Post by: Diana on February 02, 2004, 07:18:11 PM
I"m starting the thread in the hopes that it will grow over time. If it disappears from the main page, I may bring it back with new information now and then. For now, I'm going to post a couple of links for those who wish to read.
Article about the European Unions digital signature requirements for doing business there
Repost of link to GnuPG for personal sig info
see ya,
Post by: Diana on February 04, 2004, 12:02:02 AM
by T. Ranalli
White Paper in PDF, provided by SANS
It's not Mac specific, but the info is good anyway
Post by: Highmac on February 04, 2004, 01:33:48 AM
Post by: Diana on February 04, 2004, 05:30:17 AM
It's pinned! Thank you Highmac, I would never have thought to ask...and another thanks to the person who pinned it. I'll try to add to it regularly. Anyone who want to add something is welcome, them more the better.
Post by: Diana on February 04, 2004, 09:30:45 AM
Learn what they are, what they are for and how to disable them if you need to.
Two excellent tutorials to get you started.
http://www.cookiecentral.com/ccstory/
http://www.junkbusters.com/ht/en/cookies.html
Post by: Mayo on February 04, 2004, 04:09:01 PM
Post by: Diana on February 10, 2004, 08:26:16 PM
(quote)
Phishing attacks are reaching a point of sophistication where even the most Internet-savvy user could be fooled, said the Anti-Phishing Working Group (APWG) on Wednesday....
...
Jevans said that for less sophisticated users, the safest method of accessing their bank's or ISP's Web site is to type in the URL: "For a consumer right now, type in the Web address by hand. That is the best way," he said.
(/endquote)
ZDNet UK article
Besides typing a link in by hand, it may be wise to tell your ISP/Bank/Financial institution that you no longer wish to receive e-mail communications that contain account information. If an institution needs to communicate with you about your account, a better means would be for them to send you an e-mail that indicates you have a secure message waiting for you on their web site. If you type (or use a secure "favorite" link), to the site, then you will be presented with the secure message that you can read over the Secure Socket Layer (SSL) connection.
Remember too that these 'phishing' techniques aren't really new, they've just found a rebirth of sorts on the Internet. Don't give out personal/credit/banking information to anyone who calls you on the phone. Granted this isn't as prevalent as it once might have been, but it is still a problem. If someone calls you on the phone asking for account details. Ask for their name/employee ID and tell them you'll call them back. Look up the phone number yourself, (_Do Not Use One They Give You_), and call the company back. Verify that the person who called you really works there and has the authority to access the personal information in your account. IF it turns out to be a scammer who called, notify the institution and give them as many details as you can.
Post by: Diana on February 10, 2004, 08:38:18 PM
TiVo watchers are uneasy after Post-SuperBowl reports
Post by: Diana on February 11, 2004, 12:31:15 PM
Microsoft has released Remove Hidden Data Add-In Tool, which will remove data such as change tracking and comments from documents. The tool works with Microsoft Word, Excel and PowerPoint files for Office XP/2003.
Article at TheRegister
Microsoft download area
The big problem is that there are many people who haven't upgraded to this latest version where the tool works. And, this isn't specifically related to Macs, but there are probably many here who use Windows/MSOffice at work or have friends who do. Luckily, you don't have to be a hacker to learn how to remove this "metadata" from your Office documents. Go to office.microsoft.com and do a search for metadata. There are instructions for removing this trash from your documents without the above tool. Check your Office for Mac documents to make sure they don't also have the hidden data embedded in them.
Post by: Mayo on February 11, 2004, 06:04:37 PM
Regarding destroying CDs containing sensitive data...
I have conducted my own limited and very subjective experiments on how to permanently erase data from CDs that are being discarded. My Findings:
Burning CDs is smelly, possibly toxic and while undeniably effective a pretty disgusting way to do the job.
