mSecure – A Great Password Manager

Our friend Carol, helped find this gem of a program. mSecure is a nice password manager program from mSeven software. This program will store you information and sync with their servers. It uses the ultra-secure 256-bit blowfish encryption to protect personal information such as account numbers, usernames, passwords and more. It is available to Windows, Mac, Android and iDevice users. Here are some important features –

It will not store your password on their servers – staff does not have access to your account and cannot reset your password.

If you forget your password, you lose access to your stored data and have to start over again. You can set a password hint to help you remember your password.

If someone tries accessing your account, i.e. after stealing your phone or computer, you can set mSecure to destroy your data after a set number of attempts. This will prevent password crack software from trying indefinitely.

Auto-lock features to close the program, preventing people from seeing your data even after an initial login.

It allows you to back up your encrypted data to SD or via email. Again, the data is encrypted by your personal password so no one can gain access to it.

mSeven Software is based in the US, ensuring they conform to privacy laws and the data is stored in the USA (they are located just outside Portland, OR)

We ran through some different tests and scenarios and I appreciate Carol’s help in determining just how safe the data stored with this company really is. Check out their web page and if you are in the market for a great password manager, give it a try – http://msevensoftware.com/

White Hackers – the system really works (and pays!)

Much has been said about technology companies paying a bounty for white hackers – hackers who help find and correct security flaws in software. HP pioneered this practice years ago and not much has been said recently about the practice. It was nice to see Google highlighting the practice and reporting on the payments they have made for their Chrome browser’s flaws. Here’s a recent article about it and how much you can earn for each flaw you find… http://bit.ly/jYxu2O

How To Keep Malware Off Your Smartphone

Last month Google flipped its remote kill switch to zap 58 malicious Android apps that had been downloaded onto 260,000 Android phones. Google was able to eliminate the apps without phone owners’ assistance.

Google determined that the apps stole a phone’s unique identification number and could use that information to access other personal data. The company removed the malicious applications from Android Market, suspended the associated developer accounts, and contacted law enforcement about the attack.

Apple, RIM and Microsoft have similar remote-kill capabilities for devices running their respective operating systems. But a kill switch is not enough for SmartPhone users: the cow is out of the barn once malicious apps have been downloaded and penetrate the defense system of the operating system.

Google discovered a vulnerability in older versions of the Android operating system ― 2.2.1 or older ― and in this case, that includes around 99 percent of the Android phones currently in use.

Hackers routinely exploit older versions of software. Just last week Microsoft launched a site, the Internet Explorer Countdown, urging the millions who are stubbornly clinging to Internet Explorer 6 to upgrade to IE8, an updated version of the popular browser that is far more secure than its predecessors.

Whether its browser software, application software or an operating system on your computer or mobile phone, you should have the most recent version available to provide the best protection.

How to update your mobile OS – Smartphone users may be less familiar with processes to update their phone’s operating system, which is complicated by policy differences between cell phone providers, mobile operating system makers and phone manufacturers.

The free iOS 4.3x update for iPhones, iPads and iPods was released last month and updated twice this month and can be downloaded in iTunes. It includes new features such as a personal Wi-Fi hotspot, iTunes home sharing and new camera effects as well as numerous security features.

The Android ecosystem is more complicated because of the number of devices by different manufacturers that have become available since the launch of the first Android phone, the HTC Dream, in October 2008. Android is the leading mobile platform in the U.S. with a 31 percent market share as of January 2011, according to comScore. RIM ranked second with a 30 percent market share, followed by Apple with 25 percent and Microsoft at eight percent.  Like computers, the more popular platforms attract more cybercriminals who want the biggest bang for their hacking dollar.

Android 2.3 or Gingerbread is the most recent version of the operating system. However, just because a phone is new to the market doesn’t mean it has the latest OS. For instance, Samsung released its Nexus S in December 2010 with Android 2.3, but Motorola’s Atrix 4G was released just last month and runs Android 2.2 (Froyo). Updates are issued at the carrier’s discretion and depend on whether or not the phone is compatible with the upgrade, something that depends on the manufacturer.

To check on the version currently running on your phone, go into your phone’s settings and select “About Phone”. Then select “System updates” to see if an update is available. Owners may also receive update notifications from their service providers.

Blackberry RIM  devices can be updated with the desktop software. Click on check for updates once you have the phone connected to your computer. Most phones will use version 6 the current software. Older phones will only be able to upgrade to version 5.

Smartphones running other operating systems can be checked in the same way. When an update is available, download it. Keeping systems and software up to date is one of the best ways to protect Internet-connected devices.

App safety

Further, each operating system has its own app marketplace: App Store in iTunes for iPhone, Android Market for Android phones, BlackBerry App World and Windows Marketplace for Windows phones. While the review and vetting process varies from one store to the next, no company has been immune from malware.

It’s best to wait a month or two before downloading an app that’s new to the community. After several months have passed, it’s likely a problem would have been reported and the app removed. You’re looking to make sure the app has been satisfactorily
used by a large number of users over a relatively long time.

Mobile antivirus solutions

Apple has not approved any iPhone antivirus solutions, but security analysts have warned that even approved iPhone apps could harbor malicious software. As a basic precaution, users should regularly clean the browser’s recent search history
and cache in “Settings – then Safari”. Again, be sure to clear your browsing history and your cache.

Alternately, you can look in the official app store serving your device. For instance, in Android Market, Lookout Mobile Security is the most frequently downloaded, rated and reviewed security app in the store. It includes malware protection, “find my phone”, backup and restore. The app is free and compatible with Android phones running 1.5 (Cupcake) or later.

Free Business Books Online

 This is a listing of sites that legally offer free books relating to business, for reading and listening (audio). All of these sites listed can legally distribute the content.

Business Books for Reading

2020ok (Business & Investing) has a large collection divided into many sub-categories.  I found many of the listings impractical, but there are probably some gems in there.  Most are available for download in pdf.  However, many link off site and have varying availability.

BesteBooksWorld has 755 free business ebooks and 186 free ebooks in its Marketing section for free download in pdf.

BookYards has 30 free business books available for download in pdf.  Interesting collection.

BucaroTecHelp has an interesting collection of free business books available for download in pdf.  These deal with internet business for the most part.  You do have to view their news feed to be able to download, but registration is not necessary.

BusinessBookMall has a large collection of books dealing with all facets of business for free download in pdf.

ChestofBooks has a small, but practical, collection of free books in its Business section available for online viewing.

eBookLobby has 37 free books in its Business & Investing section with varying availability in online viewing or download.

eBooksDirectory has 118 free books available in its Business & Investing section available for online viewing or download in pdf.

eBooksForAll has 60 free ebooks for download in pdf.  Interesting combination of old and new works.

ForgottenBooks has 160 books in its Business and Economics section for free download in pdf.

FreeBooksForAll has a fairly large and interesting collection of free books in its Business, Economics, Personal Finance & Computers section available for download mostly in pdf, with a few exceptions.

FreeOnlineBookStore has a number of interesting works in its business start up section available for free download in pdf.

GetFreeeBooks has an interesting collection of free business books available for download in pdf.  They are posted as blog entries, so you have to do some searching, but it is worth it.

GoogleBooks has a large collection under a search for “business” available for full view and download.  I am not sure all 582,000 are related to business, but the initial search results were.

HowTo has an interesting and practical collection of free business books available for online viewing.  Suggested by an anonymous poster.

InternetArchive has 4,963 free books available for download in varying formats in its Business section.

ManyBooks has 22 free business books available for download in a variety of formats.

MemoWare has 668 free business books available for download in varying formats.

MIT OpenCourseWare offers a large selection of business courses in its Sloan School of Management section.

OnlineComputerBooks  has six books in their Business category available for download in pdf.

WitGuides has a practical collection of 21 free books in its Business section and 35 other free books under Real Estate and Money.

Business Audio Books

LearnOutloud has 131 free audiobooks in its business section.  They are available in different ways, including online listening, MP3 or MP4 as many link to other sites.  An interesting collection.

OpenCulture has a few interesting audiobooks mixed in among some not so interesting in its Business section.  It also features some Business School Podcasts.

Firefox: Slow Performing Add-ons

If Firefox has become slow and sluggish these add-ons could be the culprit.

From the Mozilla Add-ons page:

“Add-ons provide many useful features and functions, but they can also cause Firefox to become slower. Some add-ons can even slow Firefox to a crawl and make it difficult to use for regular web browsing. If you think add-ons might be the reason Firefox is lethargic, check the list below for some of the biggest bottlenecks. And remember, for best performance you should disable add-ons that you no longer use regularly.”

Here’s a recent list of add-ons that can cause Firefox to slow down. They are listed in order, with worst products first. For actual numbers on the degree of performance degradation check the current list at Mozilla – just follow this link:
https://addons.mozilla.org/en-US/firefox/performance/#addon-11

#1 Firebug
#2 SimilarWeb – Find the Best Sites on the Internet
#3 FoxLingo – Translator / Dictionary
#4 FoxyTunes
#5 Personas Plus
#6 FoxClocks
#7 Video DownloadHelper
#8 FastestFox – Browse Faster
#9 Feedly

 One additional item that can really slow Firefox down are Flash cookies. These cookies are persistent and use Adobe’s Flash to store their data in browsers. Flash cookies aren’t deleted when you delete cookies from Firefox (or other browsers for that matter). Firefox add-on Better Privacy can detect and delete these cookies in Firefox, but that leaves other browsers wide open.

There is a small utility called KFC (Kill Flash Cookies). It will delete any Flash cookies it finds and isn’t browser dependent. It’s a free download and works with Windows, Mac and Linux – you can get it here. http://ufridman.org/kfc.html

KFC is a stand-alone program, so it won’t install anything on your system. The download is a zip file, so you’ll need to unzip it on order to run it. KFC comes in either a command line or GUI version for all three operating systems.

More good news for Android based phones

Recent sales statistics show the Android based phones are more popular than iPhones. RIM’s Blackberry phone sales continue to decline. Read this article for a breakdown of the numbers: http://bit.ly/gX3O2y

Security Predictions for 2011

The year began with Google’s assertions that the Chinese government had attacked its servers. By the end of the year, the WikiLeaks release of U.S. State Department cables appeared to confirm that was true, thus redefining many people’s notions of the extent to which state-sponsored attacks and reconnaissance occur online and provoking furious debates over the freedom of information as well as the Internet.

In 2010, Stuxnet emerged from mysterious origins, proving that malware could have a physical, real-world impact. The volume of malware also continued to rise, as a seemingly nonstop wave of targeted attacks, spam, and botnets continued to target people’s personal financial details. In short, little was quiet.

With all that in mind, what’s in store for 2011? Here are 10 predictions from security experts – we will post their updates as they are released:

1) Smaller Botnets Muscle Up

In 2011, malware and botnets will get better, because they’re not going to get worse. While security researchers will keep finding innovative ways to combat botnets, “malware authors are finding new ways to evade detection and keep the money flowing,” according to a recent report from M86 Security.

Botnets remain too lucrative and pose too little risk to their operators to disappear. Indeed, botnet operators seem relatively immune to prosecution, especially if they’re based in Russia (and don’t attack Russians). Furthermore, despite some high-profile arrests and takedowns, for example of Lethic, Pushdo, and Bredolab, knocking botnets offline permanently seems difficult.

In fact if anything, the increased tempo of arrests will likely cause botnet creators to better hide their tracks, according to the M86 report.”We expect to see the command and control architectures become more and more layered and complex, making it difficult for security researchers and authorities to bring down the entire bot networks.”

2) DDoS Attacks Deny More With Less

Expect many current types of attacks to become more nuanced, including distributed denial of service (DDoS) attacks. Today, the majority involve brute force — overwhelming targeted data centers and carrier backbone links with traffic, at a rate of sometimes more than 50 Gbps, said Craig Labovitz, chief scientist at Arbor Networks.

But more pinpointed attacks are also growing more sophisticated and therefore more effective. “Service or application-level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers,” he said. In these cases, brute force isn’t required, but rather knowing how, when, and where to strike.

Accordingly, attackers may spend weeks reconnoitering and identifying weak links, then unleash a highly tuned attack that is effective, yet may be barely noticeable. “Unlike massive DDoS traffic floods, application attacks can be far more subtle and may only register as increased load on servers or a precipitous drop in five minute real-time sales revenue charts,” said Labovitz.

3) Smartphones Trigger Data Breaches

Consumers will bring their 2010 holiday toys to work. Of course, when those “toys” include devices that can connect to the enterprise network and store sensitive information, organizations must take steps to either block or secure such devices.

The smartphone upside for the enterprise is that workers become more of “an always connected resource — juggling emails at 10 at night,” said Steve Vinsik, VP for integrated security at Unisys. “You’re going to be a little more productive, potentially,” without the IT department having to budget hundreds of dollars per device, per person. Meanwhile the benefit for workers — aka consumers — is they don’t need to juggle multiple devices. Plus they get to use their new toy at work.

The downside, however, is that historically when such devices are allowed to connect to the corporate network, little is done to secure them. Accordingly, said Patricia Titus, chief information security officer at Unisys, “security officers and professionals now must figure out how to address the new security challenges that arise as hundreds or thousands of these new devices and their associated applications are introduced into the enterprise infrastructure.”

Might it take a high profile disaster in 2011 to really jumpstart mobile device security? Already, many see mobile devices as a data breach disaster waiting to happen. “With just half a gig, you can have half a million data records that outline first name, last name, some contact information, emails. We saw that in the past with laptops, and similarly, lost laptops lead to a lot of data breaches,” said Rob Rachwald, security strategist at Imperva.

The difference with mobile devices, however, is that “it’s much easier to lose your cell phone than it is to lose a laptop,” he said. Accordingly, “some of the same issues that we’ve seen with data leakage in the past will be deja vu all over again.”

4) Hacking Gets Industrialized — More Effective, Less Expensive

Almost any software development firm or consulting outfit today relies on industrialization — offshoring highly technical, repetitive, or non-customer-facing project activities to a highly skilled but lower-cost region. Unsurprisingly, the same is already happening with hacking. “A big trend we predict for 2011 is the industrialization of hacking, with advanced persistent treats, and the government folks starting to use private sector tricks,” said Rachwald.

On the latter front, for example, 2010 saw at least two incidents where “governments apparently rented botnets to conduct large-scale attacks,” he said. In addition, the U.S. State Department cables released by WikiLeaks quoted a source with knowledge of Chinese government activities who said that the politburo had directed the late-2009 attacks against Google.

“What I thought was most interesting was how they described how the Chinese government goes about it. They don’t have a dedicated group of people. They hire cyber-mercenaries, if you like, to do what they want to do,” he said.

5) Social Networks Feel More Pain

Social networks are predicated on people liking and trusting each other — they’re meant to be online friendships, after all. But with social networks such as Facebook now recording 500 million users, and Twitter 200 million, these sites also provide an effective, one-stop-shop for attackers seeking to extract personal financial information or log-on credentials. “This is because there is more success and payoff in assuming the identity of someone a user knows,” according to M86 Security.

Arguably, attackers — not Facebook, Twitter, or their ilk — are winning the social networking security wars. “From recent cross-site scripting and cross-site request forgery attacks to the ‘likejacking’ attacks, increase in spam, and sensationalized headline applications on Facebook, cybercriminals are constantly tooling and retooling, finding ways to exploit the social networks,” said M86 Security. Expect this trend to continue in 2011.

6) Crimeware As A Service

In 2011, security experts predict that the cloud computing model — most famously applied by the likes of Salesforce.com and Amazon.com — will also become a go-to template for crimeware vendors.

To date, crimeware toolkits have lowered the barrier to entry to conducting online attacks, because they inexpensively automate many types of attacks; no computer science degree or coding acumen required.

Now, according to M86 Security, “our research indicates that a shift is occurring whereby exploit kit developers have started to provide services,” as opposed to just selling crimeware applications. “For example, the NeoSploit and Phoenix exploit kits offer different malware services to their customers. With the NeoSploit kit, customers can purchase a specific Web server configuration that redirects victims’ requests to a Neosploit back-end server, which is apparently handled by the NeoSploit team.”

But don’t expect crimeware toolkits to die out. Rather, expect toolkit creators to add malware-as-a-service, providing their customers a bigger choice of attack capabilities.

7) Specialized Malware Moves Past PCs And Servers

Stuxnet highlighted how viruses can affect more than just PCs and servers, and Symantec predicts more of the same: “Specialized malware will move beyond PCs and servers, following the lead of the Stuxnet Trojan’s recent attack on programmable logic controllers.”

Where might the next attack happen? “Any technology that can be exploited for financial gain or influence will become a potential target,” said Symantec. Accordingly, attackers will likely target “the obvious targets like smartphones, to any number of less obvious — yet critical — systems like power grid controls or electronic voting systems.”

On the other hand, Stuxnet’s purpose wasn’t financial or influential, but rather — apparently — to wreck high-frequency drives used to refine uranium. Furthermore, security researchers estimate that the team behind Stuxnet had substantial backing, including a test environment that fully mirrored their target. In other words, Stuxnet may very well have been a one-off.

Accordingly, future Stuxnets would seem to be less of a concern for corporate IT departments than other types of threats. With obvious exceptions made for the odd CEO running a shadow offshore uranium enrichment program.

8 Insider Attacks Still Unstoppable

One 2010 lesson, thanks to WikiLeaks: Never underestimate the security risk posed by a malicious insider. But another lesson might be that it’s nearly impossible to prevent such attacks.

“Although sentiment has begun to shift, organizations have traditionally approached information security with a technological focus through investment in firewalls, network detection systems, and monitoring technologies,” said John D’Arcy, an information security expert at the University of Notre Dame. “However, these technologies are useless against the motivated insider who wants to damage the organization by leaking sensitive information.”

That said, many organizations could close more of their security holes, to at least mitigate the size of any breaches. For example, by December 2010, the Department of Defense — by its own estimate — could only track unusual patterns of access to sensitive information on 60% of its systems.

Hence this 2011 prediction: Expect more insider attacks, divulging new information. Notably, WikiLeaks has said it’s in possession of sensitive internal documents from a U.S. bank, believed to be Bank of America.

9) Government Security Gets A “Fraud Department”

Speaking of malicious insiders, given the embarrassing release of the State Department cables, expect U.S. bureaucrats to demand that their agencies’ networks remain locked down, at least until government information security experts better secure them and restrict access.

But will those efforts actually succeed? “Eventually they might be successful, but it’s a lot of work to get there,” said Impera’s Rachwald. “It’s the defender’s dilemma: you need to lock up everything, and the bad guy only needs to find one hole.”

On the other hand, for the government, “this is really going to help them take a look at how they look at file security,” he said. The issue isn’t just one of data classification, but also establishing identify, as well as each person’s normal document-retrieval usage patterns. Expect to see the government borrow a page from credit card issuers’ fraud departments. When data-usage patterns start to look unusual, it’s time to investigate.

10) Cyber War Vs. Online Protests, Censorship, Political Attacks

Stuxnet. Web site defacement. Operation Payback. What do they have in common? At one point or another in 2010, each was referenced — often by media outlets or bureaucrats — as a sign that cyber war was on the rise.

Whether or not that’s true, this very discussion highlights how security in 2011 will evolve. “While the Wikileaks and retaliatory attacks may not represent the start of ‘cyberwar,’ governments clearly view cyberspace as the battlefield of the future,” said Arbor Networks’ Labovitz. Furthermore, “the trend towards militarization of the Internet and DDoS used as means of protest, censorship, and political attack is cause for concern,” not least because it will continue to have an impact on corporate networks and data security.

Expect the “cyber war” debate to keep raging, along with all that it implies. “The world was a simpler place when DDoS was mainly driven by crime, Internet relay chat spats, and hacker bragging rights,” said Labovitz.

Welcome to 2011.