Why Clear Text is Still a Bad Idea

What is clear text?  Basically it is sending information between machines (many times over the internet) with out using encryption.  Why is this still a bad idea?

Here is a sample packet capture from a test site I used that does not require encryption for a login for demonstration purposes.  Here is the URL as shown in Chrome.  It does not have the padlock and is running unsecured over port 80.

Here is the actual test login form.  This form alone does not mean the login is unsecured, however in this case it is.

I did attempt to login with a bogus username and password.  I recorded a packet capture when I did.  As you can see below unencrypted logins are not secure.  Pay special attention to:

userlogin=username
password=NotMyPassword%3F

As you can see my username and password is viewable by a simple packet capture.  The one thing to note is that NotMyPassWord%3F is actually NotMyPassWord?

You might wonder why ‘%3F’ is translated to ‘?’.  This is because characters like ‘?’ need to be translated to HEX before transmitting to the server.

To see a full ASCII to HEX table; http://www.asciitable.com/ 

Great!  So now you can see how easy it is to capture a packet and see usernames and passwords sent in clear text.  So now you might wonder, how hard is this to do?  I’ll tell you, it is very simple.  While the chances of someone intercepting might be low because someone actually has to be looking, if they are looking they have captured your password easily.  The most common way to do this is through a man in the middle attack where a ‘hacker’ tricks you into sending the data to them, then they route it to the intended machine, capture your password and never know the difference.  The less common way but still highly effective is to just be in the path of the communication.  Given you don’t know who owns the routers and communication channels between yourself and the server you are trying to login to the communication cannot be considered safe.

If that seems to far fetched to you consider this, your ISP can see the contents of ALL Clear Text transmissions if they wanted to.

Advertisement

Hacking Biological Computers Next?

I read an article today posted on Mercury News how researchers at Stanford have created a biological computer.  The claims this opens the doors for things such as checking for mercury levels up to and including shutting of cancer cells based on how fast they replicate.

While this all is good an promising, something I want to see, I do wonder how it will or could be abused in a similar fashion holes have been found in wireless pacemakers.  Think about it, if you could program cells to function a particular way, such as shutdown, wouldn’t you be able to make a computer that would just shutdown ANY cell after it replicates X number of times?  I see no reasons why not, the primary concern to address is transmission, if it is an easy thing (such as placing the biological computers in the drinking water supply) then it would be a high concern as you could create a biological computer that could sit dormant for a significant time then activate in a relatively short period of time in a large number of individuals.  If it is not (such as requires an injection and is short lived) then the concern is much less.

Something to think about eh?

How to Protect Yourself from Malware

There are plenty of sites out there to provide you details of WHY Malware is such a concern today so I am not going to repeat the message here.  I am assuming you already know what Malware is and are looking for a simple list of things you should do to protect yourself.  If I am assuming correctly then I expect you will like this list.

How to Protect Yourself from Malware

• Keep your system up to date.  Apply related security patches as soon as they are available.  This is for both your Operating System (including things like Linux, Windows, iPhone, iPad, Surface, Android, etc) and the applications that are on the system.
• Install a strong antivirus software solution and most importantly, KEEP IT UP TO DATE.  It is good to periodically run a full system scan.
• Remove applications you are no longer using and will not be using.
• Do not install applications from locations you do not trust.  This includes locations such as peer to peer sharing, pirated software, FREE songs that should not be free, companies you do not know or trust, emails from unknown senders, unexpected emails from senders with suspicious content, etc.
• Do not use USB or USB type devices from untrusted/unknown sources.
• Do not open files sent through Instant Messengers from untrusted/unknown sources.
• Use a proxy with Malware protection.  Ensure it is regularly updated and includes the ability to examine all content (including SSL traffic) and provides regular block list updates for known “bad” sites.
• Use additional browser plugins such as WOT (Web of Trust) or Bit Defender as a way to know site ratings from web searches prior to clicking links.  WOT is a great source for user feedback, you can even provide your own feedback for any site!
• Use your browsers built in phishing and Malware protection services.  If your browser does not offer this I suggest using a different browser.
• Do not run your browser as an “Administrator” or using elevated credentials.
• Do not use SSL (HTTPS) sites with untrusted certificates.

Any questions?

10 Tips to Protect Your Bank Card

Bank accounts are different from Credit Cards in that once you money is stolen you don’t get it back unless the Bank returns it to your account, so here are 10 tips to protect your bank account.

