This Rapid Reference will introduce you to you how can encrypt files on your computer, files on your USB key, or your entire USB key. TrueCrypt is a free and open source application that does on-the-fly encryption. This reference sheet will show you where to download the software, create an encrypted container to put files in, mount the container, create a password for the container and more. If you want to make your files on your USB key more secure (in case you lose or misplace the USB key), get TrueCrypt today. Click on the click below to download the PDF:

Rapid Reference: Introduction to TrueCrypt

-Angel Brady

This Rapid Reference is an introduction on Internet Security . This Rapid Reference explains in brief detail how to watch yourself on the internet, avoid things like phishing, trojans, viruses, sniffing wireless networks, and best practices when surfing the web. Feel free to download the PDF below. Enjoy!

Internet Security Rapid Reference

Here is the audio from my presentation on Friday night on Free and Open Source Software to the Brookdale Computer Users Group. We had a fantastic time, and I can’t wait to go back. We had a lot of laughs, we all learned a lot, and I feel like I have a lot of new friends out by the shore. Thanks to BCUG for being so welcoming!

http://media.rider.edu/authors/lemasney/2007_lemasney_bcug_foss.mp3

I recently came across this list of 103 free (but not all Open Source or all cross platform, but some are) security applications for Mac, Windows, and Linux. Security is a fundamental component when using your computer, be it for work or leisure. This list is nice because it doesn’t include trail versions of software. Why not equip your computer with the software it needs to fight grayware and malware and do it without breaking your budget. This list is for a beginner in computer security to advanced power users. Even if you just breeze through the list and never heard of any of these terms, it is a good learning experience in computer security. Check out the list here at :http://www.itsecurity.com/features/103-free-security-apps-041607/.

Thanks to IT Security for this list. If you would like to view an abbreviated version of this list, click on the more link. To view the list with brief descriptions, visit the IT Security website.

-Angel Brady

Spyware

1. Ad-Aware SE Personal [Windows]
2. Spyware Terminator [Windows]
3. Spybot – Search & Destory [Windows]
4. Winpooch [Windows]
5. SpywareBlaster [Windows]
6. Bazooka Adware and Spyware Scanner [Windows]
7. Windows Defender [Windows]
8. MalWhere [Windows]
9.Trend Micro Anti-Spyware for the Web [Web: Windows]
10. Zebra scanner [Mac]

Antivirus

1. McAfee AVERT Stinger [Windows]
2. PC Tools AntiVirus [Windows]
3. Clam AntiVirus [Linux]
4. AVScan [Linux]
5. ClamXav [Mac]
6. AVG Anti-Virus [Windows, Linux]
7. Avast Home Edition [Windows, Linux]
8. Housecall [Web: Windows, Linux, Mac]
9. Symantec Security Check [Web]

Rootkit

1. Sophos Anti-Rootkit [Windows]
2. Rootkit Hunter [Mac]
3. chkrootkit [Linux]

Firewall

1. ZoneAlarm [Windows]
2. VisualZone [Windows]
3. PC Tools Firewall Plus [Windows]
4. Firestarter [Linux]
5. Firewall Builder [Linux]
6. TuxGuardian [Linux]
7. HardWall Firewall [Linux]
8. BullDog [Linux]
9. PeerGuardian [Windows, Linux, Mac]

Email

1. Thunderbird [Windows, Linux, Mac]
2. Smart sendmail filters [Linux]
3. Sagator [Linux]
4. Tiger Envelopes [Windows, Linux, Mac]
5. Simple ASCII Email Encoder [Mac]

Web Utility

1. WinSCP [Windows]
2. Privacy Mantra [Windows]
3. Tor [Windows, Linux, Mac]
4. BarracudaDrive [Windows, Linux, Mac]
5. Firefox [Windows, Linux, Mac]
6. McAfee Site Advisor [Windows, Linux, Mac]
7. Opera [Windows, Linux, Mac]
8. PuTTY [Windows, Linux]
9. WebCleaner [Linux] Cyberduck [Mac]

Network

1. SoftPerfect Network Scanner [Windows]
2. SecureRDP [Windows]
3. Colasoft Packet Player [Windows]
4. DomainScan Light [Windows]
5. SmoothWall [Linux]
7. nLive Core [Linux]
8. Network Mapper [Windows, Linux, Mac]
9. Wireshark [Windows, Linux, Mac]
10. Nessus [Windows, Linux, Mac]
11. dSniff Control [Mac]
12. Flame [Mac]
13. Server Admin Tools [Mac]

