Many of you reading this post probably have also heard of KrebsOnSecurity. If you haven't already done so I recommend you read his article regarding ApplePay: http://krebsonsecurity.com/2015/03/apple-pay-bridging-online-and-big-box-fraud/
The article explains at a high level how credit card fraud works and then goes on to explain how ApplePay fits into the whole picture. Mr. Krebs has many valid points regarding ApplePay, and I agree that I won't be using ApplePay or Google Wallet any time soon to buy things at stores. But I want to point out that many of these "hacks" can actually be prevented by the end user, here's how.
Apple Pay, Google Wallet, and PayPal all rely on the security of you appropriate iTunes, Google, or PayPal Accounts, meaning that the only way a hacker could steal your credit card information is if they were to gain access to your account as well. If you are security conscience then you probably already have two factor authentication on your Google account and probably have a strong password on the rest of your accounts. Having a strong password is the single most important step in securing your online identity. Even if you password was easy to remember and therefore easy to brute force or guess, but it is a long password (talking 20+characters here) then you will be reasonably safe. The reason for that is that hackers will almost always go for the low hanging fruit. They don't want to spend hours, days, months, years trying to hack passwords, they would never make any money doing that. They are going to hack the people whose accounts are easy to hack into first. Keep in mind that this doesn't always mean they just guess your password. You should also have strong security questions for password recovery, this is less important than having a strong password, however.
You can further protect your online identity and credit by knowing what credit cards you use online and knowing their fraud policies. As standard practice for me, I never store my credit card information on the site when I buy something, I don't know how good their security practices are and if someone were to hack into my account then there would be nothing for them to find/steal. Kind of hard to steal something that isn't there. If I have the option to use PayPal, or Google Wallet (I do not currently use Apple Pay at all) then I take that option. This limits the number of times that I enter my credit card information online, also reducing the possibility that it could be stolen. I trust PayPal and Google with my information but they have shown they can be trusted. Lastly, I NEVER use a debit card or do a direct bank account transaction online, even if there is a fee for using my credit card. The reason for this is that if someone were to get my bank account information or a debit card information, it is very difficult to dispute those charges, sometimes even impossible. All of my credits cards are very generous with their dispute times and all I have to do when I notice a fraudulent charge is give them a call and its taken care of. Most of the time when it is actually fraud they call me.
In summary, passwords are the first step in securing your credit cards, no matter your method of payment. XKCD posted a great little "comic" depicting how you can remember complex passwords easily. (http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength). Or you can use a application to remember your passwords for you, such as LastPass (https://lastpass.com/). Limiting your credit card exposure to the internet is the next biggest step. Limit the number of websites that you allow to store your information and for god sake NEVER EVER EVER put debit cards or bank account information in ANY website unless it is your bank. If you are super freaked out and/or you don't have a credit card, then go to the store and buy a gift card (either merchant specific or just a generic visa gift card) and use that online. They are prepaid so even if they get stolen you are only out a little bit of money. Ideally you would only load enough on it to make one purchase, use it, then leave it empty until next time. The Internet is the wild west, but with little effort even you can stay safe out there.
Security 'N More
Friday, March 13, 2015
Saturday, December 20, 2014
Rid yourself of Unity in Ubuntu 12.04
While setting up an Ubuntu installation recently I wanted to get rid of Unity. I stumbled accross this great guide! Thanks to Linux Tech Crunch for the tutorial (original found here: http://linux-software-news-tutorials.blogspot.com.es/2012/04/totally-remove-unity-from-ubuntu-1204.html), I have reproduced it here. I have not confirmed if this works on any other version of ubuntu but I know it works on 12.04:
1) First we need to install gnome-shell, synaptic package manager, and a tool that will allow us to clean up unity. During installation you will be asked to set the default logon manager, select "gdm". When finished reboot.
Finally, we elminate the config files:
1) First we need to install gnome-shell, synaptic package manager, and a tool that will allow us to clean up unity. During installation you will be asked to set the default logon manager, select "gdm". When finished reboot.
sudo apt-get install gdm gnome-shell synaptic deborphan
2) Next we need to remove all of the packages associated with Unity:
sudo apt-get remove unity unity-2d unity-2d-common unity-2d-panel unity-2d-shell unity-2d-spread unity-asset-pool unity-common unity-lens-applications unity-lens-files unity-lens-music unity-lens-video unity-scope-musicstores unity-scope-video-remote unity-services indicator-messages indicator-status-provider-mc5 appmenu-qt appmenu-gtk appmenu-gtk3 lightdm unity-greeter overlay-scrollbar zeitgeist zeitgeist-core zeitgeist-datahub activity-log-manager-common activity-log-manager-control-center
Then type
sudo apt-get autoremove
Now we need to remove all of the "orphan" packaages:
sudo apt-get purge `deborphan`
Repeat the last command several times to ensure that all packages are remove. Just go until it doesn't find anything else to remove. You might need to run sudo apt-get autoremove again just for good measure.Finally, we elminate the config files:
sudo dpkg --purge `dpkg -l | egrep "^rc" | cut -d' ' -f3`
Reboot and you now have a Unity free Ubuntu 12.04!
