• No matter the size of a business, websites are essential. They are an excellent way to connect with customers and clients, market, network with other businesses, build your brand, and build credibility. When customers reach a business website, they expect to find one that is smooth, reliable, quick, easy to navigate, and secure. In fact, the most important aspect of any business website is its security. This is especially true for business websites that sell items and services or collect personal information. If the website is not secure, then customers will not feel safe, which can potentially cause serious damage to revenue. Not to mention that it can kill the credibility of a business if your site gets hacked and all of the customers’ personal information is stolen. Check out the following ways you can improve the security of your business website:

    Make Sure You Are Using Up-to-Date Software

    One of the biggest mistakes businesses can make with their website is to use software that is not up to date. This means that hackers are more likely to be aware of ways to get into the site and take advantage of the software. Additionally, outdated software can cause conflicts with other programs that you use on your site, which can cause the site to crash or increase vulnerability. As soon as the software offers an update, install it right away.

    Are You Using a Secure Host?

    Perhaps when you first started your website, you did not give too much thought as to who would host it and what their security was like. Choosing which company hosts your website is actually a very important step. You want to pick one that puts an emphasis on security and follows all of the current security protocols and measures. Additionally, your hosts should be backing...
  • Top Spyware Prevention and Removal Software That Could Save You A Lot of Trouble

    Part of being a responsible computer owner is ensuring your anti-virus and antimalware software is up to date. You would not go to bed without locking the doors, would you? The same goes for your computer: you do not want to leave it open for hackers and identity thieves to steal your information. It can be hard to narrow down the choices for spyware prevention, which is why we have provided a list of the top spyware prevention and removal software available.

    Bitdefender

    Bitdefender is rated the number one antispyware software currently available on the market. It will protect your laptop or computer from malware, ransomware, and hackers. The software can do all of this without slowing down your operating system and while allowing you to continue working on your projects. If you want extra security, Bitdefender offers a web browser that has an extra layer of security in case you want to make a large purchase with a credit card online or need to use your Social Security number. When using this browser, you can ensure all of your personal information will stay safe.

    Kaspersky

    Kaspersky will protect your laptop and computer against spyware and malware. This is a well-known brand that is known for making high quality anti-virus software and is continuously putting out top products. The software provides detection and removal tools so your computer will not become infected to begin with. If your laptop already has a virus or malware, this software will hunt it down and eliminate it.

    Avast

    Avast will protect your machine from spyware, Trojans, malware, viruses, and keyloggers. In addition, you also receive file scanning, safe browsing, and chat protection all included with the price. The downside to...
  • August 29, 2014

    Dairy Queen Confirms Data Breach

    A Dairy Queen breach was recently revealed by Brian Krebs, who runs the website Krebs on Security. When Krebs initially uncovered evidence of the Dairy Queen breach, the company was unwilling to believe that their customers’ debit card and credit card information had been stolen. Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters. The U.S. Secret Service contacted Dairy Queen regarding “suspicious activity” related to malicious software called Backoff. A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions. Dairy Queen says it is still investigating and working with authorities, and does not yet know how many stores may be impacted. Oddly enough, there is no mention of the breach on the official Dairy Queen website. The company does not know how many of their own locations were impacted, but they were working with authorities on the issue.
  • Jonathan Zdziarski gave a great presentation at HOPE this year that I think anyone with an iOS device should read.

    “Jonathan Zdziarski is considered to be among the foremost experts in iOS related digital forensics and security. As an iOS security expert in the field (sometimes known as the hacker NerveGas), his research into the iPhone has pioneered many modern forensic methodologies used today, and has been validated by the United States’ National Institute of Justice. Jonathan has extensive experience as a forensic scientist and security researcher specializing in reverse engineering, research and development, and penetration testing, and has performed a number of red-team penetration tests for financial and government sector clients. He frequently consults with law enforcement and military on high profile cases and assists federal, state, and local agencies in their forensic investigations, and has trained many federal, state and local agencies internationally. He has written several books related to the iPhone including iPhone Forensics, iPhone SDK Application Development, iPhone Open Application Development, and his latest, Hacking and Securing iOS Applications.”

    – From Jonathan Zdziarski’s blog:

    In addition to the slides, you may be interested in the journal paper published in the International Journal of Digital Forensics and Incident Response. Please note: they charge a small fee for all copies of their journal papers; I don’t actually make anything off of that, but it does support the journal.

    DON’T PANIC

    Before the journalists blow this way out of proportion, this was a talk I gave to a room full of hackers explaining that while we were sleeping, this is how some features in iOS have evolved over the PAST FEW YEARS, and of course a number of companies have taken advantage of some of the capabilities. I have NOT accused Apple of working with NSA, however I suspect (based on released...
  • July 17, 2014

    Is Tor Traffic Secure?

