Users not knowing what is even on there own computers.

December 31st, 2008

It has come to my realization that common computer users, even normally intelligent people seem to be easily confused by such pop ups that look mostly like they are coming from there task bar when in reality its coming from the web-page they are currently visiting.  There are a large amount of users that have mis-mistakingly installed such things as “Antivirus 2009″ just because “there computer told them they had to”.  I struggled somewhat at the thought that people would click on this and let it install (there is a lot of user interaction needed for it to install completely) just because they thought that Windows told them it was needed to get rid of a virus.  It might be how paranoid I am in general that I can’t imagine someone would put so much trust in a product they know nothing about, or it could be that I know I don’t run any programs that are called that and I know it.  The trouble is though that I have run into to many people that will follow the directions of the install for this even including turning off there anti-virus that they have running.  So while I could just sit back and laugh at them or ridicule them for doing something that I could not imagine doing I instead tried to put myself in there seat and head to figure out how to prevent this kind of attack.

Running anti-virus and anti-spyware is not enough because they are to slow to block the pop-ups often and then the user just turns them off while trying to install this bad software that tells them they have to turn them off while installing.

Running a program that blocks bad IP addresses doesn’t work 100% either because many of these pop-ups are from ok sites except the sites are either hacked quickly or often times its code embedded in the advertisements.

Refusing to give users the permissions to install would be nice but not always is realistic either.

The real problem seems to be that these pop-ups scare the user into installing the bad software using similar psychology that hackers have used for years over the phone or email.

Posted in philosophy | No Comments »

WPA security exploit

November 8th, 2008

Just the other day a professor showed how to exploit a weakness in the WPA protocol to gain access into your wireless network.  The easiest way to fix this is to change your network not to use WPA-TKIP protocol and just use WPA-AES. As it turns out only the WPA-TKIP is affected in the exploit. The AES protocol is just a bit slower then TKIP but it should be unnoticble to most users.  As is always true keep your passwords random and long as well.

Posted in Uncategorized | No Comments »

Online Anonymity

July 2nd, 2008

Originally when the internet was in its infancy one of the drawing features was the anonymity that the internet gave users, for the first time for many people they could write articles, ask questions, complain about there governments all without fear that it was going to be traced back to them. Today a lot of that has been taken away from us, we no longer can browse the internet, post articles, or let others know of the atrocities our government has done with out fear that the government or others will track it back to us (using our IP address and ISP logs).

Some of this Anonymity can be regained though and the best solution (easy & free) that I’ve found is using the tor network, although not perfect its been around a while and the network seems proven.

https://www.torproject.org/

Tags:
Posted in Uncategorized | No Comments »

Update to TrueCrypt

March 14th, 2008

TrueCrypt version 5.1 is out now, it now has full support for hibernation with full disk encryption as well as some performance tweaks.

Posted in Uncategorized | No Comments »

TrueCrypt (ver 5.0a)

March 2nd, 2008

This new version of TrueCrypt is excellent. It is now truly cross-platform (ver 5.0 added support for mac) and has added whole system disk encryption. If you are not familiar with TrueCrypt let me brief you on it.

  1. TrueCrypt creates storage areas that are very secure and with an excellent graphical interface that is easy to use for the novice while not being annoying to the experienced. You do not need to know or understand encryption to be able to use it effectively.
  2. There are different ways you can create the secure storage areas that TrueCrypt uses.
    • File storage: Create a file on an existing drive, anywhere you want on the filesystem. (recommended for 1st time users)
    • Create a secure drive partition: This is faster then the file option but slightly more complicated for some people to do.
    • System drive encryption: Encrypts a whole system disk, including the operating system and everything under it, you just supply a password when your computer boots up and truecrypt takes care of the rest. TrueCrypt even takes the extra step of burning a recovery CD in case something goes wrong with your boot partition.
  3. For all but the system drive encryption, you simply use TrueCrypt to mount the file or partition as a new drive (for example drive z:) this makes it easy for all programs to interact with the data that is encrypted inside just as if it was a normal drive.

TrueCrypt’s speed even with thier excellent encryption is top notch, I have never seen another program come close to TrueCrypt’s speed to deal with large amounts of data quickly.

Tags: , ,
Posted in programs | No Comments »

Managing passwords

February 27th, 2008

Today it is impossible to remember all the passwords that you need to use to access e-mails, computers, servers, and other services. This is only a further problem if you use secure passwords that are different for each service that you login to. This flood of needed passwords mean that many people either write them down or even worse, use the same password for all sites. This is not secure because often times people sign-up for a new service without really knowing that service (its security etc). This site might not keep the user passwords as safe as they should, or even worse the service, or someone managing the site, might be dishonest and use that password to try and gain entry into your e-mail, bank account, etc. There thankfully are a few things you can do though that don’t decrease your security.

  • Use an encrypted file to store all your passwords. (You never want your password files to be stored unencrypted)
  • Simple.
  • You can easily create long passwords that are cryptographically secure and do not have to worry about remembering them.
  • You have to remember a password for the encrypted file still.
  • requires you to use some other program to create the encrypted file.
  • Disadvantage: programs that create encrypted files often do not securely erase the plain unencrypted file.
  • Use a program that securely manages your passwords.
  • You can easily create long passwords that are cryptographically secure and do not have to worry about remembering them.
  • You do have to remember a password for the program.
  • Two programs I recommend for this are Password safe, and KeePass. Both are open source.
  • Use a master password and mix in some aspect of each service/site that you use into it.
  • For example if master password was “9876543″ then your password for gmail might be “987-g-5643-mail”, or what ever was easy for you to remember.
  • This has the disadvantage that if one of your passwords were seen in the clear that the attacker might be able to easily see what you are doing and guess your other passwords; however most of the time your passwords are not what are being stored by a system, normally only the hash of your password is stored and then re-calculated and compared, meaning that even if the database of passwords from some site was stolen the attacker would not be able to see your actual password used, and thus not access other sites easily. Also it avoids the password being easily guessed by dictionary attacks while remaining easy to remember.

Tags: ,
Posted in Uncategorized | No Comments »