Saturday, December 13, 2014
My favorite browser plugins
Many of you are simple people, and you don't like to be bogged down by a lot of clutter when using your web browser. Well, I am exactly the same way. I would like to share with you my favorite web browser add-ons and why I use them.
These five browsers do not bog down your browser but in my opinion make my web browsing experience safer and private.
Adblock Plus: https://adblockplus.org/
Adblock Plus is definitely the first add-on I install when I start using a clean browser. Adblock Plus blocks all of those annoying ads on websites. In my experience it has also blocked the ads that YouTube has started to put on their videos, you don't even have to wait for a "black screen" it just skips the ad altogether. They have strict rules about what Ads can be white listed and they claim that a company can never buy their way onto the white list. Pretty cool. I personally hate seeing ads on websites and many of them now include noise and that can get very annoying when you have many tabs open and you don't know which one is producing sound. Adblock Plus is a must install for anyone wanting to streamline their browsing experience. Adblock Plus is available for Firefox, Chrome, Android, Opera, Internet Explorer, and Safari.Lastpass Premium: https://lastpass.com/
My next favorite add-on is really just a convenience one. I am a huge supporter of long unique hard to remember (and guess) passwords. But since all of my passwords are hard to remember, how do I remember them all without writing them down for anyone to find? That's where LastPass comes in. LastPass is a browser add-on that conveniently remembers all of your passwords for you and will automatically enter them whenever you go to a site which you have a saved password for. LastPass also has a password generator where you can securely generate a password that meets all the complexity requirements that you want and/or the website allows. All passwords are store in the "cloud" but they are encrypted with a master password (which you must remember on your own). Whenever you want to access your database of passwords, LastPass will download an encrypted copy and then decrypt your passwords locally on your machine. This means that your master password is NEVER transmitted over the internet and nobody, not even LastPass can recover a lost or forgotten master password. LastPass is available for Windows, Mac, Linux, Chrome, Firefox, Opera, Safari, Internet Explorer, iOS, Android, Blackberry, and Windows phone. In order to use Lastpass on your phone you must pay a small subscription fee of $12/year, which in my opinion is well worth it.NoScript: https://noscript.net
For the serious security conscious computer use NoScript is highly recommended. It does take a bit of getting used to as it will inadvertently block content on websites that makes the website useless, thanks to web developers relying way to much on javascript to create their website. NoScript block all JavaScript, Java, Flash, and other plugins and lets you build your own white list of websites that you want to allow to run scripts. This plugin is essential for preventing common web based exploit techniques such as XSS (http://en.wikipedia.org/wiki/Cross-site_scripting). The new version appears to come with a default whitelist of well known good sites and it seems to make initial install of the add-on much more useable and friendly. Currently NoScript is only available for Mozzila based browsers such as Firefox but there are other add-ons, like ScriptSafe that are available for Chrome.Disconnect: https://disconnect.me
Unlike all the add-ons listed above disconnect is the only completely passive add-on that I use. I only use the free version which blocks all trackers. Any website that attempts to collect personal information from your web browser, like advertising, analytics, or social information will be blocked by Disconnect. This is one more step in making your online browsing private. I personally don't like big companies collecting and storing all of that data about how I use the internet so I use disconnect to keep that information private. Disconnect is available on all major browsers and OSX, Windows, Androis, and iOS.These five browsers do not bog down your browser but in my opinion make my web browsing experience safer and private.
Sunday, January 6, 2013
Code Management with SVN
Hey guys, I know it's been awhile since I have made any posts and now that I have more time on my hands hopefully I'll be providing more useful content! I noticed I've gotten a lot of hits on my SELinux stuff so I hope that has helped a lot of people get what they need to get done. Please continue to leave comments and tell me how useful my information was. Today I am going to (hopefully) solve a problem that I have been wanting to solve for a while, and that is code management. I am starting to build up a little code database of my own and before I get too far I would like to have a better way to management. I have provided some tutorials on how to use Git in earlier posts, which is a good piece of software, but today I am going to setup an SVN server and then demonstrate how to create a new repository and how to checkout/checkin your code. I am sure there are a lot of tutorials out there already but I am doing this mainly for my own reference and hopefully some of you will get something out of it as well. Here we go.
