BuyLow.com Computers And Internet - Internet Security, Computers, Mobile Devices, Networks

BuyLow.com | Resources | Contact Us


 

E-mail Is Insecure by Default

E-mail is insecure because it is more like a postcard, not a sealed envelope.

A number of people are under the misconception that when they draft and send e-mail, two things occur. Their message gets sealed in an envelope (that’s why you have to open e-mail right?) and that it goes directly to the person it was sent to via internet magic. The truth is your e-mail is sent in plain text (i.e. readable by anyone who picks it up along the way) and is passed around the Internet with multiple stops until it reaches its destination. People with evil intentions can intercept your e-mail, read it or even alter it before it reaches your intended recipient.

Understanding Your Computer: Email Clients

How do email clients work?
Every email address has two basic parts: the user name and the domain name. When you are sending email to someone else, your domain’s server has to communicate with your recipient’s domain server.

For example, let’s assume that your email address is johndoe@example.com, and the person you are contacting is at janesmith@anotherexample.org. In very basic terms, after you hit send, the server hosting your domain (example.com) looks at the email address and then contacts the server hosting the recipient’s domain (anotherexample.org) to let it know that it has a message for someone at that domain. Once the connection has been established, the server hosting the recipient’s domain (anotherexample.org) then looks at the user name of the email address and routes the message to that account.

How many email clients are there?
There are many different email clients and services, each with its own interface. Some are web-based applications, some are stand-alone applications installed directly on your computer, and some are text-based applications. There are also variations of many of these email clients that have been designed specifically for mobile devices such as cell phones.

How do you choose an email client?
There is usually an email client included with the installation of your operating system, but many other alternatives are available. Be wary of “home-brewed” software, because it may not be as secure or reliable as software that is tested and actively maintained. Some of the factors to consider when deciding which email client best suits your needs include

•security – Do you feel that your email program offers you the level of security you want for sending, receiving, and reading email messages? How does it handle attachments (see Using Caution with Email Attachments for more information)? If you are dealing with sensitive information, do you have the option of sending and receiving signed and/or encrypted messages (see Understanding Digital Signatures and Understanding Encryption for more information)?

•privacy – If you are using a web-based service, have you read its privacy policy (see Protecting Your Privacy for more information)? Do you know what information is being collected and who has access to it? Are there options for filtering spam (see Reducing Spam for more information)?

•functionality – Does the software send, receive, and interpret email messages appropriately?

•reliability – For web-based services, is the server reliable, or is your email frequently unavailable due to maintenance, security problems, a high volume of users, or other reasons?

•availability – Do you need to be able to access your account from any computer?

•ease of use – Are the menus and options easy to understand and use?

•visual appeal – Do you find the interface appealing?

Each email client may have a different way of organizing drafted, sent, saved, and deleted mail. Familiarize yourself with the software so that you can find and store messages easily, and so that you don’t unintentionally lose messages. Once you have chosen the software you want to use for your email, protect yourself and your contacts by following good security practices (see US-CERT Cyber Security Tips for more information).

Can you have use more than one email client?
You can have more than one email client, although you may have issues with compatibility. Some email accounts, such as those issued through your internet service provider (ISP) or place of employment, are only accessible from a computer that has appropriate privileges and settings for you to access that account. You can use any stand-alone email client to read those messages, but if you have more than one client installed on your machine, you should choose one as your default. When you click an email link in a browser or email message, your computer will open that default email client that you chose.

Most vendors give you the option to download their email software directly from their websites. Make sure to verify the authenticity of the site before downloading any files, and follow other good security practices, like using a firewall and keeping anti-virus software up to date, to further minimize risk (see Understanding Firewalls, Understanding Anti-Virus Software, and other US-CERT Cyber Security Tips for more information).

You can also maintain free email accounts through browser-based email clients (e.g., Yahoo!, Hotmail, Gmail) that you can access from any computer. Because these accounts are maintained directly on the vendors’ servers, they don’t interfere with other email accounts.

Author: Mindi McDowell

Secure Your Wireless Network

Wireless networks are becoming increasingly popular, but they introduce additional security risks. If you have a wireless network, make sure to take appropriate precautions to protect your information.

