Robert L. Santuci Jr.'s Blog

OUCH! | January 2012–Securing Your Home Wi-Fi Network

2012-01-18T07:52:00.001-08:00

Technorati Tags: WiFi,router,internet,security

OUCH! | January 2012

IN THIS ISSUE…

• Administration
• Your Network Name
• Encryption & Authentication
• OpenDNS

Securing Your Home Wi-Fi Network

GUEST EDITOR

Raul Siles is the guest editor for this issue. Raul is the
founder of and a senior security analyst with Taddong
(www.taddong.com), a SANS author and instructor, and
security passionate (www.raulsiles.com). You can follow
Raul on Twitter at @taddong and on his blog at
blog.taddong.com.

OVERVIEW

Wi-Fi networks (sometimes called by their technical name
802.11) allow people to wirelessly connect devices to the
Internet, such as smartphones, gaming consoles, tablets,
and laptops. Because Wi-Fi networks are simple to setup,
many people install their own Wi-Fi networks at home.
However, many home Wi-Fi networks are configured
insecurely, allowing strangers or unauthorized people to
easily access your home network or anonymously abuse
your Internet connection. To ensure you have a safe and
secure home Wi-Fi network, here are a few simple steps
you should take.

ADMINISTRATION

Your Wi-Fi network is controlled by something called a Wi-
Fi access point. This is a physical device you can buy at
your local electronics store or that may be built into your
Internet router. The access point is what wirelessly
connects your devices to the Internet. One of the first steps
to securing your Wi-Fi network is limiting who can
administer your Wi-Fi access point and how they can
access it. We recommend you take the following steps
when configuring your Wi-Fi access point for the first time.

• For many Wi-Fi access points the default
administrator login and password is well known. In
fact, these default accounts can often be found
listed on the Internet. So be sure to change the
default administrator login and password to
something that only you know.
• For administrative access to your Wi-Fi access
point, we recommend you disable wireless access
and instead require a physical network connection,
such as using an Ethernet cable. If you must have
wireless administrative access, then at a minimum
disable HTTP access and require HTTPS, which
supports encryption.

SETTING YOUR WI-FI NETWORK NAME

Another option you will need to configure is the name of
your Wi-Fi network (often called SSID). This is the name
your devices will see when they search for local Wi-Fi
networks. We recommend changing your default Wi-Fi
network name. Give your network name something unique
so you can easily identify it, but make sure it does not
contain any personal information. Also, there is little value
in configuring your Wi-Fi network as hidden (or non-
broadcast). Today most Wi-Fi scanning tools or any skilled
attacker can easily discover the details of a hidden network.
The recommended option is to leave your Wi-Fi network
visible, but secure it using the other steps covered in this
newsletter.

ENCRYPTION & AUTHENTICATION

The next step is to ensure that only people you know and
trust can connect to and use your Wi-Fi network and that
those connections are encrypted. We want to be sure that
neighbors or nearby strangers cannot connect to or monitor
your Wi-Fi network. Fortunately, these dangers are easily
mitigated by simply enabling strong security on your Wi-Fi
access point. Currently one of the best options is to use the
security mechanism WPA2. By simply enabling this you
require a password for people to connect to your Wi-Fi
network, and once authenticated, those connections are
encrypted. Be sure you do not use older, outdated security
methods, such as WEP, or no security at all, which is called
an open Wi-Fi network. An open network allows anyone to
connect to your Wi-Fi network without any authentication.
The recommended encryption method for WPA2 is AES
only, versus other options such as TKIP or TKIP+AES.

When configuring the password people will use to connect
to your Wi-Fi network, make sure it is different from the
administrator password and that the password cannot be
easily guessed; we recommend at least 20 characters long.
This may sound like a very long password, but remember
you most likely have to enter it only once for each of your
devices, as they will store and remember the password for
future network access. If your Wi-Fi access point is in a
physically secure location and only trusted members of your
family have access to it, one option may be to tape the user
password to the bottom of the Wi-Fi access point for easy
recall. Remember that anyone you have given the password
to will have access to your Wi-Fi network, so from time to
time you may want to change it.

Finally, we recommend you turn off or disable WPS (Wi-Fi
Protected Setup). WPS is a specification designed to ease
the process of securely setting up your Wi-Fi access point.
At the time of publishing this newsletter, recent vulnerabilities
were found that may allow an attacker full access to your
wireless network if WPS is enabled.

OPENDNS

Once you have your Wi-Fi connection configured, one of the
last steps we recommend is configuring your network to use
OpenDNS as your DNS servers. When you type a name into
your browser, DNS is how your browser knows which server
on the Internet to connect to. OpenDNS is a free service that
helps ensure you connect only to safe websites. In addition,
OpenDNS gives you the ability to manage what websites your
family can connect to. If you want to filter and block
objectionable material, this is a great resource. The
OpenDNS website walks you through step-by-step how to
configure your Wi-Fi access point to use OpenDNS.

RESOURCES

Some of the links shown below have been shortened for
greater readability using the TinyURL service. To mitigate
security issues, OUCH! always uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

OnGuard Online Wi-Fi Security:
http://preview.tinyurl.com/7sylsul

Security Encyclopedia:
http://preview.tinyurl.com/bpc2h23

WPS Vulnerability:
http://preview.tinyurl.com/cjs4l4w

OpenDNS:
http://www.opendns.org

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the
Creative Commons BYNC-ND 3.0 license. Permission is granted to distribute this newsletter
as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner

Blog posted using Windows Live Writer

Need a Florist? Try Arrigo's Flower Shop !!

2011-12-29T16:15:00.001-08:00

If you live in the East Lovejoy area of Buffalo, NY (aka Iron Island, Iron City), try a local merchant for your floral needs. 30 years experience shows that they do it right!

They’re located at 1180 Lovejoy Street, Buffalo, NY and can be reached toll free at

1-800-472-1841

Arrigo's Flower Shop

Cyber Security Tip ST11-001 - Holiday Traveling With Personal Internet-Enabled Devices

2011-12-19T10:03:00.001-08:00

Cyber Security Tip ST11-001
Holiday Traveling With Personal Internet-Enabled Devices

   The internet is at our fingertips with the widespread use of
   internet-enabled devices such as smart phones and tablets. When traveling
   and shopping anytime, and especially during the holidays, consider the
   wireless network you are using when you complete transactions on your
   internet-enabled device.

Know the risks

   Your smart phone, tablet, or other internet-enabled device is a full-fledged
   computer. It is susceptible to risks inherent in online transactions. When
   shopping, banking, or sharing personal information online, take the same
   precautions with your smart phone or other internet-enabled device that you
   do with your personal computer â€” and then some. The mobile nature of these
   devices means that you should also take precautions for the physical
   security of your device (see Protecting Portable Devices: Physical Security
   for more information) and consider the way you are accessing the internet.

Do not use public Wi-Fi networks

   Avoid using open Wi-Fi networks to conduct personal business, bank, or shop
   online. Open Wi-Fi networks at places such as airports, coffee shops, and
   other public locations present an opportunity for attackers to intercept
   sensitive information that you would provide to complete an online
   transaction.

   If you simply must check your bank balance or make an online purchase while
   you are traveling, turn off your device's Wi-Fi connection and use your
   mobile device's cellular data internet connection instead of making the
   transaction over an unsecure Wi-Fi network.

Turn off Bluetooth when not in use

   Bluetooth-enabled accessories can be helpful, such as earpieces for
   hands-free talking and external keyboards for ease of typing. When these
   devices are not in use, turn off the Bluetooth setting on your phone. Cyber
   criminals have the capability to pair with your phone's open Bluetooth
   connection when you are not using it and steal personal information.

Be cautious when charging

   Avoid connecting your mobile device to any computer or charging station that
   you do not control, such as a charging station at an airport terminal or a
   shared computer at a library. Connecting a mobile device to a computer using
   a USB cable can allow software running on that computer to interact with the
   phone in ways that a user may not anticipate. As a result, a malicious
   computer could gain access to your sensitive data or install new software.
   Don't Fall Victim to Phishing Scams If you are in the shopping mode, an
   email that appears to be from a legitimate retailer might be difficult to
   resist. If the deal looks too good to be true, or the link in the email or
   attachment to the text seems suspicious, do not click on it!

What to do if your accounts are compromised

   If you notice that one of your online accounts has been hacked, call the
   bank, store, or credit card company that owns your account. Reporting fraud
   in a timely manner helps minimize the impact and lessens your personal
   liability. You should also change your account passwords for any online
   services associated with your mobile device using a different computer that
   you control. If you are the victim of identity theft, additional information
   is available from http://www.idtheft.gov/.

   For even more information about keeping your devices safe, read
   Cybersecurity for Electronic Devices.
     _________________________________________________________________

Produced in 2011 by US-CERT, a government organization.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST11-001.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

#Computers #Internet #Security

OUCH! | December 2011–E-mail Phishing and Scams

2011-12-15T10:51:00.001-08:00

OUCH! | December 2011

IN THIS ISSUE…

• Phishing
• Scams
• Protecting Yourself

E-mail Phishing and Scams

GUEST EDITOR

Pieter Danhieux is the guest editor for this issue. He works
for BAE Systems stratsec in Australia (www.stratsec.net)
and is an instructor for the penetration testing courses at
the SANS Institute.

OVERVIEW

E-mail is one of the primary ways we communicate. We not
only use it every day for work, but also to stay in touch with
our friends and family. In addition e-mail is how companies
provide many products or services, such as confirmation of
an online purchase or updates to our bank account. Since
so many people around the world depend on e-mail, it has
also become one of the primary methods cyber criminals
use to attack others. In this newsletter we explain these
dangers and steps you can take to protect yourself.

PHISHING

Phishing is one of the most common e-mail based attacks.
It uses social engineering, a technique where cyber
attackers attempt to fool you into taking an action. Phishing
was a term originally used to describe an attack designed to
steal your online banking login details. However, the term
has evolved and now refers to almost any cyber attack sent
by e-mail. A phishing attack begins with an e-mail
pretending to be from someone or something you know or
trust, such as your bank or your favorite online store.
These e-mails then try to entice you into taking an action,
such as clicking on a link, opening an attachment, or
responding to a message. Cyber criminals craft these
convincing e-mails and then send them out to thousands, if
not millions, of people around the world. The criminals do
not have a specific target in mind, nor do they know exactly
who will fall victim. They simply know the more e-mails
they send out, the more people they may be able to fool.
Phishing attacks often have one of the following objectives:

. Harvesting Information: The cyber attacker’s
   goal is to fool you into clicking on a link and taking
   you to a website that asks for your login and
   password or perhaps your favorite color or mother’s
   maiden name. These websites may look legitimate
   with exactly the same look and feel of your online
   bank, but they are designed to steal information
   that could give them access to your online account.

. Controlling your computer through malicious
   links: Once again, the cyber attacker’s goal is for
   you to click on a link. However, instead of
   harvesting your information, the goal is to infect
   your computer. If you click on the link, you are
   directed to a website that silently launches an
   attack against your browser, and, if successful,
   these cyber criminals have full control over your
   computer.

. Controlling your computer through malicious
   attachments: These are phishing e-mails that have
   infected attachments, such as infected PDF files or
   Microsoft Office documents. If you open these
   attachments they attack your computer, and if
   successful, give the attacker complete control.

SCAMS:

Scams are nothing new; these are attempts by criminals to
defraud you. Classic examples include notices that you’ve
won the lottery (even though you never entered it) or that a
dignitary needs to transfer millions of dollars into your
country and would like to pay you to help with the transfer.
They will then tell you that you have to pay a processing fee
before you can get your money. After you pay these fees
the criminals disappear, never to be heard from again.

PROTECTING YOURSELF

In most cases simply opening an e-mail is safe. For most
attacks to work you have to do something after reading the
e-mail (such as opening the attachment, clicking on the link,
or responding to the request for information). If after
reading an e-mail you think it is a phishing attack or scam,
simply delete the message. Here are some indications if an
e-mail is an attack.

. Be suspicious of any e-mail that requires
immediate action or creates a sense of urgency.
This is a common method used to trick people.

. Be suspicious of e-mails addressed to “Dear
Customer” or some other generic salutation.

. Be suspicious of grammar or spelling mistakes,
most businesses proofread their messages very
carefully.

. If a link in an e-mail seems suspicious, hover your
   mouse over the link. This will show you the true
   destination where you would go if you actually clicked
   it. The link that is written in the e-mail may be very
   different than where it will actually send you.

. Do not click on links. Instead copy the URL from the
   email and paste it into your browser. Even better is
   to simply type the destination name into your
   browser. For example, if you get an email from UPS
   telling you your package is ready for delivery, do not
   click on the link. Instead, go to the UPS website and
   then copy and paste the tracking number.

. Be suspicious of attachments; only open attachments
that you were expecting.

. Just because you got an e-mail from your friend does
   not mean they sent it. Your friend’s computer may
   have been infected or their account may have been
   compromised, and malware is sending the e-mail to
   all of your friend’s contacts. If you get a suspicious email
   from a trusted friend or colleague, call them to
   confirm that they sent it.

Ultimately, using e-mail safely is all about common sense. If
something seems suspicious or too good to be true, it is most
likely an attack. Simply delete the e-mail.

RESOURCES

How Phishing Works: http://preview.tinyurl.com/853xj85

OnGuard Online - Avoiding Scams:
http://preview.tinyurl.com/6vfoljs

Anti-Phishing Working Group: http://www.apwg.org
Phishtank: http://www.phishtank.org

Security Terms & Definitions:

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

#computers #e-mail #email #internet #security #phishing

Blog posted using Windows Live Writer

OUCH! | November 2011–Browser Security & Privacy

2011-12-15T08:39:00.001-08:00

OUCH! | November 2011

IN THIS ISSUE…

• Staying Current
• Plugins and Add-Ons
• Security Features
• Privacy

Browser Security and Privacy

GUEST EDITOR

Mike Poor is the guest editor for this issue. He is a senior
security analyst for the consulting firm InGuardians Inc.
(www.inguardians.com). Mike is also a senior instructor for
the SANS Institute and the track lead for one of SANS’ top
courses, SEC503: Intrusion Detection In-Depth.

OVERVIEW

Your Internet browser, such as Internet Explorer, Firefox,
Chrome, or Safari, is one of the primary tools you use to
interact with the Internet. Cyber attackers know this, which
makes your browser one of their primary targets. Also, your
browser may collect a great deal of personal information
about you that you may not be aware of. In this newsletter
we cover the steps you can take to protect both your
computer and your privacy.

KEEPING YOUR BROWSER CURRENT

The first step to protecting yourself is always using the
latest version of your browser. It does not matter which
browser you use; what is important is that you use the most
recent version of your browser. Cyber attackers are
constantly searching for, and finding, programming errors
and other flaws in browsers. These mistakes (often called
vulnerabilities) can be exploited, giving attackers access to,
and sometimes even complete control, over your system.
The companies that developed your browser (such as
Microsoft, Google, or Apple) release patches to fix these
vulnerabilities. By always having the latest version, you
ensure your browser has these known issues fixed. To
ensure your browser is updated, make sure the auto-
update feature is always enabled in your browser and
operating system. Some browsers, such as Chrome,
automatically update themselves every time you restart the
browser.

PLUGINS AND ADD-ONS

Plugins (sometimes called Add-Ons) are additional
programs you can install in your browser. The problem
with these additional programs is they can expose you and
your system to greater risk. Each program you add to your
browser has its own unique vulnerabilities or weaknesses.
Install only the plugins you absolutely need and be sure you
download them from well known, trusted sites. At times a
website may ask you to install a plugin. Be careful --these
can be attempts to fool you to install infected software.
When possible, always download and install a plugin from
the original vendor’s site. For example, always download
or update your Flash player from the Adobe site
www.adobe.com. Once you have installed a plugin you
have to ensure that you keep it up to date, just like your
browser. This can be challenging as many plugins have
no automatic updating capability; you have to manually
check and update them yourself. If that is the case, we
recommend you check the status of your browser plugins at
least once a month. In the resources section are several
trusted websites that will help you do this.

SECURITY FEATURES

Each browser has its own unique security features. Be
sure to take a moment and review your browser’s security
preferences or options. A key feature that almost all
browsers support is warning you when you visit potentially
malicious websites. Your browser maintains an updated list
of thousands of known websites that are malicious or
attempt to harm people. If you attempt to visit any of these
known malicious websites, your browser will stop you and
present a warning banner. When you get a warning
banner do not proceed to the site. Keep in mind, though,
you still always have to be careful about the websites you
visit. Your browser cannot keep up with cyber criminals; it
will not know all sites that are malicious.

PRIVACY

You may not realize it, but your browser may store a great
deal of information about your online activities, including
cookies, cached pages, and history. Cookies are small
data files that websites send to your browser and can make
using the web easier, such as storing your preferences.
But cookies also allow companies to track your movements
across the web. Cached pages are stored copies of
websites you have recently visited. They are used to
improve your system’s performance but also might be
accessed by unauthorized users. Finally, many browsers
save the history of all the websites you have visited to take
you more quickly to the websites you visit the most.
To protect your privacy you can disable some or all these
features. In addition, some browsers support the ability to
manually erase any stored data, or automatically erase stored
data every time you close your browser. Finally most
browsers support a privacy mode where all data collection is
turned off, including caching, cookies, and history. This
ensures no information is collected about your browsing
activities; however, this can also limit your ability to interact
with some sites. Check your browser’s privacy settings to
change any of these features.

Finally, whenever possible make sure your browser
connections are encrypted. This helps ensure your online
activity cannot be monitored or captured. Encrypted
connections are often called HTTPS. For example, sites
such as Twitter, Facebook, and Google allow you to set your
personal settings to ensure you are always using HTTPS
(encryption) when communicating to these sites. In addition,
whenever banking or shopping online, make sure your
connections are encrypted. To confirm this, look for https:// in
the browser and a lock.

RESOURCES

Browser Plugin Check:
http://preview.tinyurl.com/3m9gjr5

Firefox Plugin Check:
http://preview.tinyurl.com/3ojhl69

Chrome Browser Security:
http://preview.tinyurl.com/36sgakv

Internet Explorer 9 Security:
http://preview.tinyurl.com/3ly6wyv

Safari Browser Security:
http://preview.tinyurl.com/aesqpl

Firefox Browser Security:
http://preview.tinyurl.com/6ee3kx6

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

#computers #browsers #internet #security

Blog posted using Windows Live Writer

OUCH! | October 2011 - Backup and Recovery

2011-12-15T08:02:00.001-08:00

OUCH! | October 2011

IN THIS ISSUE…

• What To Back Up and When
• How To Perform a Backup
• Recovery
• Key Points

Backup and Recovery

GUEST EDITOR

Dr. Eric Cole is the guest editor for this issue of OUCH! Eric
focuses on consulting services that help organizations
deploy solutions that protect themselves. He also is an
author and teacher for the SANS Institute.

OVERVIEW

Backups are one of the most important steps you can take
to protect your information. They are your last line of
defense when something goes wrong, such as hard drive
failures, accidental file deletions, or malware infections. In
this issue, we focus on ways that you can back up your
data and develop a strategy that’s right for you.

WHAT TO BACK UP AND WHEN

There are two basic approaches when deciding what to
back up: (1) any data that you have created or that is
important to you, such as documents, pictures, or videos or
(2) everything, including your operating system and any
programs you have installed in addition to your unique data.
The first approach streamlines your backup process;
however, the second approach makes it easier to recover in
the event of a complete system failure. If you are not sure
what to back up, then back up everything.

Your next decision will be deciding how often to back up
your data. Common options include hourly, daily, weekly,
etc. For home users, personal backup programs, such as
Apple’s Time Machine or Microsoft’s Windows Backup and
Restore, will allow you to create an automatic “set it and
forget it” backup schedule. Other solutions offer continuous
protection, in which new or altered files are immediately
backed up as soon as they’re closed. If you’re part of an
organization with multiple computers, you may wish to
define your own schedule. A good approach is to consider
how much information you can afford to lose in a worst-
case scenario. For example, by backing up daily, you
might lose one day’s work if your computer crashes late in
the day. Many organizations schedule daily backups during
off-peak hours to minimize the impact on normal
operations.

HOW TO PERFORM A BACKUP

In general there are two destinations to which you can back
up your information: physical media or cloud-based
storage. Examples of physical media include DVDs, USB
drives, magnetic tape, or additional hard drives. Avoid
backing up to the same device that holds the original files.
When using physical media, be sure to label it both
internally (in the file name) and externally (on the medium)
so that you can easily identify a backup from a particular
date and time. You can store a local backup copy in a
lockable, fireproof and waterproof container designed for
your chosen media. A more robust option is to store
copies of your backups off site. For personal backups this
can be as simple as storing them at a family member’s
house or in a safe deposit box. Organizations may want to
hire a professional service to securely transport and store
backups. Depending on the sensitive nature of your
backups and where they are being stored, you may also
want to encrypt them.

Many of these issues are addressed for you with cloud
backups. Performing cloud backups is often as simple as
installing and configuring an application on your computer.
After you configure your backup options, new and altered
files are backed up automatically over the Internet to
servers in the provider’s data center.

Finally, you need to decide how far back in time your
backups need to go. Home users most likely do not need
to go back more than thirty days. Some organizations may
have policy or legal requirements for longer retention
periods and may also mandate the destruction of old
backups. If you are backing up organizational data, check
with your information technology, legal, or records
management group to be sure. Cloud backup services may
charge based on the amount of data that is backed up, so
take care not to run up a big bill.

RECOVERY

Backing up your data is only half the battle; you have to be
certain that you can easily recover it. Practice your recovery
process regularly, just as you would a fire drill, to help ensure
that everything will work properly should you need to use it.
Check at least once a month that your backup program is
working. If nothing else, try recovering a file. For more robust
testing, especially in organizations, consider making a full
system recovery, and verify that it is restorable. If you don’t
have spare hardware to use for testing a full system recovery,
restore key files and folders to a different location and then
verify that you have and can open everything.

KEY POINTS

.. Automate your backup process as much as possible, but
verify that it runs correctly.

.. When rebuilding an entire system or recovering key
operating system files, be sure you reapply security patches
and updates before putting it back into service.

.. Outdated or obsolete backups may become a liability and
should be destroyed in order to prevent them from being
accessed by unauthorized users.

.. If you are using a cloud solution, research the policies and
reputation of the organization. For example, do they encrypt
your data when it is stored? Who has access to your
backups? Do they support strong authentication?

.. For robust backup practices, consider the 3-2-1 rule:

... Three: If something is worth keeping, keep the
original plus two backup copies.

... Two: Use different types of media for your two
backup copies. If you must use the same medium
for both, use different vendors to mitigate
manufacturing defects.

.. One: Store one copy off-site, away from the
original and the second copy.

RESOURCES

Apple Time Machine:
http://preview.tinyurl.com/3wkytqs

Windows 7 Backup and Restore:
http://preview.tinyurl.com/ylghqgp

Cloud Backup:
http://preview.tinyurl.com/3reftgv

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

#computers #data #internet #security #backup #restore

Blog posted using Windows Live Writer

DotNetNuke World Session Videos Now Available

2011-11-25T07:22:00.001-08:00

I've recorded the following sessions from DNNWorld 2011 which was held in Orlando, FL on November 10th & 11th:

#01 DotNetNuke Widgets, From A to Z by Will Strohl

#02 Leveraging Social Media with DotNetNuke by Will Morgenweck

#03 Need a Mobile DotNetNuke Site? by Amelia Marschall

#04 Skin a Complete DotNetNuke Website by Amelia Marschall

#05 Advanced Skinning Techniques by Ralph Williams Jr.

