Category Archives: INFO SECURITY

INFORMATION SECURITY: Sidejacking Wi-Fi Hotspots – How a Hacker Can Access All of Your Online Accounts With a Free Program Part II: How to Recognize and Protect Yourself

BlackSheep will warn you when someone is running Firesheep at a Wi-Fi hotspot

If you have not read Part I, please read it before you read on.

In Part I of this series I introduced the dangers of sidejacking, the hijacking of a web session by sniffing its cookie off the network, using browser add-ons such as Firesheep.

Part II covers a few ways to tell when someone on your network is using Firesheep, and how to protect yourself.

An easy way to find out whether someone is using Firesheep is a Firefox add-on called BlackSheep, which alerts you whenever someone on the same network is running Firesheep. BlackSheep can be found here:

http://www.zscaler.com/blacksheep.html

From the site:

BlackSheep, also a Firefox plugin, is designed to combat Firesheep. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.

While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network. When identified, the user will receive a warning message.

If you want to try this yourself and see results, you'll need two separate computers running Firefox, as the two add-ons share a lot of the same code. Note what the description above implies about coverage: BlackSheep catches Firesheep because Firesheep replays the stolen cookie to the site from the same network. A sniffer that only records cookies and replays them somewhere else gives BlackSheep nothing to see.
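The detection trick in the quoted description fits in a few dozen lines. What follows is an added example, not BlackSheep's code: it plants a random ‘canary’ session cookie in a plain-HTTP request to a bait host, then scans captured requests for any other machine on the LAN presenting that exact value, which is what Firesheep does when it fetches the victim's name and picture. Sniffing is left out; the captured requests, the bait host `www.example.com`, the cookie name `sessionid` and the addresses are all constructed sample data.

```python
"""Canary-cookie detector, modelled on the BlackSheep idea.

Added example, not BlackSheep's code. Nothing here sniffs a real
interface: the 'captured' requests are constructed sample data, and
a real deployment would feed in request lines parsed from a pcap.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    src_ip: str    # LAN address the request came from
    host: str      # value of the Host: header
    cookies: dict = field(default_factory=dict)  # parsed Cookie: header


def parse_cookie_header(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def make_canary(cookie_name="sessionid"):
    """Bait cookie (name, value) that no real site ever issued.
    The value is random, so a replay can only come from someone who
    copied our request off the wire."""
    return cookie_name, secrets.token_hex(16)


def detect_replays(requests, bait_host, bait_name, bait_value, our_ip):
    """Addresses other than ours that presented the bait value to the
    bait host. Firesheep replays the stolen cookie to fetch the victim's
    name and picture, and that replay is what shows up here."""
    culprits = set()
    for req in requests:
        if (req.host == bait_host
                and req.src_ip != our_ip
                and req.cookies.get(bait_name) == bait_value):
            culprits.add(req.src_ip)
    return sorted(culprits)


# --- constructed demo data (assumed names and addresses) ---
OUR_IP = "10.0.0.5"
BAIT_HOST = "www.example.com"
BAIT_NAME, BAIT_VALUE = make_canary()

SAMPLE_CAPTURE = [
    # our own bait request, sent in the clear on purpose
    HttpRequest(OUR_IP, BAIT_HOST,
                parse_cookie_header(f"{BAIT_NAME}={BAIT_VALUE}; locale=en")),
    # an unrelated client with its own session
    HttpRequest("10.0.0.9", BAIT_HOST,
                parse_cookie_header("sessionid=0123abcd; locale=en")),
    # a sidejacker replaying our canary from another address
    HttpRequest("10.0.0.23", BAIT_HOST,
                parse_cookie_header(f"{BAIT_NAME}={BAIT_VALUE}")),
    # same machine talking to another host: not evidence
    HttpRequest("10.0.0.23", "example.org",
                parse_cookie_header(f"{BAIT_NAME}={BAIT_VALUE}")),
]


def run_demo():
    return detect_replays(SAMPLE_CAPTURE, BAIT_HOST, BAIT_NAME, BAIT_VALUE, OUR_IP)


if __name__ == "__main__":
    print("canary replayed from:", run_demo())  # ['10.0.0.23']
```

The check hinges on the canary value being unpredictable, so that only someone who copied it off the wire can present it. It also inherits BlackSheep's blind spot: a sniffer that records cookies without replaying them on the same network never trips it.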


INFORMATION SECURITY: Sidejacking Wi-Fi Hotspots – How a Hacker Can Access All of Your Online Accounts With a Free Program

Anyone can access all of your online accounts at a Wi-Fi hotspot using this free program

I’m sitting here in Starbucks right now playing around with something called Firesheep. Some of you may have heard of it, as it’s been in the web news a lot in the last few days.

Let me give you a bit of background on what exactly Firesheep is.

Firesheep is a Firefox add-on that demonstrates just how insecure those ‘secure’ sites are. The sites I’m talking about are:

Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, tumblr.com, Twitter, WordPress, Yahoo and Yelp

What it does is monitor the Wi-Fi network and grab the session cookies that browsers send to those sites once a user has logged in. The initial login may be encrypted, but the cookie the site then uses to keep track of the session is sent in the clear with every later plain-HTTP request, so anyone on the same open hotspot can copy it and be logged in as that user without ever seeing the password.
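Whether a site is exposed comes down to the attributes on the cookie that carries the session. Here is an added check, not code from the post or from Firesheep, that parses Set-Cookie headers and flags session-looking cookies that lack the Secure attribute (the browser will then send them over plain HTTP, where a sniffer sees them) or the HttpOnly attribute. The headers, cookie names and `example.com` are constructed samples; the regex that guesses which cookies are session cookies is a heuristic, not a rule any browser applies.

```python
"""Audit Set-Cookie headers for sidejacking exposure.

Added example, not code from the post or from Firesheep. The headers
below are constructed; the session-name regex is a heuristic guess at
which cookies carry a login, not anything a browser enforces.
"""
import re

SESSION_HINT = re.compile(r"sess|sid|auth|token|login", re.I)


def parse_set_cookie(header):
    """One Set-Cookie header -> (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def findings_for(header):
    """Problems with one cookie. Only session-looking cookies matter:
    a missing Secure flag means the browser sends the cookie on every
    plain-HTTP request to the domain, which is what a hotspot sniffer
    collects; a missing HttpOnly flag lets injected script read it."""
    name, _, attrs = parse_set_cookie(header)
    if not SESSION_HINT.search(name):
        return []
    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure: sent in the clear over HTTP")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable by page script")
    return problems


def audit(headers):
    """Map cookie name -> list of findings for one response's headers."""
    return {parse_set_cookie(h)[0]: findings_for(h) for h in headers}


# Constructed samples: the weak form Firesheep feeds on, and the fix.
WEAK_RESPONSE = [
    "sessionid=7f3a9c2e; Path=/; Domain=example.com",
    "lang=en; Path=/",
]
HARDENED_RESPONSE = [
    "sessionid=7f3a9c2e; Path=/; Domain=example.com; Secure; HttpOnly",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(hdrs))
```

Run it against the headers a site returns after login. The server-side fix is to set Secure (and HttpOnly) on the session cookie and serve the whole logged-in session over HTTPS, ideally with HSTS so the browser never makes the plain-HTTP request at all; on the user's side, a VPN or an extension that forces HTTPS gets the same result at a hotspot.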


INFO SECURITY: Password Complexity – How to Keep Your Crap Safe

In today’s connected world, you need a user ID and password for just about everything.

Back in the day, you were lucky to have to remember one or two user IDs and passwords.

Currently I’ve got at least 60-70 user IDs and passwords to remember between personal and work (and I’m sure I’m being conservative on the number there).

There are a few different ways you can handle this. You can:

•    Use the same user ID and password everywhere
•    Use the same user ID and different passwords
•    Use the same password and different user IDs
•    Use different user IDs and passwords
•    Use easy user IDs and passwords
•    Use complex user IDs and passwords

Let’s take a look at a few of these.
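To put numbers on ‘easy’ versus ‘complex’, here is an added example, not from the original post, that estimates the brute-force search space of a password from its length and the character classes it uses, and generates a fresh random password per site. The entropy figure is an upper bound that assumes an attacker guessing blindly; a dictionary word or a keyboard pattern is far weaker than its length suggests.

```python
"""Put numbers on 'easy' versus 'complex' passwords.

Added example, not part of the original post. The entropy estimate is
an upper bound that assumes an attacker guessing blindly over the
character classes used; a dictionary word or keyboard pattern is far
weaker than its length suggests.
"""
import math
import secrets
import string

CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)
FULL_ALPHABET = "".join(CHARACTER_CLASSES)


def charset_size(password):
    """Size of the union of character classes the password draws from."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))
    # if nothing matched (e.g. all non-ASCII), fall back to distinct chars seen
    return size or len(set(password))


def entropy_bits(password):
    """log2 of the blind-search space: length * log2(charset size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Fresh random password from the OS CSPRNG. Call once per site, so a
    breach at one site does not hand the attacker all the others."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(samples):
    """{password: entropy bits} for a quick side-by-side."""
    return {p: round(entropy_bits(p), 1) for p in samples}


if __name__ == "__main__":
    for pw, bits in compare(["password", "P@ssw0rd!", generate_password()]).items():
        print(f"{pw!r:24} {bits:6.1f} bits")
```

Two things fall out of the numbers: length buys more than symbol-swapping does (each extra character multiplies the search space), and a generated password is only unique if you actually generate a new one per site, which in practice means a password manager rather than memory.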


INFO SECURITY: Nuking your Data

So you’ve got a hard drive, USB drive, etc. that you don’t use anymore, and you want to give it to a friend, donate it to a school, or just plain ditch it.

Well, normally, you’d just do a format or hammer it into pieces. With either option, you run the risk of letting whoever is interested pull your information off the drive you ‘formatted’ or ‘destroyed’. As a matter of fact, there was a case several years ago with the state of Pennsylvania.

They ‘donated’ computers to a school. Wonderful idea, great way to save on spending, right? Wrong. Yes, they saved the school system money, but a reporter got hold of one of the hard drives and ended up recovering an untold amount of data off the ‘wiped’ drive.

The only sure-fire way to destroy the data on a drive is to destroy the media itself: melt it down, or put it through a shredder that turns the platters or flash chips into dust. Smashing the device into a few pieces isn’t enough; even broken into pieces, a DVD or CD can be partly recovered. Short of that, keep in mind that a quick format only rewrites the file system’s index and leaves every data block in place. Disposal guidance such as NIST SP 800-88 calls for an overwrite of every sector (or the drive’s own secure-erase command), and a drive that was fully encrypted from the start can be retired by destroying the key.

Forensic software such as EnCase will recover an amazing amount of data from a drive that was merely formatted or partly damaged, and I have both seen and heard of cases where criminals thought they had ‘destroyed’ a hard drive by smashing it with a hammer, but ended up only pissing the investigators off and making them work harder to find something.
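To see why a format is not a wipe, here is an added example, not the EnCase product or any real file system: a toy disk image with a directory table in front of the data blocks. A quick format only blanks the table, so carving the raw blocks for a JPEG signature brings the ‘deleted’ picture straight back; overwriting every block with random data is what it takes to make the carve come up empty. The file names, the fake JPEG and the block layout are all constructed.

```python
"""Why a quick format is not a wipe: a toy file-carving demo.

Added example, not EnCase or any real file system. A 'disk' is a byte
array with a directory table in the first blocks and file data after.
A quick format blanks only the table; an overwrite rewrites every block.
Carving by file signature, which is what forensic tools do, ignores the
table entirely, so it recovers from the former and not from the latter.
"""
import os

BLOCK = 512
DIR_BLOCKS = 2                    # blocks 0-1 hold the directory table
JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image signature
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker


def build_image(files):
    """files: [(name, bytes)] -> bytearray laid out as table + data blocks."""
    data = bytearray()
    entries = []
    for name, content in files:
        first_block = DIR_BLOCKS + len(data) // BLOCK
        entries.append(f"{name}:{first_block}:{len(content)}")
        data += content + b"\x00" * (-len(content) % BLOCK)  # pad to block
    table = ";".join(entries).encode().ljust(DIR_BLOCKS * BLOCK, b"\x00")
    return bytearray(table) + data


def quick_format(disk):
    """What a format typically does: zero the directory, keep the data."""
    disk[:DIR_BLOCKS * BLOCK] = bytes(DIR_BLOCKS * BLOCK)
    return disk


def overwrite(disk, passes=1):
    """What a wipe tool does: rewrite every block with random bytes."""
    for _ in range(passes):
        disk[:] = os.urandom(len(disk))
    return disk


def carve_jpegs(disk):
    """Recover JPEG-shaped files by signature, never looking at the table."""
    found, pos = [], 0
    while True:
        start = disk.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = disk.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(bytes(disk[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample content: a minimal JPEG-shaped blob and a text file.
FAKE_JPEG = JPEG_SOI + b"\x00" * 40 + b"not really pixels" + JPEG_EOI
FILES = [("readme.txt", b"donated PC, nothing to see"), ("photo.jpg", FAKE_JPEG)]


def demo():
    """Carve results after a quick format and after a full overwrite."""
    formatted = quick_format(build_image(FILES))
    wiped = overwrite(build_image(FILES))
    return {"formatted": carve_jpegs(formatted), "wiped": carve_jpegs(wiped)}


if __name__ == "__main__":
    result = demo()
    print("after format:", len(result["formatted"]), "JPEG(s) carved")
    print("after overwrite:", len(result["wiped"]), "JPEG(s) carved")
```

The overwrite works here because the toy disk has no hidden copies. Flash media do: wear-levelling means an overwrite issued by the host may never touch the physical cells holding the old copy, so for SSDs and USB sticks the drive’s own secure-erase command, full-disk encryption from day one followed by destroying the key, or physical destruction is the answer. NIST SP 800-88 is the usual reference for which method suits which media.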


INFO SECURITY: Google’ing your way into trouble

Google is wonderful. They give you access to a myriad of free things that make your life simpler. It makes it easy to share data with your contacts, set up appointments, chat with them online, get the daily news, make money with ads, purchase items through web sites, and a metric crap ton of other things.

But did you know that Google will track you like a malicious stalker?

Oh yes, it does.

Let’s take a look at what it does and what it tracks…


INFO SECURITY: Cell Phone Security – The spy in your pocket…

Be wary of using your cell phone for anything but casual conversation

Who reading this article has a cell phone? I’d probably be pretty close in saying that at least 95-98% of the people reading this have a cell phone of some sort. It may not be a smartphone (iPhone, BlackBerry, Windows Mobile, etc.), but I’m willing to lay money that you’ve got one.

They are one of the most destructive things ever invented for personal privacy.

How, you ask? Well, let’s take a look.

There are applications on the public market (and ones in the government sector that we’re not going into) that can track you, listen to your phone calls, read your e-mail and text messages, pull your calendar items and MUCH more. They can even turn on your phone’s camera and take photos or video.

Any and all of this can be done without your knowledge or consent. Spyware can be installed through a text message, an e-mail, physical access to the phone, or a remote connection to it over Bluetooth, the mobile network or Wi-Fi. Some online services will track a person from their phone number and the cell towers the phone is connecting to.


INFO SECURITY: Facebook Privacy 101

My self-worth is based on how many FB farm friends I have

When you sign up for Facebook, they want you to fill in as much information about yourself as possible. They then make that information available to basically anyone who wants it.

There are two ways to keep Facebook from just giving your information away:

•    Don’t sign up for FB
•    Control your account

The first is obviously the easiest and best, but then how would you stay in touch with all those high school plebes who used to pick on you and now want to be your friends?

After you set up your FB account, head over to the Account section.

Once there, you have a number of privacy options to choose from. Someone made a chart of all of the privacy options, published by The New York Times, and I am presenting it here for your review. It is a pretty decent representation of their privacy issues and includes some eye-opening statistics on their policy.


INFO SECURITY: Social Engineering 101, or how to get ANYTHING you want…

Hi, This Is Bob From IT

To demonstrate what exactly social engineering is, let me play out a scenario for you…

Mr Jones works for a large corporation. He’s not very tech savvy, and out of the blue one day he gets a phone call.

‘Mr Jones’
Hello, Mr Jones, Acquisitions…

‘Helpdesk Bob’
Hey, Mr Jones, it’s Bob from the Help Desk. We’re having an issue with your account, it seems as though someone’s been calling down trying to get your password changed. We need to verify that you are the one who wants to change it. Have you tried calling us to change it?

‘Mr Jones’
Hey Bob, no, it’s not me; I’m in my account fine right now. They were trying to get my password changed?

‘Helpdesk Bob’
Yeah, they had your company ID and everything. At least I think it was your company ID.

‘Mr Jones’
Well, here, let me verify my ID for you.  It’s 1234567.

‘Helpdesk Bob’
Yup, that’s what we have; I wonder how they got that.


INFO SECURITY: Thumb Drive Security

Protect your thumb drive and the data on it like it is made of solid gold and diamonds

A few days ago, over lunch, I ran to a gas station, grabbed a Diet Dew and headed to the car. On the way back, I found a flash drive lying on the ground. It was lying in an empty parking space and there were no other vehicles or customers around, so I grabbed it. Thought, hey, my lucky day.

It sat in my car while I finished my day at work, and the whole day I was wondering if this was someone’s attempt at a ‘social engineering’ attack or just someone who had lost their drive. I won’t compromise my organization’s network in any way, shape or form, so it had to wait.

I know what kind of data is stored on a lot of drives, and it ranges from the purely innocent, full of someone’s kids’ photos, right on up to deviant sexual and criminal acts. So all the while I was chomping at the bit to see what was on it. If it was something of a seedier nature, I’d keep the drive and wipe it for future personal use. If it was of a criminal nature, I’d hand it over to the proper authorities. If it was something else, I’d see if I could track the owner down.

I started to look through the drive, and what was MOST disturbing is that there were several files on there with financials for both the person (who happens to own a computer support business) and for an organization. This really alarmed me, and I started to wonder what would have happened if someone of a ‘less than ethical’ nature had picked it up.
