Matthew's Weblog » Security

Voting Machine ‘Security’

Matthew — Wed, 20 Aug 2008 23:20:35 +0000

A truly illustrative but terrifying comic…

Wishful Security Thinking

Matthew — Wed, 17 Oct 2007 16:23:32 +0000

A friend of mine, Bill, found out that his password had been mailed to him in plaintext from his ’shiny, new 401k’ and he wrote about the disconcerting experience of a financial services company being careless with security. Having worked in a financial services company, I can only say that the troubles he encountered are not that bad… you should have seen some of the sausage in the factory I worked in.

That said, Bill violated a crucial rule of security and he needs to learn it as much as the Schwab folks need to learn their own lessons:

Never, never, never depend on someone else to provide your security.

Bill “used one of his common passwords”… and you shouldn’t have any of those. A common password is a common vulnerability, especially because you can’t know how companies will protect your passwords or your data — as he unfortunately learned. To avoid this, you can use a desktop application (such as the free Password Safe, originating from Bruce Schneier’s Counterpane Labs) or a browser plug-in (such as Password Hasher or Secure Login or any of the other 48 listed on the addons site) or the Mac’s built-in Keychain app so you can generate random passwords and never, never reuse them. Personally, I’ve been using Password Safe for years.

He also offers great tips for websites to make their applications more secure, like not asking for really constant, common, data like mother’s maiden name. The other option is to not answer with an expected response. Mother’s maiden name? Istanbul. Honeymoon location? Jones. And so on…

Never trust someone else’s security.

Technorati Tags: security, password, firefox

Plugins to investigate

Matthew — Thu, 16 Aug 2007 17:11:30 +0000

Comprehensive Wordpress Plugin Database with Plugins Tracker

AskApache htaccess password builder

and then some tips on WP security:
drop version string
block viewing of plugins/themes folders
and htaccess (see link above)

whoops, almost forgot Lorelle’s mention of a theme security scanner… which is this security scanner here.

Technorati Tags: wordpress, security

Enterprise Mac usage

Matthew — Wed, 15 Aug 2007 20:06:15 +0000

Here’s a great writeup on some of the enterprise management options for Mac environments… if you thought only Windows could be centrally coordinated, this is a very interesting insight into the tools available.

Technorati Tags: mac, enterprise, configuration

An appropriate response to ‘terrorism’

Matthew — Thu, 12 Jul 2007 01:32:39 +0000

in an article from Slate: The West is still Winning. This is why fake security mumbo-jumbo bothers me so much.

Bank login insecurity

Matthew — Wed, 16 May 2007 23:15:18 +0000

A Microsoft blogger describes a clear example of why, when you’re trying to build secure transactions, you keep all interactions secure. That means the screen where you type in your password as well as the actual application.

TJ Maxx security breach may push retailers?

Matthew — Tue, 08 May 2007 23:25:14 +0000

It’s nice to see that there are columns being written about the TJ Maxx security breach and its repercussions. The more companies who are actually held responsible for their sloppy work should finally begin to reward those who are attentive to security…

Written in 1990…

Matthew — Wed, 04 Apr 2007 17:19:56 +0000

…but fully applicable today. Papers, please. A sign of the times, truly despicable to a thinking public. Thank someone’s higher power we don’t have a thinking public to argue with these imbecilic laws.

I’m feeling sick.

via Schneier.

Technorati Tags: democracy, identity, security

Man-in-the-middle made easy

Matthew — Fri, 02 Mar 2007 01:01:33 +0000

New twists to leaving your access point in a default configuration… allowing crackers to decide what websites – real or imagined – you see by taking over your DNS DHCP settings. Interesting and scary.

Also something that could be examined would be how many APs can be managed by wardriving… then you even know pretty close to the address and name of your target.

Technorati Tags: security, wireless, access+point

Laugh or cry?

Matthew — Thu, 01 Mar 2007 01:30:47 +0000

Schneier writes about officials finding all kinds of things and thinking they are bombs and then blowing them up. I started laughing until I realized how sad it really is. I mean, how many real bombs are out there and can’t people use their brains to take a critical angle on these reports?

Technorati Tags: bombs, security, brains