Online Safety

A couple of weeks ago, I ran a highly unscientific survey on Twitter, asking what advice people would give to children about security.

The response was overwhelmingly in favour of educating them to be cautious online, not trust people and generally be paranoid.

Other comments were more along the lines of teaching them not to click on suspicious links in emails or visit sites like 4chan.

Anyway, taking the leading topic of not trusting people online, I thought it would be a good idea to make it into a PSA-style video. Like most of my videos it turned out differently from how I initially envisioned it, and hence it's a lot darker and more serious than my previous offerings.

Note that the intention isn't to say that the internet is full of paedophiles and that's the only threat you should be worried about. Rather, the advice applies equally to adults and children, and for many reasons. You have fraudsters who want you to forward them your bank account details so that you can receive a lottery win, or dodgy marketing companies trying to harvest your information so they can sell it on.

In a nutshell, it’s better to be paranoid online and be careful of who you share information with.


Posted in Uncategorized

Forgotten Passwords

What do you do when a user forgets their password? There are a number of different approaches that can be taken. For an internal user within an organisation, it usually means phoning the helpdesk. But where an application is public-facing, running a helpdesk is usually cost-prohibitive, so self-service functionality is provided instead.

The challenge when allowing a user to self-service is that you can open up a number of avenues for attack.

For example, the error messages displayed on screen can reveal whether a username is valid or not, which makes it quite easy for an attacker to script through variations of usernames and use the responses to build a list of valid IDs. The reset form should therefore return the same response, in roughly the same time, whether or not the account exists.

The approach I've seen work well in a number of instances is to ask the user some qualifying questions to establish their identity, then email a unique, tokenised URL to their registered email address. The token should be long and randomly generated so that it cannot be guessed, and you can tighten things further by giving the URL a fixed life of a few hours and ensuring it can only be used once.

Finally, once the user has followed the URL and successfully changed their password, email them a confirmation of the change, so that the genuine account holder notices a reset they did not request.
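The flow described above, put together as an added example (this is illustrative code written for this page, not code from the original post or from any product). It assumes an in-memory user store, an `outbox` list standing in for an SMTP client, and a constructed sample user; the `https://example.test` URL, the two-hour lifetime and the security questions are all assumptions. Each piece of the advice maps to one line: the identical reply for known and unknown usernames, the random single-use token with a fixed life, and the confirmation email after a successful change.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_LIFETIME_SECONDS = 2 * 60 * 60   # assumed: "a fixed life of a few hours"
GENERIC_REPLY = "If that account exists, a reset link has been emailed to it."


@dataclass
class User:
    email: str
    answers: dict           # qualifying question -> expected answer (lower-cased)
    password_hash: bytes = b""


@dataclass
class PendingReset:
    username: str
    expires_at: int         # unix seconds


@dataclass
class ResetService:
    users: dict
    outbox: list = field(default_factory=list)    # stands in for sending email
    pending: dict = field(default_factory=dict)   # sha256(token) -> PendingReset

    def request_reset(self, username, answers, now):
        """Step 1: qualify the user, then email a one-time tokenised URL.
        The reply is identical whether or not the username exists, so the
        form cannot be scripted to enumerate valid IDs."""
        user = self.users.get(username)
        if user is not None and self._answers_match(user, answers):
            token = secrets.token_urlsafe(32)      # 256 bits of randomness: unguessable
            # Store only a digest of the token, so a leaked copy of this table
            # cannot itself be used to reset accounts.
            key = hashlib.sha256(token.encode()).hexdigest()
            self.pending[key] = PendingReset(username, now + TOKEN_LIFETIME_SECONDS)
            self.outbox.append((user.email, f"https://example.test/reset?token={token}"))
        return GENERIC_REPLY

    @staticmethod
    def _answers_match(user, answers):
        # Constant-time comparison of every answer; no early exit that leaks which one failed.
        ok = len(answers) == len(user.answers)
        for question, expected in user.answers.items():
            given = answers.get(question, "").strip().lower()
            ok &= hmac.compare_digest(expected, given)
        return ok

    def complete_reset(self, token, new_password, now):
        """Step 2: the user follows the link. The token must exist and be within
        its lifetime, and it is consumed on first use (pop), so a replayed link fails."""
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or now > entry.expires_at:
            return False
        user = self.users[entry.username]
        salt = secrets.token_bytes(16)
        user.password_hash = salt + hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        # Step 3: confirm the change to the registered address.
        self.outbox.append((user.email, "Your password was changed. If this wasn't you, contact us."))
        return True


def demo():
    # Constructed sample data; nothing here is real.
    svc = ResetService(users={"alice": User("alice@example.test", {"pet": "rex", "town": "leeds"})})
    replies = {
        svc.request_reset("alice", {"pet": "Rex", "town": "Leeds"}, now=1000),
        svc.request_reset("mallory", {"pet": "x", "town": "y"}, now=1000),   # unknown user, same reply
    }
    token = svc.outbox[0][1].split("token=")[1]
    first = svc.complete_reset(token, "correct horse battery staple", now=1000 + 60)
    replay = svc.complete_reset(token, "attacker-chosen", now=1000 + 120)    # second use is refused
    return len(replies), len(svc.outbox), first, replay


if __name__ == "__main__":
    print(demo())   # (1, 2, True, False)
```

The `pop` is what makes the link single-use, the `expires_at` check is the fixed life, and the one `GENERIC_REPLY` string is the fix for the enumeration problem. In a real deployment the `pending` table would live in a database with the same three columns (token digest, user, expiry) and the outbox would be your mail sender.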

Posted in Security, Video

Selling FUD

Some security professionals, be they consultants or vendors, have made a healthy living by selling off the back of fear, uncertainty and doubt. This short video is a tribute to all the FUDsters out there.

Posted in Security, Video

Don’t encrypt passwords

Encrypting passwords is bad. Try hashing them with a little bit of salt on top. Confused about the terminology? Maybe I can clear your confusion with the use of a shoe, a box and a pen & paper.
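The same point in code, as an added example (not from the video or the original post). The "encryption" half uses a toy keystream-XOR cipher purely as a stand-in for any reversible scheme; the property it demonstrates is the one that matters and holds for AES just as well: whoever holds the single server key can turn every stored value back into the password, and two users with the same password store the same ciphertext. The hashing half uses a per-user random salt and a deliberately slow one-way function, so neither of those is true. The `SERVER_KEY`, the scrypt parameters and the sample users are constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- What the post warns against: a reversible scheme -------------------------
SERVER_KEY = b"constructed-example-key"   # assumed: one key held by the application


def encrypt_password(password: bytes) -> bytes:
    """Toy stream cipher: XOR with a keystream derived from SERVER_KEY.
    Not for real use; it stands in for 'the application encrypts passwords'."""
    keystream = hashlib.sha256(SERVER_KEY).digest()
    while len(keystream) < len(password):
        keystream += hashlib.sha256(keystream).digest()
    return bytes(p ^ k for p, k in zip(password, keystream))


def decrypt_password(ciphertext: bytes) -> bytes:
    # XOR is its own inverse: anyone with the key recovers the plaintext.
    return encrypt_password(ciphertext)


# --- What the post recommends: salted, slow, one-way hashing -------------------
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # assumed work factor for the example


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)          # fresh random salt for every user
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time; there is
    # no way to get the password back out of `stored`.
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    # Constructed sample users; two of them chose the same password.
    users = {"alice": "hunter2", "bob": "hunter2"}

    encrypted = {u: encrypt_password(p.encode()) for u, p in users.items()}
    recovered = {u: decrypt_password(c).decode() for u, c in encrypted.items()}

    hashed = {u: hash_password(p) for u, p in users.items()}

    return {
        "encrypted_recovered_all": recovered == users,                 # key leak = every password leaks
        "encrypted_same_for_same_pw": encrypted["alice"] == encrypted["bob"],
        "hashed_same_for_same_pw": hashed["alice"] == hashed["bob"],   # salt makes these differ
        "hashed_verifies": verify_password("hunter2", hashed["alice"]),
        "hashed_rejects_wrong": verify_password("hunter3", hashed["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the first two results are `True` and the third is `False`: encryption hands an attacker with the key every password in the table and shows them which users share one, while the salted hash can only be checked, never reversed, and gives no hint that Alice and Bob picked the same password.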

Posted in Security, Video | 1 Comment

Secore.Info

Whilst Girl-Cynic is recovering from her chickenpox, Marisa Fagan kindly dropped by from across the pond to talk about secore.info.

You can stalk Marisa on twitter, www.twitter.com/dewzi

Posted in Security, Video

Happy New Year!

Hope you all have a great year ahead of you and despite how bad things may seem, you can always tap into your inner child and have some fun!

Posted in Video

New Year Resolutions

New Year is nearly upon us, and we all like making resolutions that we know we probably won't keep.

January will see all the gyms hand out 3 month free contracts which the masses will sign up to and by February tumbleweed will be blowing across the treadmills.

Plus we’re pretty lame and aren’t very good at choosing our own resolutions.

Therefore, I've come up with a genius plan. I want to ask YOU to pick MY New Year resolutions. Say whatever you want: drop me an email, leave a comment on the website, Facebook, Twitter, LinkedIn, Google+ or carrier pigeon.

Go crazy, tell me I need to include more security content in my video and blog. Or maybe you want better quality entertainment. Perhaps the colour scheme on the blog is painful to your eyes and you want it changed. Maybe you want to see me drop some annoying habit I have like starting off every sentence with the word “So”.

I’ll pick the most common ones and in January publish the list that I agree to.

However, there are strings attached. If you want to propose a New Year's resolution to me, you too should ask someone, even if it's only one person, to write down a few resolutions for you. If I know you well enough, I'll even throw some your way.

Giving feedback to others where you want them to change isn't always easy. Maybe this way we can get others to change around us so that they don't annoy us as much. Heaven knows that's a lot easier than changing ourselves.

Let the games begin.

Posted in Uncategorized