How do wireless networks work?
As the name suggests, wireless networks, sometimes called WiFi, allow you to connect to the internet without relying on wires. If your home, office, airport, or even local coffee shop has a wireless connection, you can access the network from anywhere that is within that wireless area.

Wireless networks rely on radio waves rather than wires to connect computers to the internet. A transmitter, known as a wireless access point or gateway, is wired into an internet connection. This provides a “hotspot” that transmits the connectivity over radio waves. Hotspots have identifying information, including an item called an SSID (service set identifier), that allow computers to locate them. Computers that have a wireless card and have permission to access the wireless frequency can take advantage of the network connection. Some computers may automatically identify open wireless networks in a given area, while others may require that you locate and manually enter information such as the SSID.

What security threats are associated with wireless networks?
Because wireless networks do not require a wire between a computer and the internet connection, it is possible for attackers who are within range to hijack or intercept an unprotected connection. A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. This information is then usually posted online. Some individuals who participate in or take advantage of wardriving have malicious intent and could use this information to hijack your home wireless network or intercept the connection between your computer and a particular hotspot.

What can you do to minimize the risks to your wireless network?

•Change default passwords – Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily found online, so they don’t provide any protection. Changing default passwords makes it harder for attackers to take control of the device (see Choosing and Protecting Passwords for more information).

•Restrict access – Only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address. You can restrict or allow access to your network by filtering MAC addresses. Consult your user documentation to get specific information about enabling these features. There are also several technologies available that require wireless users to authenticate before accessing the network.

•Encrypt the data on your network – WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) both encrypt information on wireless devices. However, WEP has a number of security issues that make it less effective than WPA, so you should specifically look for gear that supports encryption via WPA. Encrypting the data would prevent anyone who might be able to access your network from viewing your data (see Understanding Encryption for more information).

•Protect your SSID – To avoid outsiders easily accessing your network, avoid publicizing your SSID. Consult your user documentation to see if you can change the default SSID to make it more difficult to guess.

•Install a firewall – While it is a good security practice to install a firewall on your network, you should also install a firewall directly on your wireless devices (a host-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer (see Understanding Firewalls for more information).

•Maintain anti-virus software – You can reduce the damage attackers may be able to inflict on your network and wireless computer by installing anti-virus software and keeping your virus definitions up to date (see Understanding Anti-Virus Software for more information). Many of these programs also have additional features that may protect against or detect spyware and Trojan horses (see Recognizing and Avoiding Spyware and Why is Cyber Security a Problem? for more information).

Authors: Mindi McDowell, Allen Householder, Matt Lytle

Beware Of USB Flash drives

1.If you find a USB token in the wild, don’t plug it into your USB port as it could autoinstall software if your system is set to autoplay CDROMs.
2.Though many organizations’ standards call for disabling autoplay of CDROMs, you should check and set yours. To disable autoplay follow these instructions (for WinXP):
Open My Computer
Right click on your cdrom drive selecting “Properties”
Select Autoplay page and set each menu option to “Select an Action to Perform” = “Take no action”
Click Apply (you must apply each setting change one at a time!)
Repeat for each item in the list (alternatively ensure that all are set to “Prompt me for action”)

– SANS

LifeLock “ID Theft Protection” Claims

HARRISBURG – Pennsylvania, along with 34 other states, has reached a $12 million settlement with LifeLock Inc, an Arizona-based company accused of making confusing or misleading statements in the advertisement and promotion of its identity theft protection services.

“Identity theft is a major subject of concern and consumers deserve clear and accurate information before they spend their hard-earned money on so-called protection services,” Attorney General Tom Corbett said. “There is no place for exaggerated claims, ambiguous statements or unsubstantiated claims when discussing this extremely serious consumer issue.”

Corbett noted that the settlement includes an $11 million national fund for consumer relief, along with $1 million to support future consumer protection investigations and education by the states. He explained that all eligible LifeLock customers will be contacted directly by the Attorney General’s Office and the Federal Trade Commission with instructions about how to file a claim.

