Posts belonging to Category How to



How to protect against Firesheep attacks

Experts suggest defensive measures to ward off Firefox add-on’s hijacking of Facebook, Twitter sessions via Wi-Fi
By Gregg Keizer – October 26, 2010 07:29 PM ET

Computerworld – Security experts today suggested ways users can protect themselves against Firesheep, the new Firefox browser add-on that lets amateurs hijack users’ access to Facebook, Twitter and other popular services.

Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site.

A simple double-click gives a hacker instant access to logged-on sites ranging from Twitter and Facebook to bit.ly and Flickr.

Since researcher Eric Butler released Firesheep on Sunday, the add-on has been downloaded nearly 220,000 times.

“I was in a Peet’s Coffee today, and someone was using Firesheep,” said Andrew Storms, director of security operations at San Francisco-based nCircle Security. “There were only 10 people in there, and one was using it!”

But users aren’t defenseless, Storms and several other experts maintained.

One way they can protect themselves against rogue Firesheep users, experts said on Tuesday, is to avoid public Wi-Fi networks that aren’t encrypted and available only with a password.

However, Ian Gallagher, a senior security engineer with Security Innovation, argued that tosses out the baby with the bathwater. Gallagher is one of the two researchers who debuted Firesheep last weekend at a San Diego conference.

“While open Wi-Fi is the prime proving ground for Firesheep, it’s not the problem,” Gallagher said in a blog post earlier on Tuesday. “This isn’t a vulnerability in Wi-Fi, it’s the lack of security from the sites you’re using.”

Free, open Wi-Fi is not only taken for granted by many, but it’s not the problem. There are plenty of low-risk activities one can do on the Internet at a public hotspot, including reading news or looking up the address of a nearby eatery.

So if Wi-Fi stays, what’s a user to do?

The best defense, said Chet Wisniewski, a senior security adviser at antivirus vendor Sophos, is to use a VPN (virtual private network) when connecting to public Wi-Fi networks at an airport or coffee shop, for example.

While many business workers use a VPN to connect to their office network while they’re on the road, consumers typically lack that secure “tunnel” to the Internet.

“But there are some VPN services that you can subscribe to for $5 to $10 month that will prevent someone running Firesheep from ‘sidejacking’ your sessions,” Wisniewski said.

For more, visit Computerworld.com

Four New Ways to Customize Your LinkedIn Profile

Customization and variety are key to making your LinkedIn profile stand out and get you recognized by recruiters. Check out these four new profile sections that do just that.

By Kristin Burnham – Wed, October 20, 2010

CIO — With more than 80 million registered users worldwide, making your profile stand out among LinkedIn’s crowd can be difficult. That’s why the professional social network has rolled out a number of features to help you get noticed: LinkedIn Apps give hiring managers a better peek into your work life; reordering your profile sections gives you more control over what you deem is important; and Company Follow gives you an inside look at companies’ business opportunities and job leads.

Now, LinkedIn has added an element to its site with a handful of new profile sections you can selectively add to your profile. Among those in the “Add Sections” part of LinkedIn are Publications, Languages, Skills and Certifications.

“These are most valuable for job seekers, passive candidates open to new opportunities, and consultants,” says Nathan Kievman, owner of the LinkedIn group Linked Strategies and host of weekly LinkedIn webinars. “Variety in a profile provides you the opportunity to stand out and showcase your talents that otherwise may not come up in everyday conversations, business dealings or interviews.”

Kievman also notes that LinkedIn is possibly rolling out these features to benefit recruiters. “It will provide more search results for recruiters to enhance their search for qualified clients. This is LinkedIn’s number-one revenue stream, so it makes sense that they would push these tools out there,” he says.

[Want more LinkedIn tips, tricks and analysis? Check out CIO.com’sLinkedIn Bible.]

To find the new profile sections, choose Profile > Edit Profile. Below your main profile box will be the “Add sections” button. The new profile sections will appear after your work experience. [Click here to learn how to reorder your profile sections.] Read on for a look at four of the new profile sections.

1. Certifications

LinkedIn is including a new section specifically to highlight any certifications you might have earned—ITIL, Six Sigma or PMP certifications, for example. You’ll be required to include the name of the certification in the form; you can also add the certification authority, license number and expiration date, too, if you want.

For the rest of the list, visit CIO Online

When IT is asked to spy

IT managers are being put in the awkward position of monitoring fellow employees.

By Tam Harbert – October 11, 2010 06:00 AM ET

Computerworld – It’s 9:00 in the morning, or 3:00 in the afternoon, or even 10:00 at night. Do you know what your users are up to? More than ever, IT managers can answer, “Oh, yes.”

