New security features for Evernote

This comes courtesy of Dan Bowman: If you’re an Evernote user (I’m not, at least not yet), it now has three new security features, including the all-important two-factor authentication. Those of you who rely on Evernote would do well to look into enabling two-factor authentication, at the very least.

Why your favorite web site’s password strength meter is full of hooey

What happens when you talk three password crackers into doing their worst to a leaked database of 16,000 passwords and then talk to them about it?

You learn a lot, and we can learn a lot from their experience as well. “qeadzcwrsfxv1331” isn’t a good password. Neither is “Philippians4:13.” Neither is “correcthorsebatterystaple.” Neither is “Qbesancon321” or “Qbe$@ncon321.” Password guessing has too much intelligence built into it now.

And not only that, by continuing to use the password “popcorn,” you make it easier for those guys to guess other passwords too. Read more

What keeps a good security guy from turning to the dark side

I’m reading the excellent Blackhatonomics right now. And one thing I read in it reminded me of a question that someone asked me last year. I was probably the third or fourth guy with an advanced security certification he’d met, and he asked me one day what it is that keeps us from turning criminal.

I said, “Well, for one thing, good guys have much longer careers.”

I didn’t cite a specific example, but Blackhatonomics cited the case of Albert Gonzalez, the infamous hacker convicted of breaking into TJX, Dave & Buster’s, and others. His crime spree, which ended when he was captured in 2008, netted him $2.98 million.

He was convicted in 2010, and had to give back what was left of his fortune, and now is serving 20 years in a minimum-security prison.

I like my approach better. Read more

Use Audacity to sneak an extra podcast in each week

If you don’t mind your podcasts sounding like chipmunks, you can shave 10-15 minutes off their length by loading the MP3 into Audacity before sneakernetting it to your car. Simply download and install Audacity, install LAME for MP3 support, then, when you download your podcast, load it into Audacity, select the “Effect” menu and choose “Change Speed,” then enter 20% and click “OK.” You may need to experiment a bit. Then save the file to your MP3 player or USB media and you’ll have it for when you’re on the go.

The benefit, of course, is that if you can keep up with it, those 60-minute podcasts drop down to more like 45-50 minutes, so in theory, if you listen to five of them per week, you can get a sixth one in.

Deconstructing my conversation with “Computer Maintenance Department”

My tell-all about my encounter with “Computer Maintenance Department” was a little heavy on the jargon yesterday. It occurs to me that explaining what some of the terminology means, and the problem with their reasoning, may be helpful. I’ve also heard a few questions through various channels, and I think those are worth answering. Read more

This “Computer Maintenance Department” sure doesn’t know much about computer maintenance

“Peggy” from “Computer Maintenance Department” (1-645-781-2458 on my caller ID) called again. Lots of people are aware of these phone calls. They call, make vague claims about receiving a report that your computer is running slow and giving you errors, and are very careful not to say who they are or who they work for. Usually I just do whatever I can to get them off the phone.

But after having lunch with some other computer security professionals last week, a couple of them talked me into finding out how these guys operate. So I fired up a PC that turned out to have a real, legitimate issue. After resolving that issue myself, I turned the caller loose on my semi-functional PC so I could see what these scammers actually do. He had me connect to Teamviewer.com and run their remote access software. I followed his instructions, watched him connect, then slyly unplugged my network cable.

When my network connection dropped, “Peggy” quickly transferred me to a “senior technician” who used the name “Roy.” Read more

How I accidentally found a way to mess with “Peggy”

“Peggy” from “Computer Support Department” just won’t give up. He called me again at about 8 PM this evening. This time, I played along. I had a thrift-store junker PC for him to infect with his malware. The only problem was, the hard drive wasn’t connected and neither was the power cord. So I quickly hooked all that up, booted up, and then played along.

“I want you to click on Internet Explorer.”

“OK.”

“What do you see?”

“Page cannot be found.”

Thus I learned that Peggy isn’t very good at troubleshooting network issues. Read more

Antivirus progress

When Microsoft Security Essentials first came out, it was an improvement in antivirus performance. Now, it’s middle of the pack, according to PC Magazine. That’s great. Vendors are finally taking performance seriously.

What that means is that by replacing MSE with F-Secure Anti-Virus 2013, Kaspersky Anti-Virus (2013), Sophos Anti-Virus 10.2, ESET NOD32 Antivirus 6, Norton Antivirus (2013), Avast Free Antivirus 8, or Bitdefender Antivirus Plus 2013, you can speed up your computer. Considering Norton Antivirus was once bottom-of-the-barrel in the performance arena, I see this as a good thing.

Of the bunch, Avast is the only freebie. Though if your ISP offers one of the others as part of your subscription, or you don’t mind paying for antivirus, the others are an option. But maybe, just maybe, if I replace Microsoft Security Essentials with Avast, Peggy will quit calling me at dinnertime and telling me my computer is slow. But I doubt it. Read more

The NSA’s guide to finding things on the Internet is available now

A wonderful NSA document called Untangling the Web, thanks to a FOIA request, is now available and free for all to download and use. Although dated, the book will prove highly useful. If your company or client is exposing data that it shouldn’t to the public Internet, this book will help you find it, so you can correct it.

The copy isn’t perfect. It’s a bit dated, and it’s a straight scan to PDF, so it isn’t searchable, and it’s not the clearest, cleanest copy. I’m cleaning up a copy for my own use right now. I expect to use it, and often. It isn’t a document I’ve been privileged to see before, so I’m excited to have a chance now to study it and learn its techniques. Read more

“Computer Maintenance Department” called me again from India

So, “Peggy” from “Computer Maintenance Department” called me again last night. This time I decided to mess with him a bit more. This is the second time.

(No, “Peggy” wasn’t his real name, nor did he identify himself as “Peggy,” but that’s the name I’ll use, thanks to that old Discover commercial.)

Read more