#06 Using DNN to Feed Data to Several Social by Cassidy Brickner

#07 A candid look at Small Business E-Commerce by Robb Bryn

#08 Platinum Partner Panel by Various

#09 Community is Your Friend ... but it Could by Scott Willhite

DNNWorld Session Videos

They run approximately 40 to 50 minutes each. Feel free to download them if you wish. The slide decks can be found here:

DNNWorld Session Slide Decks

If you encounter any problems, please let me know. Thanks!

OUCH! | September 2011 - Social Networking Safety

2011-09-30T10:45:00.001-07:00

OUCH! | September 2011

IN THIS ISSUE…

• Overview
• Privacy
• Security

Social Networking Safety

GUEST EDITOR

Lenny Zeltser is the guest editor for this issue of OUCH!
Lenny focuses on safeguarding customers' IT operations at
Radiant Systems and teaches malware combat at the
SANS Institute. Lenny is active on Twitter as @lennyzeltser
and writes a security blog at blog.zeltser.com.

OVERVIEW

This month we’ll look at social networking sites, such as
Facebook, Twitter, Google+ and LinkedIn. Sites such as
these are powerful tools, allowing you to meet, interact with,
and share with people around the world. However with all
these capabilities come considerable risks, not to just you
but your employer, family, and friends. In this newsletter
we will discuss what these dangers are and how to use
these sites safely.

PRIVACY

A common concern about social networking sites is your
privacy, the risk of you or others sharing too much
information about yourself. These dangers of oversharing
include:

.. Damaging Your Career: Embarrassing information
may harm your future. Many organizations search social
networking sites as part of a new employee background
check to see what has been posted about you. Any
embarrassing or incriminating posts, no matter how old they
are, may prevent you from getting that new job. In addition,
many universities conduct similar checks for new student
applications.

.. Attacks Against You: Cyber criminals can harvest
your information and use it for attacks against you. For
example, they can harvest your personal information to
guess the answers to "secret questions" that websites
use to reset your passwords or perhaps apply for a credit
card using your personal information.

.. Attacks Against Your Employer: Criminals may
gather information that you share on social networking sites
when compiling competitive data or preparing for a cyber
attack on your employer. Moreover, your actions online
may inadvertently reflect badly on your employer. Be sure
to consult your employer’s social networking policy for
guidelines on how you are expected to safeguard your
organization’s data and reputation.

The most effective way to protect yourself against these
dangers is to be cautious about what information you post
about yourself. Consider whether the data you are sharing
now could be used against you some time later. Also,
tighten the privacy settings of your social networking profile
to limit who can see the personal information you might
share on the site. Keep in mind that your data may be
inadvertently leaked by the website or your friends, so it is
best to assume that any information you post will at some
point become public knowledge. Also, be aware of what
others post about you. If you have friends posting
information, pictures, or other data you do not want made
public, ask them to remove it.

SECURITY

In addition to being the source of damaging information
leaks, social networking sites can be used as a platform for
attacking your system or conducting scams. Here are
some steps to protect yourself.

..Login: Protect your social networking account with
a strong password. (See OUCH May 2011) Do not share
this password with anyone or use it for other sites. In
addition, some social networking sites, such as Facebook
or Google+, support features for stronger authentication,
such as using one-time passwords when logging in from
public computers or using your phone as part of the login
process. Enable these features where possible.

..Encryption: Many sites, such as Facebook,
Google+, and Twitter, allow you to force all communications
with the website to be encrypted (called HTTPS).
Whenever possible, enable this option.

..E-mail: Be cautious when clicking on links in e-mail
messages that claim to originate from a social networking
site. Instead, access the site using a saved bookmark and
check any messages or notifications using the website
directly.

.. Links: Be careful of clicking on links posted on
people..s walls or public pages. Viruses and worms spread
easily on such sites. If a link seems odd, suspicious, or too
good to be true, do not click on it..even if the link is on your
most trusted friend..s page. Your friend’s account may have
been hijacked or infected and now be spreading malware.

.. Scams: Criminals take advantage of the open nature
of social networking sites to defraud individuals. Such scams
sometimes use the pretext of an offer for a job or money that
is too good to be true. Another common scam uses hijacked
accounts to contact the victim’s friends with requests for help,
claiming that the person got robbed in a foreign country and
needs money. Be cautious when approached by a friend or a
stranger on a social networking site with a request for money
or with an offer that’s surprisingly good.

.. Apps: Some social networking sites give you the
ability to add or install third party applications, such as
games. Keep in mind there is little or no quality control or
review of these applications and they may have full access to
your account and the data you share. Malicious apps can
use this access to interact with your friends on your behalf
and to steal and misuse personal data. Be careful, and only
install apps that come from trusted, well-known sites. Once
they are installed, make sure you keep them updated. If you
are no longer using the app, then remove it.

Social networking sites are a powerful and fun tool; they
allow you to communicate with the world. If you follow the
tips outlined here, you should be able to enjoy a much safer
online experience.

RESOURCES

OnGuard Online: http://preview.tinyurl.com/5yjgjt
Microsoft: http://preview.tinyurl.com/3q4qzzr
US CERT: http://preview.tinyurl.com/df9f2d
Facebook: http://www.facebook.com/safety
Twitter: http://preview.tinyurl.com/3mb92rp

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

Blog posted using Windows Live Writer

Register to Attend DotNetNuke World 2011–In ORLANDO, FL!!

2011-09-28T15:54:00.001-07:00

Every year since the first North American DotNetNuke conference (then named OpenForce), it was nothing short of the who’s who of the DotNetNuke community and ecosystem. The buzz resulting from people before, during, and after the event was simply gravitating, and was sure to make anyone who didn’t attend jealous of those that did. If you pay any attention to the blogs, forums, and twitter during this time, this proves true every year.

For more on this story, you’ll find all the original blog by Will Strohl here:

DNN Blog - DotNetNuke World

Blog posted using Windows Live Writer

Blogger Comes To The iPhone

2011-09-12T05:01:00.001-07:00

You sure wouldn't write a long blog entry but this gets the job done!

Considering Using A Mover? Read This First

2011-09-04T19:48:00.001-07:00

A Short Story of Why We Will NEVER Use Allied Ever Again

Cyber Security Tip ST06-001 - Understanding Hidden Threats: Rootkits and Botnets

2011-08-30T12:42:00.001-07:00

National Cyber Alert System

Cyber Security Tip ST06-001

Understanding Hidden Threats: Rootkits and Botnets

Attackers are continually finding new ways to access computer systems. The

use of hidden methods such as rootkits and botnets has increased, and you

may be a victim without even realizing it.

What are rootkits and botnets?

A rootkit is a piece of software that can be installed and hidden on your

computer without your knowledge. It may be included in a larger software

package or installed by an attacker who has been able to take advantage of a

vulnerability on your computer or has convinced you to download it (see

Avoiding Social Engineering and Phishing Attacks for more information).

Rootkits are not necessarily malicious, but they may hide malicious

activities. Attackers may be able to access information, monitor your

actions, modify programs, or perform other functions on your computer

without being detected.

Botnet is a term derived from the idea of bot networks. In its most basic

form, a bot is simply an automated computer program, or robot. In the

context of botnets, bots refer to computers that are able to be controlled

by one, or many, outside sources. An attacker usually gains control by

infecting the computers with a virus or other malicious code that gives the

attacker access. Your computer may be part of a botnet even though it

appears to be operating normally. Botnets are often used to conduct a range

of activities, from distributing spam and viruses to conducting

denial-of-service attacks (see Understanding Denial-of-Service Attacks for

more information).

Why are they considered threats?

The main problem with both rootkits and botnets is that they are hidden.

Although botnets are not hidden the same way rootkits are, they may be

undetected unless you are specifically looking for certain activity. If a

rootkit has been installed, you may not be aware that your computer has been

compromised, and traditional anti-virus software may not be able to detect

the malicious programs. Attackers are also creating more sophisticated

programs that update themselves so that they are even harder to detect.

Attackers can use rootkits and botnets to access and modify personal

information, attack other computers, and commit other crimes, all while

remaining undetected. By using multiple computers, attackers increase the

range and impact of their crimes. Because each computer in a botnet can be

programmed to execute the same command, an attacker can have each of them

scanning multiple computers for vulnerabilities, monitoring online activity,

or collecting the information entered in online forms.

What can you do to protect yourself?

If you practice good security habits, you may reduce the risk that your

computer will be compromised:

* Use and maintain anti-virus software - Anti-virus software recognizes

and protects your computer against most known viruses, so you may be

able to detect and remove the virus before it can do any damage (see

Understanding Anti-Virus Software for more information). Because

attackers are continually writing new viruses, it is important to keep

your definitions up to date. Some anti-virus vendors also offer

anti-rootkit software.

* Install a firewall - Firewalls may be able to prevent some types of

infection by blocking malicious traffic before it can enter your

computer and limiting the traffic you send (see Understanding Firewalls

for more information). Some operating systems actually include a

firewall, but you need to make sure it is enabled.

* Use good passwords - Select passwords that will be difficult for

attackers to guess, and use different passwords for different programs

and devices (see Choosing and Protecting Passwords for more

information). Do not choose options that allow your computer to remember

your passwords.

* Keep software up to date - Install software patches so that attackers

can't take advantage of known problems or vulnerabilities (see

Understanding Patches for more information). Many operating systems

offer automatic updates. If this option is available, you should enable

it.

* Follow good security practices - Take appropriate precautions when using

email and web browsers to reduce the risk that your actions will trigger

an infection (see other US-CERT security tips for more information).

Unfortunately, if there is a rootkit on your computer or an attacker is

using your computer in a botnet, you may not know it. Even if you do

discover that you are a victim, it is difficult for the average user to

effectively recover. The attacker may have modified files on your computer,

so simply removing the malicious files may not solve the problem, and you

may not be able to safely trust a prior version of a file. If you believe

that you are a victim, consider contacting a trained system administrator.

As an alternative, some vendors are developing products and tools that may

remove a rootkit from your computer. If the software cannot locate and

remove the infection, you may need to reinstall your operating system,

usually with a system restore disk that is often supplied with a new

computer. Note that reinstalling or restoring the operating system typically

erases all of your files and any additional software that you have installed

on your computer. Also, the infection may be located at such a deep level

that it cannot be removed by simply reinstalling or restoring the operating

system.

_________________________________________________________________

Author: Mindi McDowell

_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Note: This tip was previously published and is being

re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-001.html

For instructions on subscribing to or unsubscribing from this

mailing list, visit

http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

OUCH! | August 2011 - Updating Your Software

2011-08-19T08:16:00.001-07:00

OUCH! | August 2011

IN THIS ISSUE…

• Overview
• Operating Systems
• Applications
• Browser Plug-ins

Updating Your Software

GUEST EDITOR

Mike Poor is the guest editor for this issue of OUCH! He is
a senior security analyst for the consulting firm InGuardians
Inc. (www.inguardians.com). Mike is also a senior instructor
for the SANS Institute and the track lead for one of SANS’
top courses, SEC503: Intrusion Detection In-Depth.

OVERVIEW

This month we will look at why updating your operating
system, applications, and browser plug-ins is essential to
maintaining your privacy and security. We will also provide
tools and techniques to help you keep your software
updated and secure. Vulnerabilities are bugs or
weaknesses in your software that cyber attackers can
exploit, and unfortunately, new vulnerabilities are being
discovered constantly. Software vendors, such as Microsoft
and Apple, issue updates (or patches) regularly to correct
these vulnerabilities. As a result, updating your software is
a key step to protecting yourself.

OPERATING SYSTEMS

Computers and mobile devices have operating systems,
which is the software that allows you to interact with your
system. Examples of operating systems for computers
include Microsoft Windows and Mac OS X. Operating
systems for mobile devices include Apple’s iOS and
Android OS. Microsoft Windows, long the favorite target for
attackers, includes a utility for checking and updating your
system automatically. Microsoft Update covers not only
Windows but also many Microsoft applications you have
installed, such as Office. Mac OS X has a similar autoupdating
feature for OS X and Apple applications.

Keep in mind that even if you have auto-updating enabled,
your computer must be able to download and install the
updates, and some updates require rebooting your system
before they take effect. For auto-updating to be most
effective, we recommend you set your system to check for
updates every day. Pick a time of day when your system
will be powered on, awake, and connected to the Internet.
When prompted, restart your computer without delay. You
can also use the auto-updating tool in Windows and OS X
to check for and install updates manually if you so choose.

iOS, for mobile devices like the iPhone and iPad, does not
include an auto-updating tool. Users must check for and
apply updates manually using iTunes. Android 2.x has an
auto-updater that covers both the OS and installed apps. It
requires your permission when they are ready to install.

SOFTWARE APPLICATIONS

Applications are additional programs you download and
install on your computer or mobile device. The key to
keeping your computer and mobile device apps updated
and secure is to know which ones you have installed,
whether or not they have a built-in auto-update utility, and if
that utility is enabled. In addition, the more apps you have
installed, the greater the risk you run of having a vulnerable
system--a compelling reason to install only the apps that
you need and use and to uninstall those unneeded and
unused. Several of the most common applications, such as
MS Office, Adobe Acrobat Reader, and Java, include an
auto-updater, but most do not. When in doubt, check the
software maker’s website to determine what you need to do
to keep an app updated.

We know and understand that keeping track of all your
computer applications and their update status can be
challenging. Good thing there are tools to help. One we
recommend is Secunia’s Personal Software Inspector
(PSI). PSI scans your computer for known applications and
attempts to determine which are out of date and provides
links so you can update them. Unfortunately, there is no
comparable tool for OS X we can recommend at this time.

Auto-updating is not built into iOS apps. It is up to the user
to download app updates through iTunes manually. Android
2.x has an auto-updater that covers both installed apps and
the OS. It will require your permission when updates are
ready to be installed.

BROWSER PLUG-INS

Finally, there are plug-ins (commonly called Add-ons).
These are small software applications that enhance the
functionality of your browser, such as Adobe Flash Player,
Apple QuickTime, and Microsoft Silverlight. As plug-ins
have proliferated, they have become a popular target for
cyber attackers because they are difficult to keep updated.
Again, the key to protecting yourself is to know which plug-ins
you have installed and whether or not they are current. Most
browsers give you the ability to see which plug-ins you have
installed and their current version. Some popular plug-ins
update themselves automatically.

It can be time-consuming to determine if your plug-ins are up
to date. Qualys’s Browser Check is a simple, easy-to-use,
web-based tool that enables you to determine quickly which
plug-ins you have installed, which are out-of-date, and how to
update them. In addition, most common browsers contain a
built-in tool for checking and updating plug-ins.

--> Mozilla provides a web-based tool for Firefox that
detects third-party plug-ins and provides links to updates.
http://preview.tinyurl.com/ylhbg7v

--> Chrome disables out-of-date plug-ins automatically.
Clicking on “Update plug-in” takes you to that plug-in’s
website where you can download its latest version.
http://preview.tinyurl.com/444vc59

--> Safari has automatic updating for plug-ins
(extensions), but by default it is not enabled. To activate it,
open the Preferences window in Safari and select
Extensions. Then select the Updates link at the bottom of the
extensions list, and put a check in the Install Updates
Automatically box. http://preview.tinyurl.com/3bou9z6

RESOURCES

Some of the links in this newsletter have been shortened
for greater readability using the TinyURL service. To
mitigate security issues, OUCH! uses TinyURL’s preview
feature, which shows you the ultimate destination of the link
and asks your permission before proceeding to it.

Windows Updating: http://preview.tinyurl.com/26glz4q
OS X Updating: http://preview.tinyurl.com/4qmuqs
iOS Updating: http://preview.tinyurl.com/55freg
Android Updating: http://preview.tinyurl.com/3ycw2zr
Secunia’s Personal Software Inspector (PSI):
http://preview.tinyurl.com/5wu6xo
Qualys’s Browser Check:
http://preview.tinyurl.com/3m9gjr5

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the

Creative Commons BY-‐NC-‐ND 3.0 license. Permission is granted to distribute this newsletter

as long as you reference the source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

© The S A N S Institute 2011 http://www.securingthehuman.org

OUCH! | July 2011–Understanding Encryption

2011-08-03T06:44:00.001-07:00

OUCH! | July 2011

IN THIS ISSUE…

• What is Encryption?
• Encrypting Stored Information
• Encrypting Information In Transit
• Best Practices and Caveats

Understanding Encryption

GUEST EDITOR

Fred Kerby is the guest editor for this issue of OUCH! He
recently retired from the Naval Surface Warfare Center
Dahlgren Division where he served as the information
assurance manager for the past 16 years. Fred is a senior
instructor with the SANS Institute.

WHAT IS ENCRYPTION?

Encryption is a mechanism that protects your valuable
information, such as your documents, pictures, or online
transactions, from unwanted people accessing or changing
it. Encryption works by using a mathematical formula called
a cipher and a key to convert readable data (plain text) into
a form that others cannot understand (cipher text). The
cipher is the general recipe for encryption, and your key
makes your encrypted data unique. Only people with your
unique key and the same cipher can unscramble it. Keys
are usually a long sequence of numbers protected by
common authentication mechanisms, such as passwords,
tokens, or biometrics (like your fingerprint).

ENCRYPTING STORED INFORMATION

Sensitive information, including medical, financial, or
business records, may reside on your mobile devices, such
as your laptop, USB stick, smartphone, or tablet. These
devices are easily lost or stolen, and if not encrypted, their
contents can be read by anyone who has access to them.
One of the best ways to protect data on a mobile device is
to encrypt it.

In general, there are three ways to encrypt data stored on
your mobile devices. You can encrypt specific files, encrypt
entire folders, or encrypt the entire hard drive. Most
operating systems support one, if not all three, options.
Encrypting your entire disk, commonly called full disk
encryption (FDE), is often considered the most secure. FDE
encrypts all data on your hard drive, including any
temporary files. It also simplifies the process as you do not
have to decide what to encrypt and not to encrypt. If you
cannot encrypt your entire hard drive, encrypt any files or
folders that contain sensitive information.

Mobile devices, such as USB thumb drives, may come with
encryption capabilities built into them, or you can encrypt
them by installing additional software on your computer.
Smartphones and tablets may have encryption capabilities
built into them as well. Otherwise, you will have to install
encryption apps; consult your phone vendor’s app store or
marketplace for information on what’s available.

ENCRYPTING INFORMATION IN TRANSIT

Information is also vulnerable when it’s in transit. If the data
is not encrypted, it can be monitored and captured online.
This is why you want to ensure that any sensitive online
communications, such as online banking, sending e-mails,
or perhaps even accessing your Facebook account, are
encrypted. The most common type of online encryption is
HTTPS, or connecting to secured websites. This means the
traffic between your browser and the website is encrypted.
Look for https:// in the URL or the lock icon in your browser.
Many sites support this by default (such as Google Apps),
and websites like Facebook and Twitter give you the option
in your account settings to force HTTPS. In addition, when
you connect to a public Wi-Fi network, use an encrypted
network whenever possible. WPA2 is currently one of the
strongest encryption mechanisms and the type you should
choose. Finally, whenever sending or receiving e-mail,
make sure your email client is set up to use encrypted
channels. One of the most commonly used is SSL (Secure
Socket Layer); many e-mail clients use SSL by default.

BEST PRACTICES AND CAVEATS

Regardless of which type of encryption you are using or
how you use it, almost all forms of encryption share some
common issues you need to be aware of.

• Your encryption is only as strong as your keys. If
your key is compromised, so is your data. If you are using
passwords to protect your keys, make sure you use strong
passwords and protect them well. (See the May 2011
edition of OUCH! on passwords).

• Don’t lose or lose access to your keys. If you lose
your encryption keys or can't access them because you've
forgotten the password that protects them, you most likely
cannot recover your data.

• Your encryption is only as strong as the security of
your computer. If your computer is infected, the bad guys
can compromise your encryption.

• Maintain the overall security of your computer.
Encryption does nothing to protect against viruses, worms,
Trojans, unpatched vulnerabilities, or social engineering
attacks.

• Always be sure to back up any confidential data
securely. This ensures that if you lose your device or your
encryption keys protecting your data, you can still recover
your data.

• Use encryption based on publicly known algorithms,
such as AES (Advanced Encryption Standard) or Blowfish,
rather than proprietary algorithms. Also, always be sure you
are using the latest version of your encryption programs.

• Consult an IT professional if you need help.
Incorrectly installing, configuring, or using encryption can
render your information permanently inaccessible.

RESOURCES

Full Disk Encryption Tools:

TrueCrypt: http://www.truecrypt.org/

PGP: http://www.pgp.com

Windows 7 Bitlocker: http://preview.tinyurl.com/3xaubbr

File and Folder Encryption:

TrueCrypt: http://www.truecrypt.org/

Windows: http://preview.tinyurl.com/yb29rzn

Mac: http://preview.tinyurl.com/6c2q3cy

USB Encryption

TrueCrypt: http://www.truecrypt.org/

SanDisk: http://preview.tinyurl.com/3nl4g2p

IronKey: https://www.ironkey.com/products

Encryption Standards

AES: http://preview.tinyurl.com/ku33x

WiFi: WPA and WPA2 http://preview.tinyurl.com/am5oa

How HTTPS works: http://preview.tinyurl.com/ya9se7f

How VPN works: http://preview.tinyurl.com/rfc9f

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program
and is distributed under the Creative Commons BY--NC--ND
3.0 license.

Permission is granted to distribute this newsletter as long
as you reference the source, the distribution is not modified
and it is not used for commercial purposes. For translating or
more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman,
Lance Spitzner, Carmen Ruyle Hardy

Blog posted using Windows Live Writer

Cyber Security Tip ST04-024 - Understanding ISPs

2011-08-03T06:34:00.001-07:00

Cyber Security Tip ST04-024

Understanding ISPs

   ISPs offer services like email and internet access. In addition to
   availability, you may want to consider other factors so that you find an ISP
   that supports all of your needs.

What is an ISP?

   An ISP, or internet service provider, is a company that provides its
   customers access to the internet and other web services. In addition to
   maintaining a direct line to the internet, the company usually maintains web
   servers. By supplying necessary software, a password-protected user account,
   and a way to connect to the internet (e.g., modem), ISPs offer their
   customers the capability to browse the web and exchange email with other
   people. Some ISPs also offer additional services. With the development of
   smart phones, many cell phone providers are also ISPs.

   ISPs can vary in size—some are operated by one individual, while others are
   large corporations. They may also vary in scope—some only support users in a
   particular city, while others have regional or national capabilities.

What services do ISPs provide?

   Almost all ISPs offer email and web browsing capabilities. They also offer
   varying degrees of user support, usually in the form of an email address or
   customer support hotline. Most ISPs also offer web hosting capabilities,
   allowing users to create and maintain personal web pages; and some may even
   offer the service of developing the pages for you. Some ISPs bundle internet
   service with other services, such as television and telephone service. Many
   ISPs offer a wireless modem as part of their service so that customers can
   use devices equipped with Wi-Fi.

   As part of normal operation, most ISPs perform backups of email and web
   files. If the ability to recover email and web files is important to you,
   check with your ISP to see if they back up the data; it might not be
   advertised as a service. Additionally, most ISPs implement firewalls to
   block some portion of incoming traffic, although you should consider this a
   supplement to your own security precautions, not a replacement (see
   Understanding Firewalls for more information).