As corporate functions, including voice and video, converge onto IP-based networks, more employee infractions are happening online. Employees leak intellectual property or trade secrets, either on purpose or inadvertently; violate laws against sexual harassment or child pornography; and waste time while looking like they’re hard at work.

In response — spurred in part by the need to comply with stricter rules and regulations — organizations are not only filtering and blocking Web sites and scanning e-mail. Many are also watching what employees post on social networks and blogs.

They’re collecting and retaining mobile phone calls and text messages. They can even track employees’ physical locations using the GPS feature on smartphones.

More often that not, IT workers are the ones asked to do the digital dirty work, primarily because they’re the people with the technical know-how to get the job done, says Nancy Flynn, executive director of The ePolicy Institute, a Columbus, Ohio-based consultancy that helps companies establish Internet and computer usage policies.

Statistics are hard to come by, but Flynn and other industry observers agree that monitoring and surveillance are becoming a bigger part of IT’s job.

Michael Workman, an associate professor at the Florida Institute of Technology who studies corporate IT security and employee behavior, estimates that monitoring responsibilities take up at least 20% of the average IT manager’s time.

Yet most IT professionals never expected they’d be asked to police their colleagues and co-workers in quite this way. So, how do they feel about this growing responsibility?

For the rest of this article, visit Computerworld.com

6 useful Wi-Fi tools for Windows

Free or cheap apps can help troubleshoot your wireless network, turn your laptop into a hot spot and more

By Preston Gralla – September 1, 2010 06:00 AM ET

Computerworld – We live in a mobile world; if you have a laptop (and who doesn’t?), that means constantly connecting to the Internet via Wi-Fi. You most likely use Wi-Fi not just when you’re on the road at cafés, airports or hotels, but to connect to your home network too. You might even connect to a wireless network at the office.

Here’s the problem: Windows doesn’t do a particularly good job of providing Wi-Fi tools. Yes, it will let you search for and connect to nearby networks, but that’s about the extent of it. What if you want to get detailed information about every Wi-Fi network within range, troubleshoot your network, turn your laptop into a portable Wi-Fi hot spot or keep yourself safe at public hot spots? Windows is no help.

That’s why we’ve rounded up these six downloads. They’ll do all these things and more. Five out of the six are free; the other is inexpensive and lets you try it out first.

InSSIDer

MetaGeek’s InSSIDer is a great tool for finding Wi-Fi networks within range of your computer and gathering a great deal of information about each. It’s also useful for troubleshooting problems with your own Wi-Fi network.

For every Wi-Fi network InSSIDer finds, it shows you the MAC address of the router, the router manufacturer (if it can detect it — it usually does), the channel it’s using, the service set identifier (SSID) or public name of the network, what kind of security is in place, the speed of the network and more. In addition, it displays the current signal strength of the network, as well as its signal strength over time.

How would you use the software to troubleshoot your wireless network? If you see that your network uses the same channel as nearby networks with strong signals, you’ll know that you should change the channel your network transmits over and thereby cut down on potential conflicts. (Most routers have a settings screen that lets you do this.)

You can also use the software to detect “dead zones” that don’t get a strong Wi-Fi connection. Walk around your home or office with InSSIDer installed on your laptop to see where signal strength drops. You can either avoid using a computer in those spots or else try repositioning the wireless router to see if it helps with coverage.

Whether you need to troubleshoot a network or find Wi-Fi hot spots to which you want to connect — or you’re just plain curious — this is one app you’ll want to download and try.

Price: Free
Compatible with: Windows XP, Vista and 7 (32- and 64-bit)
Download InSSIDer

For the rest of the apps, visit Computerworld.com

Securely disposing data on hard drives and other storage media

Date: August 31st, 2010
Author: Chad Perrin

Debates sometimes arise, both within academic circles and outside of them, over the necessity of high-intensity secure deletion techniques. Find out the true state of affairs for secure data disposal.

—————————————————————————————————————————————-
The state of the art of secure data disposal is, like that in most technical spheres of knowledge, always subject to change as researchers do their work. One might imagine that this involves new techniques for more effective data recovery that employs magnetic force microscopes and similarly high-cost solutions, countered by new advice for how to defeat such efforts when disposing of hard drives and other storage media.

