Category: Security

Computer Security

  • Quickly lock Windows in your absence with WinLockr


    This free open source application quickly locks your Windows computer while you are away from the desk and do not want to switch the computer off.

    WinLockr is an easy-to-use application that, besides locking the screen, disables the mouse and keyboard for extra protection; a key combination enables them again. The locked screen shows appropriate details, such as the time the screen was locked and the number of failed unlock and shutdown attempts; WinLockr also protects against the computer being shut off. If someone discovers your password to unlock the computer, it will not be enough: they will also need to know the key combination that reactivates the keyboard before they can type the password into the login screen.

    WinLockr to lock Windows desktop

    If you choose to, you can set up WinLockr to lock and unlock your computer with a USB key instead of a password. This makes locking Windows very quick, and it is impossible for others to see what password you typed in, since there isn't one. A Windows account can be set up with a password and the screen locked while you are away, but that does not have all of the features WinLockr has; if you work in an office environment you will be better protected using WinLockr instead of the default Windows lock screen.

    Visit WinLockr homepage

  • Prevent identity theft and fraud with Identity Sweeper


    With hard disks getting bigger and thousands of files on our computers, it is easy to leave behind personal data that could be used for identity theft. Identity Finder, renamed Identity Sweeper, addresses the risk of data leakage by finding and securing private information. It would be a good idea to run something like this on your hard disk before taking your laptop to the repair shop or allowing anyone who is not family to use your computer.

    Identity Sweeper scans your computer's files for credit card numbers, dates of birth, passwords, bank account numbers, driver's licence numbers, phone numbers and other personal data often used by identity thieves. It can also search for country-specific data such as Canadian SIN numbers, British NHS identification numbers and Australian TFN account numbers.

    After the scan the software shows all of the data it has found in a detailed preview pane with statistics and offers to securely wipe it using the US Department of Defense standard (DoD 5220.22-M). Any wrongly classified data can be filtered out of future scans by marking it as ignored. If you need to keep the data on your computer you do not have to erase it; you can use Identity Sweeper to encrypt it instead. The application integrates with Windows Explorer, adding context menu options for easy access.

    Some of the locations scanned for sensitive data include Internet browser temporary files (IE and Firefox), cookies, messenger logs, text documents (.docx, .pdf, .txt, .rtf, .html), compressed files (.zip, .gzip, .rar, .bzip), email messages (Windows Mail, Thunderbird, Outlook Express) and others.
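    As an added example, not part of the article or of Identity Sweeper, the Python below shows the core of a credit card scan like the one described: it finds 13 to 19 digit runs in constructed sample files, drops candidates that fail the Luhn check, honours an ignore list for wrongly classified matches and masks the findings in its report. File names and contents are constructed.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes (constructed pattern).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself does not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name: str, text: str, ignore=frozenset()) -> list:
    """Return (file, line number, masked match) for every Luhn-valid card-like number.
    `ignore` holds digit strings the user has marked as false positives."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits) and digits not in ignore:
                hits.append((name, lineno, mask(digits)))
    return hits


# Constructed sample files; 4111 1111 1111 1111 and 5500 0000 0000 0004 are well-known
# test numbers that pass Luhn, the other digit runs are not card numbers.
SAMPLE_FILES = {
    "notes.txt": "Card for the hotel: 4111 1111 1111 1111 exp 12/28\nOrder ref 1234567890123\n",
    "report.txt": "Shipment tracking 9876543210987654 (not a card)\nSecond card 5500 0000 0000 0004 on file\n",
}


def scan_samples(ignore=frozenset()) -> list:
    """Run the scanner over every constructed sample file."""
    out = []
    for name, text in SAMPLE_FILES.items():
        out.extend(scan_text(name, text, ignore))
    return out
```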

    Identity Sweeper credit card protection

    Identity Sweeper contains all of the tools needed by those not using full disk encryption: a secure data wiper, file encryption and a password manager, with the icing on the cake being the hard disk scan for unsecured data useful to identity thieves. The free edition of this software is pretty basic; it comes with a data shredder and only scans for credit card numbers and passwords. If you want the whole suite with all of the features you will have to buy it.

    Visit Identity Sweeper homepage

  • Types of Virtual Private Network protocols explained


    A VPN tunnel sets up an encrypted data connection between your computer and a remote server. Any request you make to download or upload data, such as viewing a website or making an FTP transfer, is routed through the encrypted tunnel, stopping third parties from eavesdropping on the content. Your own ISP will not be able to log and find out what sites you have visited; all it will see is the address of the remote VPN server you are connecting to and the port used.

    Virtual Private Networks are often used by remote workers to connect to their company server and by home users who want to stop third parties monitoring them. VPNs get around Internet censorship, protect your connection on public Wi-Fi and give you a different IP address, one located where the VPN server resides.

    A Virtual Private Network cannot speed up your Internet connection; it limits the available bandwidth to that of the server, and you will never get more bandwidth than the VPN server has available. If the VPN server is located far from your country the ping time will suffer, so for best performance always try to use a VPN as close as possible to your home.

    Some insecure VPN protocols are used in conjunction with IPsec, a protocol that secures traffic on IP networks; IPsec supplies the encryption and authentication that those VPN protocols lack.

    Virtual Private Network different protocols

    Point-to-Point Tunneling Protocol (PPTP): Commonly used in Microsoft products. The PPTP specification does not describe encryption or authentication; it simply tunnels the traffic. Microsoft runs an improved version of PPTP with encryption, supporting 40-bit and 128-bit keys, but numerous vulnerabilities have been found and PPTP is not considered secure; this protocol should be used only as a last resort.

    Layer Two Tunneling Protocol (L2TP): An improved version of PPTP, not secure by itself but often implemented with IPsec. L2TP/IPsec encrypts the data transmission and also provides integrity. Some smartphones, like the iPhone, will not work with OpenVPN unless they have been jailbroken; you can use L2TP in those cases.

    VPN tunnel encryption

    Layer 2 Forwarding (L2F): Developed by Cisco, this tunnelling protocol does not provide encryption; L2F was designed to tunnel PPP traffic.

    Secure Socket Tunneling Protocol (SSTP): Encapsulates PPP or L2TP traffic in an SSL connection and supports AES encryption. This protocol is only available in Windows, from Windows Vista SP1 onwards, where it has been integrated into the remote access architecture; SSTP VPN tunnels can also be established over IPv6-based networks.

    What is OpenVPN?

    OpenVPN is not a VPN protocol; it is an open source application that establishes a VPN tunnel, uses SSL/TLS encryption and can get through firewalls.

    The OpenVPN software uses a pre-shared key or a digital certificate to authenticate with the VPN server. Many VPN providers supply their own VPN client; this customized software is based on the original open source OpenVPN program. The typical VPN provider adds some extra features, e.g. a server location map, brands it with its name and builds an eye-candy interface, but the security and inner workings remain the same.

    Virtual Private Network and Email

    Because many VPN services offer a no-logs service, some spammers take advantage of it to send mass emails, so many VPN providers block SMTP email through the tunnel.

    To stop spammers, VPN services that allow sending email limit the number of messages that can be sent in a given time. Other VPN services will whitelist your chosen SMTP server, so that a specific customer can send email through a specific service that is not an open relay, which is what spammers use most. Another solution for sending email through a VPN is to use webmail.

  • LastPass possibly compromised by malicious hackers


    One of the most used online password managers, LastPass, winner of numerous IT awards such as PC Magazine Editors' Choice and featured in IT podcasts like Security Now, is asking all of its users to change their main account password after detecting an abnormal data transfer on its servers.

    LastPass has noticed unexplained traffic, and it is possible that encrypted data was pulled from its database. The people at risk in that scenario are users who log in with a weak password: LastPass's encryption algorithm is sound, but an easy-to-guess password makes it crackable with a brute force attack, which consists of quickly trying all of the words in a dictionary in a matter of hours using specialist password cracking software.

    Those using a weak, easily guessed master password stand a good chance of being affected; LastPass recommends that all of its users change their main account password. The amount of data transferred by the hackers appears to be enough to contain users' email addresses and salted, hashed (encrypted) passwords.

    Is LastPass still secure?

    The company is announcing the roll-out of a one-way encryption algorithm even stronger than the one it currently uses: PBKDF2 using SHA-256 on the server, with a 256-bit salt and 100,000 rounds.
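    An added example, not LastPass's code, of the scheme named above in Python: PBKDF2-HMAC-SHA256 with a 256-bit salt and 100,000 rounds, a constant-time verify, and a measurement of how many times more work one guess costs than a single plain SHA-256 hash, which is what makes a dictionary run against a leaked database slow. The sample password is constructed.

```python
import hashlib
import hmac
import os
import time

ROUNDS = 100_000      # iteration count named in the announcement
SALT_BYTES = 32       # 256-bit salt, one per user


def new_salt() -> bytes:
    """Fresh random salt; two users with the same password get different hashes."""
    return os.urandom(SALT_BYTES)


def server_hash(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """PBKDF2-HMAC-SHA256: one-way, salted and iterated, 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def verify(password: str, salt: bytes, stored: bytes, rounds: int = ROUNDS) -> bool:
    """Constant-time comparison so the login check itself leaks no timing information."""
    return hmac.compare_digest(server_hash(password, salt, rounds), stored)


def cost_multiplier(sample_password: str = "correct horse", rounds: int = ROUNDS) -> float:
    """How many times slower one PBKDF2 guess is than one salted plain SHA-256 hash.
    Every dictionary word an attacker tries against a leaked hash pays this factor."""
    salt = new_salt()
    data = salt + sample_password.encode("utf-8")
    t0 = time.perf_counter()
    for _ in range(200):
        hashlib.sha256(data).digest()
    plain = (time.perf_counter() - t0) / 200
    t0 = time.perf_counter()
    server_hash(sample_password, salt, rounds)
    iterated = time.perf_counter() - t0
    return iterated / plain
```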

    I would be concerned about storing all of your passwords online, whether encrypted or not. Breaking into LastPass, or any other online password manager, would mean a profit of millions of dollars for malicious hackers; just imagine what they could get: email accounts, online banking details, credit card numbers (stored in notes), dates of birth and names (stored in profiles), forum usernames for identity theft, etc.

    I would imagine LastPass is pretty high on the list of targets for cybercriminals. My main concern with LastPass is that, like all of the online password managers out there, its PR claims that its servers are extremely secure, but even the USA Government's secret services get hacked; I don't think any server out there is 100% secure if it is connected to the Internet.

    My other concern, with online password managers in general and not only LastPass, is that the company has a personal interest in minimizing the incident; LastPass, for example, is not even admitting it has been hacked.

    Password security hacker

    I doubt LastPass would come out in public with this if they did not believe the chances of someone having hacked their servers were pretty high. Can hackers erase all of their IP traces, or is LastPass unwilling to admit for certain that they have been hacked? Whichever the case, poor log auditing or a company covering it up, the result is the same: not trustworthy.

    Every time I see a company with its user database compromised (Gawker, Sony, Lush, etc.), I notice a total lack of transparency; you just have to sit down and trust that the company, with a direct economic interest in not making a fuss over the incident, explains the details of what exactly happened and what security mistakes it made.

    You should also be aware that, due to all of the people logging into LastPass at once to change their password, the server could not handle the load and momentarily blocked some users' access. A Denial of Service attack locking you out of your password manager is another hazard you are exposed to by using an online password manager.

    Online password manager alternative

    The obvious alternative to LastPass, or any other online password manager, is an offline password manager; a good choice would be KeePass, which is free and open source. By using KeePass you make sure that you are in control of your password database at all times. If you are a LastPass customer, read the instructions to import LastPass passwords into KeePass.

  • 2 ways to track a stolen digital camera


    • Find your stolen camera using its serial number

    Digital cameras have a unique serial number, and many cameras embed this number in the digital photographs you take; more specifically, it is included in what is known as the EXIF (Exchangeable Image File Format) data. Other data is also included there, such as geolocation, camera model, date and time, author, etc.

    Not all digital cameras store the camera's serial number in the photographs, so this will not work for everyone. It is also possible to erase or fake the EXIF metadata; Facebook, for example, automatically strips the EXIF data from pictures uploaded to your account. Erasing EXIF data takes time, and many people do not bother with it or just don't know how to do it.

    Stolen Camera Finder is a website that searches for pictures on the web taken with your camera; it does this by looking at the camera's unique serial number stored in the pictures.

    Visit StolenCameraFinder homepage
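    As an added example, not from the article or from Stolen Camera Finder, the Python below builds a constructed JPEG carrying an Exif segment with the Make and BodySerialNumber tags and parses it back, which is how a search like this, or a check of what your own uploads reveal, reads the serial out of a photo; a JPEG whose Exif segment has been stripped yields nothing.

```python
import struct

TAG_MAKE, TAG_EXIF_IFD, TAG_BODY_SERIAL = 0x010F, 0x8769, 0xA431   # TIFF/Exif tag ids
ASCII, LONG = 2, 4                                                    # TIFF field types


def build_sample_jpeg(make: bytes, serial: bytes) -> bytes:
    """Constructed sample: JPEG shell with one Exif APP1 segment (big-endian TIFF), Make in
    IFD0 and BodySerialNumber in the Exif sub-IFD; both strings stored out of line (> 4 bytes)."""
    make, serial = make + b"\0", serial + b"\0"          # ASCII fields are NUL-terminated
    make_off = 8 + 2 + 2 * 12 + 4        # TIFF header, then IFD0 (count, 2 entries, next ptr)
    exif_off = make_off + len(make)
    serial_off = exif_off + 2 + 12 + 4   # Exif IFD: count, 1 entry, next ptr
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 2)
    tiff += struct.pack(">HHII", TAG_MAKE, ASCII, len(make), make_off)
    tiff += struct.pack(">HHIII", TAG_EXIF_IFD, LONG, 1, exif_off, 0) + make
    tiff += struct.pack(">HHHII", 1, TAG_BODY_SERIAL, ASCII, len(serial), serial_off)
    tiff += struct.pack(">I", 0) + serial
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _read_ifd(tiff: bytes, off: int, bo: str) -> dict:
    """Map tag -> (type, count, value-or-offset, position of the entry's 4 value bytes)."""
    count, = struct.unpack_from(bo + "H", tiff, off)
    entries = {}
    for i in range(count):
        pos = off + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack_from(bo + "HHII", tiff, pos)
        entries[tag] = (typ, cnt, val, pos + 8)
    return entries


def _ascii(tiff: bytes, entry: tuple):
    typ, cnt, val, inline_pos = entry
    if typ != ASCII:
        return None
    start = inline_pos if cnt <= 4 else val   # values of 4 bytes or less sit inside the entry
    return tiff[start:start + cnt].split(b"\0")[0].decode("ascii", "replace")


def exif_identity(jpeg: bytes) -> dict:
    """Camera Make and BodySerialNumber from a JPEG's Exif APP1 segment; None when stripped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    result, pos = {"make": None, "serial": None}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:      # walk the marker segments
        marker, seglen = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + seglen]
            bo = "<" if tiff[:2] == b"II" else ">"           # byte order from the TIFF header
            ifd0 = _read_ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
            if TAG_MAKE in ifd0:
                result["make"] = _ascii(tiff, ifd0[TAG_MAKE])
            if TAG_EXIF_IFD in ifd0:
                exif = _read_ifd(tiff, ifd0[TAG_EXIF_IFD][2], bo)
                if TAG_BODY_SERIAL in exif:
                    result["serial"] = _ascii(tiff, exif[TAG_BODY_SERIAL])
            return result
        pos += 2 + seglen
    return result
```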

    FujiFilm FinePix digital camera

    • Find your stolen camera using Eye-Fi & Wifi & 3G

    An Eye-Fi card is a memory card with wireless capabilities; it uploads all of your photos online automatically as soon as it detects an open Wi-Fi access point in range. Best of all, an Eye-Fi card automatically geotags your pictures and videos with the exact location where they were taken.

    If your camera has been lost or stolen, look at your online photo account, e.g. Flickr or SmugMug, to see if any pictures have been uploaded there recently, then look at the metadata (EXIF): you will have not only the thief's photographs but also the location where the photos were taken. You should pass this information on to the police for them to follow up.

    One problem you will find is that most Wi-Fi access points need a password, and if your Eye-Fi card has not been configured to use it, it won't be able to access the Internet. This can be solved by buying a high-end digital camera with built-in 3G; the latest Eye-Fi cards can be made to work with it and upload the photos using the camera's built-in 3G Internet connection.

    Journalists and bloggers living in dangerous places will also appreciate the ability to upload their photos online instantly while erasing the pictures from their camera's memory card just a couple of minutes after they have been taken.

    Visit Eye-Fi homepage

  • 5 services to manage your online accounts after death


    Online account management after death

    Death is not a possibility but a certainty that depends only on when, not if. It makes sense to prepare a list of all your valuable online accounts, like PayPal, Google account, Flickr, eBay, Amazon, Hotmail, domain registrar accounts, etc., for your loved ones.

    You could store all of your digital accounts' user names and passwords inside an encrypted file and tell your next of kin what the password is, with instructions to open it and take over your digital accounts after you die, or you could use an online trustee that will take care of all of your digital assets and pass them on to your selected beneficiaries.

    The companies managing your online accounts will verify that you have died before carrying out any instructions. You can leave a last email to be sent after your death, including attachments with photos or documents, and some trustee services can be directed to update your social media accounts (Facebook, LinkedIn, Twitter, Flickr, etc.) to announce that you have died.

    Online legacy companies

    AfterSteps: They will send you a detailed planning guide explaining how everything works; you can upload any digital document and receive reminders about your progress in completing the whole process. The company guarantees that your end-of-life plan will be received by your designated verifier, usually a family member or loved one, after you pass away.

    Digital legacy services AfterSteps

    Legacy Locker: After a human verification process of your death or incapacitation, Legacy Locker grants your loved ones access to your digital accounts and to the digital documents or photos stored with them. Until then, all of your stored data is kept encrypted and nobody can access it; not even the company can view your data.

    Legacy Locker online trustee after death

    SecureSafe: Any online account with a username and password can be left with SecureSafe. There are various plans available; the basic one transfers your passwords and usernames to your designated person after death verification.

    SecureSafe online legacy services

    AssetLock: It organizes all of the data you would like your family to know about if anything happened to you. This is not an online will but a digital assets manager that passes everything on to your loved ones when you pass away; data is encrypted using 256-bit AES. You should create various accounts and write down the credentials in your paper will so that the beneficiaries can log in and read the data.

    AssetLock online digital assets

    MyWonderfulLife: This service helps you plan your funeral online, leaving letters for your loved ones and notes telling them where everything is located and what your last wishes are; you can even write your own obituary after sharing stories and memories.

    MyWonderfulLife funeral planning