Posts Tagged ‘Information Security’
Friday, November 18th, 2011
The security of your business’s website should be one of your highest priorities. A secure website is one of the best ways that you can establish trust with your customers. The security of your website will directly impact your number of visitors and has the potential to hinder or boost your sales. With the massive number of website intrusions this year alone, hacking has become a major concern for most online shoppers. Whether it is to protect your website or your customers personal or financial data, a secure website is a must have. The following are some tips for creating a strong and secure website environment for your consumers. 
Use a Strong Administrative and Database Password:
Creating a strong administrative and database password will prevent hackers from accessing the admin interface and from taking over your entire online business. If a hacker does gain entry to your website’s administration panel they can pretty much do whatever they please from defacing your website to committing fraud by pretending to be you or your company. To learn more about creating strong passwords visit Elements of a Strong Password.
Secure Admin Email Address
An admin email address is used to login to your web server, CMS, database. It should be kept private and different from the one that you have on your contact page.
Make sure you have Firewalls Implemented:
Configuring a firewall will help prevent unauthorized access to your site and acts as a filter for the information that is sent to and from your website. You should configure your firewall to the highest security preferences so that it will deter hackers from attempting to gain entry to your site.
Update Your Antivirus Program Regularly:
New malicious programs are created and discovered every day so it is important that you not only have Antivirus software but that you also keep it up to date. Antivirus programs scan, track, and remove any problems from your hard drive. Like Antivirus software a spyware program can detect and eliminate any spyware that has made a home on your hard drive.
Read the Latest Information on Tech Blogs:
Reading tech blogs regularly will keep you up to date on the most recent vulnerabilities and will help you stay one step ahead of hackers.
Use robots.txt to Keep Certain Things Hidden from Search Engines:
Add a robots.txt folder for the documents, images, and information that you do not want to be indexed by search engines.
Use a Secured FTP Access and Restrict Root Access
SFTP access prevents others from being able to view what you are uploading or downloading to & from the webserver. Restrict the access to certain non-system folders to prevent FTP uploads by people other than the system administrator.
Check Your Software and Third Party Scripts:
Ensure that any software you use is kept up to date with the latest security fixes. (Blogging software like WordPress, third party scripts, etc.) Also remove any scripts, services, or other software that you are no longer using.
Perform Security Testing:
It is important that once you have the previous security items in place that you perform security testing. Search your website and source code for any security flaws that may allow unauthorized access. You can check your source code for free with Source Code Analysis Tools. Using security plugins like WordPress Security Scan are also a great way to analyze the security of your site.
Keeping your website secure is a never ending job, there will always be new threats and hackers will continue to find new ways to gain unauthorized access. Implementing these suggestions in addition to doing your own research will help you to stay as far ahead of these types of individuals as possible
Thanks for Reading!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: business website, Firewall, Information Security, protection, secure, secure website, website
Posted in Firewall, Information Security, Web Development | 1 Comment »
Friday, October 14th, 2011
Back in 2005 the FBI reported that the losses due to laptop theft were estimated around $3.5 million. They also identified that the average cost associated with a lost company laptop was around $32,000. Since 2005 the number of laptop users has dramatically increased and it has been assessed that one in ten laptops have or will be stolen. Laptop protection has become a major concern for many laptop users. The threat that laptop thieves pose is more than just concern for our expensive devices, it triggers our fear that someone could have access to our stolen and vital personal information.
 - From http://www.kensington.com/kensington/us/us/s/1386/clicksafe%c2%ae-laptop-locks.aspx , Oct 2011
Laptop theft is a significant and serious threat. Thieves will often target laptops because they are small, easy to grab, easy to conceal, there is a market for them, and they are a quick way to get cash. Most of these criminals target laptops because they know that a property theft charge is a better alternative to a personal robbery charge. Once stolen, a laptop can then be sold to a used computer store or pawn shops for as much as half the original retail costs.
What can you do to secure your laptop? There are two components to laptop security, the physical side and the virtual. Physical protection refers to instinctual protection like keeping your laptop with you, keeping it out of sight as well as purchasing protection devices such as cable locks, laptop safes, and motion detector alarms. Virtual security on the other hand implies defenses such as software protection programs, passwords, and tracking safeguards.
The following guide is intended to identify security techniques and tools to protect you from being a victim of a laptop theft. The tips will cover practical security methods, virtual defense techniques, and physical protection devices. For the best protection it is recommended that you use a combination of each.
Practical Security Tips:
- Never leave your laptop unattended or in plain sight.
- Keep your laptop in a secure, or hidden place
- Lock your doors and windows when you’re not in your room.