How do you choose an ISP?

   Traditional, broadband ISPs typically offer internet access through cable,
   DSL, or fiberoptic options. The availability of these options may depend
   where you live. In addition to the type of access, there are other factors
   that you may want to consider:
     * security - Do you feel that the ISP is concerned about security? Does it
       use encryption and SSL (see Protecting Your Privacy for more
       information) to protect any information you submit (e.g., user name,
       password)? If the ISP provides a wireless modem, what wireless security
       standards does it support, and are those standards compatible with your
       existing devices?
    * privacy - Does the ISP have a published privacy policy? Are you
       comfortable with who has access to your information and how it is being
       handled and used?
     * services - Does your ISP offer the services you want? Do they meet your
       requirements? Is there adequate support for the services? If the ISP
       provides a wireless modem, are its wireless standards compatible with
       your existing devices?
    * cost - Are the ISP's costs affordable? Are they reasonable for the
       number of services you receive, as well as the level of those services?
       Are you sacrificing quality and security to get the lowest price?
    * reliability - Are the services your ISP provides reliable, or are they
       frequently unavailable due to maintenance, security problems, a high
       volume of users, or other reasons? If the ISP knows that services will
       be unavailable for a particular reason, does it adequately communicate
       that information?
     * user support - Are there published methods for contacting customer
       support? Do you receive prompt and friendly service? Do their hours of
       availability accommodate your needs? Do the consultants have the
       appropriate level of knowledge?
    * speed - How fast is your ISP's connection? Is it sufficient for
       accessing your email or navigating the internet?
    * recommendations - Have you heard or seen positive reviews about the ISP?
       Were they from trusted sources? Does the ISP serve your geographic area?
       If you've uncovered negative points, are they factors you are concerned
       about?
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST04-024.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

OUCH! | June 2011 - Protecting Your Kids Online

2011-06-28T05:32:00.001-07:00

OUCH! | June 2011

IN THIS ISSUE…

• Top three threats to your children online
• Educating and protecting your children
• Resources

Protecting Your Kids Online

GUEST EDITOR

Kevin Johnson is the guest editor for this issue of OUCH!
Kevin is a senior security consultant at Secure Ideas, runs
MySecurityScanner.com, and is a senior instructor with the
SANS Institute. You can find out more information at
http://www.secureideas.net and
www.mysecurityscanner.com

BACKGROUND

We all want the best for our children, including the ability to
leverage the latest in technology. In today’s world, children
need to understand technology not only to be competitive in
their education and careers but also in many cases to
develop and maintain active social lives. However, with
these capabilities come risks – risks that our children are
often not aware of or prepared to deal with. As parents, it is
our responsibility to ensure our children understand these
risks and how to protect themselves. In this newsletter, we
explain the top three threats to your children and how you
can help them stay safe online.

TOP THREE THREATS

To protect your children, you have to first understand the
dangers they face online. By understanding these dangers,
you and your children will be able to work together better to
defend against them.

1. Strangers: Dangerous strangers are one of the
most common threats most parents think of. These are
individuals who establish relationships with your children in
order to take advantage of them. Such individuals may
attempt to befriend your children or pretend to be children
themselves.

2. Friends: Cyber bullying is a growing problem on
the Internet and one that as a parent you may
underestimate. Bullying has always existed, but the
Internet amplifies the issue as bullies can post harassing
messages to the entire world and even hijack your child’s
identity online. In addition, bullies can remain anonymous
on the Internet, making them harder to track down and
stop.

3. Themselves: In today’s world of social networking,
children can be their own worst enemy. Anything they post
is not only accessible to the entire world but once posted
may be difficult or even impossible to remove. What your
children may not realize is how these postings can impact
their future. It is becoming standard practice for universities
or hiring organizations to review the social networking
activities of student candidates or new hires to gain a better
understanding of their potential.
anything embarrassing or illegal posted about them, it may
be held against them. In addition, highly personal
information can be used by strangers--or even by friends-to
target or harm them.

PROTECTING YOUR CHILDREN

Now that you understand the key risks, here are steps you
can take to defend against them.

. Education: The most important step you can take
is education. No single technology or computer program is
going to solve all the dangers your children face online.
Make sure you are always talking to them about their online
activities, and stay current with what they are doing. In
addition, create an environment where your children feel
comfortable coming to you with questions or problems they
may have online.

. Dedicated Computer: Have a separate computer
just for your children. This ensures that if they do
accidentally infect their computer, your online accounts,
such as online banking, are not affected or compromised.
In addition, keep the children’s dedicated computer in a
public, high-traffic area so that you can monitor their online
activities. Finally, make sure each child has and uses his
own non-administrative account on the computer. This will
allow you to more easily track what each child is doing on
the computer.

. Rules: Create a document that identifies the rules
you expect your children to follow when online. Also,
consider posting how the rules will be enforced and
possible consequences for violating the rules. Review the
document with your kids and then post it by their computer or
in some other visible area. This way your children will know
and understand your expectations.

. Monitoring: Children are by nature trusting and
curious. Unfortunately, as parents we know that this can
sometimes lead to dangerous or painful situations. So
monitor your children..s activities; they simply do not realize
how dangerous the world can be. Help them to identify
issues and discuss these issues together so that they can
build a safe online presence. You may not realize it, but your
computer has parental controls that help you to monitor their
activities, or you can purchase programs that give you greater
monitoring capabilities.

. Filtering: In addition, you may want to filter your
children’s online activities, such as restricting which websites
they can visit. This is especially important for younger
children, as it protects them from accidentally accessing
dangerous or unwanted content. Just like monitoring, your
computer has parental controls that enable you to filter their
activities, or you can purchase programs that give you greater
capabilities. However, as children grow older filtering
becomes less effective. Not only do children need greater
access, such as for school or work, but they will be
also accessing the Internet with devices you do not control,
such as computers in libraries, at a friend’s house, or at
school. This is why ultimately education is the most
important step you can take.

RESOURCES

There are additional resources on the Internet on how to
protect your children online or provide additional monitoring
or filtering capabilities. Here are several to start with:

Non-profit Dedicated to Protecting Kids
http://preview.tinyurl.com/63ebnz3

OnGuard Online
http://preview.tinyurl.com/6bm8xyu

Microsoft Family Safety
http://preview.tinyurl.com/3mqatb9

Facebook on Protecting Your Kids
http://preview.tinyurl.com/3tbda2a

OpenDNS Service
http://preview.tinyurl.com/3m37k3k

Parental Software Options
http://preview.tinyurl.com/3sd7pzg

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us at
http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program
and is distributed under the Creative Commons BY--NC--ND
3.0 license.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman,
Lance Spitzner, Carmen Ruyle Hardy

Cyber Security Tip ST06-005 - Dealing with Cyberbullies

2011-06-13T07:12:00.001-07:00

Cyber Security Tip ST06-005

Dealing with Cyberbullies

   Bullies are taking advantage of technology to intimidate and harass their
   victims. Dealing with cyberbullying can be difficult, but there are steps
   you can take.

What is cyberbullying?

   Cyberbullying refers to practice of using technology to harass, or bully,
   someone else. Bullies used to be restricted to methods such as physical
   intimidation, postal mail, or the telephone. Now, developments in electronic
   media offer forums such as email, instant messaging, web pages, and digital
   photos to add to the arsenal. Computers, cell phones, and PDAs are current
   tools that are being used to conduct an old practice.

   Forms of cyberbullying can range in severity from cruel or embarrassing
   rumors to threats, harassment, or stalking. It can affect any age group;
   however, teenagers and young adults are common victims, and cyberbullying is
   a growing problem in schools.

Why has cyberbullying become such a problem?

   The relative anonymity of the internet is appealing for bullies because it
   enhances the intimidation and makes tracing the activity more difficult.
   Some bullies also find it easier to be more vicious because there is no
   personal contact. Unfortunately, the internet and email can also increase
   the visibility of the activity. Information or pictures posted online or
   forwarded in mass emails can reach a larger audience faster than more
   traditional methods, causing more damage to the victims. And because of the
   amount of personal information available online, bullies may be able to
   arbitrarily choose their victims.

   Cyberbullying may also indicate a tendency toward more serious behavior.
   While bullying has always been an unfortunate reality, most bullies grow out
   of it. Cyberbullying has not existed long enough to have solid research, but
   there is evidence that it may be an early warning for more violent behavior.

How can you protect yourself or your children?

     * Teach your children good online habits - Explain the risks of
       technology, and teach children how to be responsible online (see Keeping
       Children Safe Online for more information). Reduce their risk of
       becoming cyberbullies by setting guidelines for and monitoring their use
       of the internet and other electronic media (cell phones, PDAs, etc.).
     * Keep lines of communication open - Regularly talk to your children about
       their online activities so that they feel comfortable telling you if
       they are being victimized.
     * Watch for warning signs - If you notice changes in your child's
       behavior, try to identify the cause as soon as possible. If
       cyberbullying is involved, acting early can limit the damage.
     * Limit availability of personal information - Limiting the number of
       people who have access to contact information or details about
       interests, habits, or employment reduces exposure to bullies that you or
       your child do not know. This may limit the risk of becoming a victim and
       may make it easier to identify the bully if you or your child are
       victimized.
     * Avoid escalating the situation - Responding with hostility is likely to
       provoke a bully and escalate the situation. Depending on the
       circumstances, consider ignoring the issue. Often, bullies thrive on the
       reaction of their victims. Other options include subtle actions. For
       example, you may be able to block the messages on social networking
       sites or stop unwanted emails by changing the email address. If you
       continue to get messages at the new email address, you may have a
       stronger case for legal action.
     * Document the activity - Keep a record of any online activity (emails,
       web pages, instant messages, etc.), including relevant dates and times.
       In addition to archiving an electronic version, consider printing a
       copy.
     * Report cyberbullying to the appropriate authorities - If you or your
       child are being harassed or threatened, report the activity. Many
       schools have instituted bullying programs, so school officials may have
       established policies for dealing with activity that involves students.
       If necessary, contact your local law enforcement. Law enforcement
       agencies have different policies, but your local police department or
       FBI branch are good starting points. Unfortunately, there is a
       distinction between free speech and punishable offenses, but the legal
       implications should be decided by the law enforcement officials and the
       prosecutors.

Additional information

   The following organizations offer additional information about this topic:
     * National Crime Prevention Council - http://www.ncpc.org/cyberbullying
     * StopBullying.gov - http://www.stopbullying.gov/
   _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006, 2011 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/STYY-XXX.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

OUCH! | May 2011 - Protecting Your Password

2011-05-27T08:13:00.001-07:00

OUCH! | May 2011

IN THIS ISSUE…

• Strong passwords you can remember
• Never share your passwords
• Using your passwords safely

Protecting Your Password

GUEST EDITOR

Eric Cole is the guest editor for the May issue of OUCH!
Dr. Cole is the founder of Secure Anchor Consulting, has
been the CTO of several large organizations, and is a
SANS faculty fellow. He is passionate about helping
organizations do the right things to improve their security.
You can find out more information at
www.securityhaven.com.

OVERVIEW

Passwords are the keys to your kingdom. Combined with
your username, they are the most common means for
proving your identity and logging into your computer and
websites or accessing information. Unfortunately, far too
often people do little to protect their passwords, using
simple combinations such as 123456, password, qwerty, or
abc123. In other cases, people simply use their pet’s name
or their birth date --information that can be easily found on
the Internet, such as on Facebook. With access to your
password, an attacker can steal your digital identity, access
your bank accounts, or even access your organization’s
confidential information, causing a tremendous amount of
harm. It is also important to remember that if someone
steals your password, you could be liable for anything they
do! To better protect you, your family, and your
organization, let’s learn what makes a good password and
how to use it safely.

STRONG PASSWORDS

Cyber criminals have developed programs that automate
the ability to guess, or brute force, your passwords. To
protect yourself, your passwords must be difficult for others
to guess but at the same time easy for you to remember.
Here is some guidance we recommend

. You must have at least one number in your password.

. You must have at least one CAPITAL letter in your
password.

. You must have at least one symbol in your password.

. We recommend your passwords be a minimum of 12
characters in length. For highly confidential sites or
information, we recommend 15 characters. Check with
your supervisor for specific policies your organization may
have about passwords.

At first glance this approach looks very difficult. However,
by using the first letter of each word in a sentence, it
becomes much easier to remember: For example, the
sentence below may be very simple for you to remember:

My 2nd son was born at Boston Hospital at 6:30pm

However, we can use that sentence to create the password
you see here.

M2swb@BH@6:30pm

What we did was simply use the first letter from each word.
We capitalized some of these letters. In addition, we
replaced the word “at” with the symbol “@.” Finally, we
included the time at the end. This is a long, complex
password that will be very difficult to guess but simple to
remember.

PROTECTING YOUR PASSWORDS

Keep in mind that just having strong passwords is not
enough. It does not matter if you have the most complex
passwords in the world; failing to take the following steps
can result in your passwords being compromised:

1. Do not get hacked! One of the most common ways for
cyber criminals to steal your password is to infect your
computer. Once your machine is compromised, bad guys
will install specialized malware on it that captures all of your
keystrokes, including any usernames and passwords to
online banks. When you log in to your bank, your
information is automatically stolen and forwarded to the
cyber criminals. These individuals can then access your
bank account pretending to be you and literally steal all of
your money. To protect yourself, make sure your computer
is actively protected. This means making sure automatic
updating is enabled and you have the latest anti-virus.

2. Be sure to use different passwords for different accounts.
For example, never use the same passwords for your work or
bank accounts as your personal accounts,
such as Facebook, YouTube, or Twitter. This way if one of
your passwords is hacked, the other accounts are still safe.

3. Never share your password with anyone else, including a
supervisor or an IT support professional. Remember, your
password is a secret. If anyone else knows your password, it
is no longer secure.

4. Never use a public computer, such as at hotels or
libraries, to log into an account. Since anyone can use these
computers, they may be infected with a malicious code that is
capturing all your keystrokes. Only log into your work or
personal accounts on trusted computers you control.

5. At times you may have so many passwords that you
cannot remember them all, and storing them may be your
only option. If you write them down, be sure to store them in
locked location that only you have access to; never store
them in public view. Another option is to store them in
encrypted applications designed to store passwords on your
computer or smartphone. Examples of such tools can be
found at http://preview.tinyurl.com/622v9m2 and
http://preview.tinyurl.com/2p385o.

6. Exercise caution when websites require you to answer
personal questions. These questions are often used if you
forget your account password and need to reset it. The
problem is the answers to these questions can often be
found on the Internet, such as your personal Facebook
page. So make sure that if you answer personal questions,
you use only information that is not publicly known. If the
website provides other password reset options, such as
SMS messages to your smartphone, you may want to
consider these alternatives.

7. If you believe your password has been compromised or
have reason to believe it is no longer a secret, contact your
help desk and change your passwords immediately from a
computer you control and trust.

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us
at http://www.securingthehuman.org.

Blog posted using Windows Live Writer

Cyber Security Tip ST05-002 - Keeping Children Safe Online

2011-05-25T14:04:00.001-07:00

Cyber Security Tip ST05-002
Keeping Children Safe Online

   Children present unique security risks when they use a computer—not only do
   you have to keep them safe, you have to protect the data on your computer.
   By taking some simple steps, you can dramatically reduce the threats.

What unique risks are associated with children?

   When a child is using your computer, normal safeguards and security
   practices may not be sufficient. Children present additional challenges
   because of their natural characteristics: innocence, curiosity, desire for
   independence, and fear of punishment. You need to consider these
   characteristics when determining how to protect your data and the child.

   You may think that because the child is only playing a game, or researching
   a term paper, or typing a homework assignment, he or she can't cause any
   harm. But what if, when saving her paper, the child deletes a necessary
   program file? Or what if she unintentionally visits a malicious web page
   that infects your computer with a virus? These are just two possible
   scenarios. Mistakes happen, but the child may not realize what she's done or
   may not tell you what happened because she's afraid of getting punished.

   Online predators present another significant threat, particularly to
   children. Because the nature of the internet is so anonymous, it is easy for
   people to misrepresent themselves and manipulate or trick other users (see
   Avoiding Social Engineering and Phishing Attacks for some examples). Adults
   often fall victim to these ploys, and children, who are usually much more
   open and trusting, are even easier targets. Another growing problem is
   cyberbullying. These threats are even greater if a child has access to email
   or instant messaging programs, visits chat rooms, and/or uses social
   networking sites.

What can you do?

     * Be involved - Consider activities you can work on together, whether it
       be playing a game, researching a topic you had been talking about (e.g.,
       family vacation spots, a particular hobby, a historical figure), or
       putting together a family newsletter. This will allow you to supervise
       your child's online activities while teaching her good computer habits.
     * Keep your computer in an open area - If your computer is in a
       high-traffic area, you will be able to easily monitor the computer
       activity. Not only does this accessibility deter a child from doing
       something she knows she's not allowed to do, it also gives you the
       opportunity to intervene if you notice a behavior that could have
       negative consequences.
     * Set rules and warn about dangers - Make sure your child knows the
       boundaries of what she is allowed to do on the computer. These
       boundaries should be appropriate for the child's age, knowledge, and
       maturity, but they may include rules about how long she is allowed to be
       on the computer, what sites she is allowed to visit, what software
       programs she can use, and what tasks or activities she is allowed to do.
       You should also talk to children about the dangers of the internet so
       that they recognize suspicious behavior or activity. Discuss the risks
       of sharing certain types of information (e.g., that they're home alone)
       and the benefits to only communicating and sharing information with
       people they know (see Using Instant Messaging and Chat Rooms Safely,
       Staying Safe on Social Network Sites, and the document Socializing
       Securely: Using Social Networking Services for more information). The
       goal isn't to scare them, it's to make them more aware. Make sure to
       include the topic of cyberbullying in these discussions (see Dealing
       with Cyberbullies for more information).
     * Monitor computer activity - Be aware of what your child is doing on the
       computer, including which websites she is visiting. If she is using
       email, instant messaging, or chat rooms, try to get a sense of who she
       is corresponding with and whether she actually knows them.
     * Keep lines of communication open - Let your child know that she can
       approach you with any questions or concerns about behaviors or problems
       she may have encountered on the computer.
     * Consider partitioning your computer into separate accounts - Most
       operating systems give you the option of creating a different user
       account for each user. If you're worried that your child may
       accidentally access, modify, and/or delete your files, you can give her
       a separate account and decrease the amount of access and number of
       privileges she has.
       If you don't have separate accounts, you need to be especially careful
       about your security settings. In addition to limiting functionality
       within your browser (see Evaluating Your Web Browser's Security Settings
       for more information), avoid letting your browser remember passwords and
       other personal information (see Browsing Safely: Understanding Active
       Content and Cookies). Also, it is always important to keep your virus
       definitions up to date (see Understanding Anti-Virus Software).
     * Consider implementing parental controls - You may be able to set some
       parental controls within your browser. For example, Internet Explorer
       allows you to restrict or allow certain websites to be viewed on your
       computer, and you can protect these settings with a password. To find
       those options, click Tools on your menu bar, select Internet Options,
       choose the Content tab, and click the Enable... button under Content
       Advisor.
       There are other resources you can use to control and/or monitor your
       child's online activity. Some ISPs offer services designed to protect
       children online. Contact your ISP to see if any of these services are
       available. There are also special software programs you can install on
       your computer. Different programs offer different features and
       capabilities, so you can find one that best suits your needs.

Additional information

   The following websites offer additional information about protecting
   children online:
     * GetNetWise - http://kids.getnetwise.org/
     * StaySafeOnline - http://www.staysafeonline.org/
     _________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST05-002.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Cyber Security Tip ST08-001 - Using Caution with USB Drives

2011-05-10T10:27:00.001-07:00

Cyber Security Tip ST08-001
Using Caution with USB Drives

USB drives are popular for storing and transporting data, but some of the
characteristics that make them convenient also introduce security risks.

What security risks are associated with USB drives?

   Because USB drives, sometimes known as thumb drives, are small, readily
   available, inexpensive, and extremely portable, they are popular for storing
   and transporting files from one computer to another. However, these same
   characteristics make them appealing to attackers.

   One option is for attackers to use your USB drive to infect other computers.
   An attacker might infect a computer with malicious code, or malware, that
   can detect when a USB drive is plugged into a computer. The malware then
   downloads malicious code onto the drive. When the USB drive is plugged into
   another computer, the malware infects that computer.

   Some attackers have also targeted electronic devices directly, infecting
   items such as electronic picture frames and USB drives during production.
   When users buy the infected products and plug them into their computers,
   malware is installed on their computers.

   Attackers may also use their USB drives to steal information directly from a
   computer. If an attacker can physically access a computer, he or she can
   download sensitive information directly onto a USB drive. Even computers
   that have been turned off may be vulnerable, because a computer's memory is
   still active for several minutes without power. If an attacker can plug a
   USB drive into the computer during that time, he or she can quickly reboot
   the system from the USB drive and copy the computer's memory, including
   passwords, encryption keys, and other sensitive data, onto the drive.
   Victims may not even realize that their computers were attacked.

   The most obvious security risk for USB drives, though, is that they are
   easily lost or stolen (see Protecting Portable Devices: Physical Security
   for more information). If the data was not backed up, the loss of a USB
   drive can mean hours of lost work and the potential that the information
   cannot be replicated. And if the information on the drive is not encrypted,
   anyone who has the USB drive can access all of the data on it.

How can you protect your data?

There are steps you can take to protect the data on your USB drive and on
any computer that you might plug the drive into:

     * Take advantage of security features - Use passwords and encryption on
       your USB drive to protect your data, and make sure that you have the
       information backed up in case your drive is lost (see Protecting
       Portable Devices: Data Security for more information).

     * Keep personal and business USB drives separate - Do not use personal USB
       drives on computers owned by your organization, and do not plug USB
       drives containing corporate information into your personal computer.

     * Use and maintain security software, and keep all software up to date -
       Use a firewall, anti-virus software, and anti-spyware software to make
       your computer less vulnerable to attacks, and make sure to keep the
       virus definitions current (see Understanding Firewalls, Understanding
       Anti-Virus Software, and Recognizing and Avoiding Spyware for more
       information). Also, keep the software on your computer up to date by
       applying any necessary patches (see Understanding Patches for more
       information).

     * Do not plug an unknown USB drive into your computer - If you find a USB
       drive, give it to the appropriate authorities (a location's security
       personnel, your organization's IT department, etc.). Do not plug it into
       your computer to view the contents or to try to identify the owner.

     * Disable Autorun - The Autorun feature causes removable media such as
       CDs, DVDs, and USB drives to open automatically when they are inserted
       into a drive. By disabling Autorun, you can prevent malicious code on an
       infected USB drive from opening automatically. In How to disable the
       Autorun functionality in Windows, Microsoft has provided a wizard to
       disable Autorun. In the "More Information" section, look for the
       Microsoft Fix it icon under the heading "How to disable or enable all
       Autorun features in Windows 7 and other operating systems."
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2008, 2011 by US-CERT, a government organization. Terms of use US-CERT

Note: This tip was previously published and is being re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/STYY-XXX.html

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

OUCH! | APRIL 2011 - Staying Secure Online While Traveling

2011-05-10T08:26:00.001-07:00

OUCH! | APRIL 2011

IN THIS ISSUE…

• Planning ahead
• Dealing with public networks
• Avoid using public computers

Staying Secure Online While Traveling

GUEST EDITOR

Raul Siles is the guest editor for the April issue of OUCH!
Raul is the founder and senior security analyst with
Taddong (www.taddong.com), SANS author and instructor,
and security passionate (www.raulsiles.com). You can
follow Raul on Twitter at @taddong and his blog at
blog.taddong.com.

