November 24, 2006 – 10:57 am
Inspired by this post from Dan that links to a suggestion for keeping your passwords safe when using a computer that isn’t your own, I’ve decided to post on my idea for safe remote access, even though I haven’t actually implemented it yet.
Taking a step back, I should start by explaining the need for such measures. The basic idea is that if you are using a computer that you don’t have complete control over, you have no way of knowing what may have been done to that computer (either by its owner or some third party) in an attempt to grab your passwords.
Basically, I wanted to come up with a method that will allow you to securely use this kind of a system without fear of your passwords being compromised. To lay the ground rules, I think you have to assume the following things about the computer you will be using:
Dr. Dave (author of Spam Karma) offered this deliberately non-specific warning on his blog today about a potential exploit related to enabling user registration in all current versions of WordPress.
He hesitates to give the details of the problem, since the lid is apparently still on pretty tightly, and so far there are no exploits “in the wild”. I generally disagree with this approach to security announcements, and have some issues with this one in particular, which I can elaborate on if anyone’s really interested, but it may be wise just to heed his advice for now until more info is uncovered.
The worst that could happen is it’s just a big practical joke to see how many people will respond to him “crying wolf”, but I don’t think he would really do that. The odd thing is that he said the WP developers have been notified, but Matt hasn’t heard anything about it.
December 12, 2005 – 1:15 am
For anyone who finds themselves in need of the services that a product like GoToMyPC can provide (namely accessing a computer on one network from one on another network, both behind firewalls which restrict direct connection attempts) but don’t want to pay $20 per month (or whatever it is now), I would like to recommend sslexplorer, an excellent replacement for such needs.
There are a lot of reasons why I like this, even though I personally already do most of this kind of thing using SSH tunneling. One is that this is way easier for the average user to set up, and they can run it on pretty much any computer (doesn’t require you to run an SSH server at home). The other is that if you’re working behind an extremely secured network and trying to connect back to another computer (at home for example), the network administrators could potentially restrict your ability to use SSH if they really wanted to do so, but chances are that if they want to allow any secure browsing at all, they will probably have to allow outbound HTTPS connections, which is all this product needs in order to make the connection.
I found this especially interesting since the company behind GoToMyPC / GoToMeeting has been heavily pushing their products lately, sponsoring pretty much every tech podcast that takes sponsorships. It will be interesting to see if those shows will avoid mentioning sslexplorer to avoid conflicts with their sponsors.
September 11, 2005 – 1:04 pm
In this article/interview with Kiwi Mark Borrie, he reminds users that security considerations are important no matter which platform you run on, and not to be lulled into a false sense of security just because most viruses are written for Windows.
I thought that the description for the Renepo exploit was pretty interesting. Here is a synopsis:
Dubbed Renepo (alias Opener), Ducklin said the malware: “turns off system accounting, turns off the OS 10 firewall, turns off auto updates, turns file-sharing on, opens an SSH back door, downloads and installs an open source video conferencing program and opens it in ‘do not advise the user mode’.”
The article also suggests that Microsoft has surpassed Apple in terms of their approach to addressing security issues as a company. I’ve seen a lot of what MS has been doing internally to support this, in terms of making huge (schedule impacting) priority changes in the dev plans on almost all of their products. Don’t know anything about what Apple is doing, but I do seem to hear a lot of the (false) assumption that it’s automatically secure because it’s based on *nix now, and/or there aren’t as many viruses etc. written for it. This article does a pretty good job of explaining why that’s the wrong way to think about it.
August 28, 2005 – 1:42 pm
After talking to Nathan about it this morning, I realized that I forgot to mention here about my new network configuration at home. Once I finished the closet, I reconfigured the network so that I’m now using a Linux box connected directly to the cable modem, and then all the other routers (for the other network segments), etc. connected to the Linux box.
This allows me to do a couple things much better than I could do before. One is that I now have a “true”, fully featured firewall that all communications to the outside go through, rather than the very limited firewall software that comes with most home routers. Using the Linux box allows for much more advanced routing functionality and firewall rules, in both directions (which is important for the next part).
The second advantage (and the main reason I did it) is so that I can force any outgoing traffic to go through a proxy server (which I also set up - squid). Aside from the other benefits caching provides, I have attached a content filter to the proxy which will block any stuff that I don’t want getting through to the computer that the kids use, based on a very flexible and customizable set of filtering functionality.
Now that I have the process down pretty well, I am thinking of offering to do it for schools, etc. who want internet access. But that would assume that I had spare time on my hands…
August 10, 2005 – 2:33 pm
Quick concept overview: mag stripe reader mounted on top of the card insert slot (to capture the card data for later duplication) and a hidden camera mounted on the side (usually in a form / brochure holder) to record PINs. *UPDATE - here is a site that explains it in detail, with photos.
I heard about this technique a while ago, but today was the first time I’d actually heard from someone (a friend I work with) who experienced it. (Lost $2000 from his account in one day). For you Venturan readers, the hacked machine was the B of A ATM by Mervyns/Baja Fresh (but possibly others in the area as well), so you may want to check your balances.