Archive for June, 2010

When it comes to computer security, people are being brainwashed

June 20, 2010 7 comments

As difficult as this may be to accept, people are being brainwashed into believing that it’s acceptable for computers to be insecure. While this might seem like an absurd idea, let me present four real world scenarios to help you understand why it’s true.

Would it be acceptable for you to go into a restaurant and be served undercooked chicken 8 out of 10 times? Of course not, because you know that if you ate it, you could get sick and even die. You expect the chicken to be properly cooked each and every time it’s served to you, right?

Read more…


If your Hotmail, Gmail or Yahoo password is hacked, you need to do more than just change the password

June 18, 2010 1 comment

It seems like a lot of people’s online email accounts are getting hacked these days, with no clear indication of how the hackers are obtaining passwords. If you suspect or know your account has been hacked, change your password. If you haven’t changed your password within 30 days of this post, change it now – just in case hackers already have your password but haven’t used it yet. There are some other things you may want to consider doing as well:

1. Change your security question and/or the answer to the question. Don’t make the answer something that can be successfully guessed. If possible, make the answer so obscure that it’s impossible to guess. For favorite color, for example, don’t use the primary colors. Use something like “ripe tomato” for red, “banana boat” for yellow or “Mountain Berry Blast” for blue. Don’t use a question that can be answered by viewing your Facebook or blog page.

Read more…

Understanding the AT&T security breach: Parameter tampering basics

The recent AT&T security breach that disclosed 114,000 Apple iPad e-mail addresses is lingering on the Web like a bad smell in an enclosed car. Some details on how it was done are provided under the “Breach Details: Who did it, and how” section. This post will explain the user-agent header and HTTP request elements, and provide an example of parameter tampering that makes a breach like AT&T’s possible.

DISCLAIMER: What I present below has nothing to do with the AT&T site itself.
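To make the mechanism concrete, here is an added illustration that is not part of the original post and has nothing to do with the AT&T site: a small lookup handler written two ways. The vulnerable version trusts two client-controlled HTTP request elements, the `id` query parameter and the User-Agent header; the hardened version ties the lookup to a server-issued session, and a small helper flags the request pattern a defender would watch for. All identifiers, e-mail addresses, session tokens and the `TrustedDeviceBrowser` user-agent string are constructed values.

```python
"""Parameter tampering, vulnerable vs. hardened (constructed example).

Both handlers answer "which e-mail belongs to this device id?".  The first
trusts whatever the client sends; the second only answers for the device
the caller actually authenticated with.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample data: device id -> account e-mail (not real accounts).
DEVICE_EMAIL: Dict[str, str] = {
    "DEV-0001": "alice@example.invalid",
    "DEV-0002": "bob@example.invalid",
    "DEV-0003": "carol@example.invalid",
}

# Constructed sessions: token issued by the server at login -> device id.
SESSIONS: Dict[str, str] = {
    "sess-alice": "DEV-0001",
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: URL plus header map."""
    url: str
    headers: Dict[str, str]


def _query_param(req: Request, name: str) -> Optional[str]:
    """Return the first value of a query-string parameter, or None."""
    values = parse_qs(urlparse(req.url).query).get(name)
    return values[0] if values else None


def vulnerable_lookup(req: Request) -> Optional[str]:
    """Anyone who can set a header and a query parameter can read any record.

    The User-Agent check is not authentication: the client chooses that
    header, just as it chooses the id in the query string.
    """
    if "TrustedDeviceBrowser" not in req.headers.get("User-Agent", ""):
        return None
    device = _query_param(req, "id")
    return DEVICE_EMAIL.get(device) if device else None


def hardened_lookup(req: Request) -> Optional[str]:
    """Authorize on the server-side session, not on client-supplied values.

    X-Session is a hypothetical header carrying the token the server issued
    at login.  A client-supplied id that disagrees with the session's device
    is refused (and would be logged as a tampering attempt).
    """
    owner = SESSIONS.get(req.headers.get("X-Session", ""))
    if owner is None:
        return None
    requested = _query_param(req, "id")
    if requested is not None and requested != owner:
        return None
    return DEVICE_EMAIL.get(owner)


def enumeration_suspects(log: List[Tuple[str, str]], threshold: int) -> List[str]:
    """Detection helper: clients that asked about too many distinct ids.

    `log` is a list of (client_address, requested_id) pairs pulled from the
    web server access log.  Harvesting many records looks like one source
    walking through id after id, which is what this flags.
    """
    seen: Dict[str, set] = {}
    for client, device_id in log:
        seen.setdefault(client, set()).add(device_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    tampered = Request("https://svc.example.invalid/lookup?id=DEV-0002",
                       {"User-Agent": "TrustedDeviceBrowser/1.0"})
    print("vulnerable:", vulnerable_lookup(tampered))   # leaks bob's address
    print("hardened:  ", hardened_lookup(tampered))     # None
```

The point of the two handlers side by side is that the id and the User-Agent header are both just bytes chosen by the client; only state the server created itself (the session) can decide who is allowed to see what.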

Read more…

Why the current computer security paradigm is analogous to fixing a leaky dam

June 13, 2010 6 comments

I’m always trying to find new and innovative ways to explain the realities of computer security and hacking to people. It’s not that easy. Many people’s perspectives and ideas are “hard coded” into their minds, so they are very resistant to accepting new ways of looking at the problem. I hope you’re not one of those people.

I’m sure everyone recognizes that a leaky dam is a problem. When a hole appears, it needs to be fixed. The people maintaining the dam will come up with innovative ways to prevent leaks, such as self-sealing coatings or reinforcing certain weak spots. But water is very powerful and sometimes a hole appears despite these measures. Those maintaining the dam will implement a special leak detection system and hire a staff to monitor the system 24 x 7, so they can respond to leaks in an expeditious manner, to prevent a leak from getting bigger. But the bottom line is that leaks are still developing. Countless time, money and effort will be spent trying to prevent, detect and fix leaks, but does anyone ever stop and think that perhaps they are going about solving the leak problem in the wrong way?

Read more…

Windows will never be secure because of major design flaws

June 11, 2010 6 comments

Let me first start off by saying that I like Microsoft Windows. I started with Windows 3.11 and have been using the entire Windows product line ever since. I’ve also developed quite a number of personal, public and enterprise applications on Windows using a variety of languages and development tools. I wouldn’t give it an “A”, because I’m not happy about certain things, but it has served my needs and the needs of organizations where I’ve worked. From a functionality standpoint, it gets the job done.

Unfortunately, from a security standpoint, I have to give Windows an “F-”. A nice big “F-” written in red ink with a circle around it. Why? Allow me to explain.

Read more…

Video: Cybersecurity Discussion with General Keith B. Alexander

It’s important that you listen to all of this with a critical ear. A lot of important information is disclosed and there is much that can be garnered by reading between the lines. This is just a taste of things to come.

Jun 3, 2010
Duration: 55:27

The Center for Strategic and International Studies (CSIS) hosted an event with keynote speaker General Keith Alexander, Director of the NSA, Commander of U.S. Cyber Command. General Alexander spoke about cyber security and USCYBERCOM.

Click here to watch the video

Click here to download the transcript

Looking at hacking and security from a different perspective

June 6, 2010 1 comment

From a hacker’s perspective, what we refer to as “security” is nothing more than a collection of technical obstacles that can be overcome by careful research and planning. These obstacles can be overcome by attacking devices over the network, obtaining physical access to a device, or socially engineering users into taking actions that result in a compromise. Convincing users to open an email or attachment, go to a Website, insert a CD/DVD, install an application, attach a USB device, or divulge password information, are all proven means to compromise a system. After a compromise is achieved, a hacker will attempt one or more of the following actions:

Read more…