Hardening – one of many layers

Wednesday, August 24th, 2011 | Mark Bedford | Comments Off

For those interested in confirming or checking the secure configuration of their operating systems, the National Security Agency (NSA) have some hardening documents available. These cover Apple Mac, Microsoft Windows and Linux operating systems. Generally, hardening is a process that reduces the attack surface, that is, the number of vulnerabilities exposed to attackers. Often this is achieved by disabling unused services, uninstalling unused software and removing unnecessary user accounts, and it is considered an essential step in maintaining a trusted computing environment.

Easily scan and update your apps

Thursday, August 11th, 2011 | Gene Teo | Comments Off

It’s important to patch and update your applications as security problems are discovered and fixed. However, not all applications will update themselves automatically, and it’s hard to keep track of each and every one of them.

Secunia Personal Software Inspector (PSI) is an app that automatically detects and installs missing security updates on your Windows computer (or you can opt to manually scan and install if you prefer).

Secunia PSI is an excellent tool to have on your personal computer, and is a valuable extra layer of protection against insecure programs. There is even a quick instructional video on YouTube to get you started.

Google+ is the new Twitter

Monday, August 8th, 2011 | Gene Teo | Comments Off

Google+ (also called Google Plus) does “tweets” better than Twitter. Your post can be as long or as short as you like, and include pictures, links, videos, and location information. You can make the post public, or limit it to a subset of people in your various circles.

You can edit posts or delete them entirely if you change your mind. There are also options to prevent re-sharing or comments.

Twitter should be very, very afraid.

Sophos report

Thursday, August 4th, 2011 | Mark Bedford | Comments Off

The folks over at Sophos have released their mid year report on security threats: Sophos Mid-Year 2011 Security Threat Report [PDF] (free registration required to view).

Some highlights include:

  • 60% increase in malware over 2010, with Sophos seeing more than 150,000 new malware samples daily
  • 19,000 malicious webpages identified daily, with 80% being pages on legitimate websites that have been hacked or compromised
  • 81% of people surveyed by Sophos said Facebook posed the biggest social networking risk with increased amounts of scams, click-jacking, survey spam, and identity theft
  • 30% of all malware detected by Sophos served via black hat SEO poisoning

For those in a hurry, Naked Security have a short summary available.

So what is it with long passwords

Thursday, August 4th, 2011 | Mark Bedford | Comments Off

It seems that there is a public perception that passwords of enormous length are the safest ones. Apart from being hard to remember and difficult to type, this perception is based upon an attacker's ability to guess the password before the number of failed retries locks the account or someone notices and resets it. Attackers use computers to compute candidate passwords (known as a brute force attack) or try a list of likely passwords (called a dictionary attack) to increase their chance of gaining access to the account. There has been considerable research into password guessing and brute force attacks, which has resulted in a number of standards emerging. Standards generally cannot be revised fast enough to keep pace with the rate of change in technology, so the cost of the CPU cycles needed to calculate or guess a password in a given period of time keeps falling.

If people want to have shorter passwords then they can, as long as the authentication system is able to adapt. To accommodate this change the risk profile must be lowered, which is achieved by permitting fewer failed attempts over a shorter period of time before the account is temporarily locked. Detecting login requests for the same account from multiple IP addresses over the same period of time should also trigger the account lock, seeing as people are not yet physically able to be in multiple places at the same time. The downside is that not all authentication systems have the ability to change their behavior to meet different risk profiles, but knowing about such options and asking for them will hopefully get vendors and developers to implement such features.
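As an added example (not code from the original post or from any particular authentication product), here is a small Python model of the adaptive lockout behaviour described above: a sliding-window limit on failed attempts, a temporary lock once that limit is hit, and a lock triggered when one account is tried from more than a couple of source addresses inside the same window. It replays a few constructed log lines through the policy and also works out how many online guesses per day the policy leaves an attacker. The log format, thresholds, user names and addresses are all assumptions made for illustration.

```python
"""Account-lockout policy model (added example; not part of the original post)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class LockoutPolicy:
    max_failures: int = 5       # failed attempts tolerated inside the window
    window_seconds: int = 60    # length of the sliding window
    max_distinct_ips: int = 2   # distinct source addresses tolerated inside the window
    lock_seconds: int = 900     # how long an account stays locked


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)   # timestamps of recent failures
    sources: deque = field(default_factory=deque)    # (timestamp, ip) of recent attempts
    locked_until: float = 0.0


class LockoutMonitor:
    """Applies a LockoutPolicy to a stream of login attempts, one account at a time."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts = defaultdict(AccountState)
        self.events = []  # (timestamp, user, reason) for every lock that was applied

    def _expire(self, state, now):
        # Drop failures and sources that have fallen out of the sliding window.
        cutoff = now - self.policy.window_seconds
        while state.failures and state.failures[0] < cutoff:
            state.failures.popleft()
        while state.sources and state.sources[0][0] < cutoff:
            state.sources.popleft()

    def attempt(self, ts, user, ip, success):
        """Process one attempt; returns 'locked', 'denied' or 'ok'."""
        state = self.accounts[user]
        if ts < state.locked_until:
            return "locked"  # rejected outright, the password is not even checked
        self._expire(state, ts)
        state.sources.append((ts, ip))
        if success:
            state.failures.clear()
        else:
            state.failures.append(ts)
        distinct_ips = {addr for _, addr in state.sources}
        reason = None
        if len(state.failures) >= self.policy.max_failures:
            reason = "too many failures"
        elif len(distinct_ips) > self.policy.max_distinct_ips:
            reason = "attempts from %d source addresses" % len(distinct_ips)
        if reason:
            state.locked_until = ts + self.policy.lock_seconds
            state.failures.clear()
            state.sources.clear()
            self.events.append((ts, user, reason))
            return "locked"
        return "ok" if success else "denied"


# Constructed log lines in an assumed format; not real authentication data.
SAMPLE_LOG = """\
2011-08-04T10:00:00Z user=alice ip=203.0.113.5 result=fail
2011-08-04T10:00:05Z user=alice ip=203.0.113.5 result=fail
2011-08-04T10:00:09Z user=alice ip=203.0.113.5 result=success
2011-08-04T10:01:00Z user=bob ip=198.51.100.7 result=fail
2011-08-04T10:01:02Z user=bob ip=198.51.100.8 result=fail
2011-08-04T10:01:04Z user=bob ip=198.51.100.9 result=fail
2011-08-04T10:01:06Z user=bob ip=198.51.100.7 result=success
2011-08-04T10:20:00Z user=carol ip=192.0.2.10 result=fail
2011-08-04T10:20:05Z user=carol ip=192.0.2.10 result=fail
2011-08-04T10:20:10Z user=carol ip=192.0.2.10 result=fail
2011-08-04T10:20:15Z user=carol ip=192.0.2.10 result=fail
2011-08-04T10:20:20Z user=carol ip=192.0.2.10 result=fail
2011-08-04T10:20:25Z user=carol ip=192.0.2.10 result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(\S+)$")


def replay(log_text, policy):
    """Feed every parsable log line through the monitor; returns (outcomes, lock events)."""
    monitor = LockoutMonitor(policy)
    outcomes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        user, ip, result = m.group(2), m.group(3), m.group(4)
        outcomes.append((user, monitor.attempt(ts, user, ip, result == "success")))
    return outcomes, monitor.events


def online_guesses_per_day(policy):
    """Upper bound on guesses per day against one account under this policy.

    A guesser can either stay one failure under the threshold in every window,
    or deliberately trip the lock and wait it out; the bound is the better of the two.
    """
    stay_under = (policy.max_failures - 1) * (86400 // policy.window_seconds)
    trip_lock = policy.max_failures * (86400 // policy.lock_seconds)
    return max(stay_under, trip_lock)


if __name__ == "__main__":
    results, locks = replay(SAMPLE_LOG, LockoutPolicy())
    for user, outcome in results:
        print(user, outcome)
    for ts, user, reason in locks:
        print("LOCK", user, reason)
    print("guesses/day under default policy:", online_guesses_per_day(LockoutPolicy()))
```

With the default thresholds, alice's two failures followed by a success pass through, bob is locked on the third address seen inside one minute even though he is under the failure limit, and carol is locked on the fifth failure so her later correct password is still refused. The `online_guesses_per_day` figure is the caveat to keep in mind when tuning: with five failures per sixty-second window an attacker who stays at four failures per window gets far more guesses than one who trips the fifteen-minute lock, so shortening the window or lowering the threshold matters more than lengthening the lock.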