According to the investigation, LifeLock was accused of making numerous misleading statements and claims, including:

•”Complete protection” against identity theft.
•”Constant monitoring” of consumers’ credit reports.
•Preventing unauthorized changes to consumer credit information.
•Protecting children from identity theft (despite the fact that most children don’t have a credit history to protect).
•Stopping pre-approved credit card offers (which consumers can do for free).
Corbett said the investigation also reviewed complaints that LifeLock allegedly exaggerated the risk of identity theft, inflated the likelihood that consumers would become future victims and made confusing statements about a “million dollar guarantee” which would not actually provide any compensation or reimbursement for victims.

“It is important for every consumer to understand that some of the most important steps toward preventing or quickly catching identity theft can be done at home, absolutely free of charge,” Corbett said. “Closely checking your monthly credit card bills for unauthorized charges, studying your bank statements for unusual activity and regularly reviewing your credit report for signs of suspicious new accounts will give you a clear and accurate picture of your credit activity – putting you in a strong position to respond to any problems.”

Corbett noted that every Pennsylvania consumer is entitled to one free credit report every year from each of the three major credit bureaus. By spreading out their requests, it is possible for consumers to retrieve their credit reports several times per year – minimizing the length of time that any problems could go unnoticed.

Consumers can request their free credit reports by using the national website, created specifically for this purpose: www.annualcreditreport.com

Corbett also urged concerned consumers to visit the “Identity Theft Toolkit” section of the Attorney General’s website for tips to help prevent ID theft, along with step-by-step instructions for responding to any problems you encounter.

The consumer protection settlement with LifeLock was filed today in Commonwealth Court by Deputy Attorney General Kathryn H. Silcox, of the Attorney General’s Bureau of Consumer Protection.

The multi-state investigation involving LifeLock included Pennsylvania, Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington and West Virginia.

Don’t Let Personnel Issues Become Security Issues

Terminate Computer Access Before You End a Contract or Tell People They Are Fired

Shortly before a labor union strike in August 2006, two Los Angeles transportation engineers allegedly disconnected traffic signals at four busy intersections. Subsequently, these disgruntled employees were accused of unauthorized access to a computer, identity theft and unauthorized disruption or denial of computer services. The danger imposed on the public based on these acts was significant even IF there were no accidents as a result of this action. Had the Department of Transportation revoked computer access as soon as it terminated the contracts of the two engineers, LA would have avoided the risk to the public. P.S. It took the city days to get the traffic control system back to normal.

Identifying Hoaxes and Urban Legends

Chain letters are familiar to anyone with an email account, whether they are sent by strangers or well-intentioned friends or family members. Try to verify the information before following any instructions or passing the message along.

Why are chain letters a problem?
The most serious problem is from chain letters that mask viruses or other malicious activity. But even the ones that seem harmless may have negative repercussions if you forward them:
•they consume bandwidth or space within the recipient’s inbox
•you force people you know to waste time sifting through the messages and possibly taking time to verify the information
•you are spreading hype and, often, unnecessary fear and paranoia
What are some types of chain letters?
There are two main types of chain letters:

•Hoaxes – Hoaxes attempt to trick or defraud users. A hoax could be malicious, instructing users to delete a file necessary to the operating system by claiming it is a virus. It could also be a scam that convinces users to send money or personal information. Phishing attacks could fall into this category (see Avoiding Social Engineering and Phishing Attacks for more information).

•Urban legends – Urban legends are designed to be redistributed and usually warn users of a threat or claim to be notifying them of important or urgent information. Another common form are the emails that promise users monetary rewards for forwarding the message or suggest that they are signing something that will be submitted to a particular group. Urban legends usually have no negative effect aside from wasted bandwidth and time.
How can you tell if the email is a hoax or urban legend?
Some messages are more suspicious than others, but be especially cautious if the message has any of the characteristics listed below. These characteristics are just guidelines—not every hoax or urban legend has these attributes, and some legitimate messages may have some of these characteristics:

