Displaying the information which is useful for your friends to search you online is equally important to limiting the visibility of the information which is more personal, which let the hackers hack your page quiet easily. Following are the few tips which helps you to make you profile page of Facebook more secured.

Besides, all the privacy setting you made for your profile there are few things which cannot be hidden by any user, that is they will be displayed for every profile. They are called as Publicly Available Information (PAI) according to Facebook, which includes full name, profile picture, gender, and networks. These things are commonly visible to any facebook user.

However, you can reduce the visibility of the remaining information by making the necessary settings. Let us see how to choose the options that makes your profile more secure.

• It is always better to use your full names which are hard for others to guess, but are easy for friends to recognize. It also limits the search results related to your usual name. Coming to the settings, ‘Search for me on facebook’ is available so that you can choose the people who can search for you. It is better to go for ‘Friends only’ if you want yourself limit to your friends.
• ‘Send me friend request’ – this option doesn’t make much difference because unless you accept the request of that person you cannot view your information. So, choose ‘any/every one’ or ‘friends of friends’ since the final decisions rests on you.
• ‘Send me a message’, ‘See my friends list’, ‘See my education and work’, See my interests and other pages’- reserve these rights only for your friends by choosing ‘Friends only’ in order to make your information more secure.
• Finally ‘see my current city and home town’ – it is better to choose ‘only me’ or not entering that info is better.

These are the few recommendations which can help you secure your account.

Related Links:
Facebook covers

Not dealing seriously with passwords
Everyone knows that passwords are important. Yet most of them fail to create or maintain them properly. It might be because of the ignorance on the importance or on how to maintain them properly. Whatever may be the reason, the most common blunders to avoid while dealing with passwords are:

• Creating easy-to-crack passwords
  Hackers use ultra password cracking technologies. Not creating longer and complex passwords, is actually equal to helping the hackers crack in to your account.
• Easy to guess password recovery options
  Many websites use security questions to help people recover their password in case they lose it. Using simple questions like birth date, pet’s name which are either easy to guess or are visible openly on your social networking account, is another major blunder to avoid while dealing with passwords online.
• Using the same password for multiple online accounts
  Same passwords for all online accounts are as safe as the weakest passwords. If one password is cracked or stolen, the chances for hacker to procure other online accounts of the user are high.

Getting lured into fascinating or controversial news
Malware authors know that people naturally are more interested in fascinating news or controversial rumors, and plan new attacks that are targeted specifically towards this crowd. This is called SEO poisoning. It’s estimated that more than 10 percent of search results for Google’s highest-ranked web sites are malicious sites.

Failing to update Microsoft Windows OS / Java / Adobe Reader / Adobe Flash
Updates are provided for software in order to patch-up security vulnerabilities in them. Especially, Windows, Java, Adobe Reader, Adobe Flash remain the most exploited software applications due to their vulnerabilities. Failing to update these leaves the PC potentially vulnerable for malware attacks.

Opening an email attachment / Clicking on a link in an email – from someone you don’t know
According to a recent report released by Symantec, spam now accounts for 78.6% of all email traffic in US and 75.7% of all email traffic, globally. Opening email attachments from unknown user may deploy malware into your PC. A link on a spam email may direct you to a spoofed website.

Checking the “Remember Me” box in public PCs
This option saves cookies and login details of the user in the browser, until he signs-out manually. Thus, if the user checks back into the site later anytime, he doesn’t require to provide login details again, to access his account.

However, while using public PCs, enabling this option is equal to providing your login details to the any user of that PC, who can check back at any time and access your account.

Leaving Facebook privacy settings unchecked
Facebook is recently in the news for hacking of its CEO’s fan page. The most popular social networking site, Facebook, has many users who are not aware of its security features or privacy settings. Your personal information will be available for everyone to see if you leave privacy settings unchecked on Facebook.

Using BitTorrent sites to download copyrighted content
Downloading illegal software from BitTorrent sites can expose your computer to Trojans and Spyware.

Playing free online games
There are many malicious websites online that lure users by providing free online games. Don’t play online games on unreliable websites. Also be cautious when asked to download free games.

Connecting to unknown wireless networks
Many people log into unknown (private) wireless networks at public places like airports and hotels. These networks can be potentially harmful. Always be sure that you are logging into known (private) wireless networks only.

These are the most dangerous online activities. Proper awareness and efficient precautions are required to stay away from committing those mistakes and stay safe and secure online.

