security

The blog is currently being ported from WordPress to static pages, covering over 12 years of content. If there's an article missing that you're hoping to see, please contact me and let me know, and I'll prioritize getting it online.

If you're running Trend Micro's antivirus solution on Windows, update it asap!!

If you’re running Trend Micro’s antivirus solution on Windows, update it asap!! A major information security flaw was found in the software: it runs a localhost web service that is highly vulnerable to attack. From the security post: It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands, like this: x = new XMLHttpRequest() x.


Company uses a Raspberry Pi to create a man-in-the-middle attack

A company used a Raspberry Pi to create a “man in the middle attack”, on purpose, to warn users that they’re not on SSL-enabled web sites. So … exploiting a vulnerable vector to warn about a vulnerable vector. /facepalm It’s shockingly easy to build these kinds of devices, especially for use in public spaces such as cafes and libraries. You should always use some sort of VPN software on your device to protect your in-transit data.


Don't memorize passwords, memorize an algorithm

Manuel Blum, winner of the 1995 Turing Award, has come up with a clever way to remove the need to memorize cryptic passwords. The gist of his approach is that instead of cryptic passwords, you just need a matrix of letters and numbers and an algorithm for creating a password based on the name of the web site. All you need to memorize is your personal algorithm for navigating through the 6x6 square of letters and numbers.


Windows 10 spies on you by default

Windows 10 has a ton of tracking built in. Here’s how to opt out. Five things to do as soon as you install Windows 10: http://bgr.com/2015/07/30/windows-10-upgrade-installation-settings/ Open your Settings panel and click on Privacy, where you’ll find 13 different screens to go through. Disable anything you don’t want tracked. Most of the important settings can be found on the General tab, but be sure to go through the other tabs as well.


Android has major security vector with SMS/MMS prefetch

A vulnerability called Stagefright was found: it is delivered through a malicious video and gives the attacker access to your device, including storage rights, microphone access, and the ability to copy data such as passwords. Because the default action of Hangouts and Android’s stock SMS app was to pre-fetch the videos (thereby processing them ahead of time for you), you could be vulnerable without even knowing it. It was blogged about several times; here are just a few:


Android Security wakes the sleeping blogger

Can’t believe it’s been so many months since I blogged last. Even quitting Facebook link 1, link 2 wasn’t enough to blog about, but this one deserves a post. Update, April 19, 2012: It seems that Google isn’t showing my user review on the app. At best, they’re holding it for human eyes to review since it was both a 1-star review and contained a URL back to this blog post.


How not to be secure: blogsvertise.com stores passwords in insecure ways

I was approached by blogsvertise.com recently to reactivate my account, because I let it die a slow, agonizing, forever-alone kind of death. I figured writing occasional sponsored blog articles would give me some extra Starbucks money here and there, and after talking to “Melissa”, and telling her why I’d left (I was flooded by irrelevant advertising ideas like lawnmowers) and what I’d need to make it worth my while, she reactivated my account, at which point their system sent me an Email:


HOWTO: Protect Yourself (as best you can) from Facebook's F8 Platform

To recap my “social web is not a private web” article, Facebook’s F8 platform will begin to create a massive social web for which you have already given them permission to share your public info. Be warned, though, that even if you do take some of the following steps to opt out, your friends might still be able to share some of your public information (Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages) without your consent, as these ‘partner’ sites will have access to your friends’ contact lists, which can contain public pieces of information about you.


Facebook's Social Web will not be a Private Web

Facebook has introduced their new ‘f8’ platform which raises several serious privacy concerns. While I’m not usually a tinfoil-hat kinda guy, these realizations today really raised my ire against Facebook. The f8 platform will allow web developers to add a ‘like’ button on their sites, and if you’re a content publisher, face it – you’ll WANT to add that to your site. But this HTML iframe will give Facebook access to every site you visit that includes the LIKE button.