OVERVIEW

Going online has become universal. We expect Internet
access wherever we are for whatever we need. However,
when you are on the road or on vacation, accessing the
Internet can be challenging. Connections may be not only
slower but also at greater risk, especially when connecting
to public networks or using a public computer. The key to
using the Internet securely while traveling is to understand
these additional risks, use caution, and be prepared.

PLANNING AHEAD

One of the most effective ways you can protect yourself
when traveling is to first take simple, preventive steps
before you leave.

. Update your laptop and smartphone operating
systems and applications to the latest version
reduce their vulnerability to attack.

. Make sure the firewall on your laptop is enabled.
This helps prevent others from connecting to your
laptop over the network.

. Check that your anti-virus software is up-to-date
and in good working order.

. Laptops and smartphones are targets for thieves
and easy to lose. Enable automatic screenlock on
your laptop and smartphone using a strong
password or, at the very least, a PIN code.

. Consider attaching a label with your name and
email address or phone number, so that you can be
contacted if you lose a device, such as at airport
security. Offering a reward for their safe return
often helps.

. If your laptop or smartphone has personal or
confidential information stored on it, consider
encrypting the information or your entire hard drive
before you leave. Check with your supervisor about
your organization’s security policies. Encryption
may be required

. If you set an out-of-the-office message at work,
identify a colleague as an alternate point of contact
while you are gone. In addition, do not provide
specific details about your trip. If possible, limit
delivery of your out-of-the-office message to
recipients within your organization or to people
already in your address book.

. Check with your IT department to see what special
services they offer to travelers.

In addition to preparing ahead of time, there are several
things you need to consider once you are traveling.

CONNECTING TO PUBLIC NETWORKS

A public network is a network to which anyone has access,
such as those that are available at airports, hotels,
restaurants, and cafés, usually in the form of Wi-Fi
connections. When you connect to a public network, your
online activities can be monitored by others. In addition,
malicious individuals may operate fake Wi-Fi networks that
are designed to fool you into using them and potentially
attack your system.

When possible, use a sponsored Wi-Fi networks hosted by
a legitimate organization. Look for signs with the name of
the Wi-Fi network displayed in the hotel lobby, airport
terminal, or café. Using these sponsored networks is a
better security bet than picking a public Wi-Fi network at
random. In addition, when possible use encrypted Wi-Fi
networks, and pay attention to the type of encryption. In
order from best to worst, the common Wi-Fi encryption
types are: WPA2, WPA, and WEP.

Even with Wi-Fi encryption, your communications could still
be intercepted by other users of the same Wi-Fi network.

Take the additional precaution of using an encrypted data
connection. The most common data encryption methods are
HTTPS (SSL/TLS) and VPN (Virtual Private Network).
An HTTPS browser session, usually indicated by the familiar
padlock icon, encrypts the information you send over the
Web. Many websites and online services, such as Google,
Gmail, Twitter, and Facebook allow you force that HTTPS
encryption be used at all times.

You create a VPN by installing software on your computer
that encrypts your online activities. Contact with your IT
department to find out if your organization supports a VPN. If
not, consider purchasing a VPN service for your personal use
(http://preview.tinyurl.com/67mnrng).

Another option is to use your smartphone as a Wi-Fi access
point. If you have a smartphone, contact your service provider
about using its +3G capabilities to set up a secure “tethered
connection” or “personal Wi-Fi hotspot” for your laptop. In
addition, your smartphone’s email and browser capabilities
may be enough to meet your needs while on the road. If so,
the security afforded by your smartphone’s mobile broadband
connection is a better bet than public Wi-Fi.

AVOID USING PUBLIC COMPUTERS

Public computers are those that anyone can use, and are
found in libraries, hotels, and cafés. There is no way for you
to know who used the computer before you. It may have
been infected or otherwise compromised accidentally, or
malware may have been planted on it deliberately. Any
information you enter may be stolen by cybercriminals.
Limit your use of public computers to casual web browsing
only, such as checking the weather, the status of your flight,
or catching up on the news. If you have no choice but to
use a public computer to make a transaction or to
communicate sensitive information, assume that any
information and your login and password you used have
been compromised. Keep track of the accounts you had to
access and change your passwords immediately the next
time you have access to a trusted computer and network.

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting us
at http://www.securingthehuman.org.

OUCH! is published by the SANS Securing The Human program and is
distributed under the Creative Commons BY‐NC-ND 3.0 license.

Permission is granted to distribute this newsletter as long as you reference the source,
the distribution is not modified and it is not used for commercial purposes.

For translating or more information, please contact ouch@securingthehuman.org.

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Carmen Ruyle Hardy

Blog posted using Windows Live Writer

Cyber Security Tip ST06-004 - Avoiding the Pitfalls of Online Trading

2011-04-11T07:09:00.001-07:00

Cyber Security Tip ST06-004
Avoiding the Pitfalls of Online Trading

   Online trading can be an easy, cost-effective way to manage investments.
   However, online investors are often targets of scams, so take precautions to
   ensure that you do not become a victim.

What is online trading?

   Online trading allows you to conduct investment transactions over the
   internet. The accessibility of the internet makes it possible for you to
   research and invest in opportunities from any location at any time. It also
   reduces the amount of resources (time, effort, and money) you have to devote
   to managing these accounts and transactions.

What are the risks?

   Recognizing the importance of safeguarding your money, legitimate brokerages
   take steps to ensure that their transactions are secure. However, online
   brokerages and the investors who use them are appealing targets for
   attackers. The amount of financial information in a brokerage's database
   makes it valuable; this information can be traded or sold for personal
   profit. Also, because money is regularly transferred through these accounts,
   malicious activity may not be noticed immediately. To gain access to these
   databases, attackers may use Trojan horses or other types of malicious code
   (see Why is Cyber Security a Problem? for more information).

   Attackers may also attempt to collect financial information by targeting the
   current or potential investors directly. These attempts may take the form of
   social engineering or phishing attacks (see Avoiding Social Engineering and
   Phishing Attacks for more information). With methods that include setting up
   fraudulent investment opportunities or redirecting users to malicious sites
   that appear to be legitimate, attackers try to convince you to provide them
   with financial information that they can then use or sell. If you have been
   victimized, both your money and your identity may be at risk (see Preventing
   and Responding to Identity Theft for more information).

How can you protect yourself?

     * Research your investment opportunities - Take advantage of resources
       such as the U.S. Securities and Exchange Commission's EDGAR database and
       your state's securities commission (found through the North American
       Securities Administrators Association) to investigate companies.
     * Be wary of online information - Anyone can publish information on the
       internet, so try to verify any online research through other methods
       before investing any money. Also be cautious of "hot" investment
       opportunities advertised online or in email.
     * Check privacy policies - Before providing personal or financial
       information, check the website's privacy policy. Make sure you
       understand how your information will be stored and used (see Protecting
       Your Privacy for more information).
     * Conduct transactions on devices you control - Avoid conducting
       transactions on public resources such as internet kiosks, computers in
       places like libraries, and other shared computers and devices. Other
       users may introduce security risks.
     * Make sure that your transactions are encrypted - When information is
       sent over the internet, attackers may be able to intercept it.
       Encryption prevents the attackers from being able to view the
       information.
     * Verify that the website is legitimate - Attackers may redirect you to a
       malicious website that looks identical to a legitimate one. They then
       convince you to submit your personal and financial information, which
       they use for their own gain. Check the website's certificate to make
       sure it is legitimate (see Understanding Web Site Certificates for more
       information).
     * Monitor your investments - Regularly check your accounts for any unusual
       activity. Report unauthorized transactions immediately.
     * Use strong passwords - Protect your computer, mobile devices, and
       accounts with passwords that cannot easily be guessed (see Choosing and
       Protecting Passwords for more information). Use different passwords for
       each account.
     * Use and maintain anti-virus software - Anti-virus software recognizes
       and protects your computer against most known viruses. However, because
       attackers are continually writing new viruses, it is important to keep
       your virus definitions current (see Understanding Anti-Virus Software
       for more information).
     * Use anti-spyware tools - Spyware is a common source of viruses, and
       attackers may use it to access information on your computer. You can
       minimize the number of infections by using a legitimate program that
       identifies and removes spyware (see Recognizing and Avoiding Spyware for
       more information).
     * Keep software up to date - Install software updates so that attackers
       can't take advantage of known problems or vulnerabilities (see
       Understanding Patches for more information). Enable automatic updates if
       the option is available.
     * Evaluate your security settings - By adjusting the security settings in
       your browser, you may limit your risk of certain attacks (see Evaluating
       Your Web Browser's Security Settings for more information).

   The following sites offer additional information and guidance:
     * U.S.      Securities      and      Exchange      Commission      -
       http://www.sec.gov/investor/pubs/cyberfraud.htm
     * National Consumers League -
       http://www.fraud.org/tips/internet/investment.htm
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-004.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

OUCH! MARCH 2011 Understanding Anti-Virus Software

2011-04-08T06:37:00.001-07:00

Understanding Anti-Virus Software

IN THIS ISSUE…

• How anti-virus software works
• How it can and cannot protect your computer
• Tips for using anti-virus software
• Trusted sources for anti-virus programs
• Understanding Anti-Virus Software

GUEST EDITOR

Lenny Zeltser served as the guest editor for this issue
of OUCH! Lenny leads the security consulting team at
Savvis (www.savvis.com) and teaches malware defense
courses (http://www.CombatingMalware.com) for the
SANS Institute. He is active on Twitter at @lennyzeltser
and writes regularly on his security blog at blog.zeltser.com.

OVERVIEW

Any computer can be infected by malware. Malware is a
catch-all term for malicious programs, such as viruses,
worms, Trojans, and spyware, which are designed to infect
and take control of your computer. Once your computer
has been infected, bad guys can capture all your
keystrokes, steal your documents, and use your computer
to attack other computers. Anti-virus software is designed
to protect your computer against malware. It is available
as a stand-alone product and is also included in most
security software packages.

Anti-virus detects and blocks attempts by the bad guys to
infect your computer. The problem is that anti-virus can no
longer keep up with the bad guys. There are so many
new versions of malware being released every day that
no anti-virus can detect and protect against all of them.
For this reason, it is possible for your computer to be
infected even with the latest version of anti-virus installed.
To understand why this is so, let’s look at how most
anti-virus programs work.

SIGNATURE DETECTION

Most anti-virus programs work like the human immune
system by scanning your computer for the signatures
(patterns) of digital pathogens and infections. They refer
to a dictionary of known malware, and if something in a file
matches a pattern in the dictionary, the anti-virus software
attempts to neutralize it. Like the human immune system,
the dictionary approach requires updates, like flu shots,
to provide protection against new strains of malware.
Anti-virus can only protect against what it recognizes as
harmful. Again, the problem is the bad guys are developing
new malware so fast that anti-virus developers cannot keep
up. Your computer is vulnerable during the delay between
the time new malware is identified and the time a dictionary
update is released by anti-virus vendors. This is why
it is important that you keep your anti-virus product as
up-to-date as possible.

BEHAVIOR DETECTION

In this approach, instead of attempting to identify known
malware, anti-virus software monitors the behavior of
software installed on your computer. When a program acts
suspiciously, such as trying to access a protected file or to
modify another program, anti-virus spots the suspicious
activity and alerts you to it. This approach provides
protection against brand new types of malware that do not
yet exist in any dictionary. The problem with this approach
is that it can generate a large number of false warnings.
You, the computer user, may be unsure about what to
allow or not allow and over time become desensitized to
all those warnings. You might be tempted to click
Accept on every warning, leaving your computer
wide open to attack and infection.

ANTI-VIRUS TIPS

1. Don’t Assume You’re Not At Risk

Every computer, regardless of its operating system,
is vulnerable to attack. While anti-virus cannot protect
against all types of malware, the security of your computer
is enhanced substantially when anti-virus software is
installed, up to date, and working properly.

2. Download Only From Trusted Sources

Obtain security software only from known, trusted sources
and vendors. It is a common ploy of cybercriminals to
pretend to be selling anti-virus programs that are in fact
malware. We list several trusted sources for anti-virus
solutions at the end of this newsletter.

3. Keep Your Software Current

Make sure you have the latest version of your anti-virus
product installed and that it is set to update automatically.
Check the status of the signature updates periodically to
make sure they are current.

4. Don’t Delay Updates

If your computer has been offline or powered off for a
while, your anti-virus will most likely need an update when
you turn it back on or reconnect it to the Internet. Do not
postpone these updates.

5. Scan Additional Devices

Make sure your anti-virus automatically scans portable
devices, such as USB sticks, when you plug them into
your computer.

6. Track Warnings And Alerts

Pay attention to the onscreen warnings and alerts
generated by your anti-virus software. Most alerts include
the option of clicking on a link to get more information
or a recommendation about what to do next. At the
office, write down the alert messages and contact your
computer help desk or security team.

7. Don’t Disable The Software

Do not disable your security software because you feel
it is slowing down your computer, blocking a website,
or preventing you from installing an app or program.

Disabling your anti-virus will expose your computer to
unnecessary risk and could result in a serious security
incident. If problems persist, replace your anti-virus
with another product.

8. Install One Program Only

Do not install multiple anti-virus programs on your
computer at the same time. Doing so may leave your
computer with less protection instead of providing
more protection.

9. Consider A Security Suite

Understand that anti-virus cannot protect your computer
against all threats. We recommend you install a security
suite that includes additional tools, such as a firewall,
browser protection, and other advanced security features.

TRUSTED SOURCES

PC Magazine – http://preview.tinyurl.com/48tc9y5
Consumer Reports – http://preview.tinyurl.com/5ve99ck

LEARN MORE

Subscribe to the monthly OUCH! security awareness
newsletter, access the OUCH! archives, and learn more
about SANS security awareness solutions by visiting
us at http://www.securingthehuman.org.

OUCH! is published by the SANS Securing The Human program
and is distributed under the Creative Commons BY-NC-ND
3.0 license.

Permission is granted to distribute this newsletter as
long as you reference the source, the distribution is
not modified and it is not used for commercial purposes.

For translating or more information, please contact
ouch@securingthehuman.org.

Editorial Board:
Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner,
Carmen Ruyle Hardy

Blog posted using Windows Live Writer

Cyber Security Tip ST06-006 - Understanding Hidden Threats: Corrupted Software Files

2011-03-14T05:52:00.001-07:00

Cyber Security Tip ST06-006

Understanding Hidden Threats: Corrupted Software Files

   Malicious code is not always hidden in web page scripts or unusual file
   formats. Attackers may corrupt types of files that you would recognize and
   typically consider safe, so you should take precautions when opening files
   from other people.

What types of files can attackers corrupt?

   An attacker may be able to insert malicious code into any file, including
   common file types that you would normally consider safe. These files may
   include documents created with word processing software, spreadsheets, or
   image files. After corrupting the file, an attacker may distribute it
   through email or post it to a web site. Depending on the type of malicious
   code, you may infect your computer by just opening the file.

   When corrupting files, attackers often take advantage of vulnerabilities
   that they discover in the software that is used to create or open the file.
   These vulnerabilities may allow attackers to insert and execute malicious
   scripts or code, and they are not always detected. Sometimes the
   vulnerability involves a combination of certain files (such as a particular
   piece of software running on a particular operating system) or only affects
   certain versions of a software program.

What problems can malicious files cause?

   There are various types of malicious code, including viruses, worms, and
   Trojan horses (see Why is Cyber Security a Problem? for more information).
   However, the range of consequences varies even within these categories. The
   malicious code may be designed to perform one or more functions, including
     * interfering with your computer's ability to process information by
       consuming memory or bandwidth (causing your computer to become
       significantly slower or even "freeze")
     * installing, altering, or deleting files on your computer
     * giving the attacker access to your computer
     * using your computer to attack other computers (see Understanding
       Denial-of-Service Attacks for more information)

How can you protect yourself?

     * Use and maintain anti-virus software - Anti-virus software can often
       recognize and protect your computer against most known viruses, so you
       may be able to detect and remove the virus before it can do any damage
       (see Understanding Anti-Virus Software for more information). Because
       attackers are continually writing new viruses, it is important to keep
       your definitions up to date.
     * Use caution with email attachments - Do not open email attachments that
       you were not expecting, especially if they are from people you do not
       know. If you decide to open an email attachment, scan it for viruses
       first (see Using Caution with Email Attachments for more information).
       Not only is it possible for attackers to "spoof" the source of an email
       message, but your legitimate contacts may unknowingly send you an
       infected file. If your email program automatically downloads
       attachments, check your settings to see if you can disable this feature.
     * Be wary of downloadable files on web sites - Avoid downloading files
       from sites that you do not trust. If you are getting the files from a
       supposedly secure site, look for a web site certificate (see
       Understanding Web Site Certificates for more information). If you do
       download a file from a web site, consider saving it to your computer and
       manually scanning it for viruses before opening it.
     * Keep software up to date - Install software patches so that attackers
       cannot take advantage of known problems or vulnerabilities (see
       Understanding Patches for more information). Many operating systems
       offer automatic updates. If this option is available, you should enable
       it.
     * Take advantage of security settings - Check the security settings of
       your email client and your web browser (see Evaluating Your Web
       Browser's Security Settings for more information). Apply the highest
       level of security available that still gives you the functionality you
       need.

Related information

     * Securing Your Web Browser
     * Recovering from Viruses, Worms, and Trojan Horses
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-006.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Cyber Security Tip ST06-002 - Debunking Some Common Myths

2011-02-17T12:26:00.001-08:00

Cyber Security Tip ST06-002
Debunking Some Common Myths

   There are some common myths that may influence your online security
   practices. Knowing the truth will allow you to make better decisions about
   how to protect yourself.

How are these myths established?

   There is no one cause for these myths. They may have been formed because of
   a lack of information, an assumption, knowledge of a specific case that was
   then generalized, or some other source. As with any myth, they are passed
   from one individual to another, usually because they seem legitimate enough
   to be true.

Why is it important to know the truth?

   While believing these myths may not present a direct threat, they may cause
   you to be more lax about your security habits. If you are not diligent about
   protecting yourself, you may be more likely to become a victim of an attack.

What are some common myths, and what is the truth behind them?

     * Myth: Anti-virus software and firewalls are 100% effective.
       Truth: Anti-virus software and firewalls are important elements to
       protecting your information (see Understanding Anti-Virus Software and
       Understanding Firewalls for more information). However, neither of these
       elements are guaranteed to protect you from an attack. Combining these
       technologies with good security habits is the best way to reduce your
       risk.
     * Myth: Once software is installed on your computer, you do not have to
       worry about it anymore.
       Truth: Vendors may release updated versions of software to address
       problems or fix vulnerabilities (see Understanding Patches for more
       information). You should install the updates as soon as possible; some
       software even offers the option to obtain updates automatically. Making
       sure that you have the latest virus definitions for your anti-virus
       software is especially important.
     * Myth: There is nothing important on your machine, so you do not need to
       protect it.
       Truth: Your opinion about what is important may differ from an
       attacker's opinion. If you have personal or financial data on your
       computer, attackers may be able to collect it and use it for their own
       financial gain. Even if you do not store that kind of information on
       your computer, an attacker who can gain control of your computer may be
       able to use it in attacks against other people (see Understanding
       Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and
       Botnets for more information).
     * Myth: Attackers only target people with money.
       Truth: Anyone can become a victim of identity theft. Attackers look for
       the biggest reward for the least amount of effort, so they typically
       target databases that store information about many people. If your
       information happens to be in the database, it could be collected and
       used for malicious purposes. It is important to pay attention to your
       credit information so that you can minimize any potential damage (see
       Preventing and Responding to Identity Theft for more information).
     * Myth: When computers slow down, it means that they are old and should be
       replaced.
       Truth: It is possible that running newer or larger software programs on
       an older computer could lead to slow performance, but you may just need
       to replace or upgrade a particular component (memory, operating system,
       CD or DVD drive, etc.). Another possibility is that there are other
       processes or programs running in the background. If your computer has
       suddenly become slower, it may be compromised by malware or spyware, or
       you may be experiencing a denial-of-service attack (see Recognizing and
       Avoiding Spyware and Understanding Denial-of-Service Attacks for more
       information).
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-002.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Ouch! February 2011

2011-02-16T07:16:00.001-08:00

OUCH!: USING YOUR SMARTPHONE SECURELY

February, 2011

Download, share, and distribute this newsletter in .pdf format.

English - http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201102_en.pdf
Spanish - http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201102_sp.pdf
***********************************************************************

Your smartphone has tremendous capabilities, but with those capabilities
come risks. In this month's issue we explain what those risks are and
how to use your smartphone securely.

The OUCH! team would like to welcome and thank Mr. Joshua Wright as our
guest editor. Mr. Wright is a senior security analyst with InGuardians,
Inc, a SANS senior instructor, and the lead author of SANS' wireless
security course SEC617. You can follow Mr. Wright on Twitter at
@joswr1ght or on his website at http://www.willhackforsushi.com.

***THE PROBLEM***
They are everywhere - iPhones, Androids, and Blackberrys. Whether you
call them smartphones, handhelds, feature phones, or pocket PCs, they
are cellular telephones with integrated computers. They differ from
traditional cell phones in that they are also microcomputers, and like
other computers, they have an elaborate operating system, can run a
variety of software applications, and provide access to the web. They
can send and receive e-mail (not just text messages), have embedded
memory, and include a fully functional keyboard. Most newer smartphones
provide one or more types of wireless network connectivity, be it 3G,
4G, Wi-Fi, and/or Bluetooth.

It is no surprise that an Internet-enabled computer you can hold in your
hand that costs less than $300 is an extremely popular device. New
models appear at a dizzying pace, leapfrogging each other with new
features and all promising to give you the fastest, most advanced, most
versatile capabilities and the greatest ease of use. The combination of
popularity, enticingly low prices, rapid turnover, and new features can
lead users to overlook the security fundamentals that apply to all
networked computers regardless of their size.

Unfortunately, today's smartphone users are in a situation strikingly
similar to that faced by computer users fifteen years ago. Security
resources for smartphones are very limited and not fully developed. As
a result, most smartphones lack the level of security you find on your
desktop or notebook computer. Meanwhile, the complexity of smartphones
continues to grow along with the number and types of network-borne
threats. This makes smartphones both an easy target for bad guys and
malware and a more inviting one than well-protected desktop and notebook
systems.

***USING YOUR SMARTPHONE SECURELY***
The most important thing you can do to protect your smartphone is to
understand how to use it safely. We've put together a list of the top
10 most effective steps you can take to protect your smartphone. These
apply regardless of the model of smartphone you have or the operating
system it uses.

1. Passwords: One of the greatest features of smartphones is how mobile
they are. Unfortunately, this also makes them easy to lose. If you lose
an unprotected smartphone, anyone who finds it can access your personal
information, as well as information about others, and place calls at
your expense until you report the loss to your carrier. Use a strong
PIN, password, or passphrase to protect the contents of your handheld.
If your smartphone supports data encryption, we recommend that you use
it.