Intrusion Detection System

1. Snort [Windows, Linux, Mac]
2. HenWen [Mac]
3. Open Source Host-based Intrusion Detection System [Windows, Linux, Mac]
4. Prelude [Linux]

Virtual Private Network

1. SSL-Explorer [Windows, Linux, Mac]
2. OpenVPN [Windows, Linux, Mac]
3. IPSecuritas [Mac]
4. strongSwan [Linux]

Temporary Files

1. HijackThis [Windows]
2. Zappit System Cleaner [Windows]
3. CCleaner [Windows]
4. WinXPatch [Windows]
5. Advanced WindowsCare v2 Personal [Windows]
6. EasyCleaner [Windows]
7. CleanCache [Windows]
8. xpy [Windows]
9. Cookie Eraser [Windows]
10. Yet Another System Utility [Mac]

Wireless

1. Kismet [Linux, Mac]
2. AirSnare [Windows]
3. myWIFIzone [Windows]
4. iOpus Private Internet Gateway [Windows]
5. LucidLink WiFi Client [Windows]
6. AirTrafficControl [Mac]

Encryption

1. Pastor [Mac]
2. Access Manager [Windows]
3. RememberMe [Windows]
4. Kruptos 2 [Windows]
5. Crypt4Free [Windows]
6. PicSecret [Web, Mac]
7. GNU Privacy Guard [Windows, Linux, Mac]
8. TrueCrypt [Windows, Linux]

Miscellaneous

1. Active Security Monitor [Windows]
2. PreView 1.0 [Windows]
3. PC Security Test [Windows]
4. PCPal [Windows]
5. Simple File Shredder [Windows]
6. BCWipe [Windows]
7. Permanent Eraser [Mac]
8. S3 Change Explorer [Windows]
9. Process Monitor [Windows]
10. Check Failed Password Attempts [Mac]
11. CheckMate [Mac]
12. Checksum Validator [Mac]

I recently came across an article that explained cookies on a web developer end. I liked the basic explanation of the question “what is a cookie in my web browser?”, so I decided to share the article on this blog. This question usually comes up from time to time on campus. Kudos to informit.com for the wonderful explanation. Please read below.

~Angel Brady

How Not To Use Cookies

Last updated Dec 15, 2006.

Within one week’s time, we stumbled across two different sites using cookies the wrong way. While the attack vectors were a bit different, both sites trusted the cookie data to secure their users’ accounts. Therefore, this week we are going to spend some time discussing cookies, when they should be used, and what can happen if they are misused.

What are Cookies?

Before a web developer can understand the dangers associated with trusting cookies to store sensitive data, it is important to recognize what they are, and what they aren’t. Specifically, a cookie is just a small text file that is stored on your computer by a specific website. Cookies are not programs, they can’t read your personal data, and they don’t cause spam. In fact, cookies can be very helpful if used within the correct context.

Cookies are often used by marketing and advertising companies. For example, the Informit.com website placed one cookie on my computer with the following information:

Domain: .doubleclick.net
Name: id
Content: 800000a5610cc5a
Path: /
Expires: Friday, November 06, 2009 9:23:14 AM

Let’s break this cookie down so we can understand its intent. First, you can easily tell who the cookie belongs to — doubleclick.net. But why did a doubleclick.net cookie come from Informit.com? Well, if you go to Informit.com website, you will see a banner ad at the top of the browser window. This content is controlled by doubleclick.net, which probably pays Informit.com (or a partner) to insert their ad at the top of the pages content.

The next significant part of the cookie is the Name and Content fields, which in this case have a value of ‘id’ and ‘800000a5610cc5a’ respectively. This value pair is my personal identification code that can be used to track my movements across the internet and build a profile about my surfing habits. This is possible because a cookie can be read at any time by the domain that owns it. As a result, when I visit Slashdot.org, doubleclick.net will attempt to read its cookie that is on my computer. This will provide doubleclick.net with my id value, and their database will be updated. In other words, they now know that I like to visit Informit.com and Slashdot.org. Already their profile on my surfing habits can tell them I am probably a computer geek.