    In the wake of Ed Snowden’s revelations there’s been a litany of calls for the widespread adoption of online anonymity tools. One such technology is Tor, which employs a network of Internet relays to hinder the process of attribution. Though advocates openly claim that “Tor still works” [1], skepticism is warranted. In fact, anyone risking incarceration in the face of a leveraged intelligence outfit like the NSA would be ill-advised to put all of their eggs in the Tor basket. This is a reality which certain privacy advocates have been soft-pedaling. Many of you have heard of or used Tor. When the NSA openly acknowledges the existence of Tor and the routing has been proven as corrupt several times, one should wonder what the true intent of Tor is and just who really created and proliferated Tor. While I have used Tor for some time, when you run a Wireshark scan while Tor is running you will find several interesting port pings. Also, when you run a whois on the network outlet ports around the world, you have no idea if the outlet port is any safer than you would be in the USA. So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA. Granted, if you are in a country where internet is restricted or limited to certain sites Tor is a huge asset, but in the USA you are simply sniffed, logged, and added to the database for the watch list. Cryptome has a great article today regarding Tor and security as well.
  • There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software. The new vulnerability could only be exploited to decrypt traffic between a vulnerable client and a vulnerable server, and the attacker would need to have a man-in-the-middle position on a network in order to do so. That’s not an insignificant set of conditions that must be present for a successful attack, but in the current environment, where open wireless networks are everywhere and many users connect to them without a second thought, gaining a MITM position is not an insurmountable hurdle. Researchers who have looked at the vulnerable piece of code say that it appears to have existed, nearly unchanged, in the OpenSSL source since 1998. OpenSSL released the Security Advisory (CVE-2014-0224) on their website today along with seven other security bugs.
  • How a Password Vault Can Save Your Business from Itself

    If you pass by a construction site where a new commercial building is going up, you can tell right away if it’s going to be a bank. While the work crews are still putting up the skeleton of the building, you can already see the steel-reinforced concrete cage that surrounds the vault on the ground floor. The security of the vault is created right from the start. Unfortunately, data security for businesses often doesn’t work that way. Despite the best efforts of IT pros, managing user access and password security is often a haphazard process that grows and evolves over time, rather than being built from the ground up. The good news is, you can improve data security at any point by implementing a password vault to protect your users and your business.

    A Password Vault — Because Sticky Notes Won’t Do

    A password vault aggregates your end users’ passwords — and thus their access to apps containing sensitive company data — in a single, secure location. This improves your data security from the perspectives of both the end user and the IT system as a whole. Your users probably want to do the right thing when it comes to network security. Typically, they understand the rationale behind establishing secure network access, using only approved applications, creating strong passwords, and all the rest of the requirements put forth by the IT department. But they’re also busy doing their actual jobs, so their sense of security tends to lose out to their desire for convenience. No doubt you’ve seen employees with sticky notes on their monitors that put all of their critical app logins and passwords in plain sight. (Worse, the passwords they use tend to be laughably easy to break,...
  • May 19, 2014

    Cryptocat Encrypted Facebook Chat

    Open-source chat-encryption tool Cryptocat announced its latest update, which includes full encryption for Facebook private messages, in a blog post Monday.

    “Cryptocat’s mission is to make encrypted chat accessible and easy to use. With Cryptocat celebrating its third birthday (already!), we’re happy to announce the new Encrypted Facebook Chat feature in the latest Cryptocat 2.2 update.

    Facebook Chat as a Cryptocat Buddy List

    Cryptocat can now log into your Facebook account for you, fetch your Facebook contacts, and if another contact is also using Cryptocat, you’ll be able to automatically set up an end-to-end encrypted chat. If a Facebook friend later logs in via Cryptocat, your chat will be immediately upgraded to an encrypted Cryptocat chat. Effectively, what Cryptocat is doing is benefiting from your Facebook Chat contact list as a readily available buddy list. As a complement to Cryptocat’s ephemeral group chat feature, Encrypted Facebook Chat lets you view which of your friends are online and allows you to immediately set up encrypted chat with them.”

    With Cryptocat offering free, easy encryption for everyone with its browser add-on, its user base is likely to grow pretty substantially. The tool works by reading users’ Facebook contact lists and turning them into Cryptocat buddy lists, and it requires both users in conversations to have the add-on installed. This isn’t a complicated process. Cryptocat launched three years ago, and it allows users to encrypt their online chat-room exchanges by means of a browser extension. It also offers a free iPhone application, enabling the encryption of messages sent via iOS, with an Android version on its way. Now users can enjoy genuine privacy while communicating via Facebook chat.
  • April 10, 2014

    Heartbleed Bug Information

    Dire warnings about Heartbleed, a serious internet security risk affecting millions of websites, are echoing across the internet today. It is described as a flaw in OpenSSL, the open source encryption technology used by the vast majority of web servers. The Heartbleed bug is a particularly nasty bug. It allows an attacker to read up to 64KB of memory, and the security researchers have said: “Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

    Alleged Yahoo user credentials visible due to Heartbleed (source: Mark Loman).

    The problem is fairly simple: there’s a tiny vulnerability — a simple missing bounds check — in the code that handles TLS ‘heartbeat’ messages. By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain:

      long-term server private keys
      TLS session keys
      confidential data like passwords
      session ticket keys