Related Links:
IT Contractor
ad serving
oracle vm
wan optimization

Few instances here will tell you how dangerous can a small USB drive be:

• According to research from Avast, roughly one in eight of the 700,000-plus malware incidents it identified in 2010 were due to tainted USB devices.
• Security consulting and research firm the Ponemon Institute, found that more than 800,000 data-sensitive devices, including USB drives, portable hard drives and laptops, were compromised in 2009.
• The top two virus threats reported by BitDefender, are actually spread through USB drives.
• According to research by Panda Security, a whopping 25 percent of malware today is developed to spread through USB devices.
• Recently, an assistant professor and his student at George Mason University, demonstrated how Operating Systems fail a USB Attack. They just used a smartphone connected to a PC through a USB cable and were able to hack it. The professor simply credited his successful exploit to the USB protocol which does not ask for authentication when an unknown device connects to a computing platform.

These are only a few instances on what an infected USB drive can do.

USBs – a threat for Corporate Networks
An employee can simply bring in an infected USB drive to office, knowingly or unknowingly, and connect it to his system and get it infected. The system then spreads its infection to other PCs over the network. A research report from Avast says that more than 60 percent of all malware in circulation can be spread via USB drives. To corporate networks, notorious USB devices are not just confined to spreading malware. They simply offer a way for indiscernible data stealing.

Precautions and necessary steps to be secure
The situation today isn’t so worse that the USB drives would simply force the users to face the threats they impose. It requires just a few changes in the default settings of USB ports to eliminate the hazards of notorious USB drives. Few of them are as follows:

• Disabling autorun option (Windows PCs)
• Blocking unauthorized USB devices
• Maintain personal and business USB drives separate. So that you don’t contaminate your office network from threats outside.
• Do not plug an unknown USB drive into your computer. This is a simple precaution but works best.
• As prevention is better than cure, you can just block USB drives on your computer/laptop (through registry key settings in Windows OS) permanently and use alternatives.

Most people, who are new to the online world, have lack of knowledge on setting up a strong password for their online accounts. But the increasing cyber crime can easily trace the passwords. And the results can be as terrible as the attack on Microsoft’s Hotmail and other web-based email services. A recent survey on these missing passwords revealed that many of the accounts had easy-to-guess passwords and the most frequently used password among these was “123456″.

Some general methods that attackers use for identifying a victim’s password include:

• Guessing—The attacker tries to log on using the user’s account repeatedly by guessing probable or expected words and phrases like their children’s names, their birth city, and local sports teams.
• Online Dictionary Attack—The attacker utilizes an automated program, which consists of a text file of many words. The program frequently tries to log on to the target system by testing a different word present in the text file on each attempt.
• Offline Dictionary Attack— It is similar to the online dictionary attack, the attacker extracts a copy of the file in which the hashed or encrypted copy of user accounts and passwords are saved and runs an automated program to find out what password is used for each account. This type of attack can be finished very quickly if the attacker gains a copy of the password file.
• Offline Brute Force Attack—This is a modified form of the dictionary attacks, and designed to discover passwords, which are not present or available in the text file used in those attacks. Even though a brute (very strong) force attack can be tried online, because of network bandwidth and latency they are generally attempted offline utilizing a copy of the target system’s password file. In a brute force attack, the attacker utilizes an automated program, which produces hashes or encrypted values for all possible passwords and analyzes them with the values in the password file.

Microsoft suggests that the use of strong passwords can slow or sometimes break the various attack methods. This shows the importance of having a strong password.

Creating a Strong password:

Passwords are case-sensitive and may be as long as 127 characters. A strong password:

• Should never consist of user name.
• Should be minimum of eight characters long.
• Should compulsorily include both lower case and uppercase alphabets (minimum one from each group is suggested).
• Should consist of minimum one number (0 to 9).
• Should consist of at least one symbol. (Eg: *, ^, $, #)

A string, which has all the above characteristics, is known as strong password. A complex password should not be something, which is difficult to remember. Forgetting a strong or complex password, which is difficult to remember, is as harmful as getting attacked by a weak password.

The password created must be easier to remember but difficult for anybody to guess. It can also be a favorite phrase or quotation or mixture of two words. Substitutes for alphabets can also be used to satisfy the above criteria for a strong password. For example ‘a’ in password can be substituted with ‘@’, similarly ‘i’ can be replaced with ‘!’; and ‘o’ with ‘0’ or ‘()’.