- Never leave your laptop in an unlocked vehicle.
- If you leave it in your vehicle make sure that it the car is locked and the laptop is out of sight. The best place is in a locked trunk or covered in the back seat.
- Write down your laptop’s serial number.
- Don’t store sensitive content on your laptop.
- Don’t share your passwords and make sure that they are sufficient.
- Don’t store your passwords. A lot of programs now have the option to remember passwords. It may make it easier for you to access your information but if stolen it will also make it that much easier for criminals to gain access to your accounts.
- Personalize the look of your laptop with clear identifiable marks.
- Carry your laptop in a nondescript carrying case, briefcase, or bag. Placing it in a case designed for computers is an immediate alert to thieves that you have a laptop.
- Lock the laptop in your office during off-hours.
- Back up your information on disks and store the disks at home or the office.
- Pay attention to where you use your laptop. Be aware that someone behind or next to you can see your computer screen.
- At airport checkpoints, be observant. Don’t place the laptop on a conveyor belt until you are ready to walk through the checkpoint.
Physical Protection Tips:
- Sometimes just having some type of security device attached to your laptop is a good enough deterrent for thieves.
- When you have to leave your laptop unattended you can store it in a Laptop Locker. These safes secure your device whether it’s in your office, car, or home.
- When out in public or in a shared office you can use a laptop Cable Lock. Using a laptop security cable is one of the easiest methods of laptop security and protects against theft. Click on the link to see some cable lock options.
- Another option for securing your laptop is to have a secured bracket or a docking station. A security bracket or dock bolts your laptop in a stationary location either in its open or closed position.
- If there isn’t a structure to attach your cable lock then you could always use a Motion Sensor Alarm.
- A STOP Security Plate will also prevent criminals from stealing your device. These stickers have a unique barcode for each laptop and user. If the sticker is removed it reveals a permanent “Stolen Property” mark and provides a number to report the theft.
- Check out devices with Biometrics like finger print or retina scanners.
- You can also use a Privacy screen to ensure you are the only viewer able to see your information. Privacy screens limit the angle at which the computer screen is visible.
Virtual Defense Tips:
- Although user passwords are not nearly as effective as they once were, it doesn’t hurt to still use them.
- Encrypt your sensitive documents.
- Use Full or Whole Disk encryption. This is software that encrypts the data on the entire disk including the Bootable Operating System partitions. Disk encryption software does not encrypt the Master boot Record. However certain Disk encryption hardware will encrypt everything including the MBR.
- Purchase Remote Laptop Security software so that you can deny access rights to someone trying to access your stolen device.
- See if your device is eligible for laptop insurance from Safeware.com.
- Use a Theft Recovery Software.
- Set up a BIOS password. The BIOS software is built into the PC, and it is the first code that a computer runs when powered on. Establishing a password in the BIOS will ensure that a laptop thief will be unable to load the Operating System unless they acquire the correct credentials. This Pre-Boot Authentication guarantees a secure environment that is external to the operating system. Pre-Boot Authentication is confirmed with something you know (username or password), something you have (smart card or other token), or something you are (biometric data).
How to establish a password in BIOS:
1. Start or restart your computer. When the BIOS screen comes on, press the Delete key to enter BIOS setup. (Some computers used “F12? or “F2”, or other keys)
2. Use the arrow keys to choose “Security” and press Enter. You will then see “Supervisor Password” and “User Password” on your screen.
3. Use the arrow keys to move down and highlight “Set User Password”, Press Enter. Enter the password in the password field and enter the password again in the confirm password field when it appears. Press Enter to set the password.
4. Use the arrow key to move down and highlight “Set Password Check”, press Enter. The options to invoke the password during “Setup” or “Always” will then appear. Choosing “Setup” requires a password to enter the BIOS. Choosing “Always” requires a password every time you start your computer. Highlight your choice and press Enter.
5. Press Esc one time, use the arrow key to select “Exit”, press Enter. Save your changes and exit. Your computer will then exit the BIOS screen and reboot.
When a laptop is stolen the actual loss can be huge. The replacement cost of a stolen laptop includes the cost of the new laptop, any stolen peripheral devices (network cards, modems), replacement software, time to configure the new device, and time to install new software. Not to mention any work material, photos, purchased media, memories, and personal information are now history. Any stored information on your computer is vulnerable and even if laptop thieves can’t benefit from the sale of your computer they could potentially gain access to personal information or your online accounts. If you aren’t already utilizing some of these suggestions or devices we strongly urge you to do so immediately, overlooking the importance of laptop security could be huge mistake.
Check out companies like Kensington, Targus, and Lenovo for the latest in laptop security.
Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: computer, Information Security, Laptop, laptop protection, laptop security, password, theft protection
Posted in Information Security | No Comments »
Thursday, August 25th, 2011
Tuesday August 23, 2011 Facebook made several announcements, the majority of which addressed the upcoming sharing and privacy improvements. In addition Facebook addressed smaller topics like the phasing out of the mobile only “Facebook Places” and the renaming of a long time Facebook attribute.
from http://blog.facebook.com/blog.php?post=10150251867797131, August 2011
Privacy and security have always been a major concern for Facebook users. In response to these worries Facebook has made multiple changes to the process for sharing posts, photos, tags, and other any other content. The new set up focuses on making the policies of concern more assessable and understandable to all users. The following Profile Control changes are expected to begin rolling out sometime this week, at that time users will encounter a prompt to tour the new Facebook Profile Features. (August 25, 2011)
The primary adjustment to the new profile is the new location for the privacy and sharing controls. The sharing controls are now available directly on a user’s profile page. These controls were previously only available on the settings pages. The aim for this redesign is to present users with a clearer and more consistent sharing experience. The new inline drop down menus that are now located next to the content posting area can enable a user to instantly adjust who has permission to view the content. Whether it be your thoughts, images, or videos each user will be able to see who can view their content and allow them to grant or deny access with one simple click. Additionally, since many of the settings options have been compiled into these smaller inline menus the previous settings page has also been simplified.
Also launching with the new profile sharing controls is the following sharing, tagging, and privacy policies.
- Control who can view your post while posting
With the old setup a user would have to access the settings page in order to change any privacy or sharing settings. The new adjustments make it easier for users to assign who can view their content at the time of posting.
- Restrictions Are Not Permanent
Sharing restrictions can be changed at any time for each individual post. After posting something to your co-workers that was supposed to be for your friends you can simply switch the posts authorizations and avoid any misunderstandings.
If you tag yourself on someone else’s pictures the tag will first need to be approved before it appears.
- Tagging People You Don’t Know
You can now tag anyone on Facebook not just people that you are friends with. When a user is tagged on Facebook a permission request form will be sent to that used.
- Tagging Pages You Don’t Like
You can now also tag pages on Facebook that you haven’t liked. Again the page will need to consent to the tag in order for it to appear.
When tagged by another user in their content the tagged person will be presented with an approval request form. This form will provide a user with the options to reject the tag, request that the picture be removed, or even block the user.
Users have requested that they want to see their profile the way that other users view them. In order to see how others view you on Facebook they have added a new “View Profile As” button in the top right corner.
The “Everyone” attribute is now being called “Public” to better describe the behavior of the post
- No More Mobile Only Facebook Places
Users will be able to add locations anywhere (posts, pictures….) and from any device which is why they are deciding to phase out Mobile only Facebook Places.
The recent overhaul is thought to be in response to Google+ which was just launched in July and is already becoming a major competitor. Facebook’s new updated features are an attempt to show their customers that they listen to their requests and always have a strong focus on user privacy and protection.
Check out the Google Blog where Chris Cox the Facebook VP of products, Explains the new features .
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: Facebook, Information Security, post, posting, privacy, social networking
Posted in Social Networking | No Comments »
Tuesday, June 21st, 2011
Earlier this month Apple held its annual Worldwide Developers Conference, during the event Apple unveiled the new features of iOS 5 which is set to arrive later this fall . Although the much anticipated release of the iPad2 had come and gone back in March, the news of the newest iOS has seemed to spur iPad2 sales. At a price range set from $499-$829, these devices are definitely an investment that is worth protecting. The following are ten tips to help ensure the safety and protection of iPad devices. The list covers both physical and virtual security so that customers can hopefully prolong the life of their device and be able to take full advantage of the upcoming iOS improvements.
from http://www.apple.com/ipad/features/, June 2011
The iPad Smart Cover isn’t a customer’s only choice however it seems to offer the most protection along with usability. In addition to providing protection, the Smart Cover can also be transformed into an iPad stand with various positions, activate the sleep mode when covered, wake the device when uncovered, grip the iPad using built in magnets, comes in a number of colors and is available in two different materials. Users can also choose to use full shell cases for heavy duty protection or portfolio and envelope cases for the professional environment.
A case or cover doesn’t necessarily mean the screen is fully protected. Screen or scratch protectors are well worth the purchase and not only do they prevent scratches but they have also been known to prevent the screen from shattering on impact. Prior to the release of the iPad2, Apple had stopped selling all anti-glare and screen protection film as what was thought to be a way to advertise the iPads screen durability. However screen protectors are still available through other companies, the trick is finding one that provides durability and is easily adhered to the iPad without causing damage.
