Issues


Sunday, June 19, 2011

Different Passwords for Each Site

LulzSec hacker collective has likely compromised various sites (Facebook, PayPal, Xbox Live, Twitter, etc.) where they harvested user login info.

Folks still using identical credentials for multiple sites may find all of them compromised.

Posted by Matthew Carrick at 9:52.02 PM EDT | Permanent Link
Edited on: Tuesday, June 21, 2011 10:36.23 AM EDT
Comment by Matthew - Tuesday 21st June 2011 10:40:41 AM

Check for your cracked credentials at: http://dazzlepod.com/lulzsec/ So, at least use strong passwords (eight characters minimum including upper and lower case letters, symbols, numbers and never any word that can be found in a dictionary) even if your username is the same (and good luck with that).

But, never ever use the same username and password on more than one site.
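The four checks from the Heartbleed post at the top of this page (stale, reused, weak, dictionary-based), combined with the strong-password rule in the comment above, as an added Python example that is not part of the original blog. The inventory, the word list and the names `audit`, `is_weak` and `is_dictionary_based` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample inventory (site, password, last changed); not real credentials.
SAMPLE = [
    ("mail.example", "password1234", date(2013, 6, 1)),
    ("shop.example", "password1234", date(2014, 4, 10)),
    ("bank.example", "correcthorse", date(2014, 3, 2)),
    ("forum.example", "T7#qVz!m2Lx", date(2014, 4, 11)),
]
# Tiny stand-in word list (an assumption); use a full dictionary file in practice.
WORDS = {"password", "correct", "horse", "dragon", "monkey", "letmein"}
MAX_AGE_DAYS = 183  # "not changed for over six months"


def is_weak(pw):
    """Weak unless 8+ characters with upper case, lower case, a number and a symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) < 8 or not all(re.search(c, pw) for c in classes)


def is_dictionary_based(pw, words=WORDS):
    """True if the letters of pw (digits and symbols stripped) split fully into words."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if not letters:
        return False
    # reachable[i] is True when letters[:i] can be written as a run of dictionary words.
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        reachable[end] = any(
            reachable[start] and letters[start:end] in words
            for start in range(end)
        )
    return reachable[-1]


def audit(entries, today):
    """Return {site: [reasons]} for every entry that should be changed."""
    by_password = defaultdict(list)
    for site, pw, _ in entries:
        by_password[pw].append(site)
    report = {}
    for site, pw, changed in entries:
        reasons = []
        if (today - changed).days > MAX_AGE_DAYS:
            reasons.append("stale")
        if len(by_password[pw]) > 1:
            reasons.append("reused")
        if is_weak(pw):
            reasons.append("weak")
        if is_dictionary_based(pw):
            reasons.append("dictionary")
        if reasons:
            report[site] = reasons
    return report


if __name__ == "__main__":
    for site, reasons in audit(SAMPLE, date(2014, 4, 12)).items():
        print(site, ", ".join(reasons))
```

The report names sites and reasons only, so it can be kept or shared without exposing the passwords themselves.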

| Categories: Best Practices, Privacy Issues

Thursday, June 09, 2011

Disabling Facebook facial recognition

Recent changes by Facebook have enabled facial recognition - very nice - Google Picasa also has a great facial recognition component. That Facebook would turn it on by default, however, is a bad idea. Should you wish to disable this feature do this:

Login to Facebook and click "Account" in the upper right-hand corner of the page.

Click on "Privacy Settings."

Click on "Customize Settings."

Go to "Things others share."

Next to the option "Suggest photos of me to friends. When photos look like me, suggest my name," click "Edit Settings."

Click on "Edit Settings."

Change it to "Disabled."

Click "Okay."

Or go here http://www.sophos.com for more details and screencaps.

Posted by Matthew Carrick at 10:27.40 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Wednesday, May 18, 2011

Encrypt Your Dropbox Files

If you were mightily annoyed or even downright peeved with the recent Dropbox fiasco wherein the company all but admitted that data stored on its site can be accessed by employees then check out SecretSync. Files residing in the SecretSync folder within Dropbox are, of course, synced like any others even amongst numerous computers and are always encrypted when online. So, unless they are in your physical control they're encrypted and no one can access them. Neat, heh? Here is the FAQ for further clarification.

Posted by Matthew Carrick at 10:45.57 PM EDT | Permanent Link

| Categories: Physical Security, Privacy Issues, Software Tools

Wednesday, April 20, 2011

iPhone Tracker Revealed

A story from the Guardian reveals Apple keeps a file on the iPhone and iPad that contains the latitude and longitude of the phone's recorded positions coupled with a time stamp. When synchronised with the owner's computer this file is copied over, resulting in two copies. The file data can be accessed with minimal effort by anyone with possession of the device(s). You can access this file with this handy application called IphoneTracker. The only saving grace is that the file is apparently not uploaded to Apple. Stay tuned for the fallout from this.

Posted by Matthew Carrick at 11:39.27 AM EDT | Permanent Link
Edited on: Wednesday, April 20, 2011 11:48.09 AM EDT
Comment by Matthew - Saturday 23rd April 2011 04:48:26 AM

Google's Android phones also track you but only for the last 50 locations or 100 locations when using WiFi. It is also more difficult to access the file as you would need to 'root' the phone first. Still, unencrypted files do not make for secure phones.

| Categories: All Things Mac, Physical Security, Privacy Issues, Security Alerts

Thursday, December 23, 2010

IE Exploit for Xmas!

Microsoft's Internet Explorer is the target of a new zero day attack.
Best Practice? If you're using IE, stop.
If you must use IE then perhaps Sandbox it with Sandboxie.
Why not try Firefox (with the awesome No-Script Add-on) or Opera instead?
Safer, Better and hip . . . like the kids say.
Posted by Matthew Carrick at 10:26.44 PM EST | Permanent Link
Comment by Matthew - Wednesday 05th January 2011 08:29:54 PM

Bill has posted a 'Fix it' for this annoyance here: http://support.microsoft.com/kb/2490606

| Categories: Adware/Spyware, Best Practices, Internet Explorer, Mozilla Firefox, Opera, Privacy Issues, Security Alerts, Viruses-Trojans-Worms

Monday, November 08, 2010

Firefox BlackSheep: Anti-Networking Sniffing Tool

Not too long ago a Firefox extension called Firesheep designed to (according to the writeup at Lifehacker.com) ". . . sniff out weak security and/or hijack web site credentials on open Wi-Fi networks." was released. While useful for legitimate tasks it also gave crackers a tool that could allow them obvious access to PC's at your local coffee shop.

Now BlackSheep, an anti-Firesheep tool has been released. It is designed to alert you whenever Firesheep is active on your local network.

If you frequent establishments where you use Wi-Fi you might consider using this Firefox extension. The download page is here: http://www.zscaler.com/blacksheep.html

You should also look into grabbing the HTTPS Everywhere Firefox extension which encrypts your entire session not just the login portion.

Monday, October 18, 2010

Facebook coughing up UID's

The online platform for farming, organized crime and poker . . . known in these here parts as Facebook, again finds itself on the wrong end of user privacy. It appears certain online apps (Farmville, etc) have been providing info that could allow evil-doers to reveal names, phone numbers, email addresses, photos and other personal bits.

I use Facebook but never play any games and check the privacy settings religiously to try and stay ahead of the inevitable security breach.

An excellent write up is here: http://mashable.com/2010/10/18/facebook-apps-leak-user-info/

Posted by Matthew Carrick at 9:21.41 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues, Security Alerts

Thursday, October 07, 2010

Gmail Security Checklist

The safety conscious folks at Google have a new page that explains how to check your account to ensure your privacy level is adequate.

It is here: http://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488

Even if you think you are covered give this checklist a glance - you may well be surprised.

Posted by Matthew Carrick at 10:21.40 AM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Tuesday, September 28, 2010

New Hotmail Account Recovery Tools

Microsoft has introduced two new features for use when you need to regain control of your Hotmail account(s). Good job, Bill!

First, “Trusted PC” links your Hotmail account with one or more of your physical PC's. Should you need to recover your cracked account it can be done by using one of these machines.

Second, Hotmail will send a secret code via SMS to your cell phone that can be used to reset the password of your cracked account.

So, if you still use Hotmail, log in to your account(s) and ensure it has all the details required to allow you to recover your account in the future because you know it will happen.

Posted by Matthew Carrick at 12:30.25 PM EDT | Permanent Link

| Categories: Headlines, Mobile, Online Apps, Privacy Issues

Monday, July 05, 2010

Critical Microsoft Fixit

Bill has announced that an unpatched critical security hole in Windows XP operating systems is a genuine threat. A temporary patch using Microsoft Fix it is available here - after the .msi file downloads double-click it and the install is self-explanatory. Users who apply this patch will not need to uninstall it before applying the official patch when it becomes available towards the middle of July.

Sunday, May 23, 2010

Facebook Privacy Widget

This is a lovely Firefox Add-on that attempts to check and then offer to fix all your rogue Facebook settings. Krebs on Security reports on a study that found most of the Firefox crashes were due to crappy Facebook applications :(
Posted by Matthew Carrick at 10:35.59 PM EDT | Permanent Link

| Categories: Firefox Extensions, Online Apps, Privacy Issues

Friday, May 07, 2010

Facebook IP Leak

It appears emails sent from Facebook contain enough info that it is possible to geo-locate a sender. The details are here.
Posted by Matthew Carrick at 9:01.44 PM EDT | Permanent Link

| Categories: Online Apps, Privacy Issues

Thursday, May 06, 2010

Facebook f**k up

Oops. Facebook's new Open Graph API is leaking sez PC World. It's security breaches such as these that will cause problems because of the interrelationship between so many disparate applications and the general mass of users who never check settings. If people don't start taking security seriously before a problem develops the cost and effort to fix the problem could be very high indeed.