2. E-mail and Web: Most smartphones support e-mail and web browsing.
These services entail the same threats on a smartphone as they do on any
computer, including phishing attacks, malicious websites, infected
attachments, and scams. If you receive an e-mail that sounds too good
to be true or looks suspicious, do not respond to it or click on any
embedded links it contains. Limit your browsing to well-known and
trusted websites. Use SSL encryption (https://) for browsing and
webmail whenever possible.

3. Wireless Networks: Your smartphone may connect automatically to
wireless networks without your knowing it. Common sense says that if you
are connected to a public Wi-Fi hotspot, it's probably being used by
other people too, and someone could eavesdrop on your connection. Keep
optional network connections (e.g., Wi-Fi and Bluetooth) turned off
except when you are using them.

4. Applications: Install only the applications you need. The more
applications you install, the more potential vulnerabilities you add to
your smartphone. Download applications from trustworthy sources only.
Attackers can create malicious applications that appear legitimate but
are designed to infect your smartphone. Do not be in a hurry to install
a brand new application; wait a while until it has established a good
reputation.

5. Updating: Be sure to keep both your smartphone operating system and
your applications up to date. Doing so will help protect your smartphone
against known threats for which there are countermeasures.

6. Documentation: Read the documentation and terms of service for each
software application before you install it. They often require you to
grant permission to the vendor to collect, use, and sell personal
information about you, your use of the device, and your geographic
location.

7. Lost Smartphone: Attach an ID label to the back of your handheld with
your name, e-mail address, and an alternate phone number where you can
be reached. This increases the chances of your smartphone being returned
to you if you misplace it, for example, while you are going through
airport security. Many smartphones support a locater service that
queries the GPS on your handheld and pinpoints its geographic location.
Be sure to back up your smartphone; in a worst case scenario, you can
restore its contents.

8. Wiping: Remote wiping allows you to erase everything on your lost or
misplaced handheld to prevent your personal information from falling
into the hands of a bad guy. But be aware that your handheld will not
receive the wipe command unless it is connected to the network.

9. Disposal: Be sure to erase all personal information securely from
your smartphone before you dispose of it.

10. On the job: Before using your personal smartphone to access your
company's e-mail or other work-related online services, be certain that
this is permitted by your employer's policies and any regulatory
guidelines applicable to your industry.

***ADDITIONAL SMARTPHONE SECURITY RESOURCES***
NIST SP800-124 - http://preview.tinyurl.com/4urvel9
Smartphone Security - http://preview.tinyurl.com/4qu3rjj
Android - http://preview.tinyurl.com/m4xv3f
Blackberry - http://preview.tinyurl.com/48cg8pv
iPhone - http://preview.tinyurl.com/6q323p

***LEARN MORE***
Subscribe to the monthly OUCH! security awareness newsletter, access the
OUCH! archives, and learn more about SANS security awareness solutions
by visiting us at http://www.securingthehuman.org.

***********************************************************************

Copyright 2011 by the SANS Institute
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzer,
Carmen Ruyle Hardy
Email: mailto:ouch@securingthehuman.org
OUCH! Archives: https://www.securingthehuman.org/resources/ouch

OUCH! is published by the SANS Securing The Human program and is
distributed under the Creative Commons BY-NC-ND 3.0 license. Permission
is granted to distribute this newsletter as long as you reference the
source, the distribution is not modified and it is not used for
commercial purposes. For translating or more information, please contact
ouch@securingthehuman.org

Blog posted using Windows Live Writer

Cyber Security Tip ST06-003 - Staying Safe on Social Network Sites

2011-01-28T05:49:00.001-08:00

Cyber Security Tip ST06-003
Staying Safe on Social Network Sites

   The popularity of social networking sites continues to increase, especially
   among teenagers and young adults. The nature of these sites introduces
   security risks, so you should take certain precautions.

What are social networking sites?

   Social networking sites, sometimes referred to as "friend-of-a-friend"
   sites, build upon the concept of traditional social networks where you are
   connected to new people through people you already know. The purpose of some
   networking sites may be purely social, allowing users to establish
   friendships or romantic relationships, while others may focus on
   establishing business connections.

   Although the features of social networking sites differ, they all allow you
   to provide information about yourself and offer some type of communication
   mechanism (forums, chat rooms, email, instant messenger) that enables you to
   connect with other users. On some sites, you can browse for people based on
   certain criteria, while other sites require that you be "introduced" to new
   people through a connection you share. Many of the sites have communities or
   subgroups that may be based on a particular interest.

What security implications do these sites present?

   Social networking sites rely on connections and communication, so they
   encourage you to provide a certain amount of personal information. When
   deciding how much information to reveal, people may not exercise the same
   amount of caution as they would when meeting someone in person because
     * the internet provides a sense of anonymity
     * the lack of physical interaction provides a false sense of security
     * they tailor the information for their friends to read, forgetting that
       others may see it
     * they want to offer insights to impress potential friends or associates

   While the majority of people using these sites do not pose a threat,
   malicious people may be drawn to them because of the accessibility and
   amount of personal information that's available. The more information
   malicious people have about you, the easier it is for them to take advantage
   of you. Predators may form relationships online and then convince
   unsuspecting individuals to meet them in person. That could lead to a
   dangerous situation. The personal information can also be used to conduct a
   social engineering attack (see Avoiding Social Engineering and Phishing
   Attacks for more information). Using information that you provide about your
   location, hobbies, interests, and friends, a malicious person could
   impersonate a trusted friend or convince you that they have the authority to
   access other personal or financial data.

   Additionally, because of the popularity of these sites, attackers may use
   them to distribute malicious code. Sites that offer applications developed
   by third parties are particularly susceptible. Attackers may be able to
   create customized applications that appear to be innocent while infecting
   your computer or sharing your information without your knowledge.

How can you protect yourself?

     * Limit the amount of personal information you post - Do not post
       information that would make you vulnerable, such as your address or
       information about your schedule or routine. If your connections post
       information about you, make sure the combined information is not more
       than you would be comfortable with strangers knowing. Also be
       considerate when posting information, including photos, about your
       connections.
     * Remember that the internet is a public resource - Only post information
       you are comfortable with anyone seeing. This includes information and
       photos in your profile and in blogs and other forums. Also, once you
       post information online, you can't retract it. Even if you remove the
       information from a site, saved or cached versions may still exist on
       other people's machines (see Guidelines for Publishing Information
       Online for more information).
     * Be wary of strangers - The internet makes it easy for people to
       misrepresent their identities and motives (see Using Instant Messaging
       and Chat Rooms Safely for more information). Consider limiting the
       people who are allowed to contact you on these sites. If you interact
       with people you do not know, be cautious about the amount of information
       you reveal or agreeing to meet them in person.
     * Be skeptical - Don't believe everything you read online. People may post
       false or misleading information about various topics, including their
       own identities. This is not necessarily done with malicious intent; it
       could be unintentional, an exaggeration, or a joke. Take appropriate
       precautions, though, and try to verify the authenticity of any
       information before taking any action.
     * Evaluate your settings - Take advantage of a site's privacy settings.
       The default settings for some sites may allow anyone to see your
       profile, but you can customize your settings to restrict access to only
       certain people. There is still a risk that private information could be
       exposed despite these restrictions, so don't post anything that you
       wouldn't want the public to see. Sites may change their options
       periodically, so review your security and privacy settings regularly to
       make sure that your choices are still appropriate.
     * Be wary of third-party applications - Third-party applications may
       provide entertainment or functionality, but use caution when deciding
       which applications to enable. Avoid applications that seem suspicious,
       and modify your settings to limit the amount of information the
       applications can access.
     * Use strong passwords - Protect your account with passwords that cannot
       easily be guessed (see Choosing and Protecting Passwords for more
       information). If your password is compromised, someone else may be able
       to access your account and pretend to be you.
     * Check privacy policies - Some sites may share information such as email
       addresses or user preferences with other companies. This may lead to an
       increase in spam (see Reducing Spam for more information). Also, try to
       locate the policy for handling referrals to make sure that you do not
       unintentionally sign your friends up for spam. Some sites will continue
       to send email messages to anyone you refer until they join.
     * Keep software, particularly your web browser, up to date - Install
       software updates so that attackers cannot take advantage of known
       problems or vulnerabilities (see Understanding Patches for more
       information). Many operating systems offer automatic updates. If this
       option is available, you should enable it.
     * Use and maintain anti-virus software - Anti-virus software helps protect
       your computer against known viruses, so you may be able to detect and
       remove the virus before it can do any damage (see Understanding
       Anti-Virus Software for more information). Because attackers are
       continually writing new viruses, it is important to keep your
       definitions up to date.

   Children are especially susceptible to the threats that social networking
   sites present. Although many of these sites have age restrictions, children
   may misrepresent their ages so that they can join. By teaching children
   about internet safety, being aware of their online habits, and guiding them
   to appropriate sites, parents can make sure that the children become safe
   and responsible users (see Keeping Children Safe Online for more
   information).

   Related information
     * Socializing Securely: Using Social Networking Services
     _________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006, 2009, 2011 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed
to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST06-003.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Ouch! January 2011

2011-01-25T12:48:00.001-08:00

SECURELY DISPOSING OF COMPUTERS AND OTHER STORAGE DEVICES

OUCH!
January 2011
Security Awareness Newsletter for Computer Users
A publication of the SANS Securing The Human program
http://www.securingthehuman.org

***********************************************************************
SECURELY DISPOSING OF COMPUTERS AND OTHER STORAGE DEVICES

Download, share, and distribute this newsletter in .pdf format.
http://www.sans.org/newsletters/ouch/issue/201101.pdf

***********************************************************************

This month we discuss how to safely dispose of your computer. You may
not realize that when you delete private information from your hard
drive, the sensitive data is actually still there.

The Ouch! team would like to welcome and thank Mr. Rob Lee as our guest
editor. Mr. Lee is head of the SANS forensics program and maintains the
SANS forensics blog at http://computer-forensics.sans.org.

***THE PROBLEM***

Eventually, every computer system gets replaced. Regardless of whether
you discard, recycle, repurpose, donate, or sell your old computer, take
steps to ensure that sensitive information stored on your system has
been permanently obliterated - an essential security measure known as
"sanitizing" the media. News stories about confidential information and
trade secrets being snatched up from secondhand computers are common and
troubling. That's because completely deleting or destroying the
information stored on your hard drive is more complicated than you would
think, and recovery of that data by a third party can be easier than you
would expect.

Over the course of its life just about every computer system, whether
it was used for business and/or personal use, has probably contained
information that could be considered personal or confidential. Identity
thieves and other criminals love to get their hands on that data and can
often find it easily by examining used computers, disk drives, USB
sticks, mobile phones, memory cards, etc., readily found in the trash
or purchased in the open marketplace for pennies on the dollar.

Just because you didn't intend to save personal data on your hard drive
does not mean there is none on it. Simply browsing the web can result
in your hard drive storing data that can be pieced together to reveal a
great deal of information about you.

***WHAT DOES NOT WORK AND WHY***

- -Deleting Files
Simply deleting a file, in most operating systems, is analogous to
entering a library and removing a book's index card from the card
catalog. If you search the catalog (your disk directory), the book (your
file) appears not to be there because you no longer see its name.
However, if you wander around in the stacks (perform a low-level search
of your disk), you'll probably find the book (your file) intact, sitting
right where it should be on the shelf (your disk). And, your file will
usually remain intact until another one just happens to overwrite the
portion of your disk occupied by your first file. If you have a large
disk with a lot of empty space, overwriting might not happen for a very
long time or at all.

- -Reformatting Your Disk or Deleting Disk Partitions
Both are only slightly better than deleting files, and both are still
far from secure. Using the library analogy, these strategies are
comparable to destroying the card catalog and removing the books from
the shelves, tearing out the pages, and scattering them on the floor.
The information in the books - what's left of them - is still there and
can be recovered in whole or in part. Even if you install a new
operating system on top of your old one, you can still recover many of
your previous system's files.

- -Encrypting Disks or Files
Encryption is an excellent anti-theft measure and legally required for
certain types of data, such as patient or cardholder information. If
your device is lost or stolen, disk or file encryption is often your
last line of defense against the bad guys. However, because your
information is only hidden from view, this protection is only as strong
as your password and encryption method. A weak password will expose your
data to risk regardless of how your information has been encrypted, and
almost all encryption schemes can be cracked with sufficient time and
effort.

***WHAT DOES WORK AND WHY***

There are really only two ways to obliterate your data permanently.
(National Institute of Standards and Technology -
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf)

- -Physically Destroying the Device
You can use heat, a strong magnetic field, shredding, pulverizing, and
other violent methods that may require special tools and/or safety
precautions. Many office document shredders are powerful enough to chew
up CDs, DVDs, and floppies, which is a perfectly good way to dispose of
your removable media and their contents securely. However, your hard
disk drive might turn out to be much tougher to flatten or break than
you'd expect.

- -Securely Wiping Magnetic Drives
This is an effective method of sanitizing a re-writable storage device
(such as a disk drive). You use a special software tool to overwrite
every bit and byte on your disk so your original information cannot be
read or recovered. There are several issues to consider as you prepare
to wipe your computer's hard drive or other storage devices.

Back up data you want to keep.
Once you start the wiping process, there is no turning back.

Use a specific program.
Secure wiping requires a special-purpose program, often found on a
bootable CD or available via download. Refer to the list below. The
program may present a question or two on-screen about how rigorous you
want the process to be, as well as a point-of-no-return warning ("Are
you REALLY sure?").

Set aside sufficient time.
Expect a secure wipe to take at least several hours, particularly on
older systems and large hard drives.

Consider rules and regulations.
Although it used to be necessary to overwrite a disk multiple times with
varying random patterns to ensure complete data obliteration, one time
is sufficient to wipe your information. That said, industries that deal
with confidential information routinely, such as health care, finance,
defense, etc., should consider state and/or federal laws, industry
guidelines, and company policies that precisely dictate how devices must
be sanitized. (National Institute of Standards and Technology -
http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf)

Inspect before disposing.
Regardless of which method and process you select, inspect your
sanitized media afterward to ensure that all information has been made
unreadable.
Have questions?
Consult IT at the office or your computer support provider.

***FREE WIPING TOOLS***
Advanced Method:
ATA Secure Erase (Linux/DOS) - https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Alternative Methods:
DBAN (any operating system) - http://www.dban.org/
SDelete (Windows) - http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx
Disk Utility (OS X) - http://support.apple.com/kb/TA24002?viewlocale=en_US
Linux - Use the built-in dd, wipe, and shred tools.

***WHERE TO RECYCLE***
After sanitizing your old computer, consider donating it to a charitable
organization that may be able to give it a new life. The links below
will help you donate, recycle, or discard your equipment in an
environmentally-responsible manner.

TechSoup Stock - http://www.techsoup.org/stock/productdonor.asp?cg=lnav
ecosquid - http://www.ecosquid.com/client/index.jsp
e-Stewards - http://e-stewards.org/certification-overview/

***LEARN MORE***
To subscribe to the monthly OUCH! security awareness newsletter, to
access the OUCH! archives, or to learn more about SANS security
awareness solutions, please visit us at http://www.securingthehuman.org.

***********************************************************************

Copyright 2011 by the SANS Institute http://www.sans.org)
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzer,
Alicia Beard, Carmen Ruyle Hardy
Email: mailto:ouch@securingthehuman.org

OUCH! Security Information Service:
http://www.sans.org/newsletters/ouch/updates/

OUCH! Archives: https://www.sans.org/newsletters/ouch

Permission is hereby granted for any person to redistribute this
publication in whole or in part to any other persons as long as the
distribution is not part of any commercial service, product or
promotion. We request that redistributions include attribution for the
source of the material.

Blog posted using Windows Live Writer

Our top 10 security stories of 2010 - From Microsoft Security Newsletter

2010-12-23T18:57:00.001-08:00

About this newsletter
Microsoft Security for Home Computer Users is a monthly newsletter bringing security news, guidance, updates, and community resources directly to your inbox. If you would like to receive more technical security information, see the Microsoft Security Newsletter.

Blog posted using Windows Live Writer

Now THIS is a Rant

2010-12-20T18:22:00.001-08:00

If the government – be it Federal or State – needs any ideas on how to spend stimulus money, here’s one: SIDEWALKS!

Today I saw a woman pushing a small child that was in a wheelchair. Since someone must have thought that sidewalks were a waste of money, she had to struggle pushing that wheelchair across GRASS. No sidewalks in sight. Governments should be ashamed of themselves. Put in sidewalks. Everywhere. And while you’re at it – why not some bike lanes? Maybe less people would drive if they could safely ride a bike. I know I would.

Blog posted using Windows Live Writer

Cyber Security Tip ST07-001 – Shopping Safely Online

2010-12-20T06:59:00.001-08:00

National Cyber Alert System
Cyber Security Tip ST07-001

Shopping Safely Online

   Online shopping has become a popular way to purchase items without the
   hassles of traffic and crowds. However, the internet has unique risks, so it
   is important to take steps to protect yourself when shopping online.

Why do online shoppers have to take special precautions?

   The internet offers a convenience that is not available from any other
   shopping outlet. From the comfort of your home, you can search for items
   from countless vendors, compare prices with a few simple mouse clicks, and
   make purchases without waiting in line. However, the internet is also
   convenient for attackers, giving them multiple ways to access the personal
   and financial information of unsuspecting shoppers. Attackers who are able
   to obtain this information may use it for their own financial gain, either
   by making purchases themselves or by selling the information to someone
   else.

How do attackers target online shoppers?

   There are three common ways that attackers can take advantage of online
   shoppers:
     * Targeting vulnerable computers - If you do not take steps to protect
       your computer from viruses or other malicious code, an attacker may be
       able to gain access to your computer and all of the information on it.
       It is also important for vendors to protect their computers to prevent
       attackers from accessing customer databases.
     * Creating fraudulent sites and email messages - Unlike traditional
       shopping, where you know that a store is actually the store it claims to
       be, attackers can create malicious websites that appear to be legitimate
       or email messages that appear to have been sent from a legitimate
       source. Charities may also be misrepresented in this way, especially
       after natural disasters or during holiday seasons. Attackers create
       these malicious sites and email messages to try to convince you to
       supply personal and financial information.
     * Intercepting insecure transactions - If a vendor does not use
       encryption, an attacker may be able to intercept your information as it
       is being transmitted.

How can you protect yourself?

     * Use and maintain anti-virus software, a firewall, and anti-spyware
       software - Protect yourself against viruses and Trojan horses that may
       steal or modify the data on your own computer and leave you vulnerable
       by using anti-virus software and a firewall (see Understanding
       Anti-Virus Software and Understanding Firewalls for more information).
       Make sure to keep your virus definitions up to date. Spyware or adware
       hidden in software programs may also give attackers access to your data,
       so use a legitimate anti-spyware program to scan your computer and
       remove any of these files (see Recognizing and Avoiding Spyware for more
       information).
     * Keep software, particularly your web browser, up to date - Install
       software updates so that attackers cannot take advantage of known
       problems or vulnerabilities (see Understanding Patches for more
       information). Many operating systems offer automatic updates. If this
       option is available, you should enable it.
     * Evaluate your software's settings - The default settings of most
       software enable all available functionality. However, attackers may be
       able to take advantage of this functionality to access your computer
       (see Evaluating Your Web Browser's Security Settings and the paper
       Securing Your Web Browser for more information). It is especially
       important to check the settings for software that connects to the
       internet (browsers, email clients, etc.). Apply the highest level of
       security available that still gives you the functionality you need.
     * Do business with reputable vendors - Before providing any personal or
       financial information, make sure that you are interacting with a
       reputable, established vendor. Some attackers may try to trick you by
       creating malicious websites that appear to be legitimate, so you should
       verify the legitimacy before supplying any information (see Avoiding
       Social Engineering and Phishing Attacks and Understanding Web Site
       Certificates for more information). Attackers may obtain a site
       certificate for a malicious website to appear more authentic, so review
       the certificate information, particularly the "issued to" information.
       Locate and note phone numbers and physical addresses of vendors in case
       there is a problem with your transaction or your bill.
     * Take advantage of security features - Passwords and other security
       features add layers of protection if used appropriately (see Choosing
       and Protecting Passwords and Supplementing Passwords for more
       information).
     * Be wary of emails requesting information - Attackers may attempt to
       gather information by sending emails requesting that you confirm
       purchase or account information (see Avoiding Social Engineering and
       Phishing Attacks for more information). Legitimate businesses will not
       solicit this type of information through email. Do not provide sensitive
       information through email, and use caution when clicking on links in
       email messages (see the paper Recognizing and Avoiding Email Scans for
       more information).
     * Check privacy policies - Before providing personal or financial
       information, check the website's privacy policy. Make sure you
       understand how your information will be stored and used (see Protecting
       Your Privacy for more information).
     * Make sure your information is being encrypted - Many sites use SSL, or
       secure sockets layer, to encrypt information. Indications that your
       information will be encrypted include a URL that begins with "https:"
       instead of "http:" and a padlock icon. If the padlock is closed, the
       information is encrypted. The location of the icon varies by browser;
       for example, it may be to the right of the address bar or at the bottom
       of the window. Some attackers try to trick users by adding a fake
       padlock icon, so make sure that the icon is in the appropriate location
       for your browser.
     * Use a credit card - There are laws to limit your liability for
       fraudulent credit card charges, and you may not have the same level of
       protection for your debit card. Additionally, because a debit card draws
       money directly from your bank account, unauthorized charges could leave
       you with insufficient funds to pay other bills. You can further minimize
       damage by using a single credit card with a low credit line for all of
       your online purchases.
     * Check your statements - Keep a record of your purchases and copies of
       confirmation pages, and compare them to your bank statements. If there
       is a discrepancy, report it immediately (see Preventing and Responding
       to Identity Theft for more information).
     _________________________________________________________________

Authors: Mindi McDowell, Monica Maher
_________________________________________________________________

Produced 2007, 2008 by US-CERT, a government organization. Terms of use
US-CERT

Blog posted using Windows Live Writer

SANS Ouch! Vol. 7 No. 11 – November 2010

2010-12-01T09:13:00.001-08:00

                             OUCH!
                         November 2010
    SANS Institute Security Newsletter for Computer Users
***********************************************************************
Get security advice online at http://www.sans.org/newsletters/ouch/updates/
Browser Safety
Patches and Updates Roundup
***********************************************************************
[Editor's Note: (Wyman) The publication of the November OUCH! was
delayed. We apologize for any inconvenience this may have caused.]

What is a web browser? Everybody uses a web browser to access the
Internet. That fact alone makes the web browser a tempting target for
Bad Guys who want to take over your computer and use it for their own
nefarious purposes by installing malicious software, or "malware."

Why is important for me to know about malware? In the past, a user had
to take some specific action, like opening an email attachment, for
their computer to become infected with malware. Lately, simply visiting
a website can cause your computer to become infected. This type of
"drive-by download" is accomplished using features built into web
browsers that allow them to run scripts. Scripts are really small
computer programs that normally do useful things, like display a video,
allow you to choose from a menu and maintain a shopping cart, among
others. Unfortunately, scripts can also be used to install malware on
your computer without your knowledge or consent.

What can I do to keep my browser safe? We have assembled a variety of
measures and tools that you, the computer user, can use to make your web
browsing experience safer by limiting the impact of scripts and helping
you to avoid potentially harmful websites.

How much will it cost? All of the suggestions can be implemented at no
cost.

What's the downside? We will look at how each recommendation can
negatively impact your browsing experience.

