Safari on Windows has been out for a little over 24 hours now and people have already found six rather large holes in it. According to the researchers these issues exist in all versions of Safari, both on Windows as well as OS X. Continue Reading »
FTP is NOT Secure
Most network admins know that telnet is insecure because it sends the username and password in clear text. For this reason you do not find telnet being used anymore, SSH is used instead.
What most people do not realize is that FTP has the same exact issues. If a malicious person wanted to break into a server all they have to do is sniff for a FTP transaction and you will get the username and password when a user logs in. Continue Reading »
OS X is not More Secure than Windows
I’ve been using OS X for a little while now and I have found that many users have a false sense of security. They believe that just because there are not many bugs found and fixed in it that means there are not many holes that need to be fixed. This is not true.
Apple is known in the security industry as being hostel to bug finders. They down play the bug that has been found and do not admit it even existed. Apple does not even acknowledge the person(s) who found the problem.
When the month of Apple bugs was first released it seemed that users did not want the security holes found. They wanted to continue in their own little world of if you don’t see it, then it doesn’t exist. This is a false sense of security. I would rather see Apple take steps to secure their systems quickly as possible. Then once the bug has been fixed state what the bug was and acknowledge the people who found it.
Microsoft has really picked up the ball when it comes to security today, mainly because they had no other choice. With the virii going around in 2001 they had to fix something. They have spent the last six years improving their security. Today Apple is in about the same spot Microsoft was in 2000; something huge is going to happen if they do not step forward to mediate it.
I really like OS X and would hate to see something like code red or Nimda on this Operating System.
Backup Backup Backup!
This past Friday I decided to dual boot my laptop with gentoo. I had been running xubuntu and I wanted to move over to Gentoo eventually. After running gparted overnight to repartition my hard drive I started the Gentoo livecd.
The installer in Gentoo was quite easier than what I had read in the past. I believe the GTK installer is fairly new and not many people recommend using it, which I found out after the fact. Anyways, after I got done doing the configuration script I hit the install button. After a few seconds I see it trying to partition the hard drive, even though I did not change any of the partitioning schemes. This was the point that I saw the end all of errors, “Install Failed”.
The installer had failed partitioning the hard drive and corrupted all of the partition data. This means that the computer does not know how to read what partition is where on the hard drive. Thinking back there are ways to fix this, but I was not thinking that clearly at that moment so I acted hastfully and just restarted the Gentoo installer and let it take over the entire drive.
Moral of this horror story, back everything up! I back everything important up to two seperate places. One copy goes to my local file server and another copy to my remote server. This can be a pain if you forget to move a file to all locations, but you will always have a backup copy somewhere if your drive fails (or you screw it up yourself).
Surfing with Javascript Disabled
Most security experts agree that javascript should be disabled in your browser as well as any other client side scripting languages. These languages have many security flaws in them and you should not allow sites you do not trust to run code on your computer. Something good about Internet explorer is that it has different internet zones and you can add sites you trust to allow them to have javascript while all others do not. Firefox does not have this nativly built into the program, but there is a great extension to do this, noscript.
I have been using noscript for about a week now and have to admit it
is not all that bad. At first glance it is quite nice, around 95% of
the ads blocked because they use javascript to display them. On the
other hand, there are quite a few sites that totally depend on
javascript, especially for menus. One site that I found recently that
totally dies without it is the Seattle Seahawks
site. The page just does not load any content, its just a white page.
The reason is that the site uses javascript to redirect to their actual
index page rather than a server side language. It is just bad
programming.
Another issue with turning off javascript is all of
these new ajax sites. To get these sites working you have to whitelist
them. The add-on allows for permanent or temporary whitelisting. If you
trust a web site and visit it often you can add it to the permanent
list. This will allow you to visit the site without any restrictions.
It will still block any external javascript files that are loaded from
sites different than the one you are on. These files are usually ads
and can be safely blocked. You can also whitelist on a temporarily
basis. This works great if you only want to give a site access for one
visit.
All-in-all surfing without javascript enabled by default
can be done and it is easy to work with for a technically advanced
person. The issue is that most people who should be running without
javascript do not know how to setup the whitelisting. They will just
whitelist everything similar to software firewalls. If everything is
whitelisted then the whole point of the software is null.
Wifi Security
One of my hobbies is wardriving, the main reason for this is to see how many people have enabled security on their networks. On my normal drives through Vegas I average 40-50% with WEP or WPA enabled. The group of people without any protection just do not realize how at risk they are. With a packet sniffer and a little bit of time a malicious person can gain access to anything sent over the insecure connection.
You see an normal wireless connection sends all data unencrypted and
a can easily be seen by anyone with the knowledge. The reason a
wireless connection needs to be encrypted is the fact that the data is
sent out for anyone and everyone in the area to look at it. That is
what war driving is, searching for wireless access points.
To
fix this you need to enable some security on your access point. There
are two main standards for wifi security, WEP and WPA. Both standards
will secure you from the casual attacker, but WEP has been broken since
about day one. It is very easy to break a WEP password if someone
really wants to. For this reason it is suggested that you use WPA
instead. It is a much more secure encryption method that takes much
more work to crack. It can still be broken if the password is not
strong enough, I would recommend using a very long password that is not
based on a dictionary word nor multiple dictionary words. To get a
really good password you can use Steve Gibson’s password generator.
How
to setup security on your access point will be determined by the type
of device it is. The easiest way to set this up is to look in the
manual. If you do not have the manual you can always find it online.
