If someone hacks into your laptop or computer and it has a webcam, they can turn it on whenever they’d like. This video, based on a true story, should motivate you to cover your webcam:
One tech tip: don’t put tape directly over the camera, as I initially did, as it will leave sticky residue on your lens. Instead, put a piece of tape on each side of a piece of paper and place the paper part on top of the camera.
If you’re in the Victoria, British Columbia region, we’re going to start a community-based reverse engineering class, and you’re invited. Reverse Engineering is understanding someone else’s software well enough to be able to do what you want with it. You can follow the latest on the REclass page on the Ideas – Victoria wiki.
You don’t need any software or computer programming experience, but it will definitely help. You will have to be willing and eager to learn. You can do a search online for “introduction to computer architecture” and “introduction to assembly language” to get an idea of what to expect.
You might also watch on their Facebook page and/or Twitter account for updates.
UPDATE Feb 15: See the initial syllabus as presented by Guy: Reverse Engineering Brainstorm Session
One of the most common ways your computer gets compromised is by malicious scripts opened by your web browser. This means you go to a website that might look normal, but it’s doing bad stuff in the background that you don’t see, potentially giving the attacker full access to your computer. This is a particularly nasty problem: when you go to a site, you want everything to work as the website developer intended, but allowing all scripts on untrusted sites creates a risk.
The most popular way to avoid this is to block scripts by default, but take note that it moves the responsibility onto you to decide which sites to trust… or not.
There are various no script plugins, depending on your browser:
Once you have installed the plugin, restart your browser. You should notice a new icon or bar at the top or bottom of your browser for your new plugin. If you click that icon on any given website, you can allow scripts to run on that site, either temporarily (as long as your browser is open that session) or permanently. Don’t allow scripts to run on websites you’re not sure whether to trust. It’s better to be safe than to give a stranger full access to your computer!
Over the weekend, the University of Victoria’s new administrative building was broken into. A payroll server with the personally identifiable information (PII) of over 11,000 people was in the building, including social insurance numbers (SIN) as well as bank account information. I’ve been told there were no cameras or alarms in the area, and the information was not encrypted. If your organization handles personal information, let this be your final reminder to ensure that all personal information is encrypted both while in transit (transport layer) and on the computer (storage layer).
I was interviewed for over 30 minutes by CBC BC today; a few seconds made it onto the news. Check out this clip from the top of the 6pm news.
One of the tips I gave that didn’t make it in is to annually request a copy of your credit report. This is free to do once a year if you send your request in writing, and is the best way to determine if you’re a victim of identity fraud. When you do this, put it in your calendar as a reminder to make the request again a year from now.
UPDATE: Jan 13, 2012:
Saanich News is reporting that UVic will pay for $1.7M worth of credit report monitoring as a result of this breach. So if you’re thinking your organization can’t afford an organization like PrivaSecTech to protect the personal information of your staff and clients, this is another example of how being proactive would have cost less than 1% of the reactive cost. It costs you nothing more than an email or a phone call to see what we can do for your organization. We look forward to working with you to ensure this doesn’t happen to you.
What is your computer doing on the internet without your knowledge?
Does it ever seem like your computer is working even when you’re not telling it to do anything? Have you ever wondered if someone else is accessing your computer, or if your computer is transferring information over the internet without your knowledge? If you’ve never checked, it’s probably doing a lot of things, some of them not good! Viruses may be working, hackers could be connecting to your computer, and “legitimate” programs may be transferring information about you that you didn’t authorize.
How do I find out what programs are running secretly on my computer?
Here’s a quick and easy way to open a window onto what your computer is doing over the internet:
* For Windows, download and install TCPView
* For Mac OS X, go to Applications -> Utilities -> Terminal and run “lsof -i”
* For Linux, install lsof if it isn’t already there and run “lsof -i”
If you run one of those programs right now, you may see 50 or more entries in a long list. That’s a lot of communication going on between your computer and the internet without your knowing about it, isn’t it?
One item in the list you will see is a connection from your computer to TCP port 80 of privasectech.com (67.205.0.134), which is where this website is currently being hosted.
If you see the word “LISTEN”, that means it’s a program waiting for people on the internet to connect to it. Are you sure you want these programs running even when you didn’t tell them to?
How do I learn about what these unknown programs are doing?
The list you’re seeing shows the applications on your computer that are using the internet right now. The list also shows the “Remote Address”, which is where your computer is connecting to. If the remote address is a bare IP address, you can find out where or what that address is by doing a reverse DNS lookup on it.
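To show how a practitioner reads the “lsof -i” list described above, here is an added example (not code from the original post) that parses a constructed sample of lsof output, separates the LISTEN sockets from outbound connections, and resolves remote addresses with a reverse DNS lookup. The sample lines, process names and the 203.0.113.5 address are constructed for illustration; only 67.205.0.134 comes from the post.

```python
import re
import socket

# Constructed sample of `lsof -i -n -P` output (not captured from a real host).
# -n/-P keep raw IPs and port numbers so the columns are stable to parse.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       1021  root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
firefox    2210 alice   57u  IPv4  23456      0t0  TCP 192.168.1.10:51234->67.205.0.134:80 (ESTABLISHED)
unknownd   3301 alice    4u  IPv4  34567      0t0  TCP 192.168.1.10:51300->203.0.113.5:4444 (ESTABLISHED)
cupsd       900  root    8u  IPv6  45678      0t0  TCP [::1]:631 (LISTEN)
ntpd        700   ntp   16u  IPv4  56789      0t0  UDP *:123
"""

# NAME column: "<local>[-><remote>] [(STATE)]"; NODE column carries TCP/UDP.
NAME_RE = re.compile(r"^(\S+?)(?:->(\S+))?(?: \((\w+)\))?$")

def parse_lsof(text):
    """Turn lsof -i output into a list of dicts, one per socket."""
    rows = []
    for line in text.splitlines()[1:]:       # skip the header row
        fields = line.split(None, 8)          # NAME may contain a space
        m = NAME_RE.match(fields[8]) if len(fields) == 9 else None
        if not m:
            continue
        local, remote, state = m.groups()
        rows.append({"command": fields[0], "pid": int(fields[1]), "user": fields[2],
                     "proto": fields[7], "local": local, "remote": remote, "state": state})
    return rows

def listeners(rows):
    """Sockets waiting for inbound traffic: TCP LISTEN, or a bound UDP socket."""
    return [r for r in rows if r["state"] == "LISTEN"
            or (r["proto"] == "UDP" and r["remote"] is None)]

def remote_addresses(rows):
    """Distinct remote IPs (port stripped) this host is currently talking to."""
    return sorted({r["remote"].rsplit(":", 1)[0] for r in rows if r["remote"]})

def reverse_lookup(ip):
    """The 'resolve the DNS' step: PTR lookup, None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    rows = parse_lsof(SAMPLE)
    for r in listeners(rows):
        print("LISTEN", r["command"], r["pid"], r["proto"], r["local"])
    for ip in remote_addresses(rows):
        print("REMOTE", ip, reverse_lookup(ip) or "(no PTR record)")
```

Run it against real output by piping `lsof -i -n -P` into `parse_lsof`; a process you do not recognise holding a LISTEN socket or a connection to an unfamiliar address is what the post is asking you to look for.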
Next week, I’ll show you how to identify exactly what all those programs are, and how to stop, remove or gain control of them.
If you want this done for your organization in an automated fashion, with reporting as part of an internal audit, this is a service that PrivaSecTech.com provides.
While working in information security for the largest company in Canada, I realized there was no one internally, actively attacking the password database to see what passwords could be cracked. After raising this concern, I became the prime for resolving this.
There are a lot of password crackers out there that anyone can download for free. How fast you can crack passwords depends on the processor power you have, how optimized your cracking algorithm is, and your keyword database. I built a pretty monster database, using many languages as well as popular keystroke patterns like qwerty or bhunji. When I was finally ready to start cracking passwords, I was able to crack (decrypt) thousands in the first hour, and if I recall correctly over 9,000 in the first day alone. This means if someone steals the encrypted password database from any website you frequent, they can run the same tools on that database to find your password.
The two questions I hope you’ve asked yourself while reading this are “How hard is my password to crack?” and “If someone cracked my password, what other sites could they use it on?”
In order to determine how hard your password is to crack, there are a lot of tools out there, but I’ll recommend you try howsecureismypassword.net. But before you do, I have no affiliation with this website! This means you should not trust it, it could be a phishing attempt (they could be logging the passwords you enter, and trying them on Gmail or Facebook for example). Don’t use any of your real passwords, but enter a few dozen different passwords, to get a general idea of how hard a password is to crack. I wouldn’t recommend using anything that would take less than 100 years to crack, as this site shows how long it takes with a single desktop PC. Advanced attackers have a lot more resources than a single computer.
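As an added example (not the post’s code, and not the algorithm behind howsecureismypassword.net), the script below estimates how hard a password is to crack the way the post frames it: a wordlist and keyboard-pattern check first, then worst-case brute-force time against the password’s character set, compared for a single desktop PC and a much better resourced attacker. The guess rates and the mini wordlist are illustrative assumptions.

```python
import string

# Assumed guess rates in guesses/second, for illustration only: a single
# desktop PC versus a well-funded attacker with a GPU cluster.
RATES = {"single desktop PC": 1e8, "GPU cluster": 1e12}

# Constructed mini wordlist standing in for the multi-language dictionary and
# keyboard patterns (qwerty, bhunji) the post describes.
WORDLIST = {"password", "secret", "letmein", "qwerty", "bhunji", "asdfgh", "123456"}

def charset_size(pw):
    """Size of the smallest standard character-class mix that contains pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in pw)) or 1

def dictionary_hit(pw):
    """True if pw is a wordlist entry, possibly with a digit/symbol suffix or
    reversed; crackers apply such rules long before brute force."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core in WORDLIST or core[::-1] in WORDLIST

def brute_force_seconds(pw, rate):
    """Worst case: enumerate every string up to len(pw) over pw's charset."""
    n = charset_size(pw)
    keyspace = sum(n ** k for k in range(1, len(pw) + 1))
    return keyspace / rate

def assess(pw):
    """Years to crack per attacker profile; 0.0 when a wordlist rule finds it."""
    if dictionary_hit(pw):
        return {name: 0.0 for name in RATES}
    year = 365.25 * 24 * 3600
    return {name: brute_force_seconds(pw, rate) / year for name, rate in RATES.items()}

if __name__ == "__main__":
    for pw in ("qwerty123", "drowssap", "Tr0ub4dor&3xyzQ"):
        print(pw, {k: f"{v:.3g} years" for k, v in assess(pw).items()})
```

The 100-year threshold in the post is only meaningful against the attacker profile you assume; the same password that clears it against one desktop PC can fall well under it against the GPU-cluster rate.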
Sometimes when an organization has its encrypted password database stolen, it is published online for others to crack. If someone cracks your password for one website, where else can they use it? I hope nowhere. One idea is to have a dynamic password on every website you go to. For example, say my base password was secretpassword%^&. I could then add something in the middle for each site I go to. Let’s say I choose the first 3 letters of each site I go to, after the http://www. part, and put those 3 letters in the middle of the password. I would have secretpasswordfac%^& for Facebook and secretpasswordgma%^& for Gmail. A clever attacker might recognize the fac or gma, so maybe you reverse those letters. Hopefully you get the point: find a base password that would take a long time to crack, and then add something unique to it on an individual site basis that is not visually obvious.
If you want to try password cracking your own encrypted passwords on your personal computer, check out this list of password crackers that are free for anyone to download.
It’s not often we’ve given Google credit for privacy or security steps, but this week is one of those times. Following the steps by Facebook and Twitter that we announced back in May, five months later Google has just announced they are now offering SSL searches! Mind you, this is a more significant step than that of Facebook or Twitter, as those involved in SEO/optimization will quickly realize that search keyword data is no longer provided to you as the web manager (they’ll provide you the top 1000 through their webmaster tools). And while optimization folks won’t be pleased, on behalf of the privacy and security community I would like to give credit where credit is due: thanks, Google!
Tech tip: both https://www.google.com and https://encrypted.google.com work now. Update all of your Google bookmarks so that others between you and Google can’t quietly see what you’re searching for anymore!
You may have read my comodogate article back in March, where I reported that the comodogate hacker, going by the name Ich Sun, told me “…there is a lot of vulnerable CAs, I got some other stuff”. Well, in the last 24 hours he claims to have been responsible for the DigiNotar compromise, and a few minutes ago he provided another update; in these updates he reveals that, as a 21 year old Iranian, he has compromised another 4 certificate authorities (CAs) as well as reverse engineered Windows Update (update your Windows here). What do these hacks do? He can impersonate any secure website he wishes, which includes impersonating Google and Gmail, and this has already been seen in the wild using these certificates. The certificate authority model that secures the internet as we know it today will change as a result of this, so it has some serious impact.
What can you do?
In an overwhelmingly scary move, the Vancouver Police Department and the Integrated Riot Squad have just launched a Vancouver riot tell-on-your-friends website. I’m not sure who in their right mind could think this is a good idea, but clearly no one that understands information security, personal privacy or civil liberties. The potential for abuse and false positives is staggering.