Blackhat Europe 2011 just wrapped up. If you weren’t able to make it (like me) then we must rely on the community to fill us in on what went down until Blackhat.com puts up the archives. I would like to share the write ups I found most useful:
I hope to make Blackhat and Defcon in the US this year. Let me know if you plan to as well.
Till next time,
Jorge Orchilles
Every information security professional will tell you to use different passwords for every site. This is because if one site gets compromised and your password is cracked then the attacker can log into every site you use. The biggest complaint consumers have with using different passwords is remembering them all; now you don’t have to. Reading 59 Open Source Tools That Can Replace Popular Comercial Software, they suggest three Password Management solutions. Only one of these suggestions will work across different platforms (operating systems). If you are unfamiliar with password management please review the basics of password management. We will be discussing the desktop solution. I am not focusing on hosted/web solutions like LastPass as I do not trust a single site with all my passwords however here is a great write up by Steve Gibson as to why you should trust LastPass.
This post will focus on using a password management system across multiple operating systems: Windows, Mac OS X, and Linux. I will be using KeePassX for password management and DropBox for syncing across multiple devices. If you only use Windows you can use KeePass or Password Safe with DropBox, the process is similar.
First, create a DropBox account (free for 2GB), and install the application on your computers. They have support for Windows, Mac OS X, Linux, and smart phones. Make sure to note where you placed the DropBox folder. Inside the DropBox folder, create another folder and call it “Safe” or whatever you want for your password file.
Next download KeePassX for the operating system being used. Extract the directory to your Applications directory. On Windows this is most likely C:\Program Files\KeePassX. Open KeePassX and select File-New. You will be creating the new database file. You can select to use a master password and/or a key file. I suggest always using a master password that is a very complex password (or phrase) that you do not use ANYWHERE else. Retype the password when prompted. Now before adding anything to the file, select Save. Choose the folder within the DropBox folder you created.
The basic setup is complete, now repeat the step on all your systems. Ensure you can open the KeePassX file on all your systems. You can only write to the file on one system at a time, so if you try to open the file that is already open it will prompt you to open as read only.
Once all your systems have Dropbox and KeePassX installed you are ready to start filling the database. Take this time to change your passwords on all your sites and ensuring you are using unique passwords on each web site.
Till next time,
Jorge Orchilles
I hope no one is still running Internet Explorer 6; if you are Microsoft has a countdown and awareness campaign to get you and your grandmother to upgrade. For those that are fairly up to date, be informed you are not because Microsoft released Internet Explorer 9 today. If you are feeling risky and are running Windows Vista or Windows 7 you can download Internet Explorer 9 from Microsoft’s official download site (not the millions of Google results for it’s download location). There are issues with certain sites so ensure you test this before deploying in production:
Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn’t hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren’t around yet.
Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature thathelps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements “secure launch” capabilities to safeguard users’ sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for DEP/NX, ASLR and SafeSEH memory protection capabilities. The new browser also improves the messages its users see when they download files and programs; the messages are designed to make it easier for the users to assess the risk of opening such files.
Till next time,
Jorge Orchilles
It seems the information security industry has finally convinced Twitter to enable HTTPS and provide an option to have it enabled always. Tools like FireSheep and multiple research has been pushing companies to force HTTPS all the time. Make sure to enable this especially fi you frequent public networks. Twitter has posted this blog post with instructions:
Today, we’re taking an important step to make it easier to manage the security of your Twitter experience – we are adding a user setting that lets you always use HTTPS when accessing Twitter.com. Using HTTPS for your favorite Internet services is particularly important when using them over unsecured WiFi connections.
For some time, users have been able to use Twitter via HTTPS by going tohttps://twitter.com. We’ve made it simpler for users to do this by adding the option to always use HTTPS.
To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page. This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity. In the future, we hope to make HTTPS the default setting.
For sites that do not allow this option you can use the Firefox extension ForceTLS.