1. Have two bank accounts.  Keep enough money in the second bank account to give you at least enough to get you through to your next paycheck.
2. Use a bank that allows up to 8 numbers for your pin.
3. Keep only enough money in your checking account as you need.
4. Disable automatic transferring of money from your savings account to your checking account.
5. Set up and use your Banks automated notifications.  Set the notification thresh hold to the amount of money you would be concerned about losing, but not low enough that the alerts are worthless.
6. Pay for an online service that locks your Credit and requires you to open it before you can be approved for Credit.  This is a monthly cost and while it may cost around $200 year, it is much less of a cost to your time and credit score if your identity is stolen.
7. Don’t use your ATM card as a debit card.  Instead use a Credit Card or better yet, use a Prepaid Credit Card especially for online transactions.
8. If you must use your ATM card as a debit card make sure to cover the keypad completely when typing your pin.  Although it may feel awkward and you may type the pin incorrectly at first, most people find it becomes easy with a few tries.
9. Don’t sign your debit card, but instead write “PLEASE SEE ID” in bold caps.  While this does not insure the cashier will check, if one does the thief would not be expected to produce a valid ID (or fake) with your name on the ID.  At least not easily.
10. Check your account balances daily and be familiar with what you spend.  Thief’s will usually try to pull out as much money as once they can in one day.  Catching this on the first day can save you from it happening over and over.  Some of the smarter ones will try to make a small purchase or multiple small purchases to test if the card is active before making more largely purchases so it is important to review your transactions daily as well as your balance.

Secure your Wireless Network (Home)

Most people now know how important it is to secure your home wireless, however many still don’t know all the steps available to protect your wireless beyond setting a password.  Here some tips to provide advanced security to your home wireless network.

1. Change the administrative password.  Use a strong password.
2. Set your wireless name to something that would not be easily associated with you.  Do not use your address, name, car make, etc.
3. Turn off broadcasting of your SSID (name of the wireless connection setup in step number two above).  Some devices require broadcasting to setup and connect the first time, if this is the case turn on broadcasting of your SSID, connect the device, then disable it again.
4. Use WPA2 Encryption.  Again, use a strong password as you did to setup your administrative password.  Do not use the same passwords.
5. Use MAC Security.  What is MAC security?  Each system (network card) has a virtually unique MAC address.  Much like an IP address, however it is an address provided by the maker of the network card and not dynamic.  Setting up your wireless to only allow specific MAC Addresses (your MAC Addresses) further reduces the chances an unauthorized individual could use your wireless.  You can find your MAC address for any device generally fairly easily by Goggling “how do i find the MAC address for”…
6. Turn off DHCP.  DHCP is a service provided by your wireless router that provides an IP address to each machine that is allowed on the wireless network.  Turning off DHCP and setting the IP addresses manually for each device is the safest, however I find it to be quite a pain so instead I limit the DHCP scope (range) to only the number of IP addresses of devices I will have connecting and then assign each one to a device.  This then associates an IP address with a MAC address and eliminates  the need to manually set IP addresses on each device.
7. If you have the option and do not need your wireless devices (such as a laptop) talking to other devices (such as a wireless printer) then disable communication between devices.  Many home wireless routers do not support this option, so you may not be able to enable it.
8. If you have options to limit the range (strength) of your wireless signal set it to the level that ensures it works for you but not higher.  Setting it higher than is needed makes your wireless network available in ranges you would not need it, thus increasing the chances that someone else might try to use it.

Free Antivirus – Windows (2013)

This is a list of free antivirus solutions.  Each one has their strengths and weaknesses and you will have to do a little research to know what is best for you.  Personally I use Microsoft’s Security Essentials because it works well for me, however I am not recommending it as there are a number of options some of which might be better given your needs.  The three below I have used and had reasonably good experiences are Avast, AVG and Microsoft Security Essentials.  While I have not used Bitdefender for Windows (it does have generally good reviews and my experience with using their Linux Freeware version is good.

• Avast Free Antivirus
• AVG Free Antivirus
• Avira Free Antivirus 2013
• Bitdefender Antivirus Free Edition
• Malwarebytes Anti-Malware Free
• Microsoft Security Essentials
• Panda Cloud Antivirus Free

One note of caution.  Read the licensing agreement.  Most are free for personal use (home), only some are free for business or corporate use.  It is highly recommended to choose an antivirus solution that provides real time protection.

Got some news…

It has been an interesting month to say the least. Just when I think everything