It is a good practice if password is changed periodically like monthly or quarterly.

KeePass is an open source utility that works on almost any platform, including your smartphone ( Clients available for Windows, Ubuntu, Linux, MacOS X, J2ME (Cell Phones), Blackberry, Windows Mobile and more). You can store your passwords in a password protected and encrypted database and use the passwords when needed. It will even generate a complex password for you. KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithms to encrypt its password databases. There are many plugins available that will allow things like filling forms, onscreen keyboard, etc.

Click here for more information on Keepas.

Keepas Demo Screenshot

Source: http://vjalagam.blogspot.com/2009/09/keepass-opensource-password-safe.html

Related Links:
Wan optimization

The superficial flaw is in the browser’s security User Interface (UI) that is insufficient to deal with today’s strong threats. There are 3 parts for secure authentication: first,indication that the connection is in authenticated mode,second, the site which the user is connected to and third,which authority says it is the site that it claims to be.

Secure Connection: The user easily misses the padlock that was the standard display for secure browsing from the mid-1990s to mid 2000s. Mozilla featured a yellow URL bar in 2005 as a better indication that the connection is secure. However, unfortunately, this innovation was then reversed due to the EV Certificates, which replaced high value certificates with a green display and the rest with a white display.

Which Site: The user is expected to be sure that the domain name in the browser’s URL bar is in fact where they wanted to go. URLs can be too complex to be parsed and users often do not know or recognize the URL they intend to go making authentication meaningless. Many e-commerce sites will change the domain names within the overall set of websites making it harder for the user to trace himself. Also simply displaying the domain name of the visited website as some anti-phishing toolbars do is insufficient.

Firefox offers an alternative- a pet name extension which lets users type in their own labels for websites that they can recognize when they later return to the website. In addition, if the site is not recognized then the software warns the user or detects it outright. This symbolizes the user-centric identity management of the server. A graphical image selected by a user could be a better identification.

With the introduction of EV Certificates, browsers display the organization’s name in green making it more visible ad hopefully more consistent with the user’s expectations. But then the browser vendors have limited this display to only EV Certificates, leaving the user groping in the dark for other certificates.

Who is the Authority As far as the user is concerned, the browser is the authority at the simplest level since no authority is stated at this stage. The current practice is for the browser vendors to control a root list of acceptable Cas. The problem is that all Certification Authorities (CAs) employ neither good nor applicable checking. In addition, neither do all CA s subscribe to the same model and concept that certificates are only about authenticating web sites or e-commerce organizations. Certificate Manufacturing is the term given to low value certificates that are delivered on a credit card and an email confirmation, which can be easily perverted by fraudsters. Thus, a valid certificate issued by another CA may spoof a high value site. This could happen because the CA is in another part of the world and it is unfamiliar with high value e-commerce sites. Nevertheless, since the CA is charged with protecting its own customers and not the customers of another CA there is an inherent flaw in this model.

The solution to the above problem is that the browser should show and the user must be familiar with the name of the authority that issues the certificate. This projects that the CA as a brand and allows the user to come in contact with the handful of CAs in their country. The use of brand provides the CA with an incentive to improve their checking and the user would demand good checking for high value sites.

This solution was put into action in early versions of IE7 when displaying EV Certificates where the issuing CA was displayed. Nevertheless, this turns out to be an isolated case. There is resistance for branding CAs on the chrome resulting in a fallback to the simplest level above: the browser is the user’s authority.

However, we need to update our plugins as soon as a new version is available. Updates of these plugins will not only cover new features of the plugin, but also will address some vulnerability to security threats during browsing. Many people ignore it as it takes little time (a matter of no more than 2 minutes) for the plugin to update and restart the browser. This increases their risk to security threats online like malware, viruses, botnets, etc.

How to check if your plugin is up-to-date? Just click here or copy paste this URL in your browser https://www-trunk.stage.mozilla.com/en-US/plugincheck/.

The window that opens will let you know the status of your plugin.

• Green indicates that your plugin is up-to-date.
• Yellow indicates outdated but without known vulnerabilities.
• Red indicates that the plugin is known to have security holes and is outdated.
• Don’t worry about the Grey colored plugin.

Update your plugin frequently for safe and better browsing.