General Browser Security Tips
Keep your browser up-to-date. The Bad Guys are constantly identifying
new vulnerabilities and weaknesses in browsers and browser makers are
constantly releasing updates to fix them. Running the latest version of
your browser ensures that you have the benefit of the latest security
technology. If you have concerns or questions about upgrading or run
into a compatibility problem, contact IT at the office or your computer
support provider.

Be careful about browser plug-ins. Plug-ins are browser extras--small,
downloadable programs that add functionality to your browser. When you
browse to a website, you may receive a message onscreen that in order
to work with the site, you have to download and install a browser
plug-in. "Just click here." But think before you click. Remember that
any software you install will need to be updated, and may contain
security vulnerabilities. Do you know that this website and the plug-in
are trustworthy? If you don't know or aren't sure, don't click. Do you
really need that plug-in? The fewer plug-ins you have installed, the
safer your browser will be.

Check that your browser and plug-ins are up-to-date. Qualys has
published a website that will do a quick check on your browser to help
you identify common security issues. Visit
https://browsercheck.qualys.com/ and install the plug-in (Yes, this
one's safe!). Then click the "Scan Now" button. Note that Javascript is
also required. An onscreen report tells you whether or not your browser
and commonly installed plug-ins are up-to-date and provides you with a
convenient way to update any found to be out-of-date.

Consider using Web of Trust (WOT). The Web of Trust is a cooperative
venture that warns users of potentially dangerous websites. When you do
a Google search, a circular indicator will appear next to each search
result that has been rated by the service. Red indicates a site that is
probably dangerous, yellow a potentially dangerous site, and green a
site that is probably safe to use. Once you've logged in to a website,
the same indicator appears in the title bar of the browser. Keep in mind
that WOT ratings are based on votes cast by members of the Internet
community, and while not necessarily authoritative, can provide useful
information about websites to avoid. More information:
http://www.mywot.com/

Tips for Internet Explorer
Microsoft's Internet Explorer (IE) is one of the most commonly used
browsers. Protect your computer by running the latest version whenever
possible. Right now that's IE8. If upgrading to IE8 is not possible,
here are some tips for improving the security of IE7.

1. Prevent Data Execution (DEP): Bad Guys exploit vulnerabilities in
IE to infiltrate your computer with malware masquerading as data.
Microsoft has published a "Fix It" site to turn on Data Execution
Prevention (DEP) for IE7 at
http://support.microsoft.com/kb/2458511#FixItForMeAlways
Click the button marked "Enable the application compatibility database."
Note: The DEP fix is not needed for IE8 and later versions.
Ease of implementation: Moderate
Impact on browsing: Minimal

2. Turn on the Phishing Filter: Microsoft includes a Phishing Filter in
IE that detects when a website is not exactly what it appears to be. If
the site you are visiting is on the list of reported phishing websites,
IE will display a warning web page and a notification on the address
bar. From the warning web page, you can continue or close the page. If
the website contains characteristics common to a phishing site but isn't
on the list, IE will notify you in the address bar that it might be a
phishing website.
You can turn on the Phishing Filter from the Tools menu in IE.
More Information:
https://www.microsoft.com/mscorp/safety/technologies/antiphishing/at_glance.mspx
Ease of implementation: Moderate
Impact on browsing: Minimal

3. Increase IE Security Settings: The Internet Options menu in IE
contains a Security tab that gives you a great deal of control over the
behavior of IE when you visit a website. The default setting of
"Medium-high" for the Internet Zone will prompt you before downloading
any content that IE assesses as unsafe. By changing this setting to
"High," you can effectively block all scripts from running on any web
page you visit. While this is the safest possible setting, it can
severely impact the performance of a website. To allow scripts to run
on sites you trust, you can add them to the Trusted Sites Zone, one site
at a time or whole domains at once using a wildcard (*). For example,
entering http://*.sans.org would allow you to browse the entire SANS
website without any prompts.
More Information: http://support.microsoft.com/kb/174360
Ease of implementation: Difficult
Impact on browsing: Severe

Tips for Firefox
The comments and suggestions below relate specifically to Firefox 3.6,
the current version. The security suggestions below take the form of
"Add-ons" that are downloaded and added to Firefox using the Tools menu.

1. NoScript: This add-on blocks scripts from running in Firefox. When
you visit a website that wants to run scripts, NoScript will display a
warning at the bottom of the screen, and give you the opportunity to
allow scripts to run on a temporary or permanent basis. Not allowing the
scripts to run can severely impact the performance of many web pages.
After you have used NoScript for a while, it will learn about the web
pages you visit frequently and will not be as "pesky."
More information: http://noscript.net/
Ease of implementation: Moderate
Impact on browsing: Moderate to severe

2. HTTPS Everywhere: You are probably familiar with HTTPS from using
encrypted secure sites like those for online banking. Many websites
offer some limited support for encryption over HTTPS, but make it
difficult to use. HTTPS Everywhere attempts to make a secure connection
to many of the most popular sites on the Internet even if you don't
specifically ask for it. If it fails to make a secure connection, it
defaults to an unencrypted HTTP connection and your browser continues
to function as if nothing had happened.
More information: https://www.eff.org/https-everywhere
Ease of implementation: Moderate
Impact on browsing: Minimal

3. Adblock Plus: Adblock Plus is an extension for Firefox, Thunderbird,
and several other applications with the primary goal of removing
advertisements. It works by comparing ads that are about to be displayed
with a set of filters that describe undesirable advertising. When you
install Adblock Plus, it sets up a subscription to a basic set of
filters that will meet the needs of most users. Many additional sets of
filters are available for your use.
More information: http://adblockplus.org/en/
Ease of implementation: Moderate
Impact on browsing: Moderate

*****************************************************************
Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: http://update.microsoft.com &
http://www.microsoft.com/security/updates/bulletins/201011.aspx

Mac Office:
http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033

OS X: http://support.apple.com/kb/HT1338

iPad: http://www.ehow.com/how_6256127_update-restore-apple-ipad.html

iPhone, iPod & iPod touch: http://support.apple.com/kb/HT1414

iPod: http://support.apple.com/kb/HT1483

Windows Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
OS X Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh

Flash Player: http://get.adobe.com/flashplayer/

Firefox: http://www.mozilla.com/en-US/firefox/update/

Safari: http://www.ehow.com/how_2033324_update-safari.html

Opera: http://www.opera.com/

Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414

Java: http://www.java.com/en/download/manual.jsp

Windows iTunes: http://www.ehow.com/how_2016273_update-itunes-pc.html
OSX iTunes: http://www.ehow.com/how_2016270_update-itunesmac.html

Security Suites

Symantec:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Norton:
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

McAfee: http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Kaspersky: http://www.kaspersky.com/avupdates

AVG: http://free.avg.com/us-en/download-update

Panda: http://www.pandasecurity.com/homeusers/downloads/clients/

PC Tools:
http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html

BitDefender:
http://www.bitdefender.com/site/view/Desktop-Products-Updates.html

Avast: http://www.avast.com/download-update

Webroot: http://support.webroot.com

Trend Micro:
http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx

Microsoft Security Essentials:
http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

***********************************************************************
Copyright 2010, SANS Institute (http://www.sans.org)
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzer,
Alicia Beard, Alan Paller
Email: OUCH@sans.org
OUCH! Security Information Service: http://www.sans.org/newsletters/ouch/updates/
Download the formatted version of the OUCH!: https://www.sans.org/newsletters/ouch
Permission is hereby granted for any person to redistribute this in
whole or in part to any other persons as long as the distribution is not
being made as part of any commercial service or as part of a promotion
or marketing effort for any commercial service or product. We request
that redistributions include attribution for the source of the material.

Blog posted using Windows Live Writer

Cyber Security Tip ST05-018 - Understanding Voice over Internet Protocol (VoIP)

2010-11-16T06:17:00.001-08:00

Cyber Security Tip ST05-018
Understanding Voice over Internet Protocol (VoIP)

   With the introduction of VoIP, you can use the internet to make telephone
   calls instead of relying on a separate telephone line. However, the
   technology does present security risks.

What is voice over internet protocol (VoIP)?

   Voice over internet protocol (VoIP), also known as IP telephony, allows you
   to use your internet connection to make telephone calls. Instead of relying
   on an analog line like traditional telephones, VoIP uses digital technology
   and requires a high-speed broadband connection such as DSL or cable. There
   are a variety of providers who offer VoIP, and they offer different
   services. The most common application of VoIP for personal or home use is
   internet-based phone services that rely on a telephone switch. With this
   application, you will still have a phone number, will still dial phone
   numbers, and will usually have an adapter that allows you to use a regular
   telephone. The person you are calling will not likely notice a difference
   from a traditional phone call. Some service providers also offer the ability
   to use your VoIP adapter any place you have a high-speed internet
   connection, allowing you to take it with you when you travel.

What are the security implications of VoIP?

   Because VoIP relies on your internet connection, it may be vulnerable to
   many of the same problems that face your computer and even some that are
   specific to VoIP technology. Attackers may be able to perform activities
   such as intercepting your communications, eavesdropping, taking control of
   your phone, making fraudulent calls from your account, conducting effective
   phishing attacks by manipulating your caller ID, and causing your service to
   crash (see Avoiding Social Engineering and Phishing Attacks and
   Understanding Denial-of-Service Attacks for more information). Activities
   that consume a large amount of network resources, like large file downloads,
   online gaming, and streaming multimedia, may affect your VoIP service.

   There are also inherent problems to routing your telephone over your
   broadband connection. Unlike traditional telephone lines, which operate
   despite an electrical outage, if you lose power, your VoIP may be
   unavailable.   VoIP   services   may   also   introduce problems for
   location-dependent systems such as home security systems or emergency
   numbers such as 911.

How can you protect yourself?

     * Keep software up to date - If the vendor releases updates for the
       software operating your device, install them as soon as possible.
       Installing them will prevent attackers from being able to take advantage
       of known problems or vulnerabilities (see Understanding Patches for more
       information).
     * Use and maintain anti-virus software - Anti-virus software recognizes
       and protects your computer against most known viruses. However,
       attackers are continually writing new viruses, so it is important to
       keep your anti-virus software current (see Understanding Anti-Virus
       Software for more information).
     * Take advantage of security options - Some service providers may offer
       encryption as one of their services. If you are concerned about privacy
       and confidentiality, you may want to consider this and other available
       options.
     * Install or enable a firewall - Firewalls may be able to prevent some
       types of infection by blocking malicious traffic before it can enter
       your computer (see Understanding Firewalls for more information). Some
       operating systems actually include a firewall, but you need to make sure
       it is enabled.
     * Evaluate your security settings - Both your computer and your VoIP
       equipment/software offer a variety of features that you can tailor to
       meet your needs and requirements. However, enabling certain features may
       leave you more vulnerable to being attacked, so disable any unnecessary
       features. Examine your settings, particularly the security settings, and
       select options that meet your needs without putting you at increased
       risk.

Additional information

* Understanding Voice over Internet Protocol (VoIP) PDF
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

     Produced 2005 by US-CERT, a government organization.

     Note: This tip was previously published and is being
     re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST05-018.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit

http://www.us-cert.gov/cas/signup.html

Blog posted using Windows Live Writer

Microsoft ASP.NET Web Platform Firestarter Events

2010-11-09T06:59:00.001-08:00

Tuesday, November 30, 2010 9:00 AM - Tuesday, November 30, 2010 5:00 PM Eastern Time (US & Canada)
Welcome Time: 8:30 AM

Microsoft Tampa Office

5426 Bay Center Dr
Suite 700 Tampa Florida 33609
United States

ASP.NET Web Platform Firestarter Event ID: 1032457024

Thursday, December 02, 2010 9:00 AM - Thursday, December 02, 2010 5:00 PM Eastern Time (US & Canada)
Welcome Time: 8:30 AM

Renaissance Orlando at SeaWorld

6677 Sea Harbor Dr
Orlando Florida 32821
United States

ASP.NET Web Platform Firestarter Event ID: 1032457025

Blog posted using Windows Live Writer

Lovejoy "Glory Days" 2011 – UPDATE!

2010-11-06T08:06:00.001-07:00

Tickets are on sale: Send an check or money order with a stamped-self addressed envelope to:

V. Ferraraccio
257 Ludington Street
Buffalo, NY 14206-1427

The tickets are $25.00 each includes Chicken B-Q, Beer, Pop, Cash Bar, Music.

Looking forward to seeing all of you again.

Due to the overwhelming response to the idea of a East Lovejoy, Buffalo, NY reunion – a larger venue was called for.

So the Lovejoy "Glory Days" 2011 will be held on July 23rd, 2011 at

Fontana's Grove on Clinton in West Seneca, NY !!

If you like more information on this, please write:

Lovejoy2011 at netein dot com

and someone on the committee will get back to you.

Looking forward to seeing old friends and making new ones!!

Blog posted using Windows Live Writer

Fresh Christmas Trees & Wreaths !!!

2010-11-05T14:54:00.001-07:00

If you will be purchasing a real Christmas tree and/or a wreath this year, please consider making your purchase through Boone High School Cross Country.

The net proceeds of any purchase you make go toward supporting various important aspects of the BHS Cross Country program and the goals and activities of the many awesome kids who run for the program.

Please find attached order form, which includes instructions for its use. If you're techie, you can find an alternative "online" version of it at Boone High School Cross Country. When completing the form, please reference Dustin Driskell as the “Salesperson/Runner”.

Whether you choose the hand-written option or the techie option, please forward one copy and your check to me at 3160 Carisudo Ct., Orlando, FL 32812.

Feel free to share with family & friends.

Thank you for your support!

AT&T U-verse Drops MORE Channels

2010-11-05T03:45:00.001-07:00

Statement from AT&T this morning on Facebook:

We’re very sorry to report that HGTV, Food Net, DIY Net, Cooking Chl & GAC were removed. We’ve been working for weeks to reach a fair deal, but they didn’t hold up to what had been agreed upon verbally, leaving us without the rights to these channels. We apologize that this has affected you. We want to keep these channels at a fair price 4 you. We’re making every effort to bring them back asap.

http://go-att.us/qr5n

Statement from Scripps this morning on Facebook:

Dear DIY Network Fans,

We are shocked and disappointed that AT&T U-verse has taken DIY Networkoff the air, along with your other favorite lifestyle networks – HGTV, Food Network, Cooking Channel and Great American Country. Their decision to drop DIY Network is particularly surprising considering we reached an agreement in principle with AT&T U-verse on the distribution fees we would receive for our networks well in advance of last month’s contract deadline.

This is something we worked hard to avoid. As John Lansing, head of our networks, explains, “We even offered an extension through year end to work out the final details of our agreement while allowing AT&T the rights to continue delivering DIY Network to you. Instead, AT&T stopped negotiating, took our family-friendly networks off the air, and left you without our must-see shows.”

The remaining issues involved AT&T U-verse’s demands to use our video – video that was created specifically for our networks and video that we own – in ways that go beyond our normal business practices. AT&T U-verse demanded unreasonably broad video rights for emerging media where business models have not even been established. Accepting their demands would have restrained our ability to deliver our programs to viewers like you in new and innovative ways.

Should AT&T U-verse decide to resume discussions, we remain committed to continue our good faith negotiations and bring back all our networks to AT&T U-verse customers.

We urge you to tell AT&T U-verse to keep your favorite networks, including DIY Network, by going here: http://bit.ly/9uDGrc or calling 1-800-288-2020.

Thank you for your support,

Jeffery at DIY Network

I for one have had it with AT&T – time to return to Bright House. At least they negotiate in good faith!

Blog posted using Windows Live Writer

SANS Ouch! Vol. 7 No. 10 – October 2010

2010-11-03T05:54:00.001-07:00

                                   OUCH!
                               October 2010
    SANS Institute Security Newsletter for Computer Users
***********************************************************************
Get security advice you can use at
http://www.sans.org/newsletters/ouch/updates/
Dirty Tricks and Larceny
Patches and Updates Roundup
***********************************************************************

Dirty Tricks and Larceny

[Editor's Note: (Wyman) This month we present an overview of why and how
the Bad Guys do it, what it's called, and what you can do to protect
your computer.]

Blackhats. Hackers who use their skills for explicitly criminal or other
malicious ends, such as writing malware (malicious software) to steal
credit card numbers and banking data or by phishing; a.k.a. the Bad
Guys.

Phishing. The practice of sending out fake email messages that look as
if they come from a trusted person or institution-usually a bank-in
order to trick people into handing over confidential information. The
emails often direct you to a website that looks like that of the real
financial institution. But it is a fake and has been rigged to collect
your personal information, such as passwords, credit card numbers and
bank account numbers, and transmit them to the Bad Guys.

Man-in-the-middle. An attack in which a criminal hacker intercepts
information sent between your computer and the website of your financial
institution and then uses that information to impersonate you in
cyberspace. The hacker is able to defeat even very sophisticated
security measures and gain access to your account.

Botnet. Botnets consist of large numbers of hijacked computers that are
under the remote control of a criminal or a criminal organization. The
hijacked computers-a.k.a. "zombies" or "bots" (short for "robots") -are
recruited using viruses spread by email or drive-by downloads. Worms are
used to find and recruit additional computers. The biggest botnets
consist of thousands and even millions of computers, most often
unprotected home computers.

Virus. A malicious program that usually requires some action on the part
of a user in order to infect a computer; for example, opening an
infected attachment or clicking on a link in a rigged email may trigger
a virus to infect your computer.

Drive-by Download. A kind of malware that installs itself automatically
when you visit a booby-trapped website. Symptoms of a drive-by download
include: your homepage has been changed, unwanted toolbars have been
added, and unfamiliar bookmarks appear in your browser.

Worm. Self-replicating malware that, for instance, hunts down
unprotected computers and recruits them for criminal or other malicious
purposes. Unlike a virus, worms do not require any action on your part
in order to infect your computer.

Fake Anti-Virus. Fake anti-virus software purports to be a helpful
program than can find and remove malware, but in fact it is malware--the
very thing that it's supposed to eliminate. After taking over your
computer, it pretends to do security scans, tells you it has found
malware, and then asks you to pay to have the non-existent malware
removed. Whether or not you pay, fake anti-virus is likely to install
more malware.

Whitehats. Hackers who use their skills for positive ends, and often for
thwarting blackhats. Many whitehats are security professionals who spend
their time identifying and fixing vulnerabilities in software that
blackhats seek to exploit for criminal or other malicious purposes.

Security suite. A set of software applications designed to protect your
computer that consists of anti-virus, anti-malware and a personal
firewall.

Anti-virus and anti-malware. Helpful software applications that scan
your computer for certain patterns of infection. The patterns they scan
for are the signatures, or definitions, of known forms of malware. Since
Bad Guys are creating new forms of malware continuously, it is important
that you keep your anti-virus and anti-malware definitions updated. See
the "Patches and Updates" section below.

Personal firewall. Software that monitors incoming and outgoing traffic
on your computer and checks for suspicious patterns indicating the
presence of malware or other malicious activity. A personal firewall
alerts you to these threats and attempts to block them. Like anti-virus
and anti-malware software, personal firewalls require frequent updates
to provide effective protection.

Updates. Security software relies on frequent updates in order to be
able to counteract previously undetected forms of malware. Consequently,
your computer may suffer a "window of vulnerability" between the time a
new form of malware is identified and the time when your security
software can block it or remove the infection. Set your security
software to update automatically.

Patches. Operating systems, like Windows and OS X, and software
applications, such as Internet Explorer and Firefox, may be found to
contain security flaws or holes that make your computer vulnerable to
attack. Their makers release patches to plug the holes. The fastest and
surest way to get these installed quickly is to use auto-updating via
the Internet. Some software applications require manual updating. See
the "Patches and Updates" section below.

Black Tuesday a.k.a. Patch Tuesday. On the second Tuesday of each month
Microsoft releases security patches for Windows, Internet Explorer,
Office and its other software products. You can have these installed
automatically using Microsoft Update. See the "Patches and Updates"
section below.

Auto-updating. A software tool built into Windows ("Microsoft Update")
and OS X ("Auto Update") and many other applications which can download
and install important security updates and patches for software
installed on your computer automatically. See the "Patches and Updates"
section below.

More information:
http://www.binaryfarm.com/jargon.html
http://besafe.more.net/sam/resources/jargon.pdf
http://ittraining.iu.edu/workshops/win_security/terminology.html

***********************************************************************
IS YOUR ORGANIZATION CONSIDERING STARTING AN AWARENESS PROGRAM or
looking for ways to improve an existing one? SANS "Securing the Human"
blog provides the latest updates, resources, and best practices to help
you plan, implement, and maintain effective security awareness programs.
http://www.securingthehuman.org/blog
***********************************************************************

Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: http://update.microsoft.com &
http://www.microsoft.com/security/updates/bulletins/201010.aspx

Mac Office:
http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033

OS X: http://support.apple.com/kb/HT1338

iPad: http://www.ehow.com/how_6256127_update-restore-apple-ipad.html

iPhone, iPod & iPod touch: http://support.apple.com/kb/HT1414

iPod: http://support.apple.com/kb/HT1483

Flash Player: http://get.adobe.com/flashplayer/

Firefox: http://www.mozilla.com/en-US/firefox/update/

Safari: http://www.ehow.com/how_2033324_update-safari.html

Opera: http://www.opera.com/

Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414

Java: http://www.java.com/en/download/manual.jsp

Windows iTunes: http://www.ehow.com/how_2016273_update-itunes-pc.html
OSX iTunes: http://www.ehow.com/how_2016270_update-itunesmac.html

Security Suites

Symantec:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Norton:
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

McAfee: http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Kaspersky: http://www.kaspersky.com/avupdates

AVG: http://free.avg.com/us-en/download-update

Panda: http://www.pandasecurity.com/homeusers/downloads/clients/

PC Tools:
http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html

BitDefender:
http://www.bitdefender.com/site/view/Desktop-Products-Updates.html

Avast: http://www.avast.com/download-update

Webroot: http://support.webroot.com

Trend Micro:
http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx

Microsoft Security Essentials:
http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

***********************************************************************
Copyright 2010, SANS Institute (http://www.sans.org)
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Alicia Beard,
Alan Paller
Email: OUCH@sans.org
OUCH! Security Information Service: http://www.sans.org/newsletters/ouch/updates/
Download the formatted version of the OUCH!:
https://www.sans.org/newsletters/ouch
Permission is hereby granted for any person to redistribute this in
whole or in part to any other persons as long as the distribution is not
being made as part of any commercial service or as part of a promotion
or marketing effort for any commercial service or product. We request
that redistributions include attribution for the source of the material.

Blog posted using Windows Live Writer

From: Ellen Freidin of Fair Districts Florida

2010-10-30T13:45:00.001-07:00

This morning I woke up to emails from across the state telling me about blatant lies that are being spread by politicians about Amendments 5 and 6.

A Congresswoman in Central Florida sent an email (from her public Congressional account) which absolutely misrepresents the truth. She said that under current law “congressional districts must be drawn ‘fairly’, be ‘as equal in population as feasible’, and use ‘city, county, and geographical boundaries.’” She also said, “our state already uses fairness and natural geographical features as the primary tools to determining where district lines fall,” and claims that 5 and 6 will do away with these standards when in reality they will create them. She is telling people the reverse of the truth.

Blatant lies. Shame on her. This is a typical politician’s trick to try to confuse voters on the weekend before the election. The language of 5 and 6 will CREATE THESE STANDARDS FOR THE FIRST TIME!!!! You know that. I know that. But many voters still do not.

