Categories
Firefox Tips Mozilla

Firefox Tip: Keeping Things Private

Using Firefox on a shared computer such as an office workstation, library, or school computer lab? Don’t want people seeing what you did/saw? That’s a very good idea. When you’re done browsing the web, go to the “Tools” menu and select “Clear Private Data”. Check the data you want to delete and click “Clear Private Data Now”. This will ensure the next person doesn’t see your browsing history, or have access to sites you forgot to log out of. Here’s a list of the options and what they mean in simple terms:

  • Browsing History – The list of web pages you visited.
  • Download History – The list of files you downloaded to your computer.
  • Saved Form and Search History – Every time you fill in a form your browser will store some info so that it’s easier to fill in next time (that’s why it can suggest your address when you sign up for something). This also covers your history of searches.
  • Cache – Temporary files from the web pages you visited stored on your computer. Examples include images in the pages as well as the pages themselves.
  • Cookies – Data used by websites to store info, such as login information or preferences.
  • Saved Passwords – You’ll definitely want to delete these. 😉 Remember you can also disable the password manager.
  • Authenticated Sessions – Certain sites you are currently logged into that use a technique called HTTP Authentication. If in doubt, clear this.

Want to do this every time you close out of your browser? Go to “Tools” and select “Options”. Then click on the “Privacy” icon on the top. Check the “Always clear my private data when I close Firefox” checkbox.

Another option is to use Portable Firefox. This special download is designed to be installed and run from a USB drive. It saves all preferences/settings to your drive, so you take your data with you. This will only work in places where you are allowed to use a USB drive, and can open applications off of one (not every public computer may do so).

Categories
Blog SafePasswd.com Security

SafePasswd Secure Edition + Blog

As of yesterday SafePasswd.com is now suggesting passwords over SSL for better security. Seems like a good idea right?

In other news, there is now a SafePasswd.com blog. The focus is quite simple. Bring better security to the masses.

Check it out, add the feed to your favorite RSS reader, bookmark it.

Categories
Mozilla Security

WebApp as Desktop App Security Model?

Recently there has been a fair amount of talk about bringing web applications off of the web and onto your desktop, or to put it in really simple terms: providing a bare-bones browser that has no UI but the site you visit. It sounds good, but I’m not convinced it’s quite workable, at least at this point. A few examples of these attempts are:

The first two are somewhat generic in purpose, while FullerScreen is intended more for the task of using a web page as a presentation medium, making it a potential replacement for something like PowerPoint.

I’m not quite sure this is really a workable model for the “average user”. Take for example the following scenario:

Say you use this as a way to make your Gmail (or Yahoo) account feel more like a client-side application. You receive an email asking you to visit a site. You click the link and visit the site. You think you are using Firefox. In reality you’re really viewing a spoofed window. Even if remote XUL is disabled, a fair job can be done with just a bunch of cut-up GIFs, enough to fool a casual user. Firefox has some basic countermeasures to help prevent this, such as always keeping some of its own UI visible.

This could be prevented if a “windowless” browser always prompted or provided some other sort of notification before connecting to an unprivileged host. Or better yet: simply launch the real browser rather than handling untrusted URLs. That would be both safer and less Vista-like.

So that leaves me with the question: how should such an application behave? A true desktop application typically launches the default browser on the computer, with notable exceptions such as Real Player, Google Earth, etc. that embed a browser. How do you give a desktop-like feel to an application, yet still provide the UI feedback to the user that a browser’s chrome provides?

My suggestion is simply limiting by hostname. You have a Gmail app, you trust Gmail and nobody else. In my mind an application does one task and does it well. If it was intended to feel like a Gmail client, then it should do that, and that only. Want to visit that website with the monkey that sniffs his own butt? Cool, but do it in your own browser.
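One way such a single-site app could enforce the hostname restriction suggested above, as an added example that is not code from this post or from any of the products it mentions. The trusted host list, the routeNavigation function and the “hand off to the system browser” action are assumptions for illustration:

```javascript
// Added example: routing a navigation request inside a chrome-less,
// single-site app. Assumed policy: only https URLs whose hostname is, or is
// a subdomain of, a trusted host are rendered in-app; everything else is
// handed to the real browser, which keeps its own chrome and warnings.

// Assumed trusted hosts for a Gmail-style app (constructed for this example).
const TRUSTED_HOSTS = ['mail.google.com', 'accounts.google.com'];

// Exact match, or a proper dot-separated subdomain of a trusted host.
// "notmail.google.com" must NOT match "mail.google.com".
function hostMatches(hostname, trusted) {
  return hostname === trusted || hostname.endsWith('.' + trusted);
}

// Returns { action: 'in-app' | 'external' | 'block', ... } for a raw URL.
function routeNavigation(rawUrl, trustedHosts = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    // Unparseable input never gets rendered without chrome.
    return { action: 'block', reason: 'unparseable URL' };
  }
  // Anything that is not plain https (http, javascript:, file:, ...) is
  // handed to the real browser rather than shown in the spoofable window.
  if (url.protocol !== 'https:') {
    return { action: 'external', reason: 'non-https scheme ' + url.protocol };
  }
  // The URL parser separates userinfo from the host, so a look-alike
  // authority such as "mail.google.com@evil.example" yields the real
  // hostname "evil.example" here and fails the check below.
  const host = url.hostname.toLowerCase();
  if (trustedHosts.some((t) => hostMatches(host, t))) {
    return { action: 'in-app', host };
  }
  return { action: 'external', host, reason: 'host not in trusted list' };
}

// Stand-alone demo with constructed inputs.
for (const u of [
  'https://mail.google.com/mail/u/0/',
  'https://mail.google.com@evil.example/login',
  'https://notmail.google.com/',
  'http://mail.google.com/',
]) {
  console.log(u, '->', routeNavigation(u).action);
}
```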

I’d be curious what others thought of this potential problem. I think with XULRunner looking more stable, WebKit being available to Mac developers and the merging of the web and OS, things like this are a potential problem. We are getting more and more ways to embed browsers into things (widgets, extensions, etc.). This is going to be more of an issue moving forward.

This isn’t to say I don’t like the above products (I actually really like them). I just haven’t figured out exactly how they fit into the current security model of local:safe, web:devils-playground. I don’t think they do. I think they potentially break the barrier between the web and desktop applications, the very barrier we’ve all been hoping would be broken. The question is: are we ready?

The higher level question is: How do you distinguish between trusted and untrusted data when it all looks like it’s local?

Categories
Security Tech (General)

Getting A Non-RFID Credit Card

The Chase Freedom credit card isn’t bad (1% cash back, 3% on certain items). There is an unadvertised downside. While Chase doesn’t promote it very well, the card contains a tiny RFID chip. This allows you to pay for something using a contactless terminal (no swiping). Just put your card near the reader and it registers. Is it really any quicker than swiping? Who knows, but likely not by much.

It looks like a regular credit card, same thickness, size, and shape. Just a tiny emblem exists on the upper right hand side to distinguish the onboard cargo. You can see it in the image above. A larger version of it is below:

(Image: Chase Blink logo)

For those wondering, the actual RFID chip seems to be on the left side, opposite the Blink logo.

Chase brands the technology Blink, American Express calls it ExpressPay, MasterCard calls it PayPass. They are all pretty much the same thing.

RFID doesn’t have a great reputation right now. There are some privacy and security concerns, such as an unauthorized party reading your credit card without you knowing. Think this is a tin-foil-hat mentality? It’s been done already. I haven’t found anything online to indicate criminal exploitation yet, but it’s possible and will happen.

Chase doesn’t advertise this, but if you contact them by phone or email, they will send you a replacement card without the “Blink” capability. The actual plastic card is their “Flexible Rewards Visa”, though the paper it’s attached to clearly says “Chase Freedom”. It’s just plastic; the credit plan is in the account, not the card. So there you have it: you can get a more secure credit card if you’re concerned about security.

Chase claims “Blink” is very secure, but I’m still not personally comfortable with the technology. According to their FAQ (in PDF format):

10. Are blink purchases secure?

Yes. As always, you are 100% protected against any unauthorized purchases. These transactions are safe because they are protected by an additional level of encrypted security. You must deliberately use the Chase card with blink at the point-of-sale to make a transaction. The Chase card with blink needs to be within an inch of the special reader and correctly oriented to be read. In addition, blink transactions use specific data that is protected by the highest level of security.

Judging from the speed with which it can be read (as demonstrated on the Chase blink website), one could technically walk by with a bag containing a reader and just brush past the victim to read the card in their pants pocket, sit next to you on the bus/train, etc. Easier than pickpocketing since no actual contact is needed (such as digging a hand into someone’s pocket).

We already know they can clone RFID passports. What stops someone from reproducing the credit card, then using it? With regular cards, my wallet is an effective firewall. There is no way to read the magnetic stripe or copy the numbers off of it without the actual card visible. And if my card is missing, I know I have a problem. I always keep it in my wallet so nobody can just look at it. This is a pretty secure way to handle a credit card. With this potential crime, I wouldn’t even know right away, and by the time I did realize I wouldn’t have any idea when/where it was compromised. It could potentially be months between the theft and the use of the stolen data.

I’d like to see this tech a little more proven in the “real world” before I jump on board. For now it’s just good to know you don’t have to live with it, you can get a non-RFID card. I didn’t find this advertised anywhere on the Chase website. I guess they realized us tin-foil-hat people would ask for a blink-free card, so they made sure to have an alternative. I must give them credit for that (no pun intended).

Just call/email Chase and ask for a non-blink version of the card. They told me 5-7 days for delivery. No hassle. I was very pleased how painlessly they made it. It arrived in about 5 days.

Categories
In The News Security Spam

Coming Soon: Bluejacking

If you have Bluetooth on your phone, there’s yet another reason to turn it off when you aren’t using it. Besides saving battery life (which is always a good thing) and general security, you’ll be seeing more and more spam as time goes on if you keep it on. It’s already a problem in some places. Here’s an auto-translated English version of the linked article.

It’s too easy to just spam cell phones with phone book entries, videos, text messages, pictures, etc. Even if you don’t accept them, your phone will still go off to let you know you have an incoming request. I would bet it won’t take long before apps exist for PDAs to automatically spam any Bluetooth device in range. Then a spammer can just walk through the streets, malls or stores to send spam. Talk about discreet marketing.

What a mess, and I doubt it will be fixed anytime soon. We’re still getting email spam with no end in sight.

Categories
Open Source Security Software

Using Norton AntiVirus With POP3 Over SSL

I didn’t find this anywhere online, so I thought I’d post it. Norton AntiVirus up to and including 2007 doesn’t support POP3 over SSL. That’s a problem since sending mail without SSL is insecure, and sending mail over SSL with no virus scanning is also insecure. There is a fix.

Please note these directions are intended to be a casual guide for experienced individuals. I’m not providing assistance or support.

Categories
Around The Web In The News

40 Years For A Malware

A teacher could get 40 years for Malware (which IMHO is nothing more than a variation of “Virus”). That sounds like a harsh sentence.

Even more reason to scan your computer regularly, and keep anti-virus and anti-spyware definitions up to date, but 40 years? Yikes.

For anyone interested, Sunbelt’s Blog is fantastic, and I’ve blogged about it a few times. It has a great approach to explaining and demonstrating IT security in an easy to read, non-pushy manner. Not many places you will see that. Most focus on general tech, and don’t touch security. Security is a fascinating field.

During a quick email exchange with Sunbelt’s Alex Eckelberry he pointed me to this comment which gives a little more info. Expect more from Sunbelt’s Blog tomorrow on this.

Blogging in IT and software development in general is really quite impressive. Only a few years ago the concept of transparency and open communication on this scale was virtually non-existent. Now Alex blogged, commented about Preston Gralla’s poor research behind his post and got a reply. I then emailed Alex about an unrelated topic (choosing passwords in the WeeklyTechTips post), happened to mention this topic, and he pointed me to a comment of his on Preston Gralla’s blog.

I have a book on my shelf “How The Internet Works” (Fourth Edition), which I got for a school project back in High School (great book by the way). Would I have imagined the above chain of events when I got that book? Not in a million years. A few years ago this would have been a small article on a tech news site, and nothing more. Two people whose writing I read, going back and forth, and having a chance to contact one of them and get a reply a minute later is really remarkable by those standards. By today’s standards it’s somewhat more normal (though still appreciated).

The blogging phenomenon definitely made IT more transparent. I become more convinced of this on a daily basis.

By the way, it looks like Mr. Gralla’s now up to “How The Internet Works, Eighth Edition”. I guess I wasn’t the only one who thought it was a cool book.

Categories
Around The Web Internet Security

PayPal Security Enhancement

For $5 you will be able to get a little better security with a PayPal SecurID. That’s not a bad idea. I very rarely use PayPal (mainly when some sort of discount/promotion is available), but I’d still get one, just for the added safety.

I wish banks would hurry up and make it standard across the board. A good password is still important, but two-factor authentication like this is a big step in defeating phishing.

Categories
Apple Security

QuickTime Security Flaw

Interesting turn of events regarding that MySpace security problem. Plugins add an interesting perspective to security on the web. Web site code, browser code, and (often forgotten) plugin code. That’s a lot of hands in the pot. One mistake is all it takes.

Categories
SafePasswd.com

SafePasswd.com Update 11/19

I updated SafePasswd.com tonight. Updates include better generation of memorable passwords, easier to handle length selector, and better quality bar. Most of the changes were to algorithms, rather than major features. Hopefully the quality of passwords generated is now slightly improved. It’s not always about the big things, sometimes it’s the smaller refinements that need to be done.