It may seem like common sense but some people still leave their iPad unattended or believe it to be safe in their car. A car is not a safe place to leave expensive devices, leaving your device in sight and unattended will only entice someone to break in and steal it. In addition to passwords, iPad owners can also use security locks and security cables to provide extra protection when not in their possession.
At the very least all users should utilize the password option to protect their information and data. To configure the password settings go to Settings, General, and Passcode Lock. Once the password option is activated the passcode will be required when restarting the device, waking the device, and unlocking the screen. Users can also specify how many times the screen must be locked before activating the password prompt. A typical passcode has four digits however they can be changed to a longer alphanumeric code by disabling the simple passcode option.
- Auto-Lock, iPad tracking and other Security Preferences:
The iPad2 comes with a find my iPad app that lets the user locate a stolen or lost iPad as long as it’s still operational. Users can also determine how many password attempts are acceptable before disabling the device or remotely erasing the data from the device. Try to avoid using the common passcodes like 1234 or 0000. The auto – lock will activate the lock automatically after the iPad is inactive for the amount of time specified by the user. If someone does happen to acquire your device then these appropriate security settings along with an adequate password will at least protect your information.
When surfing the Internet from your mobile device there are several options that provide extra protection. For example turning off the Auto-Fill option in the Safari Browser settings will disable the iPad from remember passwords or other critical information. You should also check to make sure that your pop-up blocker is turned on as well as the fraud warning feature. When it comes to accessing websites and email attachments be sure to practice good judgment. Users can also clear browsing history, cookies, and cache so that no information is stored.
It is extremely important that you perform all available updates not only for the iOS but for your iPad applications as well. Updates are often released to resolve vulnerabilities and to protect users against newly discovered malware like viruses and spyware. Updates for Apps can be performed by accessing the app store and selecting update all under the update menu.
- Backup Information on iTunes:
Performing routine backups in iTunes can help protect your information and prevent data loss. In the event that your data or device is lost, corrupted, or stolen, users will still have access to it on their PC’s. The upcoming iCloud can also be used to store backup information.
- Disable Bluetooth when not in use:
While not using Bluetooth it is recommended that you turn off the feature. Allowing Bluetooth channel to remain open can potentially create a vulnerability that is susceptible to intrusion.
- Extra Apps For Extra Security:
Consider purchasing apps that provide enhanced security. Here’s a list of 50 Security Apps that perform functions like storing passwords, activating alarms, monitoring business transactions, and safe web browsing.
Hope these tips help keep your device safe and your information protected. For more details check out Apple.com and keep an eye out for Apple iOS 5 this fall!
These security tips are not limited to only the iPad2, many of them can also be applied to the iPad, iPhone and iPod touch devices.
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: Apple, device, Information Security, Ipad, iPad security, iPad2, password, protect, protection
Posted in Information Security, Mac, iPad | 1 Comment »
Wednesday, June 15th, 2011
It’s hard to miss all of the news headlines about hacker groups and security intrusions. These attacks now seem to be unavoidable even for Government agencies. For weeks now the public has been following the Sony Incident, which now appears to have been only the tip of the iceberg. Even the State Senate computers have fallen victim to a group of hackers known as Lulze Security.
Anonymous
In the past week both the Lulze Security group as well as the cyber group “Anonymous” have taken responsibility for several attacks. Lulze Security have claimed responsibility for the attacks on the Sony Picture’s website, PBS.com, Fox.com, and the DDoS attacks on game company Bethesda. According to thier LulzSec Twitter Page they are now apparently taking hacking request through a messaging hotline. As for Anonymous they have claimed to be responsible for the Bank of America attack, the Spanish Police Department attack, and are thought to be behind the Sony PSN disaster. To prove their infiltration on the Senate network Lulze Security has posted a list of files online along side their other postings. However, it was said that none of the data taken from the Senate’s network contained sensitive information. Although it’s not completely clear whether or not sensitive files were actually obtained, the intrusion itself displays the group’s capabilities and malicious intent.
Compared to last couple months, it seems that these types of attacks have changed direction moving from the acquisition of personal information to the infiltration of high powered and influential organizations. Besides gaining access to personal or financial information, perhaps these attacks are based on retaliation, display of power, or reputation. Speculation aside what’s truly concerning is the lack of security or the effectiveness of our current security.
Where is the security? Granted, these hackers are extremely clever and well versed when it comes to bypassing security measures but shouldn’t the current security for most organizations be able to slow them down at the very least?