And there’s more. Several of our supporters have received “robo-calls” saying that if we pass Amendments 5 and 6, Florida will lose seats in Congress. What an ignorant whopping lie! Scare tactics. Plain and simple.

These politicians want to continue to use redistricting as their own political protection plan! They are desperate to stop the people from passing Amendments 5 and 6.

Not a single one of us can sit idle this weekend. We must reach out to everyone we know to tell them the truth, that a YES on 5 and 6 will create rules for politicians to follow to stop them from making backroom deals to favor themselves and their political allies.

Will you make 10 calls? (See below for what to say)

Will you send emails? (See below for text to cut and paste)

We must get the word out TODAY! People are voting. This is our only shot.

I know you care. Please help stop these slimy lies!

Ellen

Email or call script:

I am writing (calling) to urge you to vote YES on Amendments 5 & 6. These amendments will create rules for Tallahassee politicians that will stop them from making backroom deals to favor themselves and their political allies when they redraw their own and Congressional district lines.

Every single newspaper in the state has endorsed these amendments. They are backed by the League of Women Voters, the AARP and dozens of other civic organizations.

On this weekend before the election, politicians are up to their usual tricks. They are trying to spread lies about 5 and 6. But those politicians want to be able to continue their own political protection plan. Do not be fooled! Every newspaper in the state cannot be wrong! Please be sure to vote before Tuesday at 7 pm and PLEASE vote YES on 5 & 6.

Fair Districts Florida

Blog posted using Windows Live Writer

Four Seasons of Orlando Doesn’t Stand Behind Its Product

2010-10-08T14:17:00.001-07:00

We wonder how Four Seasons Of Orlando can sponsor the Celebration Town Center 2010 Octoberfest when it doesn’t stand behind its sunroom construction?

Our sunroom has leaked, off and on, since its construction in 2006. The sunroom itself is great. But where it was added to the house has leaked and still continues to leak.

What really galls us is the fact that they no longer return our calls & emails. The did not respond to inquiries from the Better Business Bureau. And calls from the corporate office to their office provide no resolution.

This is why we’ve resorted to blogging about our misfortune in the hopes of warning others in Central Florida NOT to do business with them.

The cost to repair the leaks? Around $2,500. No small change.

So avoid the following business:

Four Seasons Of Orlando
444 27th Street
Orlando FL 32806
(407) 423-0942

http://fso.fourseasonssunrooms.com/

Here’s our pictures:

View Full Album

Blog posted using Windows Live Writer

Technorati Tags: Four Seasons of Orlando,leaks,fail

Cyber Security Tip ST05-017 – Cybersecurity for Electronic Devices

2010-10-03T18:50:00.001-07:00

Cyber Security Tip ST05-017

Cybersecurity for Electronic Devices

When you think about cybersecurity, remember that electronics such as cell phones and PDAs may also be vulnerable to attack. Take appropriate precautions to limit your risk.

Why does cybersecurity extend beyond computers?

Actually, the issue is not that cybersecurity extends beyond computers; it is that computers extend beyond traditional laptops and desktops. Many electronic devices are computersâ€”from cell phones and PDAs to video games and car navigation systems. While computers provide increased features and functionality, they also introduce new risks. Attackers may be able to take advantage of these technological advancements to target devices previously considered "safe." For example, an attacker may be able to infect your cell phone with a virus, steal your phone or wireless service, or access the data on your PDA. Not only do these activities have implications for your personal information, but they could also have serious consequences if you store corporate information on the device.

What types of electronics are vulnerable?

Any piece of electronic equipment that uses some kind of computerized component is vulnerable to software imperfections and vulnerabilities. The risks increase if the device is connected to the internet or a network that an attacker may be able to access. Remember that a wireless connection also introduces these risks (see Securing Wireless Networks for more information). The outside connection provides a way for an attacker to send information to or extract information from your device.

How can you protect yourself?

* Remember physical security - Having physical access to a device makes it easier for an attacker to extract or corrupt information. Do not leave your device unattended in public or easily accessible areas (see

Protecting Portable Devices: Physical Security for more information).

* Keep software up to date - If the vendor releases updates for the

software operating your device, install them as soon as possible.

Installing them will prevent attackers from being able to take advantage

of known problems or vulnerabilities (see Understanding Patches for more information).

* Use good passwords - Choose devices that allow you to protect your information with passwords. Select passwords that will be difficult for thieves to guess, and use different passwords for different programs and devices (see Choosing and Protecting Passwords for more information). Do not choose options that allow your computer to remember your passwords.

* Disable remote connectivity - Some PDAs and phones are equipped with wireless technologies, such as Bluetooth, that can be used to connect to other devices or computers. You should disable these features when they are not in use (see Understanding Bluetooth Technology for more information).

* Encrypt files - If you are storing personal or corporate information,

see if your device offers the option to encrypt the files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

______________________________________________________

Authors: Mindi McDowell, Matt Lytle

______________________________________________________

Produced 2005 by US-CERT, a government organization. Terms of use

US-CERT

Note: This tip was previously published and is being

re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST05-017.html

For instructions on subscribing to or unsubscribing from this mailing

list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

SANS Ouch! Vol. 7 No. 9 – September 2010

2010-10-03T17:28:00.001-07:00

                              OUCH!
                          September 2010
     SANS Institute Security Newsletter for Computer Users
**************************************************************
Get security advice online at
http://www.sans.org/newsletters/ouch/updates/
The Big Four Browsers
- - The Buzz
- - Security Metrics
- - Recommendations
- - Security Tips
Patches and Updates Roundup
**************************************************************
The Big Four Browsers
[Editor's Note: (Wyman) This month we look at the buzz and some
measurable security merits of the Big Four browsers: Internet Explorer, Firefox, Chrome, and Safari. Browser Wars are a competition for market share. (1) The fighting is about speed, add-ons, graphics, and the user interface. Every now and then a pronouncement about security gets tacked on to the discussion, as an afterthought: "It's better, and safer, too."
Despite its second billing, your browser is the most likely pathway through which malware will attempt to enter your computer. It's important to use the latest version, keep it patched, and be judicious about the websites you visit.]

Internet Explorer
IE has the distinction of being the most patched browser in history. It's a dubious one perhaps, but any software application that's been around for 15 years and is still in daily use on 60% of all computers worldwide can't be all bad. (1)  IE has many reputations ranging from the stolid "enterprise browser," to a stodgy hodgepodge of stale
graphics and ho-hum functionality, to a typical Microsoft product riddled with security holes and bugs. Is IE's security "inherently flawed?" That's debatable. Certainly arguments about the security of IE's ActiveX vs. the-rest-of-the-world's Java have simmered-and occasionally flared up-for the last 13 years. But there's no debate that, thanks to IE's huge market share and unequaled longevity, IE users are the biggest target for malware and the Bad Guys.

Firefox
Mozilla products hold a special place in the hearts and minds of users who got to know email using Eudora and the Web using Mosaic or Netscape. For some, Firefox, Netscape's successor, is the non-profit, open-source, cross-platform, righteous opponent of Microsoft's corporate, monopolistic, propriety, Windows-only Internet Explorer. When Microsoft abandoned Internet Explorer for Macintosh in 2003, Mac users were
disenfranchised in one fell swoop; Firefox 1.1 and Safari came to their rescue. More urban legends surround Firefox than any other browser; there's a whole website dedicated to debunking Firefox "myths" (2). Firefox's market share grew rapidly in 2009-10 as it became the "other browser" of choice among Windows users (3).

Chrome
Chrome entered the browser competition in late 2008, ushered in by Google's trademark air of confidence and uniqueness, like a third party presidential candidate touching down in a traditionally Blue-Red state. Originally a Windows-only product, Google adopted an open-source strategy that made it possible (and legal) to incorporate components of Firefox and Safari into a stable Mac version which was released in May
2010. Chrome's market share, flat for the preceding eight months, began an upward trend at the same time that the Mac version was released (3). If Firefox is the "other browser," Chrome is the "other other browser," set apart by its spare, uncluttered user interface, and the promise of a different kind of user experience. Chrome's superior security has been
touted, but owing to its newness and relatively small market share, Chrome has not participated in the trench warfare of the Web yet on the same scale as the veteran IE and Firefox.

Safari
Safari is the only browser that began as a Mac-only product (in 2003). Today Safari is included in every version of OS X. The Windows version was not released until mid-June 2007 and has never been included in any version of Windows. Safari for Windows' market share remains at less than 1%, making it the least popular of the browsers mentioned here. This may explain why Apple's security support for Safari for Windows has
been so dismal. Safari 5.0 for Mac, on the other hand, is the most familiar and popular browser among Mac users. As with Internet Explorer and Windows, Firefox is the "other browser" among OS X users. Apple security support for Safari has improved since the release of Mac version 5.

Security Metrics
According to Symantec's April 2010 Internet Security Report (4), in 2009 IE garnered 45 reported security flaws, on par with the 41 flaws reported for Chrome, considerably out in front of Safari and its 94 flaws, and way ahead of Firefox's 169 flaws. Contrasting stats are available from US-CERT's National Vulnerability Database (5) which for a recent three-month period tallies 17 reported vulnerabilities for IE,
followed by Firefox with 20, Chrome with 40, and Safari with 51.

The appearance or emergence of browser flaws and vulnerabilities is inevitable. From a practical standpoint, what matters as much, if not more, is how quickly they get patched; that is, how long what the Symantec Report calls a "window of vulnerability" remains open. For 2009, that was on average less than 1 day for IE and Firefox, 2 days for
Chrome, and 13 days for Safari.

Recommendations
Kudos to Microsoft and Mozilla for responding quickly to vulnerabilities as they are discovered in Internet Explorer and Firefox, and for developing fast and effective ways to deliver patches to your computer automatically. Their makers have demonstrated consistent concern for your security and have a proven record of standing behind their products.

Brower Security Tips
- - The security of any browser can be undermined if you tinker with or turn off its security features, or browse the Web indiscriminately.
- - Keep your browser version up-to-date. New versions are free for the downloading. (6)
- - Security patches and updates are no substitute for installing and maintaining good-quality anti-virus or a multi-component security suite on your computer.
- - Keep your software firewall turned on.
- - If you are not sure about your firewall, or think your browser is acting funny, take a cautious approach and have it checked out promptly by IT at the office or by your computer consultant.

Notes
(1) http://www.netmarketshare.com/browser-market-share.aspx?qprid=0
(2) http://home.comcast.net/~SupportCD/FirefoxMyths.html
(3) http://www.netmarketshare.com/browser-market-share.aspx?qprid=3
(4) http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
(5) http://web.nvd.nist.gov/view/vuln/search
(6) IE: http://www.microsoft.com/windows/internet-explorer/default.aspx
Firefox: http://www.mozilla.com/en-US/firefox/update/
Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414
Safari: http://www.apple.com/safari/download/

**************************************************************
Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: http://update.microsoft.com &
http://www.microsoft.com/security/updates/bulletins/201009.aspx

Mac Office:
http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033

OS X: http://support.apple.com/kb/HT1338

iPad: http://www.ehow.com/how_6256127_update-restore-apple-ipad.html

iPhone, iPod & iPod touch: http://support.apple.com/kb/HT1414

iPod: http://support.apple.com/kb/HT1483

Windows Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
OS X Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh

Flash Player: http://get.adobe.com/flashplayer/

Firefox: http://www.mozilla.com/en-US/firefox/update/

Safari: http://www.ehow.com/how_2033324_update-safari.html

Opera: http://www.opera.com/

Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414

Java: http://www.java.com/en/download/manual.jsp

Windows iTunes: http://www.ehow.com/how_2016273_update-itunes-pc.html
OSX iTunes: http://www.ehow.com/how_2016270_update-itunesmac.html

Security Suites

Symantec:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Norton:
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

McAfee: http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Kaspersky: http://www.kaspersky.com/avupdates

AVG: http://free.avg.com/us-en/download-update

Panda: http://www.pandasecurity.com/homeusers/downloads/clients/

PC Tools:
http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html

BitDefender:
http://www.bitdefender.com/site/view/Desktop-Products-Updates.html

Avast: http://www.avast.com/download-update

Webroot: http://support.webroot.com

Trend Micro:
http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx

Microsoft Security Essentials:
http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

**************************************************************
Copyright 2010, SANS Institute (http://www.sans.org)
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Alicia Beard, Alan Paller
Email: OUCH@sans.org
OUCH! Security Information Service: http://www.sans.org/newsletters/ouch/updates/
Download the formatted version of the OUCH!: https://www.sans.org/newsletters/ouch
Permission is hereby granted for any person to redistribute this in whole or in part to any other persons as long as the distribution is not being made as part of any commercial service or as part of a promotion or marketing effort for any commercial service or product. We request that redistributions include attribution for the source of the material.

Lovejoy Buffalo New York 2011 Reunion

2010-10-03T16:40:00.001-07:00

Given the resounding success of 2009’s St. Agnes Class of 1968 Reunion, a Lovejoy wide reunion is

in the planning stage for 2011.

If you like more information on this, please write:

Lovejoy2011 at netein dot com

and someone on the committee will get back to you.

Technorati Tags: Lovejoy,Buffalo NY,Buffalo New York,Iron Island,Iron City,Reunion

Lovejoy, Buffalo NY, Buffalo New York, Iron Island, Iron City, Reunion

Blog posted using Windows Live Writer

Cloud Music

2010-09-18T10:54:00.001-07:00

Anyone out there get the iPhone App “Cloud Music” to actually PLAY music? I can connect to my Google Docs, see and access my music folder and music, but nothing plays. It just sits there, starring blankly back at me. Since their tech support is in Chinese, it’s not much help.

Right now, it’s a big fat #FAIL

Blog posted using Windows Live Writer

Cyber Security Tip ST05-015 Understanding Bluetooth Technology

2010-09-14T11:59:00.001-07:00

Cyber Security Tip ST05-015

Understanding Bluetooth Technology

Many electronic devices are now incorporating Bluetooth technology to allow wireless communication with other Bluetooth devices. Before using Bluetooth, it is important to understand what it is, what security risks it presents, and how to protect yourself.

What is Bluetooth?

Bluetooth is a technology that allows devices to communicate with each other without cables or wires. It is an electronics "standard," which means that manufacturers that want to include this feature have to incorporate specific requirements into their electronic devices. These specifications ensure that the devices can recognize and interact with other devices that use the Bluetooth technology.

Many popular manufacturers are making devices that use Bluetooth technology. These devices include mobile phones, computers, and personal digital assistants (PDAs). The Bluetooth technology relies on short-range radio frequency, and any device that incorporates the technology can communicate as long as it is within the required distance. The technology is often used to allow two different types of devices to communicate with each other. For example, you may be able to operate your computer with a wireless keyboard, use a wireless headset to talk on your mobile phone, or add an appointment to your friend's PDA calendar from your own PDA.

What are some security concerns?

Depending upon how it is configured, Bluetooth technology can be fairly secure. You can take advantage of its use of key authentication (see Understanding Digital Signatures for more information) and encryption (see Understanding Encryption for more information). Unfortunately, many Bluetooth devices rely on short numeric PIN numbers instead of more secure passwords or passphrases (see Choosing and Protecting Passwords for more information).

If someone can "discover" your Bluetooth device, he or she may be able to send you unsolicited messages or abuse your Bluetooth service, which could cause you to be charged extra fees. Worse, an attacker may be able to find a way to access or corrupt your data. One example of this type of activity is "bluesnarfing," which refers to attackers using a Bluetooth connection to steal information off of your Bluetooth device. Also, viruses or other malicious code can take advantage of Bluetooth technology to infect other devices. If you are infected, your data may be corrupted, compromised, stolen, or lost. You should also be aware of attempts to convince you to send information to someone you do not trust over a Bluetooth connection (see Avoiding Social Engineering and Phishing Attacks for more information).

How can you protect yourself?

* Disable Bluetooth when you are not using it - Unless you are actively transferring information from one device to another, disable the technology to prevent unauthorized people from accessing it.

* Use Bluetooth in "hidden" mode - When you do have Bluetooth enabled, make sure it is "hidden," not "discoverable." The hidden mode prevents other Bluetooth devices from recognizing your device. This does not prevent you from using your Bluetooth devices together. You can "pair" devices so that they can find each other even if they are in hidden mode. Although the devices (for example, a mobile phone and a headset) will need to be in discoverable mode to initially locate each other, once they are "paired" they will always recognize each other without needing to rediscover the connection.

* Be careful where you use Bluetooth - Be aware of your environment when pairing devices or operating in discoverable mode. For example, if you are in a public wireless "hotspot," there is a greater risk that someone else may be able to intercept the connection (see Securing Wireless Networks for more information) than if you are in your home or your car.

* Evaluate your security settings - Most devices offer a variety of features that you can tailor to meet your needs and requirements. However, enabling certain features may leave you more vulnerable to being attacked, so disable any unnecessary features or Bluetooth connections. Examine your settings, particularly the security settings, and select options that meet your needs without putting you at increased risk. Make sure that all of your Bluetooth connections are configured to require a secure connection.

* Take advantage of security options - Learn what security options your Bluetooth device offers, and take advantage of features like authentication and encryption.

__________________________________________________________

Authors: Mindi McDowell, Matt Lytle

__________________________________________________________

Produced 2005 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed to

increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST05-015.html

For instructions on subscribing to or unsubscribing from this mailing

list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Cyber Security Tip ST05-014 - Real-World Warnings Keep You Safe Online

2010-08-25T17:55:00.001-07:00

Cyber Security Tip ST05-014
Real-World Warnings Keep You Safe Online

Many of the warning phrases you probably heard from your parents and
teachers are also applicable to using computers and the internet.

Why are these warnings important?

Like the real world, technology and the internet present dangers as well as benefits. Equipment fails, attackers may target you, and mistakes and poor judgment happen. Just as you take precautions to protect yourself in the real world, you need to take precautions to protect yourself online. For many users, computers and the internet are unfamiliar and intimidating, so it is appropriate to approach them the same way we urge children to approach the real world.

What are some warnings to remember?

* Don't trust candy from strangers - Finding something on the internet
does not guarantee that it is true. Anyone can publish information
online, so before accepting a statement as fact or taking action, verify
that the source is reliable. It is also easy for attackers to "spoof"
email addresses, so verify that an email is legitimate before opening an
unexpected email attachment or responding to a request for personal
information (see Using Caution with Email Attachments and Avoiding
Social Engineering and Phishing Attacks for more information).
* If it sounds too good to be true, it probably is - You have probably
seen many emails promising fantastic rewards or monetary gifts. However, regardless of what the email claims, there are not any wealthy strangers desperate to send you money. Beware of grand promises—they are most likely spam, hoaxes, or phishing schemes (see Reducing Spam, Identifying Hoaxes and Urban Legends, and Avoiding Social Engineering and Phishing Attacks for more information). Also be wary of pop-up windows and advertisements for free downloadable software—they may be disguising spyware (see Recognizing and Avoiding Spyware for more information).
* Don't advertise that you are away from home - Some email accounts,
especially within an organization, offer a feature (called an
autoresponder) that allows you to create an "away" message if you are
going to be away from your email for an extended period of time. The
message is automatically sent to anyone who emails you while the
autoresponder is enabled. While this is a helpful feature for letting
your contacts know that you will not be able to respond right away, be
careful how you phrase your message. You do not want to let potential
attackers know that you are not home, or, worse, give specific details
about your location and itinerary. Safer options include phrases such as
"I will not have access to email between [date] and [date]." If
possible, also restrict the recipients of the message to people within
your organization or in your address book. If your away message replies
to spam, it only confirms that your email account is active. This may
increase the amount of spam you receive (see Reducing Spam for more
information).
* Lock up your valuables - If an attacker is able to access your personal
data, he or she may be able to compromise or steal the information. Take steps to protect this information by following good security practices (see the Cyber Security Tips index page for a list of relevant
documents). Some of the most basic precautions include locking your
computer when you step away; using firewalls, anti-virus software, and
strong passwords; installing appropriate software updates; and taking
precautions when browsing or using email.
* Have a backup plan - Since your information could be lost or compromised (due to an equipment malfunction, an error, or an attack), make regular backups of your information so that you still have clean, complete copies (see Good Security Habits for more information). Backups also help you identify what has been changed or lost. If your computer has been infected, it is important to remove the infection before resuming your work (see Recovering from Viruses, Worms, and Trojan Horses for more information). Keep in mind that if you did not realize that your computer was infected, your backups may also be compromised.
     ______________________________________________________________
     Authors: Mindi McDowell, Matt Lytle
     ______________________________________________________________
Produced 2005 by US-CERT, a government organization. Terms of use
US-CERT
Note: This tip was previously published and is being
re-distributed to increase awareness.
Terms of use
http://www.us-cert.gov/legal.html
This document can also be found at
http://www.us-cert.gov/cas/tips/ST05-014.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

SANS Ouch! Vol. 7 No. 8 – August 2010

2010-08-25T16:34:00.001-07:00

OUCH!

August 2010

SANS Institute Security Newsletter for Computer Users

***********************************************************

Get security advice online at http://www.sans.org/newsletters/ouch/updates/

Safer Online Selling

Patches and Updates Roundup

***********************************************************

Safer Online Selling

[Editor's Note: (Hoffman) "Caveat venditor" ("Let the seller beware!")
doesn't get heard nearly as often as its familiar counterpart. But the
unfortunate truth is that sellers, like buyers, are susceptible to many
kinds of online fraud. For the purposes of this article, let's assume
that the item for sale is a tangible object, rather than a service,
although many of the same good practices apply to both.] (1)

Before You Start...

Any advertisement of an item for sale tells the marketplace that you
possess something of value. The information in your ad, and others that
you have placed previously, may make it possible to deduce facts about
you, your economic status, or your other possessions that you have no
desire to reveal. (2) And that may make you a target for theft, making
it critical to give careful consideration to precisely what, how and
where you advertise.

Know Your Merchandise

Try to determine an item's fair value before you put it up for sale.
It's one thing to use online sales to clean out your garage or attic,
but be realistic about the value and condition of the items you wish to
sell. Just about anything is sure to be regarded as "collectable" by
someone. You can check other online ads easily to establish a baseline.
For items of exceptional value, an independent appraisal may be the best guide. Obtaining one may eat into your profit, but it will also help
speak to buyers with authority and might make you decide to keep the
item.

Know Your Sales Site

Each site has its own terms of use and terms of sale. If you use an
auction site, learn the rules for each type of auction and participate
only in those that you understand and are comfortable using. Never list
the same item simultaneously on multiple sites unless you're certain you
won't create a problem for yourself. Auction sites typically have an
implicit contract that obligates you to complete the sale once your
terms and price have been met by a bidder/buyer. This means you may not be able to arbitrarily decline offers from buyers who are prepared to
meet your terms and your price.

Know Your Buyer

Some online sales sites, such as Craig's List (3), favor local markets,
much like classified ads in newspapers. Others, such as eBay (4), are
global in their scope. The broader the market, the more likely it is
that you'll be shipping the items that you sell rather than asking the
buyers to pick them up. You may also have to deal with the complexities
of fluctuating exchange rates and international payments.

The major sales sites allow buyers and sellers to rate one another. When
considering an offer from a prospective buyer, consult the ratings given
to them by other sellers. Take what you read with a grain of salt, too.
You'll learn by experience to quickly spot raters who have a chip on
their shoulder. Don't hesitate to decline buyers who insist on payment
methods you're unwilling to accept, or who wish to impose terms and
conditions you're uncomfortable with. It's always best to state your own
terms, conditions, and acceptable forms of payment and shipping clearly
and up-front as part of your advertisement.

