Friday 22 July 2011

Blog move

After much pain and effort, mainly from @TobyDBB, my blog has now moved to http://www.securityfornonit.co.uk/. Please jump along and have a look.

Monday 11 July 2011

Another Android Trojan, again!

http://threatpost.com/en_us/blogs/new-sms-trojan-targeting-android-users-071111

Android, I love it. It is my mobile platform of choice, and I have even converted the wife!
I have followed it from the beginning, and now it is taking off in a big way. Samsung, HTC, Motorola and Asus have all jumped on board, mobile phones, tablets, even photo frames, it really is everywhere. People may be using mobiles and not realise they are running Android, is that a sign of success? I think so, but I digress.
Unfortunately, the price of success today is increased focus from the bad guys. Look at Apple: for years Mac owners believed they didn't need antivirus as there wasn't any malware designed to target Macs. Now, this may have been true, but this was down to Apple having a tiny PC market share compared to Microsoft, so the bad guys targeted Microsoft. A bigger return on investment. Now Macs are more popular we are seeing more and more malware aimed Apple's way, as shown in the following BBC article:

http://www.bbc.co.uk/news/technology-13453497

And Android is seeing the same; the fact it is open source and the Android Market rules are a lot more lenient than Apple's App Store just compounds the problem. However, with a little research the risks can be reduced significantly. Here are a few pointers:

1. Before installing any app, Android informs you what permissions the app is asking for. These permissions are essentially what controls what the app can do. Ask yourself why the app needs to do this. Why would a wallpaper app need to SMS people? An excellent article on Android Central lists some of the scarier permissions and what they mean. Check it out, it could save you in future.

http://www.androidcentral.com/look-application-permissions?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+androidcentral+%28Android+Central%29

2. Read the reviews! Unless you are like me (must have new toys now!), then wait a while and let the braver "testers" install the app and review it. Let the others take the risks (unless you are one of those risk takers, but then that's a whole new ball game).

3. Only install apps from trusted sources. Well, trusted is a bit of a loose term, as malicious apps have appeared in Google's official Android Marketplace, but Google are pretty swift to mop them up once alerted. But for the purpose of this post we'll call them trusted. So, try and stick to the Android Marketplace, Amazon's app store (for the US readers), GetJar etc. Although the lines are going to become blurred even further with more app stores on the horizon (Samsung and HTC are both looking to get in on the game).

4. Most of all, use some common sense. If it doesn't feel right, for whatever reason don't install it. This applies to all mobile platforms, not just Android.

Don't get me wrong, I love Android, and I wouldn't swap for another mobile platform. But everyone should apply the same thinking they do with their PCs. Downloading practices have been forced down everyone's throats for years now, carry them over to your mobile devices.
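Pointer 1 as a check you can run, added here as an example and not code from the original post: it reads a decoded AndroidManifest.xml and lists the sensitive permissions that the app's category does not explain. The sample manifest, the category names and the EXPECTED mapping are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that can cost money or expose personal data, with a plain reason.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send text messages (premium-rate charges)",
    "android.permission.RECEIVE_SMS": "can intercept incoming text messages",
    "android.permission.READ_SMS": "can read stored text messages",
    "android.permission.CALL_PHONE": "can place calls without asking",
    "android.permission.READ_CONTACTS": "can read your address book",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
}

# Assumption: what each kind of app plausibly needs. Illustrative, not a Google policy.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "messaging": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                  "android.permission.INTERNET"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}

def unexpected_permissions(manifest_xml, category):
    """Sensitive permissions requested that the app's category does not explain."""
    extra = requested_permissions(manifest_xml) - EXPECTED.get(category, set())
    return {perm: SENSITIVE[perm] for perm in sorted(extra) if perm in SENSITIVE}

# Constructed sample, already decoded to text (inside an APK the manifest is
# stored in a binary form): a "wallpaper" app that also asks to send SMS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in unexpected_permissions(SAMPLE_MANIFEST, "wallpaper").items():
        print(f"Question this: {perm} ({why})")
```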

Saturday 9 July 2011

Google+, first thoughts.

Ever since Google+ started its "limited field trial" I have been itching to give it a go. I mean, who doesn't want to play with the shiny new toys? Luckily a good friend @f1nux dropped me an invite last night. So the playing began.

I like it, whether it is a "Facebook killer" I'm unsure, but it is definitely the best social network offering from Google to date. But what about security? Google doesn't have the greatest past record when it comes to protecting personal information, and have no doubt anything posted on Google+ will be used to refine their ad serving technologies (just as Facebook do).
But I do like Google's Circles idea, which is grouping your friends into different Circles. When you post/share anything, you choose which Circles can see it. A mix of Facebook and Twitter almost.
This idea covers your profile as well. Every bit of your profile can be locked down to particular Circles, all Circles or anyone on the web, allowing you to refine who sees what. For example, my personal email address is available to my Family and Friends Circles, but my work email address is only available to my work Circle. This kind of granularity is what I have wanted in Facebook for a long time, real management of personal information.

Will it take off? Who knows, I can see it as an excellent way to run both personal and business social networking in one place. It seems the doors are closed again for now, but feel free to post your email address if you want an invite and I'll drop one across when they reopen.

Friday 8 July 2011

Get your phreak on. Well, don't actually.

So, the News of the World is shutting down, and as it should. The "hacking" scandal has lowered my opinion of the tabloid press to rock bottom, but whatever sells a story right?
Enough of the rant though, back to the point. Phones weren't really "hacked", it isn't some mystical voodoo skill only a handful of people know, and I think some individuals may find it funny to do the same to their "friends" over the next few weeks as it is the most recent "cool" thing. David Rogers from the Naked Security blog posted some helpful tips and explanations here, have a read and see what you think. Have a play with your own phone and number, can you get in?

I remember getting my first mobile and this kind of "hacking" (although it wasn't called that amongst my group of friends) was prevalent as practical jokes. The fact that every mobile on the same carrier used the same default PIN to have remote access to voicemail made it all the easier. But in today's privacy driven, ever connected world your voicemails may be worth something to someone. The bad guys are always finding more ways to make money from personal information, so don't make it easy. Follow the steps in David Rogers' post and see if you are vulnerable. If you are, fix it. Even the minor annoyance of having your voicemail greeting changed should be enough to motivate you to check your settings.
Some may accuse me of scaremongering, but in my line of work I see the outcomes of what bad guys on the Interwebs do every day, so isn't it better to have all the information available to you so YOU can make the informed decision?

Wednesday 22 June 2011

Updates, updates and, wait, more updates!

Java, Flash, Firefox/Internet Explorer/Chrome, Microsoft Office. Keeping everything up-to-date can be a pain, I know. I recently installed Secunia's Personal Software Inspector (PSI). Awesome is all I can say. It "inspects" everything installed on your machine and tells you if it requires an update. I have mine configured to run at boot time and it alerts if anything requires updating. There are some advanced options, but for home users just install and let it keep track of everything for you.

Here's a link:


Have fun!





Wednesday 15 June 2011

Another hack? Oh well.....

Almost a year I have neglected this blog. Well no more! My promise to my millions of fans.....

Anywho, the media is full of high profile hacks from the likes of "Anonymous" and "Lulzsec". But does it matter to the average PC user at home? Well, in a word, yes.

Lulzsec have been pilfering website databases and releasing the information for anyone to download, including email addresses and passwords (I won't link it, but it isn't all that hard to find....). One of the sites hit was a porn site. Now I'm not suggesting anyone visits or registers on these sites (ahem), but the principle remains. The site was hacked, email address and password information was released. The problem? Not only could anyone log into the porn site as any registered user, people also started trying email accounts/Facebook/Twitter etc with the revealed passwords. And guess what? It worked!

Whilst this may have been "for the lulz", there are some serious security issues. If someone can read your email, they can also see where else you are a member. Do you use the same password for your online shops? I'm guessing a lot of people do. If not, as the bad guy has access to your email, resetting the password and retrieving it is trivial. Anything that is stored in your emails is fair game, a scary thought.

I talked about creating secure passwords here, and recent events should make people think more about their online security. The answer is simple, do not use the same password across multiple accounts. There are many password managers out there which can help create and securely store unique passwords. I use KeePass, but there are plenty of other options (LastPass, Password Safe etc), just Google, there are many to choose from.

Please, don't let "lulz" end up costing you more than a website's password......
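The knock-on effect described in this post, worked through as an added example (not part of the original post): starting from one breached site, it follows the two routes the post names, a reused password and a password reset sent to a mailbox that has already fallen. The account names and passwords are constructed.

```python
# Constructed vault: account -> (password, account that receives its reset emails).
ACCOUNTS = {
    "breached-site": ("monkey123", "webmail"),
    "webmail":       ("monkey123", None),
    "facebook":      ("Tr0ub4dor", "webmail"),
    "online-shop":   ("s3parate!", "webmail"),
    "work-vpn":      ("c0rrect-h0rse", "work-mail"),
    "work-mail":     ("un1que-w0rk", None),
}

def blast_radius(accounts, breached):
    """Map every account reachable after `breached` leaks to the reason it falls.

    An account falls if it uses the leaked password, or if its reset emails go
    to an account that has already fallen. Repeats until nothing new falls."""
    leaked_password = accounts[breached][0]
    compromised = {breached: "breached directly"}
    changed = True
    while changed:
        changed = False
        for name, (password, recovery) in accounts.items():
            if name in compromised:
                continue
            if password == leaked_password:
                compromised[name] = "same password as " + breached
            elif recovery in compromised:
                compromised[name] = "password reset via " + recovery
            else:
                continue
            changed = True
    return compromised

# The same vault with a unique password on the site that gets breached.
FIXED = {**ACCOUNTS, "breached-site": ("x9!only-used-here", "webmail")}

if __name__ == "__main__":
    for label, vault in (("reused password", ACCOUNTS), ("unique password", FIXED)):
        print(label)
        for name, reason in blast_radius(vault, "breached-site").items():
            print(f"  {name:14} {reason}")
```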





Wednesday 18 August 2010

The WiFi, it works!


How busy is life? Babies, work, pets and the occasional bit of social life seem to be keeping me occupied, and the blog slips from my mind. I am back however! If any readers have specific questions you would like me to talk about please feel free to leave a comment or drop me a line on Twitter.

Anyway, on with the blog...

Inspired by: Me! Having configured many home routers for others I thought I'd share some of the pitfalls of the free WiFi router your ISP supplies in order to gain your custom.


WiFi. The box arrives from your ISP, you plug in your new router, follow the instructions to put in your account details for your Internet connection, turn on your PC and you have WiFi. Your PC connects automatically, your phone connects, your laptop, games console, fridge, freezer, etc, etc. It works, out of the box, excellent! Wrong, it is not excellent, if all your devices connect automatically then what about next door's laptop?

I have helped set up (and fix when not involved in the set up ;) ) enough home routers to know how many of them work. In fact, a lot are exactly the same underneath, especially the free ones supplied by the ISP. So, can you secure these devices? Yes, you can certainly make your home WiFi more secure. First things first though, get a pen and some paper. If you are going to change anything always write it down, and only change one thing at a time. This will help with fault finding should anything go wrong.

Administrative account
The first step is always to change the default administrative account's password on the router. There are usually written instructions on how to log in to the router (I would recommend using a wired connection to begin with) using the default password.
It is trivially easy to find a default password for a router. Try yourself, Google for "default password for {insert make and model of router}". Scary huh? As I described in this post, good passphrases are easy to make and remember. Choose a strong one for the admin account.

Remote assistance
Does the router support remote assistance? Probably yes. Search through every menu, make sure this is turned off. Why would you want anyone, at any time, attempting to log into your router? 
If it is required you can turn it on as and when it is needed. If you do turn this on for someone to gain access, set a strong passphrase, and remember to disable it once it is no longer required. Remote assistance can be the foothold the bad guys need.

SSID Broadcast
An SSID is basically the name of your wireless network. If this is set to broadcast, your router is basically shouting from the rooftops "If you want to join my network talk to me". Do you want anyone to join your wireless network? Didn't think so. Write down the SSID so you can manually configure devices with it and turn off broadcasting.

Note: If you can, configure the router with a different SSID than the one that is pre-configured.

Encryption
If your wireless network does not enforce encryption all the data you send can easily be read by a third party. This includes passwords to non-encrypted sites, such as Facebook. Even for encrypted web sites, encrypting the wireless network adds another layer of security to your data transfer.
Modern WiFi routers support WPA or WPA2, which is more than adequate for a home network. WEP may be supported, however this is considered weak encryption now and there are tools freely available which can break WEP based encryption.
WPA/WPA2 can encrypt using a pre-shared key, which is perfect for home users. Create a long password/phrase, and keep it in a safe place. I personally keep all my WiFi details in an encrypted file away from my computer ;)

Before turning on the encryption, ensure any device you want on the network supports WPA/WPA2. Most modern devices should, but there is no harm in checking.
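How the pre-shared key is built, as an added example (not from the original post): WPA and WPA2 in pre-shared key mode derive the 256-bit key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, which is why both a long passphrase and a non-default SSID matter. The network names and passphrase below are constructed.

```python
import hashlib
import math

def wpa2_psk(passphrase, ssid):
    """256-bit WPA/WPA2 pre-shared key:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def guess_space_bits(units, choices_per_unit):
    """Size of the search space, in bits, for a randomly chosen secret."""
    return units * math.log2(choices_per_unit)

def compare_networks(passphrase, ssids):
    """The same passphrase on differently named networks gives unrelated keys."""
    return {ssid: wpa2_psk(passphrase, ssid).hex() for ssid in ssids}

if __name__ == "__main__":
    # Constructed values for illustration only.
    keys = compare_networks("correct horse battery staple",
                            ["ISP-Default", "Maple-Cottage"])
    for ssid, key in keys.items():
        print(f"{ssid:14} {key}")
    # The SSID is the salt: a key worked out in advance for a common default
    # network name does not carry over to a network that has been renamed.
    print(f"8 random lowercase letters: {guess_space_bits(8, 26):.1f} bits")
    print(f"5 random words from 7776  : {guess_space_bits(5, 7776):.1f} bits")
```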

DHCP
Dynamic Host Configuration Protocol (DHCP) is a way of automatically configuring devices with the correct address information to "talk" on the network. This is an excellent protocol, making the chore of connecting new devices to the network seamless (usually). However, it could also make life easier for a bad guy to connect to your network. If you are extra paranoid (as I am), then turn off DHCP on the router and manually configure each device you want on the network. Here is a guide to configuring static addresses on some of the most common devices...


Firewall
If your router has a firewall inbuilt, turn it on. It may not be the greatest in the world, but it is another layer of defense nonetheless. The firewalls that come preinstalled on these types of routers generally have three settings: deny all, allow all, and allow outbound but deny inbound. I recommend "allow outbound but deny inbound" as a general rule. This will stop connections from the Internet coming in, but not you browsing the web, emails etc.
If you require connections to come in from the Internet (for remote access) I recommend researching the router in order to just allow the type of connections you require.
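Why "allow outbound but deny inbound" does not break browsing, shown as a toy model added here (not any router's actual firmware): the firewall remembers connections opened from inside and only lets the matching replies back in, plus any port you open on purpose. The class, addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = home network to Internet, "in" = Internet to home

class HomeFirewall:
    """Toy stateful filter for the "allow outbound but deny inbound" setting.
    Address translation (NAT) and timeouts are left out to keep the idea visible."""

    def __init__(self, open_ports=()):
        self.flows = set()                 # connections started from inside
        self.open_ports = set(open_ports)  # inbound ports opened on purpose

    def filter(self, pkt):
        if pkt.direction == "out":
            # Remember the flow so its reply can be recognised later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound is accepted only as the mirror image of a remembered flow...
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        # ...or when it targets a port the owner deliberately opened.
        return "ACCEPT" if pkt.dport in self.open_ports else "DROP"

def demo(open_ports=()):
    """Run four constructed packets through the firewall and return the verdicts."""
    fw = HomeFirewall(open_ports)
    packets = [
        Packet("192.168.1.10", 50000, "203.0.113.5", 443, "out"),  # you browse a site
        Packet("203.0.113.5", 443, "192.168.1.10", 50000, "in"),   # the site's reply
        Packet("198.51.100.7", 40000, "192.168.1.10", 23, "in"),   # unsolicited probe
        Packet("198.51.100.7", 40001, "192.168.1.10", 22, "in"),   # remote access attempt
    ]
    return [fw.filter(p) for p in packets]

if __name__ == "__main__":
    print(demo())                 # default setting: replies in, everything else dropped
    print(demo(open_ports={22}))  # only the one service you need is opened
```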

The above is only a brief overview of the settings you can encounter in the typical home router, and they can vary from model to model. Before changing anything, have a look through the settings, make sure you know what they do before you change them.

As always, comments and/or questions are more than welcome.