Traditionally hackers or crackers are people who illegally obtain access to computers or computer networks to gain a profit, to protest, to expose security flaws, to challenge themselves, or to become infamous through their actions. As the hacking community continues to outperform one another as well as the security protocols of major businesses it is often the innocent consumers that pay the price.
There are different types of hackers along with different level of hackers. Not all hackers have the same attributes, some are good, some are bad, and some operate in the shades of gray. The following are the categories and characteristics commonly used to classify hackers.
White Hat: Also known as an ethical hacker this type performs intrusions for non-malicious purposes either contractually or to test their own personal security. They perform penetration/vulnerability tests to access the level of security and to improve it.
Black Hat: Represents the complete extreme to white hat hackers, they use their knowledge and ability to illegally infiltrate systems with malicious intent or for personal gain. These computer criminals identify a target, research their target, find security gaps, and then access it illegally. They perform hacks to destroy data, collect data for monetary value, or to build their reputation amongst the hacking community.
Gray Hat: As the name implies, a gray hat hacker is a combination of black and white hat tactics. A gray hat hacker may use black hat techniques to infiltrate a network for the purpose of identifying security flaws. Once identified, some hackers will offer a service fee to fix the vulnerabilities. This type of hacker acts under white hat motives but operates with black hat methods. Although these attacks occur without malicious intent they are still violating the organizations and individual privacy which can cause a lot of problems.
Black, white, and gray hat hackers are only the most basic breakdown, hackers can also be further identified by skill level, reputation, and intent. The following are different terms associated with these hackers.
Blue hat: Like a white hat hacker the blue hat hacker typically works with security consulting firms and is contacted to perform operational and system security testing.
Neophyte: Neophyte is used to describe someone that is a beginner to hacking and possesses very little knowledge or skills required for hacking.
Script kiddie: This category is made up of hackers who are more experienced than Neophytes but is still unable to devise their own methods of gaining access. They often rely on pre-packaged automated tools that are created by other hackers.
Elite Hacker: Is a name reserved for the most skillful and recognized hackers. These individuals or groups have built a reputation among the community. They continue to gain credibility by gaining access to harder targets, causing devastation, and being publicized by the news following their attacks.
Hacktivist: Also known as a cyber terrorist, with these hackers there are clear and present goals in mind to express a social, ideological, religious, or political point of view.
A typical system or network hack occurs in three steps, network enumerating, vulnerability scanning, and exploitation. Network enumeration is where information and the vulnerabilities are obtained using network scanners or enumerators. These are programs that report back information like user names, networked services, and shared resources. White hat hackers will use these reports to resolve the discovered security gaps whereas a black hat hacker would use them to gain deeper access. Vulnerability Analysis is when an attacker seeks out system flaws. To be vulnerable a system has to meet three conditions, it must have a flaw, the hacker has to have access to that flaw, and the hacker must be skillful enough to exploit that flaw. Lastly exploitation occurs by attempting to compromise the system through the flaws found in the vulnerability scan.
Some of the techniques hackers frequently use to gain access to a computer system or network are vulnerability scanning tools, password cracking, packet sniffing, spoofing or phishing, rootkit, social engineering, intimidation, helpfulness, name-dropping, Trojan horses, viruses, worms and key loggers.
Although the recent attacks have caused a lot of disruption and concern, hopefully something good will come from them like stronger security. Companies and organizations should view these attacks as a warning and take the time to strengthen their protection and conduct their own vulnerability testing while they still can. Not only is it important for major companies and Government agencies to be prepared but the individual users should be prepared as well. Computer users should make sure that they have sufficient computer security and keep up to date with the latest security news.
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: anonymous, cyber attack, hack, hacker, Hackers, Information Security, lulze security, network access, system vulnerabilites
Posted in Information Security | No Comments »
Thursday, June 2nd, 2011
It has been over a month since Sony announced that the reason for the shutdown of their PlayStation Network service on April 20, 2011 was due to an external intrusion. On May 4, 2011 Sony had confirmed that the PSN Attack was able to obtain the personal information from over 100 million users. Following the hack, Sony remained confident and projected a short downtime for the network. Although Sony initially stated that they would fully restore their services by the end of the week, the recovery process experienced unforeseen problems.
from http://us.playstation.com/psn/, June 2011
After being disabled for approximately 23 days, on May 15, 2011 the Sony PlayStation Network began restoring parts of their service country by country. At this time the sign-in for the PSN/Qriocity services, online gameplay, rental content, third party services, friends list, and chat functionality were all restored. Missing from the services that were brought back online was the PlayStation Store. Once back online the network again faced an issue concerning the password reset page. It was discovered that the password reset process was enabling unauthorized users to change the passwords of other users provided that they had knowledge of their email address and date of birth. After the discovery of this exploit the network disabled the password reset pages and resumed working to restore the PlayStation Store.
Sony announced that they will be offering customers free content as a part of a “Welcome Back Program”. The free customer appreciation content will be available sometime shortly after full restoration. Sony has also stated that the cost of the network outages and restoration was $171 million which includes the costs of security enhancements, customer reimbursements, and loss of content sales.
Yesterday afternoon (June 1, 2011) the PlayStation Network posted on the PSN Blog that that the PlayStation Store was once again up and running. The PS Store is now offering new updates, downloadable games, demos, add-ons, themes, avatars, and videos. For now, Sony is still in the testing process for the welcome back program download and expects it to be available for users shortly. Another PSN update is currently scheduled for Friday June 3, 2011.
Sony executives have stated “no system is 100 percent secure”, having learned from this occurrence Sony has made several security improvements and created a new Chief Information Security Officer position. The PlayStation Network is not the only Sony service to suffer intrusion, in a separate incident Sony Ericsson was also hit. The Sony Ericsson Hack was said to have affected over 2,000 customers. According to The Huffington Post the servers at SonyPictures.com were also attacked on Thursday June 1, 2011. This hack obtain the the information of 1 million users which was later posted on a website by hacker group LulzSecurity. Other recent security breaches include the Lockheed Martin Cyber Attack, Google Gmail hack and the PBS hack, these hacks present a clear picture of how technology can be used to do harm and provide an even greater reason for companies to implement as many proactive security measures as possible.
Although Sony projected an $860 million profit in a February report the company is now projecting a $3.2 billion net loss for the year. The loss is a combined result of several network hacks, security upgrades, customer remuneration, tax credit write offs from the previous quarter, and disruption in production caused by the earthquake and tsunami in Japan.
Taking into consideration the hard times faced by Sony recently, will you continue to be a customer or have you lost all faith in them? Share your thoughts below.
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: hack, Information Security, PlayStation, PlayStation Network, PlayStation Store, PSN, Sony, Sony PlayStation, Sony PSN
Posted in Information Security | No Comments »
Friday, May 27th, 2011
Recently the MacDefender Malware has created a lot of concerns for Mac users all around the world. Quickly spreading, the MacDefender Malware is a phishing scheme that presents a message that informs users that their system has been corrupted. The ploy goes on to tell Mac user that the only way to remove the viruses is to utilize the MacDefender app. The MacDefender malware can also appear as MacProtector and MacSecurity. The malware does not infect a user’s machines with viruses or monitor keystrokes. Their sole purpose is to frighten and persuade users to purchase the MacDefender application thus gaining access to the customer’s credit card information.
from http://www.Apple.com, May 2011
Mac has estimated that between 60,000 and 125,000 Mac users have already been exposed to this malware. Most users have encountered this problem through poisoned Google images. When users access a poisoned link, a page will launch and display a virus scan. After being transferred to the infected webpage the software begins to download and informs users of an infection. Previously the malware required permission to install but despite the efforts made by Mac a newer version of the malware has been created, which no longer needs the user’s permission. This MacDefender version automatically installs on a machine during the fake scan process.
Mac has yet to take action against the initial malware but has stated they will have a resolution with their next OS X Update. Mac states that they will “deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. Mac however has not addressed the new version of the malware and has also informed their support staff Not to assist users with MacDefender removal. Although the support staff has been instructed not to assist with its removal, Mac has provided the following on how to prevent the malware from installing and how to remove once installed.
Avoiding Installation:
- If users experience any notification concerning the mentioned security software, immediately exit the browser.
- If the browser fails to quit, perform a Forced Quit. To perform a force quit go to the Apple menu and choose force quit. Alternatively you can Force Quit by pressing Command+Option+Esc, and then choose unresponsive program followed by clicking force quit.
Removing the Application:
- In the event that the malware was automatically downloaded and launched, do not enter your administrator password.
- Do not provide your credit card information.
- Access your download folder and delete the application.
- Once the application is deleted make sure that you also permanently delete is in your trash folder.
- Close the Scan Window.
- Go to the Utilities folder in the Applications folder and launch Activity Monitor.
- Choose All Processes from the popup menu in the upper right corner of the window.
- Under the Process Name column, look for the name of the app and click to select it.
- Click the Quit Process button in the upper left corner of the window and select Quit.
- Quit the Activity Monitor application.
- Open the Applications folder, locate the app again, drag it to the trash, and permanently empty the Trash
In addition to the MacDefender app a login item is also placed in the user’s system preferences which can be removed by opening system preferences, selecting accounts, clicking login items, selecting remove and then clicking the minus button. Although it is not necessary it is advised that users to remove this login item.
Check back later as more details develop to learn more about the MacDefender malware and possible solutions.
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: Information Security, mac, MacDefender, MacDefender Malware, malicious software, Malware, malware removal, phishing, virus removal
Posted in Information Security, Internet, Mac | No Comments »
Friday, May 13th, 2011
Online security threats and system vulnerabilities will always be an issue on the Internet regardless of the amount of security we implement. As the security for major online companies gets smarter the hackers and computer viruses get more inventive as well. This balance is unlikely to disappear because there will always some kind of benefit for people who perform these destructive actions. Whether it is for notoriety, money, or information the effects of these actions require companies to be forward thinking and remain focused on the protection of their users.
Following the largely publicized PlayStation Network Hack a couple weeks ago, two other major websites experienced their own misfortune. For Google it was discovered that their images were replaced with malware and Facebook was also notified that their applications were unintentionally leaking information to third parties. Although these two incidents are completely different with one being pure mischief and the other being an oversight the two cases highlight severe vulnerabilities for major websites.
After weeks of user complaints Google identified that some of their Google Images search results were pointing users to webpages that forced misleading anti-virus scans and security alerts. The attackers apparently infiltrated high trending Google Image search results and planted their own PHP scripts to generate their own malicious content. Once their own PHP scripts were implemented the Google bots crawled and eventually displayed thumbnails for their bogus web pages. When clicked on, the image redirected users to a bad page. Google is currently working hard to remove all of the bad links. For more specific details on how and what was affected visit More on Google Image Poisoning.
Shortly after Google realized their security flaw, Facebook was notified by Symantec regarding their security issue. On Tuesday May 10, 2011 Symantec published that Facebook applications have been unintentionally leaking user information to third parties. Although it is impossible to pinpoint the exact number of affected users it is estimated that the information of hundreds of thousands of users could have been exposed. However Symantec and Facebook state that it is also possible that most of the third parties didn’t even realize the leaks.
The leaks occurred through access tokens which are basically authorization codes that are assigned once a user accepts or grants permission to a Facebook application. Once Facebook was notified of the leaks they implemented the necessary changes which are described in the Facebook Developers Blog. Concerned users can take their own actions to nullify any current access tokens by changing their account password. As mentioned although these leaks were accidental this incident provides a perfect example for the vulnerabilities that websites like Facebook still have even with good security.
Sometimes the bigger the company, the bigger the target. Security should always be a crucial aspect and top priority for any business. It is not only up to the major websites to try to stay head of the relentless security threats and system vulnerabilities, the individual users should do their part as well by being educated about online risks and by taking the appropriate precautions to remain safe.
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: Facebook, google, google images, Information Security, Malware, security threats, users, vulnerabilities, website
Posted in Information Security | No Comments »
Thursday, April 28th, 2011
On Friday April 22, 2011 the Sony PlayStation Network stated that as of April 19 th they had become aware that PlayStation and Qriocity user accounts had been hacked. Prior to this notification they have made several announcements, none of which providing the exact details for the disruption in network services.
During the time leading up to the official  public disclosure Sony had disabled their system which left many PlayStation Network users in the dark about the true circumstances surrounding the event. It wasn’t until April 26, 2011 that Sony offered the full explanation that user account information and potentially their financial information had been unlawfully acquired during an intrusion. The unauthorized intrusion of the network accounts left over 70 million users as well as their personal and financial information at risk. For a full timeline visit PlayStation Network Hack Timeline.
Because Sony had waited a full 6 days after the time of discovery to present a fully detailed announcement most people are wondering why the delay with informing the public. Typically when a breach does occur it is not uncommon for some amount of time to pass before the public is fully informed, this is usually to confirm the facts, consider solutions and prevent public panic. However during this time users could have been taking their own preventative measures by informing their credit card companies, monitoring credit reports, and avoiding phishing scams. For a great article concerning the legality of informing the public in the event of a security breach visit PlayStation Network hacked, data stolen: how badly is Sony hurt?
The PlayStation Networks Official Website released a statement detailing what efforts are being made to rectify this unfortunate situation and promises that it is a temporary issue that will be cleared up as soon as possible. Currently the network connection is still deactivated. An outside security investigation company has also been contracted to investigate the security breach and Sony is currently developing new security features. With these new features they hope resolve the system’s vulnerability and provide more safety precautions to protect a user’s personal information in the event of future occurrences.
It is PlayStations fear that the unlawful invasion into user information exposed user names, addresses, email address, birthdays, passwords, logins, purchase history, and even billing information. The official statement goes on to state that even though there is no evidence that credit card information was obtained they are not ruling out the possibility. Although many Sony officials believe that the hack was to gain notoriety as opposed to financial information they cannot be certain. As Sony continues to work around the clock to regain the confidence of its customer’s users should be taking the following actions to ensure the security and protection of their information.
What you should do!
- It is advised that if you have provided any credit card information that you contact the card company and inform them that your information may have been obtained during this event.
- It is also urged that users be mindful of email, phone, and postal scams. Sony has said that they will never contact a user to acquire credit card numbers, social security numbers, or any personal identifiable information. Often hackers will take the portions of useless information and contact you pretending to be the organization in order to obtain the rest of the information that they require.
- Monitor financial activities and credit reports. Sony has provided several links on their customer notice page that can be used to check your credit report and place alerts on your accounts. Placing alerts on your account is a great security precaution and will help protect you from other users accessing your accounts.
- Sony also advises that once the network is secure and user connection is reestablished that a user should change their login information immediately.
It’s important to remember that these kinds of incidents happen all the time and unfortunately they are the reason why we need implement more and more secure practices every day. Any fraudulent charges that do result from this incident will of course be handled by Sony. One issue left un-answered is why Sony chose to wait so long to inform its users about the potential security threat?
What do you think? Should Sony have disclosed the full details and given customers the opportunity to protect themselves sooner, or were they right to gather all the information before causing panic?
Thanks for Reading and Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support for Businesses in Maryland
Tags: Information Security, network attack, PlayStation, PlayStation Network, Sony, user, user accounts, user protection
Posted in Information Security, Web Tips | No Comments »
Friday, December 24th, 2010
Hello, Dustin back with some useful tips to assist you in creating a strong password. How confident are you with the strength of your current passwords?
Some of the elements of a strong password may appear to be common sense but be often overlooked. Most applications, resources or tools at your disposal require password protections that should not be taken for granted regardless of the level of importance that the information offers.
Passwords are for your safety and even if the information that is being protected is not detrimental, in the hands of criminals this resource could be utilized in an effective manner. It is more than likely that if a password is required the information is important and for your eyes only. Exercise the following steps to ensure that your information is safe and sheltered from outside users with a strong password.
- The longer the better: A strong password should utilize 10 or more characters.
- Variation Matters: Mix it up! Don’t use repetitive characters or common sequences.
- Add Complexity: By adding numbers, symbols, and various upper and lower case styles will greatly increase the protection of your password.
- Take advantage of the full keyboard: Avoid using familiar character groupings or letters and numbers found in the same row (example: qwerty123). Branch out using the full keyboard and select characters that have some distance between them.
Here is a Helpful method for creating a password:
- Create or think of a saying that is familiar to you,
- Select a letter position of each word, for example the first, second or last letter in each word, use this to create a row of letters,
- Add a couple numbers that you can easily remember,
- Add a symbol if allowed,
- Select 1 or more letters and capitalize it,
Example:
| When Life Hands You Lemons Make Lemonade.
wlhylml
wlhylml491
wlhylml491!
WlHyLmL491!
Check to see how this password checks out in the Password Meter! |
Additional Tips regarding your password:
- Keeping a hard copy of your password is o.k. but make sure that it is also secure. Make sure you don’t leave a hard copy of your password out or think your being clever by keeping it under your computer keyboard or taped inside you desk drawer. The best place is locked in a safe. Also avoid giving out your password or let others see it when being typed.
- Avoid using personal information such as your birth date, your pet’s name or email account.
- Number sequences may be easy to remember, but 1234 is also easy for unwanted users to figure out as well.
- Avoid misspellings, slang, backwards or transposed spellings.
- Don’t use all the same passwords for multiple applications.
Still not sure if your password is strong enough?
Employ a password checker! When creating a password some applications visually show you how strong your password is and won’t let you proceed until it meets their specifications. However for those programs that don’t present this resource users can venture out and use secure public password checkers. Try this Password checker with your current passwords! Secure Password Checker. Also available online and as browser add-ons are password generators, but these can be hard to remember since they don’t use data that is significant to you.
For addition methods for creating a strong password check out these sites:
How to choose a good password
Passwords and Pass phrases
Did your passwords meet these standards? Hope these tips and resources will be able to assist you when creating or recreating your first line of defense.
Have a Great Day!
Dustin
ComputerFitness.com
Providing Tech Support to Businesses in Maryland (more…)
Tags: Information Security, password, passwords, strong
Posted in Desktop - Workstation, Information Security | No Comments »
|