The final significant part of the cookie is the Expires value. Since it expires in 2009, doubleclick.net could gather a significant amount of data about my surfing habits, which would then be sold or used to dynamically load ads that target people with my “profile.” Obviously, this has some serious privacy concerns, which is why we recommend the blocking/removal of cookies used by ad agencies.

Note: One quick and easy way to block marketing company cookies is to block their cookies using your browser. In Firefox, this is simple. Just click on Tools — Options — Privacy — Cookies — Exceptions, enter *.doubleclick.net and click block.

Cookies do have many user friendly functions. For example, web applications like PHPBB (PHP Bulletin Board) use cookies to store unique session id values. These session values are used by the web application to validate a user after they have logged in to the program. This way, the user doesn’t have to keep entering their user/pass each time they want to access a secure part of the website. The program will simply request the session id in the cookie, look it up in a database, and determine that the session is authenticated.

Other uses for a cookies are to store usernames/passwords, or to temporary store web application information. For example, cnn.com uses cookies to store the users preferences as to what version of cnn.com should be displayed by default (international vs. national).

Security Risks

While cookies can help web developers offer services and features that would require extensive programming otherwise, there are some significant security risks that must be understood before cookies are ever implemented into a website.

First, cookies are stored as plaintext on the user’s computer. This means anyone can read them at any time from the local machine. This includes a nosy family member, but also includes the user of the website. In other words, web developers can never assume that the cookie data is a place to store sensitive data.

Second, cookies are passed as plaintext unless there is an encrypted session. As a result, anyone with a sniffer can capture the cookies contents and use them as their own. In other words, if a person logs into a web application at an unprotected wireless hotspot, an attacker can grab the session value and insert it into their own cookie, thus hijacking the session from the valid user.

Third, and possibly the most significant, cookies can be stolen via cross-site scripting exploits on a vulnerable web application. For example, numerous blogging sites have been found to have persistent XSS vulnerabilities over the last few years. If a malicious hacker wants to steal a user’s session id cookie information, they can easily do this by injecting a simple “document.cookie” request into a blog post. This type attack can be used to steal hundreds of session values, all of which can be used by the attacker to collect sensitive information or create chaos by posting fake content under a stolen account.

To illustrate the problems that improper cookie use can lead to, we are going to look at one example that not only exposes user information, but also can lead to the theft of valuable gift certificates.

Restaurant.com

Restaurant.com is an excellent site that offers discounted gift certificates to restaurants through out the nation. Recently, they held a promotion where you could buy a $25 gift certificate for $4. We like to eat out on occasion, so we purchased a couple certificates from the website. During our purchase, we were monitoring our cookies with the AnEC Cookie editor extension for Firefox that allows a user to view, delete, and edit cookies easily and quickly. During our online session at Restaurant.com, we noted that there was little in the way of a unique identifier to keep our session open, yet we were able to move about the site and maintain our login status. Figure 1 provides a shot of AnEC and a list of the cookie names.

Figure 1: AnEC viewing restaurant.com cookie names

Note the list of names. Normally, you would see a “session’, ‘id,” or similar name listed. However, restaurant.com does not appear to have any per session value. So, what then could it be using to keep track of a users logged-in status?

After looking at the list, we considered the idea that the session information was stored in the web page itself and was passed as hidden form fields. This option is used by ASP.NET web application and allows a cookieless environment. While not fool proof, using the ASP.NET session tracking option is generally considered more secure than relying on cookies. However, after a quick look, it was determined that restaurant.com was not using this type of session management.

So, our attention turned back to the cookie. After reviewing the list, we took a closer look at the names and their values:

In this online Article at campustechnology.com, it talks about a topic that has become rather important at Rider University, Emergency Preparedness. In my meetings about this topic, it’s specifically about technology, e.g. how to keep the web server up in the case of a blackout. This article talks about a presentation done by the people at Tulane, who had spotlights of national coverage on them regarding their response to emergency and their preparedness during Katrina, and the focus is that they realized the people are so much more important than the technology, and it’s actually possible to over prepare in terms of technology. I’m not saying that we’re over-preparing at Rider, but maybe we should consider the length to which we’ll rely on technology as a focus in the case of a real emergency.