Zapping the CDs in a microwave is a relatively clean way to erase data. At least six seconds on full power (1000 watt microwave) seems to do the trick. I place the CDs with the silver/writeable layer facing up. The longer you zap, the more the silver layer disintegrates. Different brands of CDs require more or less time to do the same amount of damage. Keep in mind that the longer you zap, the more fumes that are produced.
It's actually rather neat...as the silver layer heats up it creates crackling blue lightning-like effects on the surface of the CD, just like in Star Trek.
CDs so treated don't appear to be readable at all and are just spit-out
by a computer. At least that is what my 7300 does when presented with a freshly-nuked CD...My microwave seems to suffer no ill effects but you know what is coming next: you do this at your own (and your microwave's) risk!
Post by: Diana on February 11, 2004, 06:46:14 PM
I would consider your post to be right in line..
Dealing with data that is old/outdated/no longer needed is very important...especially if it could be used against you.I find myself questioning my own topic title. I see security all tied up with privacy so even though the topic would seem to be security, personal privacy is also a valid topic.
As the poor Windows people don't even seem to understand, allowing those awful viruses to infect a computer leads to personal loss of privacy, including identity theft. Think secure, keep your data your own, and protect your privacy. In this since I'm not advocating you lock yourself in your house and refuse to wave at the neighbors,
I'm only pointing out that as we if we forget security..(locking our doors), the thieves will arrive and steal not only physical objects, but personal/private data. These thieves come in many disguises..marketing companies, spammers, unscrupulous businesses and even governments...and their modes of operation don't always look as suspicious as they should...(see TiVo operation above) I've always wanted to nuke a CD just to see what would happen, I may have to do it when I'm ready to buy a new microwave..current one is 18+ years old and I'm not ready to kill it..
Post by: Mayo on February 12, 2004, 11:10:30 AM
QUOTE
I would consider your post to be right in line.. Dealing with data that is old/outdated/no longer needed is very important...especially if it could be used against you
This morning I was thinking about how many times I have heard someone say that they don't have anything "really important" on their computers, so why should they be concerned about the security of their data?
I wonder what these people actually DO on their computers? Do they never use e-mail? Or connect to the Internet? Don't any of these people own a copy of Quicken? Do they only play solitaire and work on the next Great American Novel that never actually gets submitted to a publisher?
When I first started my computer journey I wrote all my passwords and log-in IDs on a sheet of paper and kept it in a filing cabinet. Within a year or so I must have had log-in info for at least twenty websites. The information was more or less accessible depending on whether it had been written at the start of a day or very late at night... The variety of penmanship, writing implements (pen, ink, crayon) and positions on the paper would have no doubt been of interest to a student of psychology.
Sure, the file was kept in a lockable file cabinet when it wasn't on my computer desk. The operant word here is "lockable," not "locked."
Now I have a single program on my Mac that contains ALL my online passwords (68 as of this morning...), plus credit card and social security numbers and other essential personal data. It makes dealing with the online world Oh So Much Easier, and you can bet your booties that its automatic encryption feature is activated. And the password that opens that encrypted file isn't written down anywhere and is totally different than any of the passwords secreted away in Web Confidential.
I don't know what other people backup on their computers (you DO backup, don't you???) but I tend to backup...The Important Files, natch. Yesterday I was doing some office cleaning (coming back from a bout with a bug...so I was taking it easy) and I found myself looking at a small stack of outdated backup CDs. Hence, my little microwaving experiment...
All future CD backups will be encrypted; in the past I encrypted only certain files. The easy portability of CDs makes me want a little tighter lock on those babies.
Computers should make life EASIER. That's the theory behind all this expensive gadgetry, let's not forget that... And yet I know people who won't keep sensitive information on a computer because they think that it is less safe than in a file on their desk. I thought that the main advantage of a computer is the easy management of information?
Or maybe most people just forget how much sensitive information they really do have on their beloved Macs...
So encrypt those files and do whatever else seems prudent and repeat the following mantra after me...
What, Me Worry?
Post by: Diana on February 16, 2004, 09:03:07 PM
I realize that again this isn't a Mac-specific or even a Mac-possible issