
World-Shaker

Putting Dings in the Universe

My name is Michael. I work in ed tech and give presentations on social media for students and educators. If you'd like to know more, check the links at the top of this page.

I'm fortunate enough to have an amazing woman in my life.

Check out the Education tag!

2013 Winner: Best Blog Awards (Education World Community)
  • April 17, 2013 9:00 am
  • August 10, 2012 9:47 am

    The Copy Editor: Pro tips from social engineering hackers

    cnnmoneytech:

    I’ve spent much of the past two days watching Defcon’s social engineering “capture the flag” contest, and — wow. Every cybersecurity worker should have a chance to observe a social engineering pro at work. It’s like a free theatre performance, but with a scary undertow of…

    I strongly recommend clicking through. This was a fascinating (and kind of scary) article.

  • August 7, 2012 2:29 pm

    One Simple Thing You Should Do Right Now to Keep Hackers From Destroying Your Digital Life

    Imagine if you turned on your computer and found your entire digital life was wiped: years of photos, emails, documents—gone. That happened to Wired writer Mat Honan last weekend, when hackers broke into his most important accounts. But it could have probably been prevented if he’d done one thing: Enabled “two-factor authentication” on his Gmail account.

    First, go here and enable two-factor authentication before you even read this. I know, two-factor authentication sounds sooooo boring. And it is, compared to the nightmare Honan went through.

    Go do this right now.

  • May 29, 2012 3:28 pm

    Public Wi-Fi: How to Connect Safely

    An outstanding overview:

    Connecting to public Wi-Fi is not as simple as selecting an open Wi-Fi, and can be dangerous if you do not know what you are doing. Instead, you must realize that there are safety factors that must be considered before you can proceed to merrily surf your way through the Internet. That does not mean, however, that if one follows the required safety procedures they must forego their journey through cyberspace. Additionally, to most of us using computers today, we are aware that the majority of these rules pertain to Microsoft Windows laptop computers, which are perpetually the target of hackers and, as a result, are known to be sieves when it comes to computer viruses and malware. However, just to be safe, Apple’s iOS and Google’s Android users may also wish to follow some of these rules.

  • May 14, 2012 3:02 pm
  • April 26, 2012 8:20 am

    The No Pie Rule for Dropbox Services

    This post on Google Drive’s Terms of Service caused a bit of a stir yesterday, as well as some thoughtful replies. The best reply (in my mind) came from tiffanyb. I’ve quoted her response below because it was that good:

    These two quotes actually say the same thing. It’s just that the part where Dropbox enumerates what rights they need to provide the service is cut out of the quote, and included in Google’s. 

    In order to operate a service in which your files are hosted remotely in order for you to gain access to them from anywhere in the world, the company providing the service actually DOES have to do things that are legally considered creating derivative works, public performance, reproduction, etc. 

    For example, you can’t run a redundant, always-available service like Dropbox without copying the files uploaded to it across multiple redundant servers, to say nothing of backups. Making it available via the Internet? That’s public performance. Compressing/optimizing the bits you upload to make them faster to deliver? Legally, that’s a derivative work.

    The real, substantial difference is that since Google runs a whole raft of services, what’s covered under the umbrella of “for the purpose of providing the services” is a lot broader than it is with Dropbox, which really only does one thing.

    Dropbox-like services can be extremely useful for educators, Google Drive included. It’s hard to explain to non-users just how awesome it is to have something automatically synced between all your computers and mobile devices, while still being available anywhere via the web. The ability to share those documents and folders makes these services even better. You have plenty of compelling options out there. But I want to stress one rule we use in my department:

    Always follow The No Pie Rule

    The No Pie Rule is actually spelled “No PII,” which stands for “No Personal Identifying Information.” The reason my team can’t use a service like Dropbox for more advanced document sharing is their inadequate encryption setup.

    It’s complicated, but the gist is that if your data is kept in a metaphorical locked box (cue Al Gore), ideally you should be the only one with the key. Instead, Dropbox keeps the only copy of your key. This means if someone steals the key from Dropbox, they have access to all your data (another explanation here). That’s not good if you have anything in there that’s FERPA sensitive, for example.

    Dropbox has been hacked in the past (both Dropbox and Facebook had a recent security issue with iOS and Android devices). So have other, similar services. The problem is that some users store sensitive and inappropriate material in their synced folders. In general, avoid:

    • Anything that would lead to a FERPA violation
    • Anything that HR would freak out about
    • Anything that could lead to your identity being stolen (this includes copies of tax forms, receipts for online purchases, and even monthly budgets; yes, people have put these things in Dropbox)

    In other words: If you’re using a Dropbox service, No Pie!

