Category Archives: Security

aka infosec

Web-based password manager LastPass hacked

One of the more popular online password managers has been hacked. LastPass’s servers were breached and user data stolen, including hashed user passwords, cryptographic salts, password reminders, and e-mail addresses.

According to LastPass staff, your passwords are still secure, because only the encrypted versions were obtained. Analysts have confirmed that the risk to LastPass users is minimal, mostly due to safeguards employed by the service.

Still, if you use LastPass, you should immediately change your master password. You will in fact be prompted to do so when you log in.

Although LastPass had effective safeguards in place, the fact that they were hacked (again) leaves me wondering whether it’s ever a good idea to use any Internet-based password manager. I strongly recommend using an offline password manager like the excellent Password Corral or Password Safe. Both are freeware.

Ars Technica and Brian Krebs have more details on the hack and its implications for users.

VPN doesn’t make open WiFi completely secure

Public WiFi access points (APs) are extremely convenient. They’re also not very secure. Most WiFi APs are configured to use encryption, which is why you need a password to access them. Most also use strong encryption, in the form of WPA2. That sounds good, but if you’re at all concerned about security, it’s not enough.

Even with strong WiFi encryption, anyone who has the WiFi password and is within range of an AP is sharing the network with everyone else using that AP. That means they can use network sniffing tools to see all the traffic on that network. If you sign in to any web-based service (such as web mail, or your bank site), and that service doesn’t also provide encryption, your username and password can be obtained very easily.

Savvy public WiFi users know this, and use VPN (Virtual Private Network) software to further encrypt their network communications. VPN adds a layer of encryption that is dedicated to your computer and makes your communication indecipherable, even to the hacker at the next table.

Unfortunately, even with VPN software, your communications on a public WiFi network are vulnerable. That’s because – in a typical (i.e. default) setup – there’s a delay after you connect to the AP and before the VPN kicks in. During this delay, you are exposed.

To be truly secure, even with a VPN, you need to apply limitations on what your computer can do over public WiFi – especially what it can do during periods when the VPN is not yet active. Unfortunately, this can get complicated. The guides linked below should help.
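One way to apply the limitations described above, assuming a Linux laptop with iptables (an added example, not from the original post or its linked guides): the function prints firewall rules that drop all outbound traffic except DHCP, the VPN handshake and the tunnel itself, so nothing leaves in the clear during the delay before the VPN is up. The interface names, the VPN server address 203.0.113.10 and the port are placeholder assumptions.

```shell
#!/bin/sh
# Added example: emit "kill switch" rules for use on public WiFi.
# Rules are printed, not applied; review them, then pipe to `sudo sh`.
# All argument values shown in the usage line are assumed placeholders.
# Usage: killswitch_rules WIFI_IF TUN_IF VPN_SERVER_IP tcp|udp PORT

killswitch_rules() {
    wifi_if=$1; tun_if=$2; vpn_ip=$3; proto=$4; port=$5

    # DNS is blocked until the tunnel is up, so the VPN server must be
    # given as a numeric IPv4 address. This rejects hostnames; it is not
    # a full address validator.
    case "$vpn_ip" in
        ''|*[!0-9.]*)
            echo "error: VPN server must be a numeric IPv4 address" >&2
            return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "error: protocol must be tcp or udp" >&2; return 1 ;;
    esac

    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $wifi_if -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $wifi_if -p $proto -d $vpn_ip --dport $port -j ACCEPT
iptables -A OUTPUT -o $tun_if -j ACCEPT
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Print the rules when the script is run directly with all five arguments.
if [ "$#" -eq 5 ]; then
    killswitch_rules "$@"
fi
```

With these rules in place, a browser or mail client that starts before the tunnel exists simply fails to connect instead of sending traffic over the shared network. Captive-portal sign-in pages are blocked too, so the portal step has to be completed before the rules are applied.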

Flash 18.0.0.160 fixes 13 security issues

The latest Flash release from Adobe is version 18.0.0.160. According to the associated security bulletin, this update addresses at least thirteen security vulnerabilities.

Several other bugs, unrelated to security, were also resolved. See the release announcement and release notes for details.

The new version also includes a somewhat streamlined installation process: users will no longer be prompted to restart their browser after Flash installation. The previous version will continue to function until the browser is restarted.

As usual, Chrome will be automatically updated to use the new Flash, and Internet Explorer 10 and 11 on recent versions of Windows will get the new Flash via Windows Update.

Security roundup – May 2015

Recent security breaches at mSpy and AdultFriendFinder are a gift for Internet extortionists. mSpy hasn’t helped matters by first denying the problem, and then trying to downplay its impact.

A serious vulnerability called Logjam has been discovered in the Diffie-Hellman key exchange, which is used to secure communications on many web and email servers. Meanwhile, despite the many flaws of HTTPS, it’s still a good thing that the web is moving towards HTTPS encryption everywhere.

In the world of network-attached hardware, malware called Linux/Moose is exploiting vulnerabilities in routers and spreading across the Internet. A security flaw in NetUSB is making many consumer routers vulnerable.

A serious vulnerability in many virtual hardware platforms, including Oracle’s popular VirtualBox, is making life difficult for many service providers.

Those of you who monitor traffic arriving at your home or work network are no doubt aware that your network is being constantly scanned for vulnerabilities. Brian Krebs rightly points out that much of this scanning activity is not malicious.

And finally, before you exchange that Android device, you should know that even if you’ve performed a full reset, your personal data is not being completely erased.

Insecure routers home to vast botnets

Huge networks of compromised network routers form the basis of several large botnets. These botnets – described as ‘self-sustaining’ by security researchers – are only possible because routers are shipped with common, known passwords, and because users fail to change those passwords, or leave remote administration features enabled. The compromised routers are mostly used in DDoS attacks.

Users should not depend on their ISP to secure their router. There are numerous guides for improving the security of routers, but this one at HowToGeek is particularly good.

Shockwave 12.1.8.158

The latest version of Adobe Shockwave is 12.1.8.158, which was actually released on April 22. The release notes don’t even mention it.

You can check the version of Shockwave on your computer by going to the Windows Programs and Features control panel, where it appears as Adobe Shockwave Player. Alternatively, you can check your browser’s add-ons: in Firefox, Shockwave appears in the Plugin list as Shockwave for Director. You can also check the installed version and install the latest version on the Shockwave Player Help page.

Firefox 38.0 released

Another stealth release from our friends at Mozilla, Firefox 38.0 fixes at least thirteen security issues.

Other changes in this release include tab-based preferences, as well as HTML5 enhancements and improvements to developer tools.

If you’re tired of waiting for Mozilla to issue proper release announcements, you can always get your Firefox news from another source, like the CERT alerts blog.

Update 2015May14: Two days later, and Firefox still isn’t updating itself. I’m not sure if there’s a problem with Mozilla’s update process, or if it’s just sluggish. According to Mozilla:

By default, Firefox is set to automatically update itself but you can always do a manual update. Here’s how:
1. Click the menu button, click help (question mark icon) and select About Firefox.
2. The About Firefox window will open and Firefox will begin checking for updates and downloading them automatically.

What I’m finding is that while the About box may be checking for updates, it’s not finding one, or in any case even if it finds one, it’s not downloading anything. It just says ‘Firefox is up to date’.

In any case, since this release contains fixes for security issues, I’m going to install it manually from the main download page. That page correctly identifies that I’m running an older version and offers a link to download the new version.

Update 2015May14: Via the official #firefox IRC channel, I was just informed that once again, a new version of Firefox is causing crashing problems. Version 38.0 has been pulled from release, and we can expect a fixed version 38.0.1 later this week.