I am going to be using Ubuntu server 12.04 64 bit as my operating system. Everything should be the same for all distros just change the apt-get commands to your appropriate repo's command's (yum for redhat/fedora etc.).
1. I am going to start by getting my basic LAMP up and running, I know I don't need all of it but I like to start from a good well known starting point:
Next, let's go ahead and create a location to store all of our repositories. I am going to use the '/var/lib/svn' directory as a common place:
Now create a repository. This is also the command you will use anytime you want to create a new project's repository. Replace 'myproject' with whatever you desire your project name to be.:
Subversion is now all setup and ready to go. Since this is a security blog I want to talk about some security things for a second. From here you can choose whether you want to use http/https or svn/svn+ssh to access your repositories over the network. I chose to use http/https and here's why. From what I can tell there is no way to allow the svnserv daemon to use encrypted passwords, and if by some miracle somebody were to gain access to my box I wouldn't want them to see my passwords in plaintext. Let's make them work for it! Since http/https uses apache2 we can store our passwords in an encrypted manner using the htpasswd tool. So here we go.
We need to configure the Apache2 SVN module by editing the file
Then add the following configuration:
Restart apache:
NOTE: The -c flag indicates that you are creating a new password file. To add a user to an existing passwd file omit the -c flag.
That's it! Now you can checkout your svn repository over http.
I hope this posting has helped some of you get your svn server up and running. I will have future posts that explain changing over to https and more security features of svn so please check back.
I must give a shout out to the guys at Howtoforge.com for providing a walk through that I used when getting this setup myself: http://www.howtoforge.com/installing-subversion-and-configuring-access-through-different-protocols-on-ubuntu-11.10
I am going to be using Ubuntu server 12.04 64 bit as my operating system. Everything should be the same for all distros just change the apt-get commands to your appropriate repo's command's (yum for redhat/fedora etc.).
1. I am going to start by getting my basic LAMP up and running, I know I don't need all of it but I like to start from a good well known starting point:
sudo apt-get install -y apache2 mysql-server php5
Once that is done then we need to install svn and additional tools:
sudo apt-get install -y subversion libapache2-svn
Next, let's go ahead and create a location to store all of our repositories. I am going to use the '/var/lib/svn' directory as a common place:
sudo mkdir -p /var/lib/svn
Now create a repository. This is also the command you will use anytime you want to create a new project's repository. Replace 'myproject' with whatever you desire your project name to be.:
sudo svnadmin create /var/lib/svn/myproject
Subversion is now all setup and ready to go. Since this is a security blog I want to talk about some security things for a second. From here you can choose whether you want to use http/https or svn/svn+ssh to access your repositories over the network. I chose to use http/https and here's why. From what I can tell there is no way to allow the svnserv daemon to use encrypted passwords, and if by some miracle somebody were to gain access to my box I wouldn't want them to see my passwords in plaintext. Let's make them work for it! Since http/https uses apache2 we can store our passwords in an encrypted manner using the htpasswd tool. So here we go.
We need to configure the Apache2 SVN module by editing the file
/etc/apache2/mods-available/dav_svn.conf
.:
sudo vim /etc/apache2/mods-available/dav_svn.conf
Then add the following configuration:
<Location /svn>
DAV svn
SVNParentPath /var/lib/svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
NOTE: you can have the AuthUserFile be whatever you want, we will create the file later.Restart apache:
sudo /etc/init.d/apache2 restart
Because we will read and write to our repositories as the Apache user and group, we must change the owner and group of /var/lib/svn
and it's subdirectories to the Apache user and group:
sudo chown -R www-data:www-data /var/lib/svn
Now we must create the password file that will contain the users and their passwords that will be able to access the repositories:
sudo htpasswd -c /etc/apache2/dav_svn.passwd
NOTE: The file path should be the same you specified in the dav_svn configuration file.NOTE: The -c flag indicates that you are creating a new password file. To add a user to an existing passwd file omit the -c flag.
That's it! Now you can checkout your svn repository over http.
svn co -username bill http://url/svn/myproject /local/path/to/project
NOTE: If you just want to read the repository (not make changes to it) then you do not need to specify the username. It is possible to secure your repository to make it so only authorized users can read your repository.I hope this posting has helped some of you get your svn server up and running. I will have future posts that explain changing over to https and more security features of svn so please check back.