  • April 6, 2012 11:39 am

    Facebook And Dropbox Are Seriously Vulnerable To Hackers Right Now

    A motivated hacker could copy a plain text file off of your mobile device that would grant him access to your entire account.

    The problem exists within the app itself — the sensitive data isn’t encrypted, it simply sits on your device in plain, readable form.

    There’s no jailbreak required to get this data either. Using a free piece of software called iExplore, which lets you browse your iPhone as if it were an external hard drive, Wright was able to gain access to the text file.

    Looks like it affects the iOS and Android apps.

  • October 10, 2011 9:15 am
  • June 10, 2011 10:17 am

    Apple iOS: Why it's the most secure OS, period

    In five major areas, Apple’s iOS has better security than desktop operating systems and matches or exceeds the security of its smartphone rivals. iOS has a strong set of security features, including:

    • A sandbox isolates programs, and iOS’s memory organization makes exploitation more difficult.
    • Applications that run on the iOS are vetted by Apple and can be removed if found to be malicious.
    • Patches can be quickly applied to the iPhone and iPad to close security holes in the operating system.
    • The software is regularly reviewed, especially its open source components.
    • The platform has the advantage of attacker psychology — attackers still target smartphones far less than desktop systems.

    Valuable, though technical read. I thought it was very interesting that even the CTO from Trend Micro agrees with the assessment that iOS is the most secure OS out there at the moment.

    <Android-Apple Fanboy War via Reblog>

  • May 24, 2011 4:34 pm

    I didn’t know Facebook was doing this (and hope I don’t find out firsthand), but this is a really good idea.

    (via Facebook Hopes To Make Its Help Section Go Viral)

  • March 15, 2011 8:01 pm

    Twitter finally receiving default HTTPS support

    Finally. I suggest you Twitter users go change this setting immediately.

    For some time, users have been able to use Twitter via HTTPS by going to https://twitter.com. We’ve made it simpler for users to do this by adding the option to always use HTTPS.

    To turn on HTTPS, go to your settings and check the box next to “Always use HTTPS,” which is at the bottom of the page. This will improve the security of your account and better protect your information if you’re using Twitter over an unsecured Internet connection, like a public WiFi network, where someone may be able to eavesdrop on your site activity. In the future, we hope to make HTTPS the default setting.

  • January 27, 2011 8:01 am

    The Facebook Setting You Should Change as Quickly as Possible

    Facebook has at long last offered an option to use the encrypted “HTTPS” protocol, a feature it will begin rolling out today but won’t finish for a “few weeks.” You should check now if it’s available, and sign up as soon as it is enabled for your account. The performance overhead is minor—zippy Gmail, for example, uses HTTPS for everything—and it’s an important step to keep your Facebook account safe from being hijacked on an open or poorly secured wireless network.

    By default, Facebook sends your access credentials in the clear, with no encryption whatsoever. Switching to HTTPS is important because a browser extension called Firesheep has made it especially easy for anyone sharing your open wireless network—at cafe or conference, for example—to sniff your credentials and freely access your account. One blogger sitting in a random New York Starbucks was able to steal 20-40 Facebook identities in half an hour. HTTPS solves this longstanding problem by encrypting your login cookies and other data; in fact the inventor of Firesheep made the software to encourage companies like Facebook to finally lock down their systems.

    You can sign up for Facebook HTTPS by going to Account Settings and then selecting “Account Security,” third from the bottom. Then click under “Secure Browsing” — if it’s there. Facebook says everyone should have this by the end of the day, but in the meantime you might be missing the relevant option toggle.

    The Facebook Setting You Should Change as Quickly as Possible

  • November 24, 2010 11:01 am

    "Users need to realise that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into,” said Sophos senior technology consultant Graham Cluley. “Facebook accounts will now be linked with many more people in the users’ social circles — opening up new opportunities for identity fraudsters to launch attacks,” he added in a press statement."

    Facebook messaging poses risks for users: watchdog - Yahoo! News

  • September 3, 2010 1:58 am

    Private Info of 126,000 Students Exposed Online

    The names, social security numbers and drivers licenses of over 100,000 students and faculty of six Florida colleges were available online for five days earlier this summer. Affected people are still being notified by letter and warned to put fraud alerts on their credit, though there is no evidence yet that any of the information has been misused.

    A software upgrade was responsible, according to the Florida state agency that caught the error, the College Center for Library Automation in Tallahassee. Tallahassee’s Leon County Sheriff’s Office is investigating.