•it suggests tragic consequences for not performing some action
•it promises money or gift certificates for performing some action
•it offers instructions or attachments claiming to protect you from a virus that is undetected by anti-virus software
•it claims it’s not a hoax
•there are multiple spelling or grammatical errors, or the logic is contradictory
•there is a statement urging you to forward the message
•it has already been forwarded multiple times (evident from the trail of email headers in the body of the message)
If you want to check the validity of an email, there are some websites that provide information about hoaxes and urban legends:

•Urban Legends and Folklore – http://urbanlegends.about.com/
•Urban Legends Reference Pages – http://www.snopes.com/
•TruthOrFiction.com – http://www.truthorfiction.com/
•Symantec Security Response Hoaxes – http://www.symantec.com/avcenter/hoax.html
•McAfee Security Virus Hoaxes – http://vil.mcafee.com/hoax.asp

Authors: Mindi McDowell, Allen Householder

Widespread P2P Data Breaches

The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.

Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents. But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.

“Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure. Just as important, companies that distribute P2P programs, for their part, should ensure that their software design does not contribute to inadvertent file sharing.”

As the nation’s consumer protection agency, the FTC enforces laws that require companies in various industries to take reasonable and appropriate security measures to protect sensitive personal information, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. Failure to prevent such information from being shared to a P2P network may violate such laws. Information about the FTC’s privacy and data security enforcement actions can be found at www.ftc.gov/privacy/privacyinitiatives/ promises_enf.html.

The notices went to both private and public entities, including schools and local governments, and the entities contacted ranged in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands. In the notification letters, the FTC urged the entities to review their security practices and, if appropriate, the practices of contractors and vendors, to ensure that they are reasonable, appropriate, and in compliance with the law. The letters state, “It is your responsibility to protect such information from unauthorized access, including taking steps to control the use of P2P software on your own networks and those of your service providers.”

The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses’ notification responsibilities in these circumstances.

Samples of the notification letters can be found at: http://www.ftc.gov/os/2010/02/100222sampleletter-a.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-b.pdf, http://www.ftc.gov/os/2010/02/100222sampleletter-c.pdf. The fact that a company received a letter does not mean that the company necessarily violated any law enforced by the Commission. Letters went to companies under FTC jurisdiction, as well as entities such as banks and public agencies over which the agency does not have jurisdiction.

The FTC appreciates the assistance of the Department of Health and Human Services, the Securities and Exchange Commission, the Federal Reserve Board, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the Office of Comptroller of the Currency.

The new business education brochure – titled Peer-to-Peer File Sharing: A Guide for Business – is designed to assist businesses and others as they consider whether to allow file-sharing technologies on their networks, and explain how to safeguard sensitive information on their systems, and other security recommendations. This information is available at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. Tips for consumers about computer security and P2P can be found at www.onguardonline.gov/topics/p2p-security.aspx.

The Federal Trade Commission works for the consumer to prevent fraudulent, deceptive,
and unfair business practices and to provide information to help spot, stop, and avoid
them. To file a complaint in English or Spanish, click http://www.ftccomplaintassistant.gov
or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other
fraud-related complaints into Consumer Sentinel, a secure, online database available to
more than 1,700 civil and criminal law enforcement agencies in the U.S. and abroad. For
free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

Internet Access For Visually Impaired

For more information visit: “100% access to information and communication with 0% human rights violations”

Nearly 200 cyber experts and other stakeholders seeking access to the Web for scores of millions of people with visual and other disabilities wrapped up a four-day United Nations workshop in Geneva today, stressing the need for universal access despite handicaps.
“The key to the information society is universal access and no one should be denied the potential benefits of ICTs [information and communication technologies], not least because they are hampered by their disabilities,” UN International Telecommunication Union (ITU) Secretary-General Hamadoun Touré said, noting that an estimated 650 million people live with disabilities worldwide.

“ICTs have the great merit of serving as a powerful equalizer of abilities, empowering persons with disabilities to fulfil their potential, realize their own dreams and ambitions, and take their place as active members of society.”

