Apple Attacks On The Rise?

We here at Geekamongus are by no means partial to one operating system over another.  We love Macs, we love Linux, we love Solaris, and we love those other guys.  Seriously, in no way do we ever intend on taking sides, and articles such as this one are not to be mistaken as an attack upon a particular vendor, nor should they be misconstrued as a statement proclaiming that we prefer other platforms.

That said, some news items of late have raised a few eyebrows upon the foreheads of the security-minded regarding Apple and their operating system, OS X.  For example, there seems to be a new variant of an OS X trojan out there, according to the folks at macnn.com.

Judging by the responses from the opinionated users at the bottom of that article, the Mac fan base may be smart enough to avoid such malicious software.  Cynicism aside, it is clear there is an entirely untapped user base upon which phishing attacks may be starting to prey.  One must consider the fact that people who have used Macs their whole lives may not be as familiar with such vulnerabilities, where a web site tries to trick you into downloading a plugin with ulterior motives in mind, and that they could be more easily fooled into taking the bait.  Heck, it would seem the folks at Apple could use some tutelage about Microsoft viruses too.

Seeing as Apple still considers themselves to be rather impervious to viruses, trojans, worms, and their ilk, I don’t foresee this getting better any time soon, even though they did briefly post a note about using antivirus software on their website.  One thing Microsoft users have going for them is that they are by-and-large more aware of common Internet vulnerabilities because they run into them more often, and they must take steps to avoid them.  Some may even have received training in the workplace or from a geeky niece or nephew.

Granted, OS X is based upon a relatively secure Unix kernel and the Apple marketshare is much smaller than that of Microsoft.  That can certainly help when talking about the prevention of spreading traditional viruses, trojans, and worms.  However, when a user is unaware and clicks “OK” to download and install a seemingly legitimate plugin, all bets are off.  And who knows what evil is brewing in the basements of evildoing jerkfaces to target OS X itself in ways which Windows users are unfamiliar with.

PCI Compliance

The other day I had an old client forward me an email from their credit card processing company, saying that the server upon which their website was hosted failed their PCI Compliance security check.  I had never heard of this and was wary that it might be a service they were being tricked into adding on, but upon further investigation, I learned that many credit card processing companies are now instituting this new security policy, which is designed to tighten up security on web servers in order to decrease the chances of credit card theft.

This sounded all well and good, and I figured that with my background in securing servers to meet Department of Defense standards it ought to be a breeze.  Little did I know that the server in question would put up quite a battle for the lone reason that it was running Plesk, the web host management tool.  I had written off Plesk long ago, having ditched the server I had it running on after many issues with it, and I thought I would never have to work with it again, but alas…

I started Googling, of course, and found some great resources out there which cover the tightening up of Plesk in order to meet PCI compliance.

One of the best articles I found was at linux-advocay.org, which explains how to fix issues with Courier, Qmail, Apache, SSL, and iptables in case you don’t have Plesk’s Firewall add-on.

Also, a fellow by the name of DrJermy writes of his solutions about dealing with Plesk and PCI Compliance.

For some general information about what PCI compliance is all about, check out pcicomplianceguide.org.

My Take

As I worked through the PCI issues with the client who contacted me, I started realizing that the standards by which the server was being scanned were presumptuous in that they didn’t take into account backporting, as implemented by RedHat, and that they were making me fix issues which seemed rather trivial in regards to credit card processing security.

If they really wanted to do something that mattered, they should have a look at the NSA’s hardening guides.

Google Responds to GMail Vulnerability Allegations

Google says the recent GMail account breaches were due to typical phishing scams, not a vulnerability in GMail itself.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords.

They don’t say exactly how the usernames and passwords were harvested, however.  Were people just dumb/gullible enough to type their Google usernames and passwords into some other web site?  Or was there a way for these phishing sites to grab the authentication info from the user’s browser?  Is this the fault of the web browser or a faulty plugin?

While the fingers continue to be pointed, the specific methodology for adding malicious filters to a GMail account by way of a phishing attack remains a threat.

GMail Vulnerability? Watch Your Back.

I’ve been following the story about the domain name hijacking of MakeUseOf.com the last few weeks with interest.  All signs are pointing to the domain thief having cracked the MakeUseOf.com Gmail account in order to retrieve their GoDaddy.com password and transfer the ownership of the domain.

This is not good for any GMail user, let alone domain name owners who registered their domains using a GMail address as the contact.

Apparently, this one hacker has stolen over 850 domains this way, and holds them for ransom at $2000 apiece.

The latest part of the saga details how the MakeUseOf.com folks think this happened, right down to the hacking of the GMail account.  If there is indeed a security flaw in GMail, which there appears to be, MakeUseOf.com offers prudent steps to take in order to secure yourself (emphasis added by me):

(1) Well, my very first advice would be to check your email settings and make sure your email is not compromised. Check forwarding options and filters. Also make sure to disable IMAP if you don’t use it. This also applies to Google Apps accounts.

(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing the web.

(3) Make sure to upgrade your domain to private registration so that your contact details don’t show up on WHOIS searches. If you’re on GoDaddy I’d recommend going with Protected Registration.

(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.

I would add to that list:

(5) Always use secure, encrypted GMail.  There is an option at the bottom of the main Settings page in GMail for “Always use https” under the “Browser Connection” heading.  Select this and leave it selected!  Otherwise, anything you do in GMail is sent unencrypted over the Internet.  Not good!

Keep in mind that this security flaw not only matters to domain name owners, but to anyone who has any sensitive email in their GMail account, whether it be online banking info, love letters, or whatever.

This will be interesting to watch, and I hope Google takes notice of this.

UPDATE:  This fellow here has posted a proof-of-concept on creating malicious filters in someone’s GMail account.
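A defender-side check for the malicious-filter pattern in step (1) above, as an added example that is not from the original post or from MakeUseOf: it walks a Gmail filter export (assumed here to be the Atom feed Gmail produces, one entry per filter with each rule as an apps:property) and flags filters that forward mail to an address you did not list, or that forward and then hide the message. The feed below is constructed and the .invalid address is a placeholder.

```python
"""Flag Gmail filters that silently forward or hide mail.

Added example; assumes the Atom shape of Gmail's filter export (one <entry>
per filter, each rule an <apps:property name=... value=.../>). The feed
below is constructed and the '.invalid' address is a placeholder.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed export: a harmless newsletter filter, then a hijack-style one
# that grabs registrar mail, forwards it off-account and trashes the copy.
SAMPLE_FEED = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='godaddy.com'/>
    <apps:property name='forwardTo' value='drop@external-mailbox.invalid'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry."""
    filters = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def suspicious_filters(filters, allowed_forwards):
    """Return (filter, reason) pairs for filters matching the hijack pattern.

    allowed_forwards: the set of addresses you knowingly forward to.
    """
    allowed = {a.lower() for a in allowed_forwards}
    findings = []
    for f in filters:
        fwd = f.get("forwardTo")
        if fwd and fwd.lower() not in allowed:
            findings.append((f, "forwards to unexpected address " + fwd))
        hides = f.get("shouldTrash") == "true" or f.get("shouldArchive") == "true"
        if fwd and hides:
            findings.append((f, "forwards and then hides the message"))
    return findings


if __name__ == "__main__":
    for flt, why in suspicious_filters(parse_filters(SAMPLE_FEED), set()):
        print(f"from={flt.get('from')!r}: {why}")
```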

Practical Security: Wireless Network Security & WPA

In light of the latest wireless vulnerability found, which can break “WPA” using “TKIP” for encryption, I thought I would advise everyone to review your home wireless setup.

The subject of securing your wireless (or wired) networks at home could be talked about for hours on end, and depending on what hardware (model/brand) you have, your set-up and configurations may vary. Please see the documentation that came with your device or the company’s website for more information on the specific model you have. Also, don’t hesitate to call or email the vendor for help if needed.

Basically it comes down to these few things:

  1. Don’t broadcast your SSID if possible. (See your manual, and see this link)
  2. Use Wireless MAC filtering if possible. (See your manual, and see this link)
  3. Don’t use WEP for encryption.
  4. Don’t use WPA w/TKIP (this is now breakable).
  5. Change your WPA from TKIP to AES for encryption. (See your manual)
  6. If your hardware (computer and wireless router) supports it, move to WPA2. (See your manual)
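The checklist above as an added audit script that is not from the original post: it reads a hostapd-style access-point config (real hostapd option names: wpa, wpa_pairwise, rsn_pairwise, wep_key0, ignore_broadcast_ssid, macaddr_acl) and lists which of the six items still need changing. Both sample configs are constructed, and the passphrases are placeholders.

```python
"""Audit a hostapd-style access-point config against the wireless checklist.

Added example, not from the original post. Option names are hostapd's own;
the two sample configs are constructed and the passphrases are placeholders.
"""


def parse_hostapd(text):
    """Parse 'key=value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_wifi(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    wpa = int(conf.get("wpa", "0"))  # 0 = open/WEP, 1 = WPA, 2 = WPA2, 3 = both
    # WEP is enabled by supplying static keys; item 3 says it must go.
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys configured: WEP is broken, use WPA2 with AES (CCMP)")
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 at all")
    # Items 4 and 5: hostapd defaults wpa_pairwise to TKIP and rsn_pairwise
    # to the wpa_pairwise value, so an unset cipher means TKIP.
    ciphers = set()
    if wpa & 1:
        ciphers |= set(conf.get("wpa_pairwise", "TKIP").split())
    if wpa & 2:
        ciphers |= set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher enabled: switch to CCMP (AES)")
    if wpa == 1:  # item 6
        findings.append("WPA (wpa=1) only: move to WPA2 (wpa=2) if hardware allows")
    # Items 1 and 2, the 'if possible' ones: hidden SSID and MAC allow-list.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast (ignore_broadcast_ssid=0)")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("no MAC allow-list (macaddr_acl is not 1)")
    return findings


# Constructed: a typical pre-2008 setup, WPA with TKIP and nothing else.
WEAK_CONF = """interface=wlan0
ssid=HomeNet
wpa=1
wpa_passphrase=CHANGE-ME-PLACEHOLDER
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
"""

# Constructed: the same network after working through the list.
STRONG_CONF = """interface=wlan0
ssid=HomeNet
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=CHANGE-ME-PLACEHOLDER
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, audit_wifi(parse_hostapd(text)) or ["OK"])
```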

General Home Computer Security Info:

  1. Make sure your Anti-virus application is updating/updated and enabled.
  2. At a minimum, make sure the Windows Firewall is enabled (unless you are on a Mac, in which case you should turn yours on too).
  3. Use strong passwords comprised of alpha/numeric/special characters on all your “Admin” level computer accounts.
  4. If you have any files or folders shared over your home network, make sure they are password protected.

There are a million resources for articles on computers and security online, but here are a few good ones if you are new or inexperienced with the subject (or just need a refresher).

Microsoft Security Resource for Home Users:
http://www.microsoft.com/protect/default.mspx

US-CERT.GOV – Home Users:
http://www.us-cert.gov/nav/nt01/
http://www.us-cert.gov/reading_room/home-network-security/

CERT.ORG – Home Users:
http://www.cert.org/homeusers/
http://www.cert.org/homeusers/HomeComputerSecurity/
http://www.cert.org/tech_tips/home_networks.html

With all that said, have a safe, secure, and happy computing day.

Apple Doesn’t Understand This “Secure” Thing

For years, people have loved Apples and Macs because of their relative security when compared to the likes of Microsoft, who are the target of tens of thousands of viruses, worms, trojans, and other types of malicious programming.

A large part of this has been because of the prevalence of Microsoft Windows, and the fact that Macs make up a tiny little percentage of the home or office computer realm.  However, ever since Apple released the iPhone, it would seem as if they have taken a step out into the world of the unknown, venturing into new territories where no one has gone before.

The problem is, many people have already been in these territories for many years, and Apple obviously has not been paying attention.  It’s like they never considered the thought that once they started venturing outside of the obscure marketshare into the eye of the general public, they too would become targeted by script kiddies, spammers, and all-around evildoers.

The fact of the matter is, Apple, Macs, iThings, and everything else they are doing IS being targeted more now than ever before, and unfortunately, Apple is sitting around wondering why instead of doing anything about it.

Take, for example, this new TechCrunch article explaining a simple way for spammers to harvest all the email addresses of MobileMe users.

From the article:

Apple knows about the problem but insists it isn’t an issue because no one has complained publicly. An Apple representative said to one of our readers: “We’ve never had a complaint from a customer about people spamming them because of their iDisk public folder name. There is no way to remove your account name from the iDisk folders. I’m very sorry.”

Um…ok.  So if I use MobileMe, I can expect a lot of spam.  Maybe they think I’ll get used to it.

TechCrunch goes as far as suggesting that Apple is falling apart at the seams.  They suggest failures with customer service and security exploits as warning signs.  The sad part is, Apple seems to either not care about fixing things, or just not get it, both of which are starting to come off as being arrogant.

Look at the recent ‘patching’ Apple did with the widely-publicized DNS spoofing vulnerability last month.  While every other vendor quickly tackled the problem, Apple released a patch that fixed only their server products, leaving their entire desktop user base still vulnerable.  It took them two more weeks, but on August 15 they finally patched it for everyone.

The nature of being secure, in my opinion, relies upon being open, recognizing vulnerabilities, and taking them head-on.  That’s why there is such a large, active community of security-aware researchers, vendors, and system administrators out there.  Apple seems to be shying away from all of this, perhaps out of naivety, perhaps out of conceit.

Whatever the case, I sincerely hope they come to their senses before it is too late.

Practical Security: Secure Email on Public Wifi Spots

In my revised capacity at my current job, I’ve been handling a lot of security issues: hardening of systems, software, and processes. I’ve also been studying for the Security+ certification, so needless to say, security has been at the top of my mind the last 5 months, and I wish it would be at least a little closer to the tops of the general public’s mind.

I’m going to start a new series of blog posts here called Practical Security in which I will pass on some of the more relevant best practices relating to the typical internet user, in hopes of helping to raise awareness amongst anyone who happens to read this blog. (Yes, all 4 of you).

Using Email on Public Wifi (and the high level of risks therein)

Question:
How often do you stop at a coffee shop to check your email with your laptop, or leech that open ‘linksys’ network while sitting at a traffic light with your PDA to shoot off a quick note to your boss? OK, maybe I’m the only one who does that at traffic lights, but you get my point.

If you have a portable device that can access the Internet, my guess is that your answer is “quite often”.

Question:
How many of you have configured your email to use some sort of encryption? (Cue the crickets chirping).

As this excellent StopDesign article explains:

What you may not realize is how easily these low security settings allow someone else on the same network to spy on the data passing around on that network. Just because you’re the only person who can see your laptop screen, doesn’t necessarily mean you’re the only one who can see the email message you just got from a friend. Just as easily as someone could sit near you in a quiet cafe or library and overhear your entire verbal conversation with another person, so could they “listen in” on all the usernames, passwords, and messages passing to and from your computer. (And everyone else’s computer for that matter.)

Kinda scary, huh? If you think about it, once they have your email account password, it’s not too hard to go to your bank and generate a “lost password” request, which will get sent to your email address, which they now have control of. Or they might simply decide to send a breakup letter to your boyfriend on your behalf if they are not feeling so malicious. Or maybe they thought it would be funny to email your boss and tell him how good he looks when he gets out of the shower.

By default, email is not secure!

Yes, this includes you, Mac user. Yes, this includes you, Gmail/Yahoo/Hotmail/AOL user.

Make sure your email is on a secure connection!

The Lowdown
If you use a webmail service such as Hotmail, Yahoo Mail, Gmail, or the like, make sure your web browser (Internet Explorer, Safari, Firefox, etc) is in “secure” mode by looking for the lock icon. Alternately (or additionally), look at the address bar of your web browser to make sure the address showing starts with https and not just http.

If you use Outlook, Outlook Express, Thunderbird, Mac Mail, or any other ‘program’ on your computer to manage your email, there are ways to set up these applications to run only on secure connections using SSL, TLS, SSH, and other methods. You may need to consult your local IT guru or read the rest of the StopDesign article, or this well-written article entitled “5 Steps to Make Your Email Secure”.

Whatever you do, stop checking your email at Starbucks unless you know it is secure!

Internet Explorer

Still using Microsoft’s Internet Explorer browser on your Windows machine? Stop already!

With the most recent critical, unpatched security exploits running wild, reports are coming in regarding otherwise innocent web sites silently installing malicious programs that steal your passwords and other sensitive information.

Do yourself a favor and install Firefox or Opera, both free browsers that provide a much better, safer Internet experience. There is no reason not to do this now, unless you like other people having access to your computer and everything you do on it.

If you are still using Microsoft’s Internet Explorer on your Macintosh computer, well, you are missing out on the Internet as it is today. This browser is not subject to the same exploits that the Windows version is, but it is no longer updated or supported by Microsoft, and doesn’t take advantage of many of the newer features of the World Wide Web as we know it. You too can upgrade to Firefox for free.
