Friday, 22 July 2011

Blog move

After much pain and effort, mainly from @TobyDBB, my blog has now moved to http://www.securityfornonit.co.uk/. Please jump along and have a look.

Monday, 11 July 2011

Another Android Trojan, again!

http://threatpost.com/en_us/blogs/new-sms-trojan-targeting-android-users-071111

Android, I love it. It is my mobile platform of choice, and I have even converted the wife!
I have followed it from the beginning, and now it is taking off in a big way. Samsung, HTC, Motorola and Asus have all jumped on board, mobile phones, tablets, even photo frames, it really is everywhere. People may be using mobiles and not realise they are running Android, is that a sign of success? I think so, but I digress.
Unfortunately, the price of success today is increased focus from the bad guys. Look at Apple, for years Mac owners believed they didn't need antivirus as there wasn't any malware designed to target Macs. Now, this may have been true, but this was down to Apple having a tiny PC market share compared to Microsoft, so the bad guys targeted Microsoft. A bigger return on investment. Now Macs are more popular we are seeing more and more malware aimed Apples way. As shown in the following BBC article:

http://www.bbc.co.uk/news/technology-13453497

And Android is seeing the same, the fact it is open source and the Android Market rules are a lot more lenient than Apple's AppStore just compounds the problem. However, with a little research the risks can be reduced significantly. Here's a few pointers:

1. Before installing any app, Android informs you what permissions the app is asking for. These permissions are essentially what controls what the app can do. Ask yourself why the app needs to do this? Why would a wallpaper app need to SMS people? An excellent article on Android Central lists some of the scarier permissions and what they mean. Check it out, it could save you in future

http://www.androidcentral.com/look-application-permissions?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+androidcentral+%28Android+Central%29

2. Read the reviews! Unless you are like me (must have new toys now!), then wait a while and let the braver "testers" install the app and review it. Let the others take the risks (unless you are one of those risk takers, but then that's a whole new ball game).

3. Only install apps from trusted sources. Well, trusted is a bit of a loose term, as malicious apps have appeared in Google's official Android Marketplace, but Google are pretty swift to mop them up once alerted. But for the purpose of this post we'll call them trusted. So, try and stick to the Android Marketplace, Amazons app store (for the US readers), GetJar etc. Although the lines are going to become blurred even further with more  app stores on the horizon (Samsug and HTC are both looking to get in on the game).

4. Most of all, use some common sense. If it doesn't feel right, for whatever reason don't install it. This applies to all mobile platforms, not just Android.

Don't get me wrong, i love Android, and I wouldn't swap for another mobile platform. But everyone should apply the same thinking they do with their PCs. Downloading practices have been forced down everyone's throats for years now, carry them over to your mobile devices.

Saturday, 9 July 2011

Google+, first thoughts.

Ever since Google+ started it's "limited field trial" I have been itching to give it a go. I mean, who doesn't want to play with the shiny new toys? Luckily a good friend @f1nux dropped me an invite last night. So the playing began.

I like it, whether it is a "Facebook killer" I'm unsure, but it is definitely the best social network offering from Google to date. But what about security? Google doesn't have the greatest past record when it comes to protecting personal information, and have no doubt anything posted on Google+ will be used to refine their ad serving technologies (just as Facebook do).
But I do like Google's Circles idea, which is grouping your friends into different Circles. When you post/share anything, you choose which Circles can see it. A mix of Facebook and Twitter almost.
This idea covers your profile as well. Every bit of your profile can be locked down to particular Circles, all Circles or anyone on the web, allowing you to refine who sees what. For example, my personal email address is available to my Family and Friends Circles, but my work email address is only available to my work Circle. This kind of granularity is what I have wanted in Facebook for a long time, real management of personal information.

Will it take off? Who knows, I can see it as an excellent way to run both personal and business social networking in one place. It seems the doors are closed again for now, but feel free to post your email address if you want an invite and I'll drop one across when they reopen.

Friday, 8 July 2011

Get your phreak on. Well, don't actually.

So, the News of the World is shutting down, and as it should. The "hacking" scandal has lowered my opinion of the tabloid press to rock bottom, but whatever sells a story right?
Enough of the rant though, back to the point. Phones weren't really "hacked", it isn't some mystical voodoo skill only a handful of people know, and I think some individuals may find it funny to do the same to their "friends" over the next few weeks as it is the most recent "cool" thing. David Rogers from the Naked Security blog posted some helpful tips and explanations here, have a read and see what you think. Have a play with your own phone and number, can you get in?

I remember getting my first mobile and this kind of "hacking" (although it wasn't called that amongst my group of friends) was prevalent as practical jokes. The fact that every mobile on the same carrier used the same default PIN to have remote access to voicemail made it all the easier. But in todays privacy driven, ever connected world your voicemails may be worth something to someone. The bad guys are always finding more ways to make money from personal information, so don't make it easy. Follow the steps in David Rogers post and see if you are vulnerable. If you are, fix it. Even the minor annoyance of having your voicemail greeting changed should be enough to motivate you to check your settings.
Some may accuse me of scaremongering, but in my line of work I see the outcomes of what bad guys on the Interwebs do everyday, so isn't it better to have all the information available to you so YOU can make the informed decision?

Wednesday, 22 June 2011

Updates, updates and, wait, more updates!

Java, Flash, Firefox/Internet Explorer/Chrome, Microsoft Office. Keeping everything up-to-date can be a pain, I know. I recently installed Secunia's Personal Software Inspector (PSI). Awesome is all I can say. It "inspects" everything installed on your machine and tells you if it requires an update. I have mine configured to run at boot time and it alerts if anything requires updating. There are some advanced options, but for home users just install and let it keep track of everything for you.

Here's a link:


Have fun!





Wednesday, 15 June 2011

Another hack? Oh well.....

Almost a year I have neglected this blog. Well no more! My promise to my millions of fans.....

Anywho, the media is full of high profile hacks from the likes of "Anonymous" and "Lulzsec". But does it matter to the average PC user at home? Well, in a word, yes.

Lulzsec have been pilfering website databases and releasing the information for anyone to download, including email addresses and passwords ( I won't link it, but it isn't all that hard to find....). One of the sites hit was a porn site. Now I'm not suggesting anyone visits or registers on these sites (ahem), but the principle remains. The site was hacked, email address and password information was released. The problem? Not only could anyone log into the porn site as any registered user, people also started trying email accounts/facebook/twitter etc with the revealed passwords. And guess what? It worked!

Whilst this may have been "for the lulz", there are some serious security issues. If someone can read your email, they can also see where else you are a member. Do you use the same password for your online shops? I'm guessing alot of people do. If not, as the bad guy has access to your email, resetting the password and retrieving it is trivial. Anything that is stored in your emails is fair game, a scary thought.

I talked about creating secure passwords here, and recent events should make people think more about their online security. The answer is simple, do not use the same password across multiple accounts. there are many password managers out there which can help create and securely store unique passwords. I use KeePass, but there are plenty of other options (Lastpass, Password Safe etc), just Google, there are many to choose from.

Please, don't let "lulz" end up costing you more than a websites password......