Accept Only Secure Methods of Payment

For smaller items sold in person, you might just have to get comfortable
with accepting cash. But in general, a third-party payment service
(e.g., PayPal (5), Amazon Payments (6) or Google Payments (7)) will make financial transactions easier and more attractive for prospective
buyers. These services transfer funds promptly and securely to your
account. The small fees that they charge outweigh the hassles of dealing
with bad checks and other problems. Choose payment services that are
members in good standing of organizations such as TRUSTe (8) or the
Better Business Bureau (9) and that have received positive reviews from
others. (10)

If you decide to accept personal checks, bank checks or money orders,
never release the item until all of the funds have cleared your bank
completely. Under no circumstances should you accept third-party checks, or those with amounts greater than the sale price. A common scam involves the buyer signing over a large third party check to the seller, departing with the item, and keeping the change. The unwary seller is left holding a worthless check that never clears. And the bank fee for attempting to deposit the bogus check will only add insult to injury. Never give out your bank account numbers or credit card numbers to a buyer.

Limit Your Exposure to Personal Risk

Before you put anything up for sale on the Internet, give careful
consideration as to how much personal information will be disclosed in
the process. Avoid posting your home address, land-line phone number,
or general-purpose email address. Most online sales sites will let you
create an anonymous email address. Don't advertise "best times" to call
you since it's a safe bet that there will be nobody home at the other
times. Including several good quality, unretouched photos of the for
sale items in your posting reduces the need for you to meet buyers in
person or let them into your home. However, if you ship items to the
buyer, consider using a post office box or mailing service to avoid
revealing your home address. If you must meet the prospective buyer in
person, do so in a safe, public and neutral location.

Be On Guard Against Phishing Attacks

Users of online sales sites and payment services are frequent targets
of phishing attacks. Reputable sites and services never send emails
requesting confirmation of your account numbers, login information or
other personally identifying information. Never reply to such emails,
and never click on any hyperlinks they may include. Always contact sales sites and service providers that you do business with using previously obtained and verified contact information and report any suspicious emails or other activity to them.

Keep Your Antivirus and Anti-malware Software Up-to-Date

Security software is a must, and all the more so if you are selling
online. One of the best ways to protect your computer is to avoid
opening email from unknown sources, but you'll be doing precisely that
once you've placed online advertisements. Spammers mine online sales
sites frequently for valid email addresses, so expect to see an increase
in your junk email. To avoid this, consider using a dedicated email
address for each of your accounts. If your Internet Service Provider
(ISP) or the sales site offers disposable email addresses, use them in
your ads and then disable them to cut off unsolicited emails after your
sale is complete. Another option is to use free email accounts, like
those provided by Gmail, Yahoo and Windows Live.

Secure Your Accounts

Protect your online sales and payment service accounts with unique
usernames and strong passwords. Make sure you haven't posted the answers to common security questions (such as where you were born, where you went to school, the make and model of your first car, etc.) on social networking sites.

Other Tips for New Sellers

* Always insure the items that you ship, and use methods that provide
you with proof of delivery.
* Once you know the buyer's location, use the shipper's website to
estimate shipping costs.
* Adjust your price to account for the fees imposed by the sales site
and payment service.
* Understand the dispute resolution policies and procedures used by your sales site and payment service. These sometimes give preferential
treatment to buyers or limit your appeals to binding arbitration.
* Consult your tax advisor. Your sales might be subject to sales and use
tax, income tax and/or capital gains tax.

More Information

http://www.microsoft.com/protect/fraud/finances/selling.aspx
http://www.microsoft.com/protect/fraud/finances/paying.aspx

The Federal Trade Commission https://www.ftccomplaintassistant.gov/ can help you research complaints against online sales sites and payment
services, or file complaints of your own.

Notes:

(1) Caveat lector: ("Let the reader beware!") Don't be surprised
if some of the advice presented here contradicts some of the advice
about "Safer Online Buying" presented in the June 2010 issue of the
OUCH! Buyers and sellers have different objectives, and occasionally
need to follow differing strategies in order to protect their property
and themselves.
(2) Selling a 40-foot sailboat trailer that is in "excellent condition"
but that you've "recently outgrown" suggests that you've bought a new
boat. Advertising "a shoe box containing 500 assorted baseball cards"
says that you're cleaning out the garage; no harm in that. But placing
ads several weeks apart for "rookie year" cards from famous players may tip-off a crook that you have a valuable collection.
(3) http://www.craigslist.org/
(4) http://www.ebay.com/
(5) https://www.paypal.com/
(6) https://payments.amazon.com/sdui/sdui/business/overview
(7) http://checkout.google.com/sell/?gsessionid=97lfeghkPUM
(8) http://www.truste.com/
(9) http://www.bbb.org/online/
(10) http://www99.epinions.com/

*************************************************************

Patches and Updates Roundup
Operating Systems & Applications
Windows & PC Office: http://update.microsoft.com &
http://www.microsoft.com/security/updates/bulletins/201008.aspx
Mac Office:
http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033
OS X:
http://support.apple.com/kb/HT1338
iPad:
http://www.ehow.com/how_6256127_update-restore-apple-ipad.html
iPhone, iPod & iPod touch:
http://support.apple.com/kb/HT1414
iPod: http://support.apple.com/kb/HT1483
Windows Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
OS X Adobe Reader:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Flash Player:
http://get.adobe.com/flashplayer/
Firefox:
http://www.mozilla.com/en-US/firefox/update/
Safari:
http://www.ehow.com/how_2033324_update-safari.html
Opera:
http://www.opera.com/
Chrome:
http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414
Java:
http://www.java.com/en/download/manual.jsp
Windows iTunes:
http://www.ehow.com/how_2016273_update-itunes-pc.html
OSX iTunes:
http://www.ehow.com/how_2016270_update-itunesmac.html
Security Suites
Symantec:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713
Norton:
http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95
McAfee:
http://www.mcafee.com/apps/downloads/security_updates/dat.asp
Kaspersky:
http://www.kaspersky.com/avupdates
AVG:
http://free.avg.com/us-en/download-update
Panda:
http://www.pandasecurity.com/homeusers/downloads/clients/
PC Tools:
http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html
BitDefender:
http://www.bitdefender.com/site/view/Desktop-Products-Updates.html
Avast:
http://www.avast.com/download-update
Webroot:
http://support.webroot.com
Trend Micro:
http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx
Microsoft Security Essentials:
http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

*************************************************************

Copyright 2010, SANS Institute (http://www.sans.org) Editorial Board:
Bill Wyman, Walt Scrivens, Phil Hoffman, Alicia Beard, Alan Paller
Email: OUCH@sans.org
OUCH! Security Information Service:
http://www.sans.org/newsletters/ouch/updates/
Download the formatted version of the OUCH!:
https://www.sans.org/newsletters/ouch
Permission is hereby granted for any person to redistribute this in
whole or in part to any other persons as long as the distribution is not
being made as part of any commercial service or as part of a promotion
or marketing effort for any commercial service or product. We request
that redistributions include attribution for the source of the material.

Blog posted using Windows Live Writer

Digeus System Optimizer 8.2 - UPDATE

2010-08-23T18:35:00.001-07:00

I tried out the Duplicate File check feature. It identified duplicate files very nicely, but didn’t delete any of those that I checked for deletion. So, I wrote their Technical Support. It’s been over three weeks and not a peep from them. So last week I wrote the rep that asked if I wanted to try out the software. Guess what – didn’t hear back from her yet.

I’m slowly starting to doubt this software and the company …

Digeus System Optimizer 8.2

Blog posted using Windows Live Writer

Cyber Security Tip ST05-013 Guidelines for Publishing Information Online

2010-08-23T06:41:00.001-07:00

Cyber Security Tip ST05-013

Guidelines for Publishing Information Online

Remember that the internet is a public resource. Avoid putting

anything online that you don't want the public to see or that you may

want to retract.

Why is it important to remember that the internet is public?

Because the internet is so accessible and contains a wealth of

information, it has become a popular resource for communicating, for

researching topics, and for finding information about people. It may

seem less intimidating than actually interacting with other people

because there is a sense of anonymity. However, you are not really

anonymous when you are online, and it is just as easy for people to find

information about you as it is for you to find information about them.

Unfortunately, many people have become so familiar and comfortable

with the internet that they may adopt practices that make them

vulnerable. For example, although people are typically wary of sharing

personal information with strangers they meet on the street, they may

not hesitate to post that same information online. Once it is online, it

can be accessed by a world of strangers, and you have no idea what

they might do with that information.

What guidelines can you follow when publishing information on the internet?

* View the internet as a novel, not a diary - Make sure you are

comfortable with anyone seeing the information you put online.

Expect that people you have never met will find your page; even if

you are keeping an online journal or blog, write it with the

expectation that it is available for public consumption. Some sites

may use passwords or other security restrictions to protect the

information, but these methods are not usually used for most

websites. If you want the information to be private or restricted to a

small, select group of people, the internet is probably not the best

forum.

* Be careful what you advertise - In the past, it was difficult to find

information about people other than their phone numbers or

address. Now, an increasing amount of personal information is

available online, especially because people are creating personal

web pages with information about themselves. When deciding how

much information to reveal, realize that you are broadcasting it to

the world. Supplying your email address may increase the amount

of spam you receive (see Reducing Spam for more information).

Providing details about your hobbies, your job, your family and

friends, and your past may give attackers enough information to

perform a successful social engineering attack (see Avoiding Social

Engineering and Phishing Attacks for more information).

* Realize that you can't take it back - Once you publish something

online, it is available to other people and to search engines. You can

change or remove information after something has been

published, but it is possible that someone has already seen the

original version. Even if you try to remove the page(s) from the

internet, someone may have saved a copy of the page or used

excerpts in another source. Some search engines "cache" copies of

web pages; these cached copies may be available after a web page

has been deleted or altered. Some web browsers may also

maintain a cache of the web pages a user has visited, so the original

version may be stored in a temporary file on the user's computer.

Think about these implications before publishing information - once

something is out there, you can't guarantee that you can completely

remove it.

As a general practice, let your common sense guide your decisions

about what to post online. Before you publish something on the

internet, determine what value it provides and consider the implications

of having the information available to the public. Identity theft is an

increasing problem, and the more information an attacker can gather

about you, the easier it is to pretend to be you. Behave online the way

you would behave in your daily life, especially when it involves taking

precautions to protect yourself.

__________________________________________________________

Authors: Mindi McDowell, Matt Lytle, Jason Rafail

__________________________________________________________

Produced 2005 by US-CERT, a government organization.

Note: This tip was previously published and is being

re-distributed to increase awareness.

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST05-013.html

For instructions on subscribing to or unsubscribing from this

mailing list, visit

http://www.us-cert.gov/cas/signup.html.

Blog posted using Windows Live Writer

Cyber Security Tip ST05-012 Supplementing Passwords

2010-08-02T07:52:00.001-07:00

Cyber Security Tip ST05-012

Supplementing Passwords

Passwords are a common form of protecting information, but

passwords alone may not provide adequate security. For the best

protection, look for sites that have additional ways to verify your

identity.

Why aren't passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are

susceptible to being guessed or intercepted by attackers. You can

increase the effectiveness of your passwords by using tactics such as

avoiding passwords that are based on personal information or words

found in the dictionary; using a combination of numbers, special

characters, and lowercase and capital letters; and not sharing your

passwords with anyone else (see Choosing and Protecting Passwords for

more information). However, despite your best attempts, an attacker

may be able to obtain your password.

If there are no additional security measures in place, the attacker may

be able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in

addition to passwords. The following practices are becoming more and

more common:

* two-factor authentication - With two-factor authentication, you use

your password in conjunction with an additional piece of information.

An attacker who has managed to obtain your password can't do

anything without the second component. The theory is similar to

requiring two forms of identification or two keys to open a safe deposit

box. However, in this case, the second component is commonly a "one

use" password that is voided as soon as you use it. Even if an attacker is

able to intercept the exchange, he or she will still not be able to gain

access because that specific combination will not be valid again.

* personal web certificates - Unlike the certificates used to identify

web sites (see Understanding Web Site Certificates for more

information), personal web certificates are used to identify individual

users. A web site that uses personal web certificates relies on these

certificates and the authentication process of the corresponding

public/private keys to verify that you are who you claim to be (see

Understanding Digital Signatures and Understanding Encryption for

more information). Because information identifying you is embedded

within the certificate, an additional password is unnecessary. However,

you should have a password to protect your private key so that

attackers can't gain access to your key and represent themselves as

you. This process is similar to two-factor authentication, but it differs

because the password protecting your private key is used to decrypt the

information on your computer and is never sent over the network.

What if you lose your password or certificate?

You may find yourself in a situation where you've forgotten your

password or you've reformatted your computer and lost your personal

web certificate.

Most organizations have specific procedures for giving you access to

your information in these situations. In the case of certificates, you may

need to request that the organization issue you a new one. In the case

of passwords, you may just need a reminder. No matter what

happened, the organization needs a way to verify your identity. To do

this, many organizations rely on "secret questions."

When you open a new account (email, credit card, etc.), some

organizations will prompt you to provide them with the answer to a

question. They may ask you this question if you contact them about

forgetting your password or you request information about your

account over the phone. If your answer matches the answer they have

on file, they will assume that they are actually communicating with you.

While the theory behind the secret question has merit, the questions

commonly used ask for personal information such as mother's maiden

name, social security number, date of birth, or pet's name.

Because so much personal information is now available online or

through other public sources, attackers may be able to discover the

answers to these questions without much effort.

Realize that the secret question is really just an additional password

when setting it up, you don't have to supply the actual information as

your answer. In fact, when you are asked in advance to provide an

answer to this type of question that will be used to confirm your

identity, dishonesty may be the best policy. Choose your answer as you

would choose any other good password, store it in a secure location,

and don't share it with other people (see Choosing and Protecting

Passwords for more information).

While the additional security practices do offer you more protection

than a password alone, there is no guarantee that they are completely

effective.

Attackers may still be able to access your information, but increasing

the level of security does make it more difficult. Be aware of these

practices when choosing a bank, credit card company, or other

organization that will have access to your personal information. Don't

be afraid to ask what kind of security practices the organization uses.

___________________________________________________________

Authors: Mindi McDowell, Chad Dougherty, Jason Rafail

___________________________________________________________

Produced 2005 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed

to increase awareness.

<http://www.us-cert.gov/legal.html>

This document can also be found at

<http://www.us-cert.gov/cas/tips/ST05-012.html>

For instructions on subscribing to or unsubscribing from this

mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Blog posted using Windows Live Writer

SANS Ouch! Vol. 7 No. 7 – July 2010

2010-07-21T05:49:00.001-07:00

OUCH!

July 2010

SANS Institute Security Newsletter for Computer Users

***********************************************************

Get security advice online at http://www.sans.org/newsletters/ouch/updates/

Safer Social Networking

Patches and Updates Roundup

***********************************************************

Safer Social Networking

[Editor's Note (Wyman): The number of Facebook users has surpassed

400,000,000, dwarfing its sibling MySpace, and making it No. 1 of the

Top Ten social networking sites worldwide with a 55% market share. (1)

While the world has fallen in love with Facebook, its popularity is not

without problematic consequences. For example, psychotherapists and

Facebook users alike talk openly about being addicted to Facebook (2),

and a recent study suggests that 21% of women ages 18-34 get up to check Facebook in the middle of the night (3).

Articles about Facebook tips and tricks are proliferating (4), as are

lawsuits alleging, among other things, that Facebook's operators

misappropriate its users' personal information for commercial purposes

and change users' security and privacy settings arbitrarily. German

authorities are looking into Facebook's practice of saving information

about people who do not even use the site. (5) Facebook is illegal in

China (6), has been outlawed for blasphemy in Pakistan (7), taken Africa

by storm along with Colombia, Argentina, Venezuela, Mexico, and Chile

(8), and recently opened an office in Moscow (9).

Any online organization with nearly half a billion members worldwide is

bound to be the subject of curiosity, controversy and mythology, as well

as a too-good-to-pass-up target for hackers, crackers, spammers and

scammers. This month we offer some security tips for safer social

networking with special attention to Facebook.]

Think about how you want to use social networking. Facebook is an

all-purpose, come-as-you-are social medium. The community is gigantic,

and anybody with an email address can join. It's best to limit your use

of Facebook to sharing news, photos, music, videos, etc. casually with

friends and family. For business, consider using a service like LinkedIn

that caters specifically to professionals.

Follow the Golden Rule. Assume that the personal information and photos you display are available to everyone and anyone, not just to your friends.

Do not display your full birth date. Listing a full birth date - month,

day and year - makes you an easy target for identity thieves who can use it to obtain more of your personal information and potentially gain

access to bank and credit card accounts. Choose to show only the month and day, or even better, no birthday at all.

To protect children from online predators, do not post a child's name

in a photo tag or caption. If someone else does, delete it if you can,

or ask the member who owns the photo to remove the name.

Do not mention being away from home. Doing so is like putting a

"Nobody's Home" sign on your front door. Be vague about the dates of

your travel plans and vacations.

Restrict searches for your information. Find out what your options are

for restricting public searches. At a minimum, you should be able to

prevent your information from being searched for by anyone other than

your designated online friends.

Do not permit youngsters to use social networks unsupervised. Most sites limit membership to ages 13 and older, but children younger than that find ways to use them anyway. If there's a young child or teenager in your household using Facebook, an adult in your household should become one of their online friends and use their email as the contact for the account in order to monitor their activities.

Think about whom you are allowing to become your online friend. Once you have accepted someone as your online friend, they will be able to access a lot of information about you, including photographs and other material you have marked as viewable by your friends. Find out if and how you can remove a friend in case you change your mind about someone or discover they aren't who they claim to be.

Make sure you have an up-to-date web browser and comprehensive security software on your computer. This includes anti-virus, anti-spyware, anti-phishing, and a software firewall.

Adjust your privacy settings to help protect your identity. Facebook and

some other social networking sites provide options to protect you

online, but it's up to you to understand what they do and how to use

them, and to be aware that they change over time.

Set and review your privacy settings regularly. Familiarize yourself

with the site's current privacy policies. For example, with the latest

changes in May 2010, Facebook forces some of your information (e.g.,

your name, profile picture, gender and the networks to which you belong) to be publicly accessible.

Make only a cut-down version of your profile visible to everyone. Reveal

the rest of the information in your profile only to people you choose

to have as online friends.

Disable options, and then add them in one by one. If you are using a

social network just to keep in touch with people, consider turning off

the bells and whistles you don't need or use. Disable unfamiliar options

until you understand what they do and have decided that you do need and want them.

Join groups and networks cautiously. Assume that all members of a group will be able to see all of your information unless and until you

restrict access to it deliberately.

Understand what happens when you quit the site. It's usually easy to

deactivate your account, but some sites, like Facebook, will retain all

your information including pictures, friends, etc. even if you do. Find

out how you can delete all of your information. You may have to request that the operators of the site delete it for you. When quitting

Facebook, you must submit a deletion request, and that, too, comes with some gotcha's.

* There will be a delay of unspecified length between submitting your

delete request and the actual deletion.

* If you login to Facebook after submitting your request, your deletion

request will be cancelled automatically.

* There's no easy way to confirm that your deletion request has been

completed.

* Even after deletion, copies of your photos may remain on Facebook

servers for technical reasons.

More information: http://www.takesontech.com/?p=16952

http://www.facebook.com/security?v=app_7146470109

http://www.sophos.com/security/best-practice/facebook/

http://www.makeuseof.com/tag/the-complete-guide-to-facebook-privacy/

http://learn.linkedin.com/what-is-linkedin/

Notes: (1) http://www.marketingcharts.com/categories/social-networks-and-forums/

(2) http://www.cnn.com/2009/HEALTH/04/23/ep.facebook.addict/index.html

http://newsfeed.time.com/2010/07/08/its-time-to-confront-your-facebook-addiction/

http://blog.guruofnew.com/featured-home/seven-signs-you-may-be-ready-for-a-social-media-detox

(3) http://mashable.com/2010/07/07/oxygen-facebook-study/

(4) http://www.hongkiat.com/blog/20-facebook-tipstricks-you-might-not-know/

(5) http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=116330

http://www.betanews.com/article/Class-action-suit-in-Canada-only-the-latest-of-Facebooks-woes/1278621631

(6) http://www.utilitycomputing.com.cn/china/facebook-blocked-in-china

(7) http://www.asianews.it/news-en/Facebook-blocked-by-blasphemy-regulations-18452.html

(8) http://www.rnw.nl/africa/article/facebook-taking-africa-storm

http://www.examiner.com/x-30835-South-America-Headlines-Examiner~y2010m3d22-Facebook-increase-productivity-and-popularity-in-Latin-America

(9) http://en.rian.ru/world/20100409/158494575.html

***********************************************************Patches and Updates Roundup

Operating Systems & Applications

Windows & PC Office: http://update.microsoft.com &

http://www.microsoft.com/security/updates/bulletins/201007.aspx

Mac Office:

http://www.microsoft.com/mac/help.mspx?CTT=PageView&clr=99-0-0&ep=7&target=ffe35357-8f25-4df8-a0a3-c258526c64ea1033

OS X: http://support.apple.com/kb/HT1338

iPad: http://www.ehow.com/how_6256127_update-restore-apple-ipad.html

iPhone, iPod & iPod touch: http://support.apple.com/kb/HT1414

iPod: http://support.apple.com/kb/HT1483

Windows Adobe Reader:

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

OS X Adobe Reader:

http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh

Flash Player: http://get.adobe.com/flashplayer/

Firefox: http://www.mozilla.com/en-US/firefox/update/

Safari: http://www.ehow.com/how_2033324_update-safari.html

Opera: http://www.opera.com/

Chrome: http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95414

Java: http://www.java.com/en/download/manual.jsp

Windows iTunes: http://www.ehow.com/how_2016273_update-itunes-pc.html

OSX iTunes: http://www.ehow.com/how_2016270_update-itunesmac.html

Security Suites

Symantec:

http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2002021908382713

Norton:

http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=n95

McAfee: http://www.mcafee.com/apps/downloads/security_updates/dat.asp

Kaspersky: http://www.kaspersky.com/avupdates

AVG: http://free.avg.com/us-en/download-update

Panda: http://www.pandasecurity.com/homeusers/downloads/clients/

PC Tools:

http://www.downloadatoz.com/pc-tools-internet-security/smart-update.html

BitDefender: http://www.bitdefender.com/site/view/Desktop-Products-Updates.html

Avast: http://www.avast.com/download-update

Webroot: http://support.webroot.com

Trend Micro:

http://esupport.trendmicro.com/Pages/How-to-update-Trend-Micro-Internet-Security-Pro-2010.aspx

Microsoft Security Essentials:

http://www.microsoft.com/security/portal/Definitions/HowToMSE.aspx

***********************************************************

Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Alicia Beard, Alan Paller

Email: OUCH@sans.org

OUCH! Security Information Service: http://www.sans.org/newsletters/ouch/updates/

Download the formatted version of the OUCH!:

https://www.sans.org/newsletters/ouch

Permission is hereby granted for any person to redistribute this in

whole or in part to any other persons as long as the distribution is not

being made as part of any commercial service or as part of a promotion

or marketing effort for any commercial service or product. We request

that redistributions include attribution for the source of the material.

Blog posted using Windows Live Writer