CanSecWest provides security lessons

Interesting to see some of the results of CanSecWest.  Within “seconds” Safari/MacBook fell, and the others were soon to follow.  The Safari attack was, of course, planned beforehand to execute flawlessly.

I have heard it said that ‘obscurity does not equal security.’  There are two sides to that.  One (obviously) is that you can’t assume you’re secure simply because you’re obscure.  But the flip side of that is this: while no system is truly secure, many systems are ignored by ‘street security analysts’ (in part) due to a low ROI.

So what’s the point?  I think part of the point is that every system can be exploited – even ones that aren’t market giants.  And while this is true, most security/obscurity concepts are very basic.  So be safe out there.  Here’s a brief list for starters (add more in the comments, readers!)

– Keep A/V software installed and updated (especially on a Windows system).  Use only one A/V system.  Geeks disagree as to the best A/V program, but I personally recommend Kaspersky or AVG.  If you need a free system, try AVG or Avast!, but Kaspersky is worth the money.

– Don’t use cracked software.  I’m not saying I think it’s ethical to exploit users by overcharging them for a piece of software (nor will I say that it’s ethical to pay nothing for the same software).  I’m just saying that many people who are willing to exploit a major software company by cracking their software are also willing to exploit you.  There are plenty of totally legal and reputable downloads out there (Linux distros, freeware, music released under the Creative Commons License, etc).  But be prepared to suffer if you download the shady stuff.

– Secure your wireless network (that one’s for my neighbors).  It’s not really that hard.  Or pay me $50 to do it for you.  It’s worth it.

– Keep all your software patched.  This is basic stuff, but it’s important.

– Stay off of questionable Web sites.  Think before you click.

– Don’t click links in dubious emails that read like they were written by a fourth grader.  Don’t even bother responding to them.  If you need to get to an important Web site, make sure you know what the official URL is, and use only that URL.  Don’t be afraid to contact a company directly to verify the authenticity of any communication you receive which claims to be from them.

– Remember that your bank/credit card lender/PayPal/MySpace won’t ever ask for any kind of account information, including your PIN, SSN, or password via email.  Along that line, most businesses which require you to have an important financial account will almost always contact you via regular mail if your account status is in jeopardy.  If you receive an email stating that your account is in bad standing or requires an update to your information, DON’T use the contact information in the email.  Contact the company, but use contact information you KNOW is good (like through their official website or literature), and ask about the email.  99% of the time, they are false, but know how to contact the company in the other 1% of instances.
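The rule in the two points above (know the official URL and use only that one) can be turned into a small check that a mail filter or a cautious reader can run over the links in a message. The code below is an added example written for this post, not code from the original article; the hostnames in the allowlist and the sample links it inspects are constructed placeholders. It compares the real destination host of each link, rather than the text the e-mail displays, against hosts you have verified independently, and it rejects the common padding tricks (a look-alike name in the user-info part of the URL, the brand name used as a subdomain of someone else’s domain, and internationalised look-alike names).

```python
"""Added example (not from the original post): decide whether links found in
an e-mail point at a site you already know to be official."""
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: hostnames the user verified independently, e.g. typed
# in from the company's printed literature. Placeholder values, not real advice
# about which hosts any particular bank uses.
KNOWN_GOOD_HOSTS = {"www.examplebank.com", "examplebank.com", "www.paypal.com"}

# Constructed sample of links as they might be extracted from an e-mail body.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                     # genuine host
    "http://www.paypal.com@login-update.example/",       # brand in user-info part
    "https://www.paypal.com.login-update.example/",      # brand as a subdomain
    "https://www.examplebank.com:443/accounts",          # explicit port is fine
    "ftp://www.examplebank.com/",                        # not a web link at all
]


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an http(s) URL, or None.

    urlsplit() separates the user:pass@ part and the port from the host, so
    'http://www.paypal.com@login-update.example/' yields 'login-update.example'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    return parts.hostname  # lowercased; user-info and port already removed


def is_known_good(url: str) -> bool:
    """True only when the link's host exactly matches a verified host.

    An exact match (not a suffix or substring match) is what defeats padding
    such as 'www.paypal.com.login-update.example', which is a subdomain of the
    attacker's domain rather than of paypal.com.
    """
    host = host_of(url)
    if host is None:
        return False
    # Internationalised look-alike names become xn-- labels after IDNA
    # encoding and therefore never equal an ASCII allowlist entry.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host in KNOWN_GOOD_HOSTS


def triage_links(links: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split links into (known_good, suspicious) lists."""
    known_good: List[str] = []
    suspicious: List[str] = []
    for link in links:
        (known_good if is_known_good(link) else suspicious).append(link)
    return known_good, suspicious


if __name__ == "__main__":
    good, bad = triage_links(SAMPLE_LINKS)
    print("known-good links:", good)
    print("suspicious links:", bad)
```

The check is deliberately strict: anything that is not an exact, independently verified hostname is treated as suspicious, which matches the post’s advice to go to the company through contact details you already trust rather than through anything in the message.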

– Just maybe, consider one of the less pervasive OSes out there.  Ubuntu is a good one for former Windows users, and it runs pretty well on the x86 (Pentium-type computer – your typical PC).  Mark and I have both posted (he more than I) about how relatively simple Ubuntu is to install and run, even as a second operating system.  Look through the archives for some of those posts about Wubi and the like.

Something else you might consider is running Ubuntu as a second OS to use mainly when you’re on the Web, especially if you do financial transactions on the Web.  Many of the exploits out there are based on drive-by downloads (as in the ones used in CanSecWest), and you’re less likely to be exploited on the Web if you’re running Linux/Firefox.  Not necessarily less ABLE to be exploited, just less likely.  Because even though obscurity doesn’t equal security, obscurity does equal … well, obscurity – you aren’t an easy target if you’re obscure.  Sounds lame, but it’s true.


2 Comments on “CanSecWest provides security lessons”

  1. mrosedale Says:

    I would echo using Ubuntu; if you are really nervous about a website you might try booting off of the live Ubuntu CD. Nothing bad could happen to you in that case. You browse to the website, do your business, and when you reboot everything is gone.

    Also the wifi network. You must have it secured. Where I live now there are 20 or so networks within reach of my house. One is unsecured and I am pretty sure running everything as default. If I wanted to I could just sit in my living room and sniff all the traffic. Of course I am a little more careful about my wifi now that I am living in Boston than before (MIT hacking contests and such) 🙂

  2. bfpower Says:

    Yeah, I agree about wireless security. It’s too easy to sign onto the network named “NETGEAR” and do illegal things. And the thing is, if there is something illegal happening, the owner of the service is responsible, even if they didn’t perform the action (I believe. Correct me if I’m wrong).
