BuyLow.com Computers And Internet - Internet Security, Computers, Mobile Devices, Networks

Secure Your Wireless Network

Wireless networks are becoming increasingly popular, but they introduce additional security risks. If you have a wireless network, make sure to take appropriate precautions to protect your information.

How do wireless networks work?
As the name suggests, wireless networks, commonly called Wi-Fi, allow you to connect to the internet without relying on wires. If your home, office, airport, or even local coffee shop has a wireless connection, you can access the network from anywhere within range of it.

Wireless networks rely on radio waves rather than wires to connect computers to the internet. A transmitter, known as a wireless access point or gateway, is wired into an internet connection. This provides a “hotspot” that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (service set identifier), that allows computers to locate them. Computers that have a wireless card and are permitted to join the network can take advantage of the connection. Some computers automatically list the wireless networks in range, while others may require that you locate and manually enter information such as the SSID.

What security threats are associated with wireless networks?
Because wireless networks do not require a wire between a computer and the internet connection, it is possible for attackers who are within range to hijack or intercept an unprotected connection. A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. This information is then usually posted online. Some individuals who participate in or take advantage of wardriving have malicious intent and could use this information to hijack your home wireless network or intercept the connection between your computer and a particular hotspot.

What can you do to minimize the risks to your wireless network?

•Change default passwords – Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Changing default passwords makes it harder for attackers to take control of the device (see Choosing and Protecting Passwords for more information).

•Restrict access – Only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address, and most access points can restrict or allow access by filtering MAC addresses. Consult your user documentation for how to enable this. Bear in mind that MAC addresses are sent in the clear in every frame and can be set to any value in software, so an attacker in range can copy an authorized device’s address; MAC filtering keeps out casual users, not a determined one. There are also technologies (such as WPA2 Enterprise with 802.1X) that require wireless users to authenticate with individual credentials before joining the network.

•Encrypt the data on your network – WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt the traffic between your devices and the access point. WEP is broken, not merely weaker: its key can be recovered from captured traffic in minutes with freely available tools, so it offers no real protection. The original WPA (with the TKIP cipher) was a stopgap and is deprecated as well; look for gear that supports WPA2 with AES (CCMP), and use a long, random passphrase, because WPA and WPA2 in personal mode are only as strong as that passphrase against an offline dictionary attack on a captured handshake. Encryption keeps anyone in radio range who has not joined the network from reading your traffic; it does not protect you from someone who has the passphrase and is already on the network (see Understanding Encryption for more information).

•Protect your SSID – Change the default SSID. Default names reveal the make of your access point, and attackers precompute WPA key tables for the most common ones, so a unique name forces them to start over for your network. Do not rely on hiding the SSID (turning off its broadcast): it still travels in the clear whenever a client connects, and your own devices will then probe for the name wherever they go, advertising it. Consult your user documentation for how to change the SSID.

•Install a firewall – While it is a good security practice to install a firewall on your network, you should also install a firewall directly on your wireless devices (a host-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer (see Understanding Firewalls for more information).

•Maintain anti-virus software – You can reduce the damage attackers may be able to inflict on your network and wireless computer by installing anti-virus software and keeping your virus definitions up to date (see Understanding Anti-Virus Software for more information). Many of these programs also have additional features that may protect against or detect spyware and Trojan horses (see Recognizing and Avoiding Spyware and Why is Cyber Security a Problem? for more information).
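Why changing the default SSID and choosing a long passphrase both matter can be seen in how WPA/WPA2 personal mode turns a passphrase into its key. The Python below is an added example, not part of the original tip or of any vendor’s code: it derives the 256-bit PSK as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt), builds the kind of per-SSID precomputed table wardrivers keep for common default names, and runs a dictionary attack. The SSIDs, wordlist and passphrases are constructed, and a direct PSK comparison stands in for the MIC check over a captured four-way handshake that a real attack performs.

```python
import hashlib

# Constructed values for this example; none of them come from the page.
COMMON_DEFAULT_SSIDS = ["linksys", "NETGEAR", "default", "dlink"]
SMALL_WORDLIST = ["password", "12345678", "letmein1", "sunshine", "football"]

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_LENGTH = 32            # 256-bit pairwise master key


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1(passphrase, SSID).

    The SSID is the salt and the iteration count is fixed, so the only
    per-network variation an attacker has to defeat is the SSID itself.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PSK_LENGTH)


def build_psk_table(ssid: str, wordlist) -> dict:
    """Precompute PSK -> passphrase for one SSID.

    This is the table wardrivers build once per common default SSID: the
    expensive PBKDF2 work is done ahead of time, and every network still
    using that SSID can then be checked with a dictionary lookup.
    """
    return {wpa_psk(word, ssid): word for word in wordlist}


def lookup_psk(target_psk: bytes, table: dict):
    """Instant check against a precomputed table; None if the SSID or the
    passphrase differs from what the table was built for."""
    return table.get(target_psk)


def dictionary_attack(target_psk: bytes, ssid: str, wordlist):
    """Fallback when no table exists for the SSID: pay 4096 SHA-1 rounds per
    candidate. In a real attack the comparison would be the MIC check over a
    captured four-way handshake; a direct PSK compare stands in for it here."""
    for word in wordlist:
        if wpa_psk(word, ssid) == target_psk:
            return word
    return None


if __name__ == "__main__":
    # Tables for the usual default names, built once and reused everywhere.
    tables = {s: build_psk_table(s, SMALL_WORDLIST) for s in COMMON_DEFAULT_SSIDS}

    # Case 1: default SSID, weak passphrase -> recovered by table lookup.
    victim = wpa_psk("sunshine", "linksys")
    print("linksys / sunshine, table     ->", lookup_psk(victim, tables["linksys"]))

    # Case 2: same weak passphrase, SSID renamed -> every table misses, but a
    # per-network dictionary run still succeeds because the word is common.
    victim = wpa_psk("sunshine", "k7-home-2a")
    print("k7-home-2a / sunshine, tables ->",
          [lookup_psk(victim, t) for t in tables.values()])
    print("k7-home-2a / sunshine, re-run ->",
          dictionary_attack(victim, "k7-home-2a", SMALL_WORDLIST))

    # Case 3: long passphrase not in any wordlist -> attack fails.
    victim = wpa_psk("correct horse battery staple 91", "k7-home-2a")
    print("k7-home-2a / strong, re-run   ->",
          dictionary_attack(victim, "k7-home-2a", SMALL_WORDLIST))
```

Run as a script, the three cases show the point of the tip above: the table built for linksys finds the weak passphrase instantly on a network still using that default, misses it once the SSID has been renamed (forcing the attacker to spend 4096 SHA-1 rounds per guess for that one network), and fails outright when the passphrase is not in the wordlist. WPA2 with AES removes WPA’s cipher weaknesses but not this one: in personal mode the passphrase is the key.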

Authors: Mindi McDowell, Allen Householder, Matt Lytle

Beware Of USB Flash drives

1.If you find a USB flash drive in the wild, don’t plug it into your USB port: with AutoRun enabled, Windows can launch a program named in the drive’s autorun.inf the moment the drive is inserted, and on versions of Windows where AutoRun is off by default an AutoPlay prompt can still be clicked through. A drive that presents itself as a keyboard rather than as storage is stopped by neither setting.
2.Though many organizations’ standards call for disabling AutoRun and AutoPlay, you should check and set yours. To disable AutoPlay through the drive’s properties (Windows XP; removable drives have the same tab as CD-ROM drives):
Open My Computer
Right click on your CD-ROM drive and select “Properties”
Select the AutoPlay tab and, for each content type, set “Select an action to perform” to “Take no action”
Click Apply (you must apply each setting change one at a time!)
Repeat for each item in the list (alternatively ensure that all are set to “Prompt me for action”)

– SANS

LifeLock “ID Theft Protection” Claims

HARRISBURG – Pennsylvania, along with 34 other states, has reached a $12 million settlement with LifeLock Inc, an Arizona-based company accused of making confusing or misleading statements in the advertisement and promotion of its identity theft protection services.

“Identity theft is a major subject of concern and consumers deserve clear and accurate information before they spend their hard-earned money on so-called protection services,” Attorney General Tom Corbett said. “There is no place for exaggerated claims, ambiguous statements or unsubstantiated claims when discussing this extremely serious consumer issue.”

Corbett noted that the settlement includes an $11 million national fund for consumer relief, along with $1 million to support future consumer protection investigations and education by the states. He explained that all eligible LifeLock customers will be contacted directly by the Attorney General’s Office and the Federal Trade Commission with instructions about how to file a claim.

According to the investigation, LifeLock was accused of making numerous misleading statements and claims, including:

•”Complete protection” against identity theft.
•”Constant monitoring” of consumers’ credit reports.
•Preventing unauthorized changes to consumer credit information.
•Protecting children from identity theft (despite the fact that most children don’t have a credit history to protect).
•Stopping pre-approved credit card offers (which consumers can do for free).
Corbett said the investigation also reviewed complaints that LifeLock allegedly exaggerated the risk of identity theft, inflated the likelihood that consumers would become future victims and made confusing statements about a “million dollar guarantee” which would not actually provide any compensation or reimbursement for victims.

“It is important for every consumer to understand that some of the most important steps toward preventing or quickly catching identity theft can be done at home, absolutely free of charge,” Corbett said. “Closely checking your monthly credit card bills for unauthorized charges, studying your bank statements for unusual activity and regularly reviewing your credit report for signs of suspicious new accounts will give you a clear and accurate picture of your credit activity – putting you in a strong position to respond to any problems.”

Corbett noted that every Pennsylvania consumer is entitled to one free credit report every year from each of the three major credit bureaus. By spreading out their requests, it is possible for consumers to retrieve their credit reports several times per year – minimizing the length of time that any problems could go unnoticed.

Consumers can request their free credit reports by using the national website, created specifically for this purpose: www.annualcreditreport.com

Corbett also urged concerned consumers to visit the “Identity Theft Toolkit” section of the Attorney General’s website for tips to help prevent ID theft, along with step-by-step instructions for responding to any problems you encounter.

The consumer protection settlement with LifeLock was filed today in Commonwealth Court by Deputy Attorney General Kathryn H. Silcox, of the Attorney General’s Bureau of Consumer Protection.

The multi-state investigation involving LifeLock included Pennsylvania, Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington and West Virginia.

Don’t Let Personnel Issues Become Security Issues

Terminate Computer Access Before You End a Contract or Tell People They Are Fired

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger posed to the public by these acts was significant even if no accidents resulted. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.

Identifying Hoaxes and Urban Legends

Chain letters are familiar to anyone with an email account, whether they are sent by strangers or well-intentioned friends or family members. Try to verify the information before following any instructions or passing the message along.

Why are chain letters a problem?
The most serious problem is from chain letters that mask viruses or other malicious activity. But even the ones that seem harmless may have negative repercussions if you forward them:
•they consume bandwidth or space within the recipient’s inbox
•you force people you know to waste time sifting through the messages and possibly taking time to verify the information
•you are spreading hype and, often, unnecessary fear and paranoia
What are some types of chain letters?
There are two main types of chain letters:

•Hoaxes – Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category (see Avoiding Social Engineering and Phishing Attacks for more information).

•Urban legends – Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form is the email that promises users monetary rewards for forwarding the message or suggests that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted bandwidth and time.
How can you tell if the email is a hoax or urban legend?
Some messages are more suspicious than others, but be especially cautious if the message has any of the characteristics listed below. These characteristics are just guidelines—not every hoax or urban legend has these attributes, and some legitimate messages may have some of these characteristics:

•it suggests tragic consequences for not performing some action
•it promises money or gift certificates for performing some action
•it offers instructions or attachments claiming to protect you from a virus that is undetected by anti-virus software
•it claims it’s not a hoax
•there are multiple spelling or grammatical errors, or the logic is contradictory
•there is a statement urging you to forward the message
•it has already been forwarded multiple times (evident from the trail of email headers in the body of the message)
If you want to check the validity of an email, there are some websites that provide information about hoaxes and urban legends:

•Urban Legends and Folklore – http://urbanlegends.about.com/
•Urban Legends Reference Pages – http://www.snopes.com/
•TruthOrFiction.com – http://www.truthorfiction.com/
•Symantec Security Response Hoaxes – http://www.symantec.com/avcenter/hoax.html
•McAfee Security Virus Hoaxes – http://vil.mcafee.com/hoax.asp

Authors: Mindi McDowell, Allen Householder

Widespread P2P Data Breaches

The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.

Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.
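Finding out what a misconfigured client has actually exposed is the first step of the review the FTC asks for. The Python below is an added example, not material from the FTC or from any P2P vendor: it walks a directory the way a file-sharing client treats a shared folder (every file under the root is reachable, whatever its name or extension) and flags files containing structurally valid Social Security numbers or payment card numbers that pass the Luhn check, the kinds of data the Commission reports finding. The share contents are constructed in a temporary directory and mirror the common mistake of sharing a parent folder instead of the music folder; the two patterns are deliberately simple and would be extended (account numbers, health record identifiers) in practice.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample share for this example (not real data). The user meant
# to share "music" but pointed the client at the parent folder, so
# "Documents" went with it.
SAMPLE_SHARE = {
    "music/track01.mp3": b"ID3\x03\x00\x00\x00\x00\x00 constructed binary placeholder",
    "music/playlist.m3u": b"#EXTM3U\ntrack01.mp3\n",
    "Documents/payroll_2009.csv": b"name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n",
    "Documents/patient_intake.txt": b"DOB 01/02/1970 SSN 078-05-1120 visit reason: follow-up\n",
    "Documents/notes.txt": b"Order 1234-5678-9012 shipped; placeholder id 000-00-0000\n",
}

# SSA structural rules: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) hits for SSNs and Luhn-valid card numbers."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def scan_share(root: Path) -> dict:
    """Walk a shared folder as a P2P client exposes it. Files are read as text
    with undecodable bytes dropped, so binaries and odd extensions are
    scanned too; only files with hits are reported, keyed by relative path."""
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_bytes().decode("utf-8", errors="ignore")
        hits = find_sensitive(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def write_sample_share(root: Path) -> None:
    """Materialize the constructed share on disk."""
    for rel, data in SAMPLE_SHARE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> dict:
    """Create the constructed share in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="p2p-share-"))
    write_sample_share(root)
    return scan_share(root)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(f"{rel}: {', '.join(f'{k}={v}' for k, v in hits)}")
```

Point scan_share at the folder a client is actually sharing (the client’s own settings dialog, not the user’s memory of them, is the authority) and anything it reports is already retrievable by every peer on the network; the notes file shows why the Luhn and SSA checks matter, since plain digit patterns would flag it as well.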

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

As the nation’s consumer protection agency, the FTC enforces laws that require companies in various industries to take reasonable and appropriate security measures to protect sensitive personal information, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. Failure to prevent such information from being shared to a P2P network may violate such laws. Information about the FTC’s privacy and data security enforcement actions can be found at www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.

The notices went to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands. In the notification letters, the FTC urged the entities to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure that they are reasonable, appropriate, and in compliance with the law. The letters state, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses’ notification responsibilities in these circumstances.

Samples of the notification letters can be found at: http://www.ftc.gov/os/2010/02/100222sampleletter-a.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-b.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-c.pdf. The fact that a company received a letter does not mean that the company necessarily violated any law enforced by the Commission. Letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction.

The FTC appreciates the assistance of the Department of Health and Human Services, the Securities and Exchange Commission, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the Office of Comptroller of the Currency.

The new business education brochure – titled Peer-to-Peer File Sharing: A Guide for Business – is designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks, and explain how to safeguard sensitive information on their systems, and other security recommendations. This information is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. Tips for consumers about computer security and P2P can be found at www.onguardonline.gov/topics/p2p-security.aspx.

The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

Internet Access For Visually Impaired

For more information visit: “100% access to information and communication with 0% human rights violations”

Nearly 200 cyber experts and other stakeholders seeking access to the Web for scores of millions of people with visual and other disabilities wrapped up a four-day United Nations workshop in Geneva today, stressing the need for universal access despite handicaps.
“The key to the information society is universal access and no one should be denied the potential benefits of ICTs [information and communication technologies], not least because they are hampered by their disabilities,” UN International Telecommunication Union (ITU) Secretary-General Hamadoun Touré said, noting that an estimated 650 million people live with disabilities worldwide.

“ICTs have the great merit of serving as a powerful equalizer of abilities, empowering persons with disabilities to fulfil their potential, realize their own dreams and ambitions, and take their place as active members of society.”

ITU, which co-organized the workshop with the UN World Intellectual Property Organization (WIPO), focuses on a series of strategic issues ranging from the rights of the disabled to making technical design standards accessible to providing education and training on accessible ICTs.

WIPO Director General Francis Gurry underlined the importance of accessibility in general and reaffirmed his agency’s commitment to establishing an accessible web environment that promotes easy access to intellectual property information in line with its visually impaired persons (VIP) initiative launched in 2008 to explore ways to facilitate and enhance access to literary, artistic and scientific works for the VIP community.

Mr. Gurry, noting that only 5 per cent of all published works are currently available in formats accessible to the VIP community, said WIPO and its member states are actively seeking to improve this situation. WIPO’s copyright committee is currently considering a draft treaty that would create an enabling legal environment to address exceptions and limitations to international copyright law.

A first workshop was hosted by WIPO last May, and the forums are in line with the UN Convention on the Rights of People with Disabilities which entered into force in 2008, which requires that accessibility be taken into account in the design of new information technologies and systems.

This week’s meeting brought together experts from the World Wide Web consortium, Mobile web initiative, Yahoo!, Adobe Systems Incorporated and the British Royal National Institute for Blind People. Participants agreed on the need for an annual workshop to keep abreast of technological developments and to share knowledge and experience of the issue within the UN system.

Virtualized Operating System For Supercomputer

The Department Of Energy National Laboratories — New work on the Red Storm supercomputer at DOE’s Sandia National Laboratories is helping to make supercomputers more flexible and accessible, in effect removing them from the constraints of their specialized operating systems. Sandia researchers, working with researchers from Northwestern University and the University of New Mexico, coaxed 4,096 of Red Storm’s total 12,960 compute nodes into accepting a virtualized external operating system — a leap of at least two orders of magnitude over previous efforts.

“The goal is to create a more flexible environment for all users,” said Sandia researcher Kevin Pedretti. If supercomputers can be virtualized without sacrificing performance it will increase the utility of these significant national infrastructure investments, he said.

ComputerTraining.com Hit With Consumer Protection Lawsuit

HARRISBURG – A Maryland-based computer training school that suddenly closed in mid-December, after taking nearly $2 million dollars in tuition payments from Pennsylvania students, is the subject of a lawsuit filed by the Attorney General’s Bureau of Consumer Protection.

Attorney General Tom Corbett said the suit was filed against ComputerTraining.com, Inc., (ComputerTraining) which offered computer training and certification programs through four Pennsylvania companies operating at locations at Bensalem, King of Prussia, Lancaster and Pittsburgh. The school also operated in 14 other states.

“Pennsylvania students paid anywhere from $13,000 to $25,000 for various computer training programs, only to be left out in the cold when ComputerTraining suddenly locked its doors in December,” Corbett said. “These students were trying to improve their skills and build careers – only to be abandoned to face substantial loans or debts, incomplete training and a long list of unanswered questions about their educational futures.”

According to the lawsuit, the schools knew, or should have known, about mounting financial difficulties, the threat of closure and the strong likelihood that they would be unable to provide training services for students.

Corbett said that students were required to pay all, or nearly all, of their educational costs and fees up-front, before beginning their courses.

“Despite growing financial problems, ComputerTraining continued to enroll new students and collect advance payments from consumers without disclosing any potential problems,” Corbett said. “Additionally, the school continued to advertise classes and services on its website even after halting operations in December.”

According to the lawsuit, ComputerTraining also provided deceptive or misleading information about possible refunds.

“In a December email message announcing the closing, students were instructed to contact the Pennsylvania Department of Education in order to request refunds, even though the surety bonds that had been posted with the department would cover only a very small percentage of the outstanding tuition,” Corbett said. “Knowing that the surety bonds amounted to only pennies, compared to the thousands of dollars that students had paid, the instructions to contact the Department of Education about refunds were not only deceptive but also insulting to all the victims.”

Corbett said the lawsuit filed by the Attorney General’s Bureau of Consumer Protection seeks full restitution for all victims who suffered losses, along with fines and civil penalties of up to $1,000 for each violation of the Consumer Protection Law (up to $3,000 for each victim over the age of 60). The lawsuit also asks the court to prohibit the school from operating in Pennsylvania.

Corbett said the Attorney General’s Office has also filed a request for a special preliminary injunction against ComputerTraining – asking the court to freeze all bank accounts and financial assets; prohibit the sale, transfer or distribution of any other assets; safeguard all student records and personal information; and preserve all financial and business records.

Students who enrolled at ComputerTraining and paid tuition for classes that were not provided should file formal complaints with the Attorney General’s Bureau of Consumer Protection. Complaint forms can be obtained by calling the Attorney General’s Consumer Protection Hotline at 1-800-441-2555 or online at www.attorneygeneral.gov (Click on the “Complaints” button on the front page of the website and select “Consumer Complaint Form” from the menu).

Corbett also urged students to contact their bank to halt any automatic payments to the school. If they obtained student loans, they should contact their financing company to stop any additional transfer of funds to the school.

Additionally, students should contact the Pennsylvania Department of Education, Division of Private Licensed Schools, at 717-783-8228, for more information about possible assistance being provided to displaced students.

The consumer protection lawsuit was filed in Commonwealth Court by Senior Deputy Attorney General Henry Hart and Deputy Attorney General Michael C. Gerdes, of the Attorney General’s Bureau of Consumer Protection.

Court Bans Sale of Microsoft Word

A federal appeals court has upheld an injunction barring Microsoft from selling versions of Word that contain the custom XML editing feature at issue. Microsoft must also pay the Canadian company i4i Inc. $290 million for infringing its patent.

i4i founder Michel Vulpe said the ruling is “an important step in protecting the property rights of small inventors.”
