Fixing security settings

Since the day I got a new laptop I couldn’t access my online brokerage account. Maybe it was a sign that I should stop losing money, but I chose not to listen. I still wanted to log in to my account and at least see what was going on.

So I called technical support and asked what’s wrong. They were very nice and sent me a PDF that explains how I should ‘fix’ my Internet Explorer security settings (obviously they don’t support Firefox).

Here is the interesting part of what they sent:

IE security settings

When I saw it, I called them back and asked the guy if they were serious about these recommendations and if there was any other way to keep working online. The guy was very polite and told me he doesn’t know anything about computers and that he would ask someone to call me back. As of this minute, nobody has called.

Luckily, I use Internet Explorer only when I have no other choice, and that doesn’t happen too often, so ‘fixing’ my security settings does not affect my security too much. Unfortunately, if there is one site where I would really want the best security possible, it is my online stock account.


The Internet May Harm your computer!

I have just Googled some Securiteam pages. Can you imagine my shock when I saw the Google alert saying Securiteam can harm my computer?

Active Network Scanning Hacked

Isn’t that great?

Just before I pushed the panic button, I Googled one more term.

This is what I got:
Site Google Hacked

When I saw this one, I relaxed.

On regular days, when you see the message saying “This site may harm your computer”, it means that Google believes that this site may install malicious software on your computer.
Today Google’s Safe Browsing feature probably freaked out for some reason.

In any case, according to Google, the whole Internet can harm your computer right now, so be careful!

Update: Marissa Mayer wrote on the Google blog that the problem happened because the URL ‘/’ was mistakenly added to the ‘bad sites’ file, and ‘/’ expands to all URLs. She also wrote that the problem started at 6:27 a.m. and ended at 7:25 a.m. PST.
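To see why a bare ‘/’ entry takes the whole Internet down with it, here is an added example (mine, not Google’s code and not the real Safe Browsing list format) of a prefix-matched blocklist: the naive matcher treats an entry with no host as “any host”, so ‘/’ is a prefix of every URL, while the hardened version refuses to load entries that name no host and can be gated on a set of known-good canary URLs before the list is deployed. All hostnames and list entries are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample data for this example only: one made-up bad host and the '/' mistake.
BAD_ENTRIES = ["badhost.example/", "/"]
SAMPLE_URLS = [
    "http://badhost.example/download.exe",
    "http://securiteam.example/page",
    "https://www.google.example/search?q=test",
]
# Constructed canary set: URLs that must never be flagged by a freshly loaded list.
KNOWN_GOOD = ["http://securiteam.example/", "https://www.google.example/"]


def split_entry(entry):
    """Split a 'host/path' list entry into (host, path); '/' becomes ('', '/')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def url_parts(url):
    """Lower-cased host and path ('/' when empty) of a URL."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path or "/"


def naive_is_bad(url, entries=BAD_ENTRIES):
    """Weak matcher: an entry with an empty host matches any host, so the '/'
    entry (host '', path '/') is a prefix of every URL on the Internet."""
    host, path = url_parts(url)
    for entry in entries:
        e_host, e_path = split_entry(entry)
        if (e_host == "" or e_host == host) and path.startswith(e_path):
            return True
    return False


def validate_entries(entries):
    """Hardened loading step: keep only entries that name a host.
    Returns (accepted, rejected) so a broken file is visible before deployment."""
    accepted, rejected = [], []
    for entry in entries:
        e_host, _ = split_entry(entry)
        (accepted if e_host else rejected).append(entry)
    return accepted, rejected


def strict_is_bad(url, entries=BAD_ENTRIES):
    """Hardened matcher: the host must match exactly; there is no wildcard host."""
    accepted, _ = validate_entries(entries)
    host, path = url_parts(url)
    for entry in accepted:
        e_host, e_path = split_entry(entry)
        if e_host == host and path.startswith(e_path):
            return True
    return False


def flagged_fraction(matcher, urls=SAMPLE_URLS, entries=BAD_ENTRIES):
    """Share of URLs a matcher flags; 1.0 is the 'whole Internet is bad' outcome."""
    return sum(matcher(u, entries) for u in urls) / len(urls)


def release_gate(entries, matcher=strict_is_bad, canaries=KNOWN_GOOD):
    """Refuse to ship a list that flags any known-good canary URL."""
    return not any(matcher(u, entries) for u in canaries)


if __name__ == "__main__":
    print("naive  flags:", flagged_fraction(naive_is_bad))
    print("strict flags:", flagged_fraction(strict_is_bad))
    print("rejected entries:", validate_entries(BAD_ENTRIES)[1])
    print("safe to release (naive):", release_gate(BAD_ENTRIES, naive_is_bad))
```

The two checks are independent: validation catches the malformed entry at load time, and the canary gate catches any list, however well-formed, that would flag sites known to be clean.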



Hi Goog, where is your user agent?

Net Applications reported this week that one third of the traffic coming from Google’s facilities has no user agent. This report refers specifically to the traffic coming from Google’s employees, not to the search engine’s traffic.
Vince Vizzaccaro, a senior executive at Net Applications, said that they had never seen an OS stripped out of the user agent string before: “You have to arrange to have that happen, it’s not something we’ve seen before with a proxy server.”
So what is Google hiding? Of course, Google being Google, it wouldn’t comment on rumors and speculation.

What do you think? Why would they hide their UA?
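Whatever the reason, a missing user agent is easy to measure on your own server. The following is an added example of mine (not Net Applications’ method or code) that parses Apache/nginx “combined” format log lines, counts requests whose User-Agent field is empty or the “-” placeholder, and lists the source addresses where most requests arrive without one, which is the pattern you would expect from a proxy that strips the header. The log lines and addresses are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format.
# The user agent is the last quoted field; "-" or "" means the client sent none.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.0) Firefox/3.0"
192.0.2.11 - - [10/Mar/2009:10:00:02 +0000] "GET /about HTTP/1.1" 200 300 "-" "-"
192.0.2.11 - - [10/Mar/2009:10:00:03 +0000] "GET /news HTTP/1.1" 200 700 "-" ""
198.51.100.5 - - [10/Mar/2009:10:00:04 +0000] "GET /x HTTP/1.1" 404 100 "-" "curl/7.19.5"
192.0.2.12 - - [10/Mar/2009:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"
192.0.2.11 - - [10/Mar/2009:10:00:06 +0000] "GET /a HTTP/1.1" 200 200 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def parse_line(line):
    """Named fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def ua_missing(ua):
    """Both an empty string and the literal '-' placeholder mean no User-Agent header."""
    return ua.strip() in ("", "-")


def summarize(log_text):
    """Count requests with and without a user agent, overall and per source IP."""
    total = Counter()
    missing = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing at their fields
        total[rec["ip"]] += 1
        if ua_missing(rec["ua"]):
            missing[rec["ip"]] += 1
    n = sum(total.values())
    return {
        "total": n,
        "missing": sum(missing.values()),
        "fraction": (sum(missing.values()) / n) if n else 0.0,
        "per_ip": {ip: (missing[ip], total[ip]) for ip in total},
    }


def sources_over_threshold(log_text, threshold=0.5, min_requests=2):
    """IPs whose share of UA-less requests is at or above the threshold.
    min_requests avoids flagging a source on a single odd request."""
    stats = summarize(log_text)
    return sorted(
        ip for ip, (miss, tot) in stats["per_ip"].items()
        if tot >= min_requests and miss / tot >= threshold
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['missing']} of {s['total']} requests had no user agent ({s['fraction']:.0%})")
    print("sources to look at:", sources_over_threshold(SAMPLE_LOG))
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; a single source responsible for most of the UA-less requests is more interesting than the overall percentage, because it points at one proxy or one tool rather than a crowd of unrelated clients.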


Who has the keys to your business?

SearchEngineJournal has a story about a guy who gave the keys to his business to Google. Well, not exactly the keys, but he used a Gmail account for all his business emails, and used the same account for his Google Analytics, Webmaster Tools and his own Google AdSense account.
And then one day he woke up and found out that Google disabled his Google account.

google account disabled
From that moment on, not only did his AdSense income stop and he lose access to every email he kept in his Gmail inbox, but all the emails his customers sent him were routed to a dead account.
I can’t even think how to start handling such a crisis. What do you do first? I have a few ideas but that’s for a different post.

What the hell was he thinking about when he gave Google the keys to his business?

If you still want to use a Google account for your business, there are a few things you should do:
1. Make sure you backup your account on a regular basis.

2. Get your own domain and use Google Apps. This way, in case of emergency, you can change your MX records back to your original hosting within a few hours.

3. Never use your personal account for your Google Adwords.

4. Never use your personal account for your Google Analytics.

5. Never Ever use your personal account for your Google Adsense.

Don’t let them catch you unprepared.


Chrome Keeps it simple

Have you tried Chrome? It’s nice! It definitely runs Gmail faster than Firefox; all the rest I’m still checking.

There was one very cool feature I noticed today that I really liked.
Has your Firefox ever shown you the message below? (The answer is probably yes.)
Have you EVER read it? (I didn’t, and neither did you…)

Now look at the same message, as it looks in Chrome:

I can’t think of a better way to explain it.
Once you click “Proceed anyway” you get to the website you were looking for, but the address bar keeps reminding you that this is not a safe site:

This explanation is for regular people who are going to shop online, not for security experts. Explaining security to ‘regular people’ is hard. This one is perfect.
I think that the person who thought of this feature is brilliant.


The blog that Sarah Palin doesn’t read.

If only Sarah Palin had read the Securiteam blog more often. I’m sure that after reading this post she would have changed her security question, and her Yahoo account wouldn’t have been hijacked.

Well, to be honest, I’m not sure she has the time for this blog; she is busy with other things, and I guess her staff is busy too. So maybe someone else can help?

How about Yahoo!?
If only Yahoo! would stop their users from choosing stupid security questions, wouldn’t that help?

BTW, did you change your security question?


gmail https – not for everyone

A few weeks ago, Google added an option to force your Gmail connection to use https instead of http. This feature was great news for people like me who use public networks a lot.
I looked for that feature in my settings page but couldn’t find anything that looked like it. I stopped looking, and today, while looking for something else, I found the reason why I didn’t get this feature.
I’m using Google Apps for my domain, and apparently my Google Apps account simply doesn’t have this feature. Only my Gmail account has it!

This is what the settings page of my Gmail account looks like:

This is what my Google Apps settings page looks like:

I can’t think of a good reason for Google to make a Google Apps account less secure than a Gmail account. I can only hope that it’s a matter of time and it is not one of those features that will never be included in Google Apps.

In any case, if you are using Google Apps you can still use a secured connection.
Instead of going to http://mail.google.com/a/your-domain, point your browser at https://mail.google.com/a/your-domain.
That will make your connection https instead of http.

Google has supported https for Gmail since day one. The thing is, it was kind of a secret, and if you didn’t look for it, or didn’t have somebody to tell you about it, you would still be using http. As a matter of fact, I doubt that more than a tiny fraction of Gmail users have ever heard of https or know whether it’s good or bad.

Security should be built on security awareness. Without awareness, real security will never happen. Employees who write classified documents should be aware of the classification of the documents they work on. It is not enough to tell them that their document is classified; they need to know about classification, think about classification, and understand what classification means when dealing with it.
In the same way that people know not to keep their ATM PIN code in their wallet (the bank helped raise their security awareness), Google must help its users raise their security awareness and know not only that https is available for Gmail but also that https is much safer than http and should be used by default.

I doubt that the majority of people will ever use the secured connection for Gmail. Such a feature requires education, and Google will never do that. Since https is significantly slower than http, and since most people don’t know about security and don’t really care about it, this feature is probably just another feature for the readers of this blog and their family and friends.

Update: I checked the comment, and he is right. My gemstones shop uses the free version of Google Apps. The paid version has a feature called “SSL enforcement for secure HTTPS access” that is included in the paid version only (no. 4 in “Collaboration application features”). To be honest, I don’t think I have the right to complain about something I got for free. I also have customers that are paying for premium features that cost me nothing, features that are there just to make the customers upgrade to the Advanced Plan. I guess this is not a mistake and someone wants me to upgrade. Fair enough.


The Security Question Vulnerability

How easy is it to break into your Gmail account? How about Yahoo! or Windows Live?
If you provided a truthful answer to the security question during signup, it is probably quite easy to hijack your account with just a little bit of research.

Take a look at the Yahoo! Security Questions:

Yahoo Security Questions

Are these security questions?

Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony – in case you couldn’t make it, we met on a roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out makes them a security vulnerability in my Yahoo! account.
By letting me base a security key on the name of my first school, Yahoo! actually puts me at risk, allowing anyone who knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat?”

Windows Live is pretty much the same as Yahoo!:

windows live security questions
Gmail is a little bit more sophisticated with one major difference:
gmail security questions

Gmail is the only one of these three that allows you to choose your own question.
By letting you do that, Gmail asks “which question can only you answer?” I think that most people would still come up with “Who is my favorite singer?”, “What is my date of birth?” or “My dog’s name”.
However, that isn’t a security vulnerability encouraged by Google. If they give you the tools and you fail to use them, it’s not their fault.

So, what can we do about it?
If you can write your own question, that would be the best. If not, choose the question about the name of your first school and put your first phone number as the answer. That’s what I did! :)
Got better ideas? Share them with us!
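One idea, from the service’s side rather than the user’s: treat the answer like a password. Below is an added example of mine (not Yahoo!’s, Microsoft’s or Google’s code) that rejects answers which are too short, appear on a small constructed list of common answers, look like a date, or match facts the user’s friends and neighbours could look up (passed in as a hypothetical public_facts set to model the point made above), and that stores the answer only as a salted PBKDF2 hash so a database leak does not hand out the answers in the clear. The denylist and sample answers are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed denylist: a few of the answers that turn up in common pet-name,
# sports-team and "favourite" lists. A real service would use a much larger one.
COMMON_ANSWERS = {"lakers", "max", "buddy", "fluffy", "rex", "password", "1990"}
# Dates of birth and years are both trivially researchable.
DATE_RE = re.compile(r"^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$|^\d{4}$")
PBKDF2_ROUNDS = 100_000


def normalize(answer):
    """Case- and whitespace-insensitive form, so 'Lincoln  Elementary' == 'lincoln elementary'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def answer_problems(question, answer, public_facts=()):
    """Reasons an answer is weak; an empty list means it passed.
    public_facts is a hypothetical input modelling what neighbours, family and
    friends know about the user; an actual service would only have the denylist."""
    norm = normalize(answer)
    facts = {normalize(f) for f in public_facts}
    problems = []
    if len(norm) < 8:
        problems.append("shorter than 8 characters")
    if norm in COMMON_ANSWERS:
        problems.append("in the common-answers list")
    if DATE_RE.match(norm):
        problems.append("looks like a date")
    if norm in facts:
        problems.append("publicly known fact about the user")
    if norm and norm in normalize(question):
        problems.append("repeats the question text")
    return problems


def store_answer(answer):
    """Hash the normalized answer like a password: random salt + PBKDF2-HMAC-SHA256.
    Only (salt, digest) is kept; the plaintext answer is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_answer(answer, salt, digest):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    question = "What was the name of your first school?"
    neighbours_know = {"Lincoln Elementary", "Lakers", "Rex"}  # constructed
    for candidate in ("Lincoln Elementary", "Rex", "12/05/1994", "555-0100 first phone"):
        print(f"{candidate!r}: {answer_problems(question, candidate, neighbours_know) or 'ok'}")
    salt, digest = store_answer("555-0100 first phone")
    print(verify_answer("555-0100 FIRST PHONE", salt, digest), verify_answer("rex", salt, digest))
```

The unrelated-answer trick from the post (a phone number as the answer to the school question) passes every check here, while the truthful answer fails only because the service was told it is public; that is exactly the gap a denylist alone cannot close, which is why a user-chosen question or an unrelated answer is still the better defence.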


msApache?

InformationWeek reports that Microsoft has just become an official Apache sponsor.
The article says that the sponsorship is at the “Platinum Sponsor” level, which means a donation of more than $100,000 per year.

My first reaction was “Oh no, please don’t touch this one, it is working so well.”

MS and open source in the same sentence simply doesn’t sound right, especially when it comes to Apache. Something tells me this is not good news. I don’t know why. On the other hand, $100K for MS is peanuts. Maybe I’m just paranoid?…


Secure your coffee maker

It has been raining these days in Sydney, and I guess this guy didn’t want to get wet and stayed home all day. One thing led to another, and eventually he managed to break into his coffee machine… Apparently he found some cool security holes in his Jura F90 coffee maker. I was looking for more hacks like this one, but couldn’t find any washing machine, electric toothbrush or fridge in the product vulnerabilities list.
I wonder if one day I’ll discover that someone hacked my toothpick (although I’m sure that toothpicks will be safer, since they will run Linux, not Windows).
Is the world turning into a place where every toilet seat needs its own firewall?