Campus Technology
Moreover, they added, no level of hitech preparedness can ever be guaranteed to be enough, or to be precisely the right kind of technological preparation for any given disaster. How easy it would be to assuage our fear of future catastrophe by constructing a fortress of systems and tools! But that would not only be no assurance of safety, the panelists pointed out, it would represent a conscious decision to move dollars (always a finite commodity in institutions of higher education) away from the provision of learning—and the mandate to educate our students is the reason that institutions of higher learning exist.

I just found the potential replacement for PuTTY as an Open Source SSH client for Windows: Poderosa. There are some things that are caveats, such as missing portability (this must be installed to work), and the fact that the .Net framework is required for it to work, but other than that it seems like a genuine improvement over some of the inconsistencies in PuTTY, like the nonstandard private key. I especially like that you can set your options globally, instead of per connection. (that’s just me, I’m sure)

At any rate, I’ve only been using it a few minutes, but I like it a lot. Due to PuTTY’s portability, I’ll probably be keeping that handy on my USB key for a while. – j.

index – Terminal Emulator Poderosa
Against common terminal emulators such as Putty or TeraTerm, Poderosa has following features.

Tabbed style GUI
It is convenient to open multiple connections at the same time. Moreover, you can split the window into panes and allocate each connection.
Many differnt ways in connection method.
In addition to Telnet and SSH1/2, local cygwin shell and serial ports are supported.
Fulfilling options and tools
A lot of functions for terminals are available. For example, SSH2 port forwarding tool, SSH Key generation wizard, SOCKS connection.

Plugin architecture
You can extend the feature of Poderosa by plugins like Eclipse. Actually serial port and X/ZModem are provided as additional plugins. A manual for plugin developers is included the installation package.

Support of government
In 2005, the government of Japan chose us as one of originative software projects and promoted financial resources.

Privacy on the internet is a big issue these days. If you haven’t heard of the recent AOL leak of personal web searches (or even if you have), you might want to read on about how you can protect yourself, your identity, and privacy while searching through the big ol’ world wide web. These tips from LifeHacker will help prevent people from putting together a personal profile of you (think marketing, id theft, or worse).

Protect Your Web Searches

Protect Your Web Searches

by Wendy Boswell

“My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.” -Thelma Arnold, AOL Searcher No. 4417749

AOL’s recent “doh!” release of more than 500K user search records has prompted many people to examine their search methods. While no one approach is absolutely foolproof, using a combination of common sense searching strategies will make it harder for engines (or anyone else) to put together a detailed profile of you. Keep reading today’s feature for a few ways to protect yourself from search engines.

AOL: shock and awe

The biggest problem with AOL’s search records release is not what the individual queries revealed (although some of them were pretty disturbing); it was the fact that any search could be tied to one unique user ID. Looking at someone’s individual searches is not necessarily invasive – however, tie all those searches to one unique user ID and we’ve got a problem. For example:

~Angel Brady

So here is a site that shows why it’s important to choose good passwords. For those of you who groan when I give you your default password for an account because it’s ‘hard to remember’ note that the reason it’s not something as simple as, oh, your last name, is so that bad people don’t come into our system and mess up your stuff without having to do some work to figure out your shift-character laden, alphanumeric, mnemonically phrased password.

From: http://www.lockdown.co.uk/?pg=combi&s=articles

Examples

These are just a couple of examples to show the resilience of certain types of password, using the information in the tables above you will be able to make your own examples.

Sample Passwords		Class of Attack
Pwd	Combinations	Class A	Class B	Class C	Class D	Class E	Class F
darren	308.9 Million	8½ Hours	51½ Mins	5 Mins	30 Secs	3 Secs	Instant
Land3rz	3.5 Trillion	11 Years	1 Year	41 Days	4 Days	10 Hours	58 Mins
B33r&Mug	7.2 Quadrillion	22,875 Years	2,287 Years	229 Years	23 Years	2¼ Years	83½ Days

As always, OpenSSH is one of my favorite applications, and understanding it is kind of an art. Whenever I see a good overview, howto, or explainer, I like to capture it here. Enjoy!

An Illustrated Guide to SSH Agent Forwarding
In this paper, we’ll present the various forms of authentication available to the Secure Shell user and contrast the security and usability tradeoffs of each. Then we’ll add the extra functionality of agent key forwarding, we hope to make the case that using ssh public key access is a substantial win.