ITU, which co-organized the workshop with the UN World Intellectual Property Organization (WIPO), focuses on a series of strategic issues ranging from the rights of the disabled to making technical design standards accessible to providing education and training on accessible ICTs.

WIPO Director General Francis Gurry underlined the importance of accessibility in general and reaffirmed his agency’s commitment to establishing an accessible web environment that promotes easy access to intellectual property information in line with its visually impaired persons (VIP) initiative launched in 2008 to explore ways to facilitate and enhance access to literary, artistic and scientific works for the VIP community.

Mr. Gurry, noting that only 5 per cent of all published works are currently available in formats accessible to the VIP community, said WIPO and its member states are actively seeking to improve this situation. WIPO’s copyright committee is currently considering a draft treaty that would create an enabling legal environment to address exceptions and limitations to international copyright law.

A first workshop was hosted by WIPO last May, and the forums are in line with the UN Convention on the Rights of People with Disabilities which entered into force in 2008, which requires that accessibility be taken into account in the design of new information technologies and systems.

This week’s meeting brought together experts from the World Wide Web consortium, Mobile web initiative, Yahoo!, Adobe Systems Incorporated and the British Royal National Institute for Blind People. Participants agreed on the need for an annual workshop to keep abreast of technological developments and to share knowledge and experience of the issue within the UN system.

Virtualized Operating System For Supercomputer

The Department Of Energy National Laboratories — New work on the Red Storm supercomputer at DOE’s Sandia National Laboratories is helping to make supercomputers more flexible and accessible, in effect removing them from the constraints of their specialized operating systems. Sandia researchers, working with researchers from Northwestern University and the University of New Mexico, socialized 4,096 of Red Storm’s total 12,960 computer nodes into accepting a virtual external operating system — a leap of at least two orders of magnitude over previous efforts.

“The goal is to create a more flexible environment for all users,” said Sandia researcher Kevin Pedretti. If supercomputers can be virtualized without sacrificing performance it will increase the utility of these significant national infrastructure investments, he said.

RSS BugTraq

  • Re: [oss-security] [oCERT-2010-001] multiple http client unexpected download filename vulnerability
    Posted by Solar Designer on Jun 11Hi, Here's a summary of relevant postings to oss-security and bug-wget. Unofficial patch for wget, by Florian Weimer: http://www.openwall.com/lists/oss-security/2010/05/17/2 PoC attack on a wget cron job resulting in a .bash_profile overwrite: http://www.openwall.com/lists/oss-security/2010/05/18/13 Brief description of […]
  • [ MDVSA-2010:114 ] dhcp
    Posted by security on Jun 11 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:114 http://www.mandriva.com/security/ _______________________________________________________________________ Package : dhcp Date : June 11, 2010 Affected: 2009.1, 2010.0 ____________________________________________ […]
  • Secunia Research: Creative Software AutoUpdate Engine 2 ActiveX Control Buffer Overflow
    Posted by Secunia Research on Jun 11====================================================================== Secunia Research 11/06/2010 - Creative Software - - AutoUpdate Engine 2 ActiveX Control Buffer Overflow - ====================================================================== Table of Contents Affected Software......................................... […]
  • iDefense Security Advisory 06.10.10: Adobe Flash Player Use-After-Free Vulnerability
    Posted by iDefense Labs on Jun 11iDefense Security Advisory 06.10.10 http://labs.idefense.com/intelligence/vulnerabilities/ Jun 10, 2010 I. BACKGROUND Adobe Flash Player is a very popular Web browser plugin. It is available for multiple Web browsers and platforms, including Windows, Linux and MacOS. Flash Player enables Web browsers to display rich multimedi […]
  • iDefense Security Advisory 06.10.10: Adobe Flash Player Out Of Bounds Memory Indexing Vulnerability
    Posted by iDefense Labs on Jun 11iDefense Security Advisory 06.10.10 http://labs.idefense.com/intelligence/vulnerabilities/ Jun 10, 2010 I. BACKGROUND Adobe Flash Player is a very popular Web browser plugin. It is available for multiple Web browsers and platforms, including Windows, Linux and MacOS. Flash Player enables Web browsers to display rich multimedi […]