One example of an impressive data recovery effort is that of the remains of hard drives from the Columbia space shuttle disaster, which ultimately led to the recovery of experimental data. Six months after the shuttle came apart on atmospheric reentry, a damaged hard drive was found in a dry lakebed and delivered to data recovery specialists at Kroll Ontrack Inc. Some time in the next four years or so, 99% of the data stored on the drive was recovered. The drive was eight years old before the shuttle disaster; it was delivered to the people who recovered the data from it looking like a melted down piece of slag and then damaged further during the recovery process — but recovery was a success.

On the other hand, two other drives involved in the shuttle disaster were complete losses.

There is a persistent myth to the effect that to securely delete everything from a hard drive one must overwrite it thirty-five times with random data. This myth arises from a superficial read and misunderstanding of Peter Gutmann’s 1996 paper, Secure Deletion of Data from Magnetic and Solid-State Memory. The truth of the matter, as presented in his paper, is that 35 random overwrites serves only to apply the necessary means of securely deleting data for any of several different drive technologies. A specific data storage technology only requires some lesser technique applied to ensure secure deletion.

Perhaps more interesting is the fact that, for the most modern hard drive technologies, a single complete overwrite of a drive with zeros should be sufficient. Part of the reason for this is the fact that data density on a drive is much greater than it used to be. In layman’s terms, “the bits are smaller”, which means that when rewriting, there is less room for old data to be left behind in a recoverable manner. A fair amount of redundancy of stored data occurred on older, lower density drives because the reading and writing devices were not as precise, and small deviations would leave random small areas unaffected on a single overwrite.

In a recent epilogue to his paper, Gutmann quoted himself responding to a researcher who considered doing some data testing:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging. OTOH if you’re going to use the mid-90s technology that I talked about, low-density MFM or (1,7) RLL, you could do it with the right equipment, but why bother? Others have already done it, and even if you reproduced it, you’d just have done something with technology that hasn’t been used for ten years. This is why I’ve never updated my paper (I’ve had a number of requests), there doesn’t seem to be much more to be said about the topic.

Recent papers by other researchers may seem to contradict Gutmann’s results. He does address some of this in his epilogues. Judging by both his epilogues and an independent look at reporting on such papers, it seems that such papers are in some cases misguided, and in others not contradictory of Gutmann’s results so much as relating to a specific technology that falls within the range of Gutmann’s more general overview.

While no single storage technology requires Gutmann’s described technique for dealing with all technologies, few of us have the time or inclination to double-check the specific technologies and the approaches required for each of them before tackling the task of secure data disposal. If you want to run a secure data disposal service where you expect to need to deal with many, many different storage devices regularly, it pays to know the specific techniques for specific technologies, and to apply them, if only because the time and resource costs for secure deletion will add up quickly. If you are a more typical user who just needs to get rid of a hard drive every couple years or so, the time spent keeping track of drive technologies and data disposal techniques is probably worth more to you than the time it takes a computer to perform Gutmann’s thirty-five overwrite “scorched earth” technique.

For more, visit TechRepublic.com

Sticks and stones: Picking on users AND security pros

Nobody likes to get picked on. But is it sometimes necessary to snap people out of their apathetic approach to security?

By Bill Brenner, Senior Editor

August 25, 2010 — CSO

I took my share of name-calling as a kid. I did my share of name-calling, too. We’re taught that nothing good comes of such behavior. I’ve been thinking a lot about that since writing an article two weeks ago called “Security blunders ‘dumber than dog snot’” during the 2010 USENIX Security Symposium.

The story is based on a talk of the same title given by Roger G. Johnston, a member of the Vulnerability Assessment Team at Argonne National Laboratory. In the presentation, he gave examples of surprising (or not) examples of what he has seen as a vulnerability assessor: security devices, systems and programs with little or no security — or security thought — built in. There are the well-designed security products foolishly configured by those who buy them, thus causing more vulnerability than before the devices were installed.

Then there are the badly-thought-out security rules and security programs laden in security theater, lacking muscle and teeth. In fact, some policies only make some employees disgruntled because they are treated like fools. In turn, the company risks turning them into malicious insiders.

Also see “Ouch! Security pros’ worst mistakes

Johnston described three common problems: People forgetting to lock the door, people too stupid to be helped and — worst of all — intelligent people who don’t exploit their abilities for the betterment of security. Enter what he calls the dog snot model of security– where intelligence and common sense exist but are not used.

He came up with the term by watching his dogs, who often crash themselves against the picture window facing the yard when they want to go chase a squirrel. Hence, the windows are covered in dog snot. Executives and lower-level users are often like the dogs in that they bang their heads against the firewall (or their fingers against the keyboard) in an effort to get at a shiny object online. The security pros themselves can get caught up in this too, usually banging up against the glass by trying to prevent bad things from happening by repeating the same failed practices.

