The Weak Link in Computer Security

People often talk about the inherent lack of security in Microsoft Windows and Internet Explorer. Very seldom does anybody talk about the weakest link in computer security, the users. In the latest Pwn2Own contest, a contest where participants attempt to break into various computers to win them, 64-bit Windows 7, Mac OS X, and even the iPhone all fell. But there was a common theme running here: none of the systems fell to a direct attack.

All the hacked systems were broken into via exploits in their web browsers. Internet Explorer 8 and Firefox 3.6.2 were used to break into the 64-bit Windows 7 systems while Safari was used to break into both Mac OS X and the iPhone. Each browser was broken into by crafting a malicious web page and having the users of the system navigate to it.

But once again none of the systems at this contest were broken into without the need for human interaction. This brings up the fact that human beings are now the main component being attacked (Granted it’s been like this since the dawn of computers). The only way to protect yourself is through education. Do not click on random links that people send you regardless of whether you know them or not. It’s a simple thing to learn really but the motto in security is trust no one and you should follow that slogan when on a computer.

Nice VPN Service

Since I travel once in a while for my job I find myself in locations where a secure network can’t be ensured. My phone does have tethering software on it so I often use it but it’s slow and has issues getting disconnected at random intervals.

Thankfully in this day and age wireless networks are everywhere. Hotels, Starbucks, airports, etc. But these networks are not secure and should be considered hostile at all times. This was the reason I looked into the previously mentioned Wi-Fi device that could connect to 3G cellular data networks. Of course as I previously stated they wanted a contract and honestly the devices are far more expensive than I could justify since I only really need such a device a few times a year.

That meant either continuing to use my unreliable phone tethering or using hostile wireless networks. Hostile wireless networks can be used securely, though, through a technique called Virtual Private Networking (VPN). With a VPN you connect to a remote VPN server. The VPN server acts as a proxy: all your traffic is sent to it, and from there it is sent on to its actual destination on the Internet. The key here is that all VPN traffic is encrypted so other people on the same network can’t see what you’re doing. So even if you’re connected to an insecure wireless network you can encrypt all your traffic by sending it through a VPN connection.

Most companies that send people around the country provide a VPN connection for their employees. Mine is no exception but I thought I’d try an experiment and see what solutions I could find for those traveling and not having a company provided VPN service available to them.

The easiest, cheapest, and most secure (In the form of privacy of your traffic) method of using a VPN is to set a server up at your home. This way you can remotely connect to your home network through the VPN. Unfortunately for me this is impossible since I live in an apartment complex that also provides me service as an ISP (It’s free so I don’t argue). The downside is this ISP also routes all my traffic through their firewall meaning I can’t actually connect to any of my computers there remotely. Due to this fact I decided to look at using Amazon’s EC2 service to set up a VPN server. Overall it would be a good idea but it’s kind of pricey since Amazon charges you for the number of hours your EC2 instance is running.

Finally I looked into a service mentioned by Leo Laporte on This Week in Tech quite a few times called HotSpot VPN. HotSpot VPN is simply a service that sells VPN connections. It’s not as secure as using a server set up at your home since all your traffic does get routed through their VPN server. But it’s a damned sight better than being on an insecure network since HotSpot VPN has a reason to maintain your privacy, money (Granted that’s absolutely no guarantee and in the security business the phrase is trust no one. But security is also a balance between having secure systems and convenience.).

What I like about HotSpot VPN is you can buy a yearly subscription, monthly subscription, or a few days worth if you only travel sporadically like me. For this test I bought a three day pass for something around $5.88. That’s pretty cheap and well worth it in my book. Setup in Mac OS is simple (I’m not sure about other operating systems since I’ve not done much with VPNs in them) and requires you only enter your e-mail address for the user name and the password they e-mail you. It’s working great on this hotel wireless network and isn’t dropping my connection constantly like my phone does. I tested it on my home network before taking it out into a hostile environment and the data is encrypted so other people listening on the network aren’t going to be able to see what you’re doing. Speed is so-so since all your data has to go to their servers and then to its destination but tethering my phone always yields even slower connections.

Overall I think it’s a good service for those who travel, don’t have a company provided VPN connection, and are unable to set up a VPN server at their home. There isn’t much else to say about it since it’s a pretty straightforward service that performs a straightforward feature.
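Before trusting a hostile network it is worth confirming that traffic really leaves through the VPN tunnel and not the Wi-Fi interface. The following is an added example, not part of the original post: it reads the text of `netstat -rn` and reports which interface carries the default route. The tunnel interface prefixes, the treatment of the `I` (interface-scoped) flag, and the sample routing tables are assumptions constructed for illustration.

```python
# Assumption: interface-name prefixes typically used by VPN tunnels
# (ppp for PPTP/L2TP, utun/tun/tap for OpenVPN-style clients).
TUNNEL_PREFIXES = ("ppp", "utun", "tun", "tap", "ipsec")

def parse_routes(netstat_text):
    """Yield (destination, flags, interface) from `netstat -rn` IPv4 output."""
    netif_col = None
    for line in netstat_text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0].startswith("Internet6"):
            break  # IPv6 table follows; only IPv4 is examined here
        if cols[0] == "Destination" and "Netif" in cols:
            netif_col = cols.index("Netif")  # column position varies by OS version
        elif netif_col is not None and len(cols) > netif_col:
            yield cols[0], cols[2], cols[netif_col]

def egress_interfaces(netstat_text):
    """Return the interfaces that carry traffic with no more specific route."""
    routes = list(parse_routes(netstat_text))
    # Some clients override the default with two half-routes (0/1 and 128.0/1).
    # Both halves must be present; one alone leaves half the Internet uncovered.
    halves = {dest: ifc for dest, _, ifc in routes if dest in ("0/1", "128.0/1")}
    if len(halves) == 2:
        return sorted(set(halves.values()))
    # Otherwise use default routes that are not interface-scoped (no "I" flag).
    return sorted({ifc for dest, flags, ifc in routes
                   if dest == "default" and "I" not in flags})

def vpn_carries_all_traffic(netstat_text):
    ifaces = egress_interfaces(netstat_text)
    return bool(ifaces) and all(i.startswith(TUNNEL_PREFIXES) for i in ifaces)

# Constructed sample routing tables (not captured from a real machine).
HEADER = "Internet:\nDestination  Gateway      Flags  Refs Use Netif Expire\n"
VPN_UP = HEADER + ("default      10.8.0.1     UGSc   12   0   ppp0\n"
                   "default      192.168.1.1  UGScI  3    0   en1\n"
                   "10.8.0.1     10.8.0.6     UH     1    0   ppp0\n")
VPN_DOWN = HEADER + "default      192.168.1.1  UGSc   9    0   en1\n"
HALF_ROUTES_UP = HEADER + ("0/1          10.8.0.5     UGSc   4    0   utun0\n"
                           "default      192.168.1.1  UGSc   2    0   en1\n"
                           "128.0/1      10.8.0.5     UGSc   4    0   utun0\n")
ONE_HALF_MISSING = HEADER + ("0/1          10.8.0.5     UGSc   4    0   utun0\n"
                             "default      192.168.1.1  UGSc   2    0   en1\n")

if __name__ == "__main__":
    for name in ("VPN_UP", "VPN_DOWN", "HALF_ROUTES_UP", "ONE_HALF_MISSING"):
        table = globals()[name]
        print(name, egress_interfaces(table), vpn_carries_all_traffic(table))
```

This only checks IPv4 routing; it says nothing about DNS, IPv6, or whether the tunnel itself is encrypted, which still calls for watching the traffic from another machine on the network.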

Also since this is a review I need to give the FCC required disclaimer. The FCC can go sodomize itself with a retractable baton. That is all.

Getting Pulled Over When You’re Armed

One thing that those of us who carry need to be concerned about is what to do when an officer pulls us over while we’re armed. The rules about this vary state to state but what I’m writing can only be considered applicable in Minnesota.

The rules in Minnesota are simple. You do not need to inform an officer that you’re armed but if asked you must answer truthfully. When an officer runs your license plate number the returned information will include whether the registered owner of the vehicle has a carry permit or not [Pending official verification. See comments below.]. With this knowledge the officer can choose to ask if you’re armed or not.

There are two schools of thought on how to respond to this situation. The first school says you should inform the officer right away. The second school of thought is that you shouldn’t disclose any information to the officer unless he or she asks first. I’m in the second school of thought and this post is my justification.

First the police officer should know whether I have a permit when they pull me over as my vehicle is registered to me. With this knowledge if they want to know I’m armed then they can ask. Duty of information is their burden not mine. Second a police officer’s job requires them to use anything you say against you. Because of this, outside of casual conversation, my rule of thumb is to only answer questions asked by the police. I never give any information they don’t ask for directly and when they ask a question I answer it as to the point as possible. I’m always polite because they are doing their job after all and I’m glad there are police officers out there. But I’m not going to give them any rope to hang me with either.

My third reasoning is the most important to me though. That’s the fact that criminals have impersonated police officers. These criminals have pulled over innocent people and robbed, raped, or murdered those people. Now if you’re like me you obviously take some time and consideration on the subject of self defense. We’re taught to always be in condition yellow and aware of our surroundings. We’re also taught to be suspicious of anybody we don’t know. So why take somebody’s word that they’re a police officer without question?

A little known fact is that you can call 911 when you’re being pulled over and ask the operator if there is actually a cop pulling you over. They will tell you whether the person behind you is a cop or not. This is advice they now give in driver education courses as a mechanism to verify the person pulling you over at 3 a.m. in the middle of nowhere is actually a cop or not. Additionally a person impersonating a cop is not going to have access to your license and registration information. Unless the impersonator knows you personally or has access to the police database they will not know you are armed. This brings us to the whole subject of not informing the person pulling you over that you’re armed. If the person pulling you over is a real cop they know you have a carry permit and therefore can ask if you’re armed. On the other hand if the person who is pulling you over isn’t a cop they have no way of knowing you have a carry permit and therefore will most likely not ask you if you’re armed. If they ask if you have a carry permit be suspicious because a real officer will have access to such information.

If the person is actually a criminal impersonating a cop do you want to volunteer the information that you’re armed? I sure wouldn’t. I have a gun as a mechanism to use in self-defense. I also carry concealed because I don’t want people knowing I’m armed, the element of surprise is a good thing in my book. Therefore I’m not going to divulge the fact I’m armed to somebody who could be a potential criminal.

Stay alert. Don’t trust people you don’t know, especially when that person appears to be a person of authority. Criminals do use disguises of authority to gain peoples’ trust and obedience. You shouldn’t drop out of condition yellow just because the person in front of you looks like an authority figure.

Look Closely, There’s Hysteria Ahead

I’m sure most of you know about the fiasco occurring at Colorado State University. The campus is trying to ban lawful carrying of concealed firearms by their student body. Well I found a rather interesting article about this. Why is it interesting? Because the article was written in such a way to appear neutral but most certainly is not. Let’s start here:

It is a debate that gets snarled in the conflicting logic of gun ownership rights and the simple notion that bullets and blackboards don’t mix.

Personally I don’t find disarming a populace simple logic. And of course:

Whenever a change in the rules is discussed, national groups rush in with their agendas. On Friday, the Colorado board of governors received a petition from Students for Concealed Carry on Campus (SCCC), a group that says young scholars stand a better chance of surviving the kind of rampage that occurred in Virginia if – as it were – they pack a pistol in their pencil case.

I’m unaware of anybody who carries that doesn’t use a holster. I certainly don’t know anybody who carries a gun in a pencil case. But we’re not done:

On the other side of the argument is Gun Free Kids, an organisation that began a “Keep Guns off Campus” campaign two years ago in response to the Virginia slaughter. It deploys research from law enforcement groups that suggests that there is no correlation between gun-toting citizens and lowered rates of violence.

I’m going to try and find their research. But since most colleges ban students and faculty from carrying on campus and all the major shootings have occurred on disarmed campuses it goes without saying that there is no correlation between armed citizens and lower rates of violence. It’s almost like the cowards who perform mass shootings seek out disarmed populations to enact their rage against. If only there was at least one state that allowed students to carry and didn’t have any occurrences of mass shootings. Oh wait:

“It really came down to two general issues, number one: best practices, just looking at what other universities are doing, and very, very few outside of the state of Utah allow concealed weapons on campus,” he said recently. “The second is risk management, and it really comes down to this university is responsible for managing risk on this campus of the students.”

That’s right Utah. In Utah you can carry on a state campus. Likewise Utah has had no mass shootings on a college campus since the enacting of their carry laws. No this is not proof, nor evidence, nor even a correlation. But it’s on par with what Gun Free Kids (How many kids are in college anyways? Most people there are 18 or older.) is presenting. Finally this is out of order in the article but alas I want to make a statement about it:

The group also says that there are few places where guns should be less welcome than on campuses. “With binge-drinking, drug use and the pressures that college students are under, we just think introducing guns into that environment, it’s the wrong thing to do,” said campaign director Andy Pelosi.

What person who has a concealed carry license is going to binge drink while carrying? Which of those people are going to abuse drugs and risk losing their license? What college student “under pressure” is going to use a legally carried gun to do something nasty?

The bottom line is concealed carry license holders are some of the most law abiding citizens out there. Anyways consider this post a mini Truth About Guns episode without all the citations and work.

It Appears As Though You Haven’t Thought Your Clever Plan Through

Here is a story implementing a really bad idea via Dvorak Uncensored. It appears as though police officers are going to stage break-ins. Yes police officers are going to break into the homes of citizens to raise awareness of burglaries. I see all sorts of bad things coming from this. See people don’t take kindly to strange people breaking into their homes in the middle of the night. Often when a person encounters the stranger they decide to perforate that individual with gun fire… oh wait this is happening in England. Yeah never mind, capital idea there Bobby.

Back to Firefox For Now

I’ve been using Chrome for Mac for a while now and honestly I really like the browser. But there is one fatal flaw, the inability of extensions to tie deeply into the browser. What am I getting at here? Simple, extensions like NoScript and Flash Blocker can’t work properly in Chrome.

Most of the extensions in Firefox I use revolve around making the browser more secure. To this end one of the first extensions I install is NoScript. NoScript is an extension that allows you to block all scripting on sites you don’t specifically white list. This is useful for blocking malicious behavior on many websites. The extension also prevents cross site scripting attacks. Well I’ve been curious when or even if NoScript will be made available for Chrome. The bottom line is it never will be since there are no hooks in Chrome to allow extensions to selectively interact with scripting elements.

To further compound the issue Chrome’s cookie handling, at least on the Mac version, is unusable. When I open the cookie browser in Chrome it just hangs there and I get the spinning beach ball of death until I have to force quit Chrome. Of course I’ve been seeing a lot of tracking cookies popping up which has gotten to the point I’m finding absurd. There are no extensions for Chrome that allow me to block all cookies except those I specifically white list and I really want this behavior.

This means I’m forced back to Firefox which I’m not horribly fond of. In Chrome each tab is a separate process which means when you close it all the memory is freed properly. Firefox on the other hand never seems to properly free up memory from closed tabs and windows which leads it to eventually consume insane amounts of memory. Hopefully the newly released 3.6 will be better than previous versions. If it’s not you’ll be seeing more browser oriented bitching coming up on this blog.

Virginia Tech Still Isn’t Getting It

Virginia Tech is still going about gun violence prevention in the wrong manner. Currently the campus is looking at banning ammunition, including Airsoft pellets and paintballs. Here is part of the proposed ban:

Resolved, that Policy # 8300, Student Code of Conduct – Weapons be amended as follows:

Student Code of Conduct – Weapons

Unauthorized possession, storage, or control of firearms, weapons, on university property, including storing weapons in vehicles on campus as well as in the residence halls. Furthermore, ammunition can not be stored in any residence halls on campus. (Note: organizational weapons of the Virginia Tech Corps of Cadets, approved by the commandant, are not prohibited by this policy.) Weapons

Firearms are defined as any gun, rifle, pistol, or handgun designed to fire any projectile including but not limited to bullets, BBs, pellets, or shots (including paint balls), regardless of the propellant used. Ammunition is defined as any material intended for use in a firearm, capable of being projected by a weapon and/or makes the weapon operational. Other weapons are defined as any instrument of combat or any object not designed as an instrument of combat but carried for the purpose of inflicting or threatening bodily injury.

Anybody who goes there needs to get behind your local Students for Concealed Carry on Campus and do everything you can to ensure this resolution doesn’t pass.

Body Scanner Fail

Bruce Schneier linked to a video of a person sneaking bomb components past one of those fancy full body scanners the TSA wants to put everybody through.

The video is in German but you can tell what’s going on even without knowing the language the French fear.

If You Aren’t Doing Anything Wrong

You have nothing to hide. I found some chilling news that everybody already expected from Says Uncle. Apparently the TSA has been searching the electronic devices of travelers and going so far as to copy files and send them to third parties. From the link:

• In a span of just nine months, CBP officials searched over 1,500 electronic devices belonging to travelers. Under the current policy, they were not required to justify a single one of these searches.

• Travelers’ laptops are not the only devices at risk of being examined, detained, or seized by the government. In fact, cell phones were the most commonly searched and seized devices between October 2008 and June 2009.

• Other types of devices that were searched and detained during this time period include digital cameras, thumb drives, hard drives, and even DVDs.

• Between July 2008 and June 2009, CBP transferred electronic files found on travelers’ devices to third-party agencies almost 300 times. Over half the time, these unknown agencies asserted independent bases for retaining or seizing the transferred files. More than 80 percent of the transfers involved the CBP making copies of travelers’ files.

We need to have a chat for a second. When you have sensitive information it should be encrypted. A great tool to create encrypted partitions is TrueCrypt. It’s a great utility that even goes so far as to allow you to create hidden encrypted partitions in such a way you have plausible deniability should you be asked for the encryption key to a hidden partition (You can’t prove it’s there so they can’t hold you indefinitely if you say there isn’t one). On all of my computers my entire home directory is encrypted (Mac OS has a feature called FileVault that allows for easy home directory encryption). Furthermore important files are then put into a TrueCrypt partition.

Another option to consider when traveling with important and secure data is to not have it on any device you travel with. Put the information on a server and download it when you get to your destination. Some companies have started doing this practice. Nobody can get your data if it doesn’t exist.

Either way this is important and scary information. I know almost everybody assumed this was the case but it’s finally been confirmed. Encrypt everything, period.