I must give a shout out to the guys at Howtoforge.com for providing a walk through that I used when getting this setup myself: http://www.howtoforge.com/installing-subversion-and-configuring-access-through-different-protocols-on-ubuntu-11.10
Thursday, June 28, 2012
GIT Reference
I am getting absolutely tired of trying to find my GIT references again after I have found them and used them and for some reason I am unable to remember certain commands with git. I am going to use this post as a central location for all of the GIT references that I find with a short description of the command/section that I found useful there.
When creating a branch here are the steps that you want to follow:
1) First we need to create the remote branch so we have a place for us to start. We can do that with the following command:
2) Next, we need to checkout this newly created branch so we can start work on it. This is the command for that:
The above steps will create a remote branch and then a local branch that you can edit that will track the newly created remote branch. There is also a way that you can create a local branch that is not remote so that way only you can see that branch. For more information about that please go to this site: http://git-scm.com/book/en/Git-Branching-Basic-Branching-and-Merging
This site also provides a good explanation about how git branches work so if you are confused about that please read it there.
When creating a branch here are the steps that you want to follow:
1) First we need to create the remote branch so we have a place for us to start. We can do that with the following command:
git push origin [current-branch]:refs/heads/[branch-name]
So for example let's say that I wanted to create a new branch called bill-fix but I don't want to start at the master branch, I want to start at say our new-ui branch. So then my command would look like this:
git push origin new-ui:refs/heads/bill-fix
You can see the logic of the push command, in this example.2) Next, we need to checkout this newly created branch so we can start work on it. This is the command for that:
git checkout --track -b [branch-name] origin/[branch-name]
So, this command is also pretty self explanatory. The first [branch-name] that appears is the name that you want your local branch to be, and the second has to be the same as the remote branch created. So using the example above, my new branch was named bill-fix but lets say that I want my local branch to be bill-fixed-everything but I want it to track the remote branch of bill-fix, then my command would look like this:
git checkout --track -b bill-fix-everything origin/bill-fix
The above steps will create a remote branch and then a local branch that you can edit that will track the newly created remote branch. There is also a way that you can create a local branch that is not remote so that way only you can see that branch. For more information about that please go to this site: http://git-scm.com/book/en/Git-Branching-Basic-Branching-and-Merging
This site also provides a good explanation about how git branches work so if you are confused about that please read it there.
Saturday, June 23, 2012
One computer, multiple networks
Now, this is a problem that I have been facing for a few years now. Let me sum it up for you. I am a former network administrator for my mom's business. Being the network administrator I completely overhauled the entire network and replaced the server a few years back. With these improvements we wanted to be able to access the internet, but only from a couple of computers. So the objective was to have to client computers connect to two separate networks, one that was just for the business and another one that was connected to the internet. When all was said and done I had one computer that was working just fine and was able to connect to both networks without any difficulty, but the second one would not do this no matter what I tried. After years of having this problem I finally found this forum topic:
http://www.velocityreviews.com/forums/t297470-wireless-and-wired-network-together-on-windows-xp.html
After reading this post I remembered everything that I learned in my networking class about how computers/routers prioritize routes. I wish I had more information but this is definitely something that I need to keep in mind for future endeavors and if anybody else is having the same problem I hope that it will help you too.
Friday, April 20, 2012
SSL VPN
While working on my final project for my security lab class, I ran across this amazing tool, OpenVPN ALS or Adito. Our group decided to implement a VPN as part of security for our network. This is all fine and dandy but we don't have any enterprise tools available to us to use. I don't know really anything about how to setup a VPN, except for making one in Windows. Anyway, in my searching on Google I found this video:
http://revision3.com/hak5/sslvpndsolo
Much thanks go to hak5.org for making this very informative video. He does talk about how to setup the service in the video and I encourage you to watch it if you are interested. I do want to post some comments I have about the service myself. I installed the server on a FC14 machine and it worked exactly the same as in the video except I installed the OpenJDK package rather than sun-java. Also, when I tried to access the VPN from a linux client machine I could not get the SSL tunnel to the server on my network working. It worked fine with Windows. I'll look into this more and try and see whats going on. Bottom line if you are looking for a simple VPN setup, this will probably do what you are looking for.
http://revision3.com/hak5/sslvpndsolo
Much thanks go to hak5.org for making this very informative video. He does talk about how to setup the service in the video and I encourage you to watch it if you are interested. I do want to post some comments I have about the service myself. I installed the server on a FC14 machine and it worked exactly the same as in the video except I installed the OpenJDK package rather than sun-java. Also, when I tried to access the VPN from a linux client machine I could not get the SSL tunnel to the server on my network working. It worked fine with Windows. I'll look into this more and try and see whats going on. Bottom line if you are looking for a simple VPN setup, this will probably do what you are looking for.
Subscribe to:
Posts (Atom)