Moments after the story went live and appeared on Twitter, I got a message from Adam Shotack, co-author of “The New School of Information Security” and a security specialist at Microsoft.

“Is that attitude helpful? Does anyone respond better when you call them ‘dumber than dog snot?'” he asked.

For the rest, visit CSO Online.

5 ways to use bootable Linux live discs

Live CDs, DVDs or USB drives let you run Linux without actually installing it. Here are five reasons why you should.

By Logan Kugler – July 20, 2010 06:00 AM ET

Computerworld – In the almost 20 years since Linux was first released into the world, free for anyone to use and modify however they like, the operating system has been put to a lot of uses. Today, a vast number of servers run Linux to serve up Web pages and applications, while user-friendly versions of Linux run PCs, netbooks, and even Android and WebOS phones.

One incredibly useful way that Linux has been adapted to the needs of modern computer users is as a “live CD,” a version of the operating system that can be booted from a CD (or a DVD or, in some cases, a USB drive) without actually being installed on the computer’s hard drive. Given the massive RAM and fast CPUs available on even the lowest-end computers today, along with Linux’s generally lower system requirements compared to Windows and Mac OS X, you can run Linux quite comfortably from a CD drive.

Live discs allow you to radically transform the nature of the machine you’re working on — without modifying the installed operating system and software at all. There are a number of reasons you might want to do this. The most obvious is to test a new version or different distribution of Linux before deploying it, saving yourself the surprise of incompatible software or nonfunctional hardware after installation. But even if your business does not plan to deploy Linux as a desktop or server operating system, there are still good reasons to have a live Linux CD or two on hand.

Live CDs are great for system diagnosis and recovery when disaster strikes; they’re also useful for securing and testing your network. And for road warriors, the ability to boot up a familiar, customized operating system on any machine, anywhere in the world, has an obvious attraction — as do specialized live distributions designed to provide security and anonymity for workers with sensitive data or communications to protect.

Live discs are read-only, which means they’re quite secure, since malware can’t make any changes to the core system. If you do get an infection, it disappears as soon as you reboot.

Here are five ways to use live Linux in your business, as well as pointers to distributions best suited to each particular task.

1. Test-drive Linux

Over the years, Linux has developed from a usability nightmare into a fairly straightforward desktop operating system. With professional-quality productivity tools like OpenOffice.org for creating documents, spreadsheets and presentations and GIMP for image editing, as well as versions of familiar applications such as Firefox, Thunderbird, Adobe Reader and Flash, most common business tasks can be done pretty easily on a Linux system.

You can see how well adapted Linux is to your business by running several of the most popular desktop distributions from a live CD. Perhaps the most refined and user-friendly desktop system available right now is Ubuntu, which includes just about every application you could ever ask for, from business productivity apps to programs for multimedia editing, Web design, running databases, serving up Web pages and chatting online.

Ubuntu, one of the most popular desktop Linux distros available, comes preloaded with the open-source office suite OpenOffice.org.

Ubuntu’s installation disk is itself a live CD, so if you decide to install the system later you can just run the installer from the Ubuntu desktop.

2. Recover aging hardware

Linux in general has lower system requirements than other contemporary operating systems, but there are a few distributions that are specially designed to take advantage of old, even ancient, computer hardware, letting you squeeze a few more years of life out of systems you wouldn’t even think of running Windows on — including machines with broken hard drives.

Both Damn Small Linux (DSL) and Puppy Linux are designed for older systems, requiring only a Pentium 486 or equivalent CPU and 128MB of RAM to run well. DSL can even run with just 64MB of RAM. Both launch a usable, if somewhat stripped down, user interface that’s perfect for tasks like sending and receiving e-mail, creating documents and surfing the Web — in other words, basic administrative tasks.

Puppy Linux (upper left) and Damn Small Linux are optimized for older hardware, turning ancient machines into functional workstations.

For the rest of Mr. Kugler’s excellent post, visit Computerworld.com

Create a 3-D Hologram With Your iPad

N-3D DEMO from aircord on Vimeo.

Screw video conferencing. Toss out those 3-D glasses. We just got one step closer to making portable holographic videos a reality (something we’ve all been waiting for ever since the first Star Wars flick came out back in 1977). This new demo from Japan-based creative team Aircord labo uses nothing more than a glass prism (with “special film”), a projector, and an iPad to create a 3-D display that runs on OpenFrameworks and MaxMSP (you can download the program files here). Think that’s pretty badass? So do we. But wait, there’s more! With an installed application, the program can also respond to sound, making the 3-D holovid display interactive.

The simplicity and accessibility of this design is what makes it most exciting to us. We can’t wait to see what happens when the OpenFrameworks community takes hold of this thing and takes it for a joy ride. How long do you think it’ll be before holovids are on the iPhone? We give it 5 years.

[via CreativeApplications.net]

Wired How-To: Software Licensing Audit

The following steps describe how to:

1. Identify what software is installed on every node in your network;

2. Match all that software to licenses;

3. Get the audit reports.

  1. You need to download the trial version of Network Inventory Advisor: http://clearapps.com/download/network_inventory_advisor.exe (please copy-paste this link into your browser and start the download).  Trial version of NIA is available 15 days and allows to scan up to 25 nodes in your network. (You can use the coupon code to get a full version of NIA with 20% OFF, it is still valid: TWNBH-PIA9 🙂
  2. Install the latest build of Network Inventory Advisor and launch the application. Follow a Scanning Wizard and after several minutes you will discover all software installed in your network.
  3. To view network software licensing audit data go to “Network Summary” at the left tree menu. After, click “All software” tab and you will get clear report about installed software licenses on each PC in your network.

Now you can easily identify what is installed where, control software installations & lower the costs of licensing by finding gaps between software on your nodes and the licenses possessed; or re-using unused software licenses.

This page was last modified 11:48, 17 July 2010 by kellyroberts.

A Patch Management Strategy for Your Network

Ed Fisher

Author Profile – Ed Fisher writes for GFI Software

In Ed’s own words, “I’m that guy. You know the one. When things are broken, I fix them. When they don’t make sense, I explain them. When nothing is getting done, I do it. When a void occurs, I fill it. When there is silence on the call, I state the necessary. An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together,) I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. I’ve worked on global scale environments for Doosan, Ingersoll Rand, Microsoft(blue,) EDS/Bank of America, an international financial services firm, and as a consultant for numerous companies and various city, state, and federal government agencies.”

Intro The care and feeding of your network includes the regular patching of all your servers and workstations. Whether Microsoft, Unix, Linux, or Mac, all computers need patches. Patches address bugs, fix compatibility or usability issues, and help defend against attacks and malware. Patch management is an ongoing responsibility for all systems administrators, and is easy to do with just a few guidelines.

Keeping up with patches The biggest challenge of patching is keeping up with the patches themselves. Vendor mailing lists including Microsoft Security bulletins, the SANS Institute mailings, and security bulletins from your vendors are all designed to keep you informed of security issues and new patch releases. Subscribe your IT Team’s distribution list to these, and review them each week during the team meeting to keep everyone informed and ensure that nothing is missed. See the end of this article for links to other security mailing lists.

Don’t forget applications Everyone thinks about operating systems, but just as important are patches for applications. Many applications interact with websites directly or through downloaded content, and are frequently exploited. Media players, antivirus software, document readers, and all others must be kept up to date. Maintaining and enforcing a list of approved software in your network, and subscribing to the vendors’ mailing lists will help you keep track of what patches need to be deployed and to which systems.

Testing patches While patches are intended to fix issues, occasionally they may introduce new ones through incompatibilities or other problems. Before deploying patches to production, it is critical that you test them on a representative group of workstations and servers in the environment. Enlist members of the helpdesk and personnel from other business units to help test with early deployments. Should a problem exist with a patch, you will detect it before it can affect the entire business.

Deploying patches The goals for patching should include 100% compliance, timely patching of all systems, and verification. Ensure management understands the importance of patching and supports it fully. Establish maintenance windows to deploy patches and reboot systems when necessary. Many patches are released to address publicly disclosed vulnerabilities; others may point to the existence of vulnerable code. Delays in applying patches increase your risks from malware and attacks, and also the chance that bugs in the unpatched code could lead to system instabilities and downtime. When choosing a patch management system, choose one that can push to systems on a timed basis, verify that the patch installed correctly, and generate reports across all systems. This provides great metrics for management, and helps ensure that no system was missed.

Reverting patches Even with testing, it may be necessary to uninstall a patch. Reporting on all patches deployed to a system, and all systems that received a particular patch are both critical, and having a system that can uninstall patches as well install them is a good safeguard against problems.

Wrap up Patching both operating systems and applications is a regular part of network maintenance. Having the right tools and procedures in place, and support from management, contribute towards making patch management a success.

For more, visit Ed’s post at Stumbleupon