]]> http://cyber-smarty.com/2009/10/how-safe-are-you-browsing-with-firefox/feed/ 0 http://cyber-smarty.com/2009/09/phishing-types-and-precautions/ http://cyber-smarty.com/2009/09/phishing-types-and-precautions/#comments Fri, 11 Sep 2009 06:43:23 +0000 cyber-geek http://cyber-smarty.com/?p=58 The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication is known as Phishing.

Types of Phishing
Phishing is usually carried out by email or instant messaging and it often directs users to enter details at a fake website, which is similar to the legitimate one. Since the fake website is similar to the original one, it requires tremendous skill to determine whether a website is fake or not.

1. Misspelled URLs: Phishers use some sort of deceptive techniques, which design a link in an e-mail (and the spoofed website it leads to) apparently belong to the spoofed organization by using misspelled URLs or of sub-domains. Sometimes the phishers make the anchor text for a link appear to be valid, whereas the link actually goes to the phishers site.
2. Whaling: Phishing attacks directed specifically at senior executives and other high profile targets within businesses is known as Whaling.
3. Image Phishing: Phishers have also used images instead of text to make it difficult for anti phishing filters.
4. Cross site scripting: An attacker can even exploit flaws in the original website’s script against the victim making it even more difficult to detect since everything from the web address to the security certificates seem to be original. This technique is known as cross site scripting.
5. Phone Phishing is the case where in a customer gets a call asking him to call back to discuss his problems while accessing his bank accounts. The person then is trapped into giving his sensitive information such as credit card information and the like.

Measures to counter phishing
People need to change their browsing habits when it comes to phishing. For example, when asked to reveal their sensitive information they should directly contact the company to make sure the mail is genuine and shouldn’t fall prey to mails that address them as “Dear Customer”. Paypal, for instance makes it a point to address the users by their usernames.

One of the major flaws of the user is the Click-through syndrome where he treats any pop-ups as a case of misconfiguration and proceeds with his work without heeding to the warning of the computer.

Related Links:
Umbrella Company

However, online shopping has some concerns and risks associated with it. A lot of these risks are basically people dependent and can be prevented by being a little vigilant and following some basic precautions.

Precautions to keep online shopping secure:

Selecting a website: It is little difficult to check for a reliable website for shopping online. As we know, creating a website is quite easy has no restrictions. One must make sure that the website that they are transacting with is reliable. Always opt for buying from companies you already know. If you are planning to buy from an unknown website, start with smaller orders till you are contented with their service and reliability.

The URL of the website also helps you to find if the website is reliable or not. It should start with https://. The “s” that is displayed after “http” indicates that Web site is secure. Often, you do not see the “s” until you actually move to the order page on the Web site.

Checking if website is secure: Make sure the website is consistent on security grounds. The company may be reliable, but if it has no proper mechanism to secure their customer’s information from hacking, it is troublesome. Try to find if the merchant stores your data in encrypted form. Be sure to read privacy and security policies of the website before providing your personal information to them.

Checking for its reputation: Though there is no good logic to prove relation between reputation and reliability, reputed businesses cheat very rarely. Thus, it is good to go with the reputation of the website before doing business with it. You can check this with the help of search engines. Reputed businesses often have first page search listings.

Checking for its usability: Usability of the website helps you to attain certain knowledge on its credibility. Popup windows are always troublesome while doing the transaction in any website. Stay away from popup windows, and if possible, from the sites which allow them.

Run Antivirus Software: Before doing any online transaction one must update their antivirus software, which can help you to stay secure from unwanted cookies and applications.

Reveal Only the Bare Facts: It is common for any online merchant to ask you to signup before ordering a product. However, make sure you disclose only data which is mandatory and makes sense to provide. You do not require providing your social security number to any eCommerce merchant. If the site is trying to push you on edge to get too much information, it is recommended to simply leave the website.

Rechecking: Before doing or finalizing payment to the merchant make sure that the shopping cart has all and only the products that you have selected. You can add or delete any product only at this stage.

Payment Options: When it comes to payment options for purchasing online, there are many options like credit cards, debit cards, cash and cheques. Of all these options, credit cards are the safest option for purchasing online. It is recommended to have a separate credit card for e-commerce purchasing so that it will help in tracking dissolute credit charges easily.

Recheck again: After the transaction is complete, recheck for transaction details. Try to record them if possible. Finally, don’t forget to sign off from the site.

Online shopping is a trendy boon for shoppers, only if they are cautious during the transaction.

Related Links:
Automotive marketing
Wan optimization