OUCH! | May 2012 – Safely Disposing of Your Mobile Device

OUCH! | May 2012

IN THIS ISSUE…

• Stored Information
• Wiping Your Device
• SIM Cards / SD Cards
• Options For Disposal
• Special Training Offer
• Recovery

Safely Disposing of Your Mobile Device

GUEST EDITOR

The Ouch! team would like to welcome and thank Mr. Joshua Wright as our guest editor. Mr. Wright is a SANS senior instructor and author of SANS’ wireless security (SEC617) and mobile device security (SEC575) courses. You can follow Mr. Wright on Twitter at @joswr1ght or on his website at http://www.willhackforsushi.com.

OVERVIEW

Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. A key question becomes: what are you doing with your older devices? Many people simply dispose of their older mobile devices with little thought about all the personal data they have accumulated. However, a surprising amount of personal information is stored on these older devices. If your devices are not securely wiped before disposal, this information can easily be recovered, exposing you or your organization to tremendous risk.

STORED INFORMATION

Mobile devices store far more sensitive data than you may realize, perhaps more than your computer. When you dispose of your device you could be exposing the following information:

• The contact details for everyone in your address book, including family, friends, and co-workers

• Call history, including inbound, outbound, and missed calls

• Text messages or logged chat sessions

• Location history based on GPS coordinates or cell tower history

• Web browsing history, cookies, and cached pages

• Personal photos, videos, audio recordings, and emails

• Stored passwords and access to personal accounts, such as your voicemail

WIPING YOUR DEVICE

Before you begin securely wiping your mobile device, consider whether or not you want to back up any of your data, such as photos, videos, or any other information. Once you’ve followed the steps below, you will not be able to recover any of your data. In addition, if your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.

Unfortunately, just deleting your data is not enough; it can still be recovered. We recommend that you use the device’s “factory reset” function to remove all data from the device and return it to the condition it was in when you bought it. We have found that factory reset will provide the most secure method for removing data from your mobile device. The location of the factory reset function varies among devices; listed below are the steps for the most popular devices.

Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings

Android Devices: Settings | Privacy | Factory Data Reset

Windows Phones: Settings | About | Reset Your Phone

BlackBerry Phones: Options | Security Options | Security Wipe

If you still have questions about how to perform a factory reset, check your owner’s manual or the manufacturer’s website. Another option is to take your mobile device to the store you bought it from and get help resetting it from a trained technician. Remember, simply deleting your personal data is not enough, as it can be easily recovered.

SIM CARDS

In addition to the data stored on your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. Many mobile devices use a SIM card to uniquely identify you and your account information when you place and receive calls on a mobile network. When you perform a factory reset on your device, the SIM card retains information about your account. If you are keeping your phone number and moving to a new phone, talk to the phone salesperson about transferring your SIM card to the new phone. If this is not possible (for example, if your new phone uses a different size SIM card) keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it.

[Images: SD card and SIM card]

 

EXTERNAL STORAGE CARDS

Some mobile devices utilize an external SD (Secure Digital) card for additional storage. These storage cards often contain pictures, smart phone applications, and other sensitive content. Remember to remove any external storage cards from your mobile device prior to disposal (for some devices, your SD cards may be hidden in the battery compartment of your device). These cards can often be reused in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.

OPTIONS FOR DISPOSAL

When it comes to disposing of your old mobile device, consider recycling it instead of throwing it out. Most carriers offer a discount on your next purchase when you recycle. Another option is to donate your mobile device to the charitable cause of your choice. Below are just some of the many places you can either recycle or donate your mobile device.

Verizon Recycling
http://preview.tinyurl.com/6r398bq

Sprint Recycling
http://preview.tinyurl.com/cdzfcmu

AT&T Recycling
http://preview.tinyurl.com/cm23qgf

Recycling Mobile Phones
http://preview.tinyurl.com/csa3ak7

EPA Mobile Phone Donations Site
http://preview.tinyurl.com/clulu8x

National Coalition Against Domestic Violence
http://preview.tinyurl.com/l48kw4

Operation Gratitude
http://preview.tinyurl.com/7lefuob

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org

SPECIAL PROMOTION

Does your Small or Medium organization need help with securing the most vulnerable part of your organization? Check out a great program to train up to 750 Users for just $3,000. Program runs only from June 01 to July 31, 2012. Learn more at: http://www.securingthehuman.org/programs/sme

OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.
 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller

© The SANS Institute 2012 http://www.securingthehuman.org

 


10 Tools for Blocking Inappropriate Websites for Families

 

If you’re shopping for a reliable product that will make the internet safe for family viewing in your home, we’ve got a list you’re sure to appreciate. The following are 10 tools for blocking inappropriate websites for families:

10 Tools for Blocking Inappropriate Websites for Families

 


OUCH! | March 2012 – E-mail Dos and Don’ts

OUCH! | March 2012

IN THIS ISSUE…

• Auto-complete
• Cc: / Bcc:
• Distribution lists
• Emotion & Privacy

E-mail Dos and Don’ts

GUEST EDITOR

Fred Kerby is the guest editor for this issue. He recently retired from the position of information assurance manager at the Naval Surface Warfare Center Dahlgren Division. He is also a SANS senior instructor and track lead for the Intro to Information Security course (SEC 301).

 

OVERVIEW

E-mail has become one of the primary ways we communicate, both in our personal and professional lives. However, e-mail can be confusing to use, resulting in mistakes that can hurt you or your organization. Quite often we can be our own worst enemy when using e-mail. In this newsletter we will explain the most common mistakes people make with e-mail and how you can avoid them in your day-to-day life.

AUTO-COMPLETE

When e-mailing a friend or co-worker, you often start by typing their e-mail address. For example, if you wanted to e-mail Fred Smith you would have to remember and type in his e-mail address fsmith@example.com. This can be a lot to remember, especially if the recipient has a complex e-mail address or if your e-mail directory includes hundreds of people. With auto-complete, as you type the name of the person, your e-mail software automatically selects the e-mail address for you. This way you do not have to remember the e-mail address, just the recipient’s name.

The problem with auto-complete is when you have contacts with similar names. For example, you may think you are sending an e-mail to Fred Smith (your co-worker), but instead auto-complete selects Fred Johnson (your kid’s soccer coach). As a result you end up sending sensitive company information to unauthorized people.

To protect yourself against this common mistake, always verify the name and the e-mail address of the recipient listed before you hit send. In addition, you may want to include the person’s organization in the name displayed with their e-mail.

CC / BCC

When sending an e-mail, the people you directly address it to may not be the only ones that get your e-mail message. Most e-mail clients also have two additional fields: Cc and Bcc. Cc stands for carbon copy. This means that while your e-mail is not directed to the person in the Cc line, you want to keep them informed. For example, if you send an e-mail to a co-worker, you may cc your boss just to keep your boss current. Bcc means blind carbon copy. This is similar to Cc; however, the recipients on the To and Cc lines will not see the people you’ve included under Bcc.

Care should be taken when using Cc and Bcc. When someone sends you an e-mail and has cc’d people on the e-mail, you have to decide if you want to reply to just the sender or reply to everyone that was included on the cc. If your reply is sensitive in nature, you may want to reply only to the sender. If that is the case, be sure not to use the Reply All option, which will address your reply to all visible recipients from the original message. You may choose to use Bcc to copy someone privately, such as your boss. However, if your boss responds using Reply All, then all of the recipients will know that he was bcc’d on the original message. So much for your secret.

DISTRIBUTION LISTS

Distribution lists are a collection of e-mail addresses represented by a single e-mail address, sometimes called a mail list or a group name. For example, you may have a distribution list with the e-mail address group@example.com. When you send an e-mail message to that address, that message is sent to everyone in the group, which could include perhaps hundreds or even thousands of people. Be very careful what you send to a distribution list. You would never want to accidentally send an e-mail to a group of people that was really only intended for a limited audience. You should also take care that your auto-complete feature doesn’t select a distribution list. Your intent may be to e-mail only a single person, such as your coworker Carl at carl@example.com, but auto-complete might send it instead to the distribution list you subscribed to about cars.

EMOTION

Never send an e-mail when you are emotionally charged. If you are in an emotional state, that e-mail could cause you harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment and calmly organize your thoughts. Get up and walk away from the computer. If you have to vent your frustration, another option is to open your e-mail client and make sure the To/Cc/Bcc fields are empty. Now go ahead and type exactly what you feel like saying. Then get up and walk away from your computer, perhaps make yourself a cup of tea. When you come back, delete the e-mail, and start over again. As a wise person once observed: “Draft today, send tomorrow.”

PRIVACY

Finally, remember that e-mail has few privacy protections. Just like a postcard sent through the mail, your e-mail can be read by anyone who gains access to it. In addition, unlike a phone call or personal conversation, once you send an e-mail you no longer have control over it. Your e-mail can easily be forwarded to others, posted on public forums, and may remain accessible on the Internet forever. If you have something truly private to communicate, e-mail may not be your best option.

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

12 Tips For Better Email:
http://preview.tinyurl.com/6j4ferk

Apple iMail:
http://preview.tinyurl.com/6dc6ac4

Preventing Auto-Complete Disasters in Outlook:
http://preview.tinyurl.com/75lvgln

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller


OUCH! | February 2012 – Securing Your Mobile Device Apps

 

OUCH! | February 2012

IN THIS ISSUE…

• Obtaining Apps
• Configuring & Using Apps
• Updating Apps
• In-App Purchases

Securing Your Mobile Device Apps

GUEST EDITOR

Kevin Johnson is the guest editor for this issue. Kevin is a senior security consultant at Secure Ideas, runs MySecurityScanner.com, and is a senior instructor with the SANS Institute. You can learn more about his work at
http://www.secureideas.net and http://www.mysecurityscanner.com.

 

OVERVIEW

Mobile devices have become one of the primary tools we use in both our personal and professional lives. One of the things that makes mobile devices so powerful is that there are thousands of apps we can select from and use. However, with the tremendous power and flexibility of apps come a number of risks you must be aware of. In this newsletter we cover the dangers of mobile device apps and how you can install, use, and maintain them securely.

OBTAINING APPS

The first step in using apps is making sure you always download them from a secure, trusted source. Cyber criminals will create malicious apps that look real, but which may be infected with viruses or worms. If you inadvertently install one of these apps, cyber criminals can take control of your mobile device. By downloading apps from only well-known, trusted sources you reduce the chance of installing an infected app. However, even in well-known online app markets, some malicious apps can still be found. This is especially true for devices like the Android where the app markets are not tightly controlled. To reduce your risk, avoid apps that are brand new, that few people have downloaded, or that have very few comments. The longer an app has been available or the more positive comments it has, the more likely that app can be trusted. Finally, install only the apps you need and use. Each additional app brings the potential for new vulnerabilities, so if you stop using an app, remove it from your mobile device.

In addition, you may be tempted to jailbreak or root your own mobile device, the process of hacking into it and installing unapproved apps or changing existing functionality. We highly recommend against this, as jailbreaking not only bypasses or eliminates many of the security controls built into your mobile device but often voids any warranties or support contracts.

CONFIGURING & USING APPS

Once you have installed an app from a trusted source, the next step is making sure it is safely configured and protecting your privacy as well. Installing and/or configuring certain applications requires that you grant certain privileges and permissions. Depending on the device, these applications will prompt you before authorizing. Always think before authorizing any access: does your app really need those permissions? For example, some apps use geo-location services. If you allow an app to know your location, you may be allowing the creator of that app to track your movements. In addition, any public postings you make may include your location, allowing anyone to know where you are or prove where you have been. If you do not like the permissions an app is requesting, simply find another app that better fits your requirements.

Be careful when using apps that request or store sensitive information. Even if the app is legitimate, there is no guarantee that the developer used good coding practices to protect your information while stored on the device or while transmitted over the Internet. Applications that consolidate sensitive information can be very convenient, but they are also targets for cyber criminals. Read the detailed description about the app and reviews from other users to see if there have been any security issues.

UPDATING APPS

Apps, just like your computer and mobile device operating system, must be updated in order to remain current. Bad guys are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The app developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. We recommend that you monitor your app stores and update your apps at least once a month. In addition, some apps can be set to update automatically, but please note that this may also automatically grant additional permissions if requested by that app.

IN-APP PURCHASES

Many applications today allow you to purchase additional features, new content, or the removal of advertising. A common mistake some people make is to store their app store credentials locally on their device, allowing them to easily make future purchases within an application. We highly recommend you do not allow your mobile device to save your app store credentials, log-in information, or payment information. Although convenient, this information may be available to, or misused by, anyone who has access to your mobile device, including the bad guys if your device has been remotely hacked. An alternative is to use gift cards or one-time use virtual credit card numbers instead.

CONCLUSION

We strongly encourage you to follow all the best practices discussed here. Mobile devices and apps are still a relatively new and fast growing field. In addition, one of the challenges we all face is that there are few options available for security software to help protect you and your apps. You are the best defense for your mobile devices.

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Sophos Webcast on Android Security:
http://preview.tinyurl.com/73q5u76

5 Ways to Protect Your Mobile Apps:
http://preview.tinyurl.com/5wpghmp

iPhone Security Overview:
http://preview.tinyurl.com/783hg2v

iPhone App Insecurity:
http://preview.tinyurl.com/3w5a5cc

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller


Some Timely Reminders from Cyberheist News

 

1) This week, you will see a wave of Whitney Houston malware coming through, all trying to capitalize on her death. Think Before You Click!

2) Miscreants are sending tons of Valentines Day spam, laced with malicious links. Think Before You Click!

* Valentine’s Day Scams: For The Love Of Money

3) Viruses tend to come into end-user’s mailboxes between 8 and 9am EST. I told you three times… Think Before You Click!

E-Mail Viruses Most Likely To Appear In The Morning

 

Cyberheist News

 


Digeus Registry Cleaner 7.3

 

I’m testing out Digeus Registry Cleaner Version 7.3.

I am receiving a free version as compensation for this entry and evaluation.

Here is brief information about the Product:

Digeus Registry Cleaner speeds up your computer by cleaning errors in your Windows. It removes the junk that accumulates in your Windows Registry, fixes Windows errors which results in speeding up your computer. With Digeus Registry Cleaner you just need a few mouse clicks and your computer will become as good as a brand new one.

Key features:
* Removes unused and invalid entries
* Speeds up boot up time
* Fixes Windows errors which results in speeding up your computer
* Eliminates BSOD (Blue Screen of Death)
* Invaluable when your system starts crashing, hangs, freezes and works slow
* This is one of the most popular registry cleaners on the Internet

Here are links to screenshots of Digeus Registry Cleaner:
http://www.digeus.com/products/regcleaner/images/regcleaner.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner01.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner02.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner03.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner04.jpg

For more information please visit:
http://www.digeus.com/products/regcleaner/registry-cleaner.html

 


OUCH! | January 2012–Securing Your Home Wi-Fi Network

OUCH! | January 2012

IN THIS ISSUE…

• Administration
• Your Network Name
• Encryption & Authentication
• OpenDNS

Securing Your Home Wi-Fi Network

GUEST EDITOR

Raul Siles is the guest editor for this issue. Raul is the founder of and a senior security analyst with Taddong (www.taddong.com), a SANS author and instructor, and security passionate (www.raulsiles.com). You can follow Raul on Twitter at @taddong and on his blog at blog.taddong.com.

 

OVERVIEW

Wi-Fi networks (sometimes called by their technical name 802.11) allow people to wirelessly connect devices to the Internet, such as smartphones, gaming consoles, tablets, and laptops. Because Wi-Fi networks are simple to set up, many people install their own Wi-Fi networks at home. However, many home Wi-Fi networks are configured insecurely, allowing strangers or unauthorized people to easily access your home network or anonymously abuse your Internet connection. To ensure you have a safe and secure home Wi-Fi network, here are a few simple steps you should take.

ADMINISTRATION

Your Wi-Fi network is controlled by something called a Wi-Fi access point. This is a physical device you can buy at your local electronics store or that may be built into your Internet router. The access point is what wirelessly connects your devices to the Internet. One of the first steps to securing your Wi-Fi network is limiting who can administer your Wi-Fi access point and how they can access it. We recommend you take the following steps when configuring your Wi-Fi access point for the first time.

• For many Wi-Fi access points the default administrator login and password is well known. In fact, these default accounts can often be found listed on the Internet. So be sure to change the default administrator login and password to something that only you know.

• For administrative access to your Wi-Fi access point, we recommend you disable wireless access and instead require a physical network connection, such as using an Ethernet cable. If you must have wireless administrative access, then at a minimum disable HTTP access and require HTTPS, which supports encryption.

SETTING YOUR WI-FI NETWORK NAME

Another option you will need to configure is the name of your Wi-Fi network (often called SSID). This is the name your devices will see when they search for local Wi-Fi networks. We recommend changing your default Wi-Fi network name. Give your network a unique name so you can easily identify it, but make sure it does not contain any personal information. Also, there is little value in configuring your Wi-Fi network as hidden (or non-broadcast). Today most Wi-Fi scanning tools or any skilled attacker can easily discover the details of a hidden network. The recommended option is to leave your Wi-Fi network visible, but secure it using the other steps covered in this newsletter.

ENCRYPTION & AUTHENTICATION

The next step is to ensure that only people you know and trust can connect to and use your Wi-Fi network and that those connections are encrypted. We want to be sure that neighbors or nearby strangers cannot connect to or monitor your Wi-Fi network. Fortunately, these dangers are easily mitigated by simply enabling strong security on your Wi-Fi access point. Currently one of the best options is to use the security mechanism WPA2. By simply enabling this you require a password for people to connect to your Wi-Fi network, and once authenticated, those connections are encrypted. Be sure you do not use older, outdated security methods, such as WEP, or no security at all, which is called an open Wi-Fi network. An open network allows anyone to connect to your Wi-Fi network without any authentication. The recommended encryption method for WPA2 is AES only, versus other options such as TKIP or TKIP+AES.

When configuring the password people will use to connect to your Wi-Fi network, make sure it is different from the administrator password and that the password cannot be easily guessed; we recommend at least 20 characters long. This may sound like a very long password, but remember you most likely have to enter it only once for each of your devices, as they will store and remember the password for future network access. If your Wi-Fi access point is in a physically secure location and only trusted members of your family have access to it, one option may be to tape the user password to the bottom of the Wi-Fi access point for easy recall. Remember that anyone you have given the password to will have access to your Wi-Fi network, so from time to time you may want to change it.

Finally, we recommend you turn off or disable WPS (Wi-Fi Protected Setup). WPS is a specification designed to ease the process of securely setting up your Wi-Fi access point. At the time of publishing this newsletter, recent vulnerabilities were found that may allow an attacker full access to your wireless network if WPS is enabled.
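
The settings recommended in this issue (a non-default, visible network name; WPA2 with AES only; a passphrase of at least 20 characters that differs from the administrator password; WPS off) can be checked mechanically. The following is an added example, not part of the original newsletter: it audits a configuration written in hostapd's key=value format. The function names, the list of default network names, the finding labels and both sample configurations are constructed for illustration.

```python
"""Audit a hostapd-style access point config against the newsletter's advice."""

# Constructed examples of factory-default network names (assumption, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}
MIN_PASSPHRASE_LEN = 20  # minimum length recommended in the newsletter

# Constructed sample: almost every recommendation is violated.
WEAK_CONFIG = """
ssid=linksys
ignore_broadcast_ssid=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=family2012
wps_state=2
"""

# Constructed sample: follows the newsletter's recommendations.
HARDENED_CONFIG = """
ssid=BlueHeron-5
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=copper-lantern-orbit-meadow-47
wps_state=0
"""


def parse_config(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_ap_config(text, admin_password):
    """Return a list of finding labels; an empty list means no issue found."""
    cfg = parse_config(text)
    findings = []

    # Network name: change the default, and do not rely on hiding it.
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("hidden-ssid-adds-little-value")

    # Security mode: 'wpa' is a bit field (1 = WPA, 2 = WPA2, 3 = both).
    wpa = int(cfg.get("wpa", "0"))
    uses_wep = any(key.startswith("wep_key") for key in cfg)
    if uses_wep:
        findings.append("wep-enabled")
    if wpa == 0 and not uses_wep:
        findings.append("open-network")
    if wpa & 1:
        findings.append("wpa1-enabled")

    if wpa:
        # Ciphers in effect. With no cipher configured this is treated as TKIP,
        # the fallback documented in hostapd's sample configuration;
        # rsn_pairwise falls back to the wpa_pairwise value.
        pairwise = cfg.get("wpa_pairwise", "TKIP").split()
        rsn = cfg.get("rsn_pairwise", " ".join(pairwise)).split()
        active = set()
        if wpa & 1:
            active.update(pairwise)
        if wpa & 2:
            active.update(rsn)
        if "TKIP" in active:
            findings.append("tkip-enabled")

        # Passphrase: long, and not shared with the administrator login.
        passphrase = cfg.get("wpa_passphrase", "")
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append("short-passphrase")
        if passphrase and passphrase == admin_password:
            findings.append("passphrase-equals-admin-password")

    # WPS: 0 means disabled; 1 and 2 mean enabled.
    if cfg.get("wps_state", "0") != "0":
        findings.append("wps-enabled")

    return findings


if __name__ == "__main__":
    for name, config, admin in (
        ("weak", WEAK_CONFIG, "family2012"),
        ("hardened", HARDENED_CONFIG, "A-different-admin-secret-91"),
    ):
        print(name, audit_ap_config(config, admin) or "no findings")
```
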

OPENDNS

Once you have your Wi-Fi connection configured, one of the last steps we recommend is configuring your network to use OpenDNS as your DNS servers. When you type a name into your browser, DNS is how your browser knows which server on the Internet to connect to. OpenDNS is a free service that helps ensure you connect only to safe websites. In addition, OpenDNS gives you the ability to manage what websites your family can connect to. If you want to filter and block objectionable material, this is a great resource. The OpenDNS website walks you through step-by-step how to configure your Wi-Fi access point to use OpenDNS.

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

OnGuard Online Wi-Fi Security:
http://preview.tinyurl.com/7sylsul

Security Encyclopedia:
http://preview.tinyurl.com/bpc2h23

WPS Vulnerability:
http://preview.tinyurl.com/cjs4l4w

OpenDNS:
http://www.opendns.org

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner


Need a Florist? Try Arrigo’s Flower Shop !!

 

If you live in the East Lovejoy area of Buffalo, NY (aka Iron Island, Iron City), try a local merchant for your floral needs. 30 years experience shows that they do it right!

They’re located at 1180 Lovejoy Street, Buffalo, NY and can be reached toll free at

1-800-472-1841

Arrigo’s Flower Shop


Cyber Security Tip ST11-001 – Holiday Traveling With Personal Internet-Enabled Devices

                         Cyber Security Tip ST11-001
            Holiday Traveling With Personal Internet-Enabled Devices

   The internet is at our fingertips with the widespread use of
   internet-enabled devices such as smart phones and tablets. When traveling
   and shopping anytime, and especially during the holidays, consider the
   wireless network you are using when you complete transactions on your
   internet-enabled device.

Know the risks

   Your smart phone, tablet, or other internet-enabled device is a full-fledged
   computer. It is susceptible to risks inherent in online transactions. When
   shopping, banking, or sharing personal information online, take the same
   precautions with your smart phone or other internet-enabled device that you
   do with your personal computer — and then some. The mobile nature of these
   devices means that you should also take precautions for the physical
   security of your device (see Protecting Portable Devices: Physical Security
   for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

   Avoid using open Wi-Fi networks to conduct personal business, bank, or shop
   online. Open Wi-Fi networks at places such as airports, coffee shops, and
   other public locations present an opportunity for attackers to intercept
   sensitive information that you would provide to complete an online
   transaction.

   If you simply must check your bank balance or make an online purchase while
   you are traveling, turn off your device’s Wi-Fi connection and use your
   mobile device’s cellular data internet connection instead of making the
   transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

   Bluetooth-enabled accessories can be helpful, such as earpieces for
   hands-free talking and external keyboards for ease of typing. When these
   devices are not in use, turn off the Bluetooth setting on your phone. Cyber
   criminals have the capability to pair with your phone’s open Bluetooth
   connection when you are not using it and steal personal information.

Be cautious when charging

   Avoid connecting your mobile device to any computer or charging station that
   you do not control, such as a charging station at an airport terminal or a
   shared computer at a library. Connecting a mobile device to a computer using
   a USB cable can allow software running on that computer to interact with the
   phone in ways that a user may not anticipate. As a result, a malicious
   computer could gain access to your sensitive data or install new software.

Don’t Fall Victim to Phishing Scams

   If you are in the shopping mode, an email that appears to be from a
   legitimate retailer might be difficult to resist. If the deal looks too
   good to be true, or the link in the email or attachment to the text seems
   suspicious, do not click on it!

What to do if your accounts are compromised

   If you notice that one of your online accounts has been hacked, call the
   bank, store, or credit card company that owns your account. Reporting fraud
   in a timely manner helps minimize the impact and lessens your personal
   liability. You should also change your account passwords for any online
   services associated with your mobile device using a different computer that
   you control. If you are the victim of identity theft, additional information
   is available from http://www.idtheft.gov/.

   For even more information about keeping your devices safe, read
   Cybersecurity for Electronic Devices.
     _________________________________________________________________

   Produced in 2011 by US-CERT, a government organization.

   Terms of use

   http://www.us-cert.gov/legal.html

   This document can also be found at

   http://www.us-cert.gov/cas/tips/ST11-001.html

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit http://www.us-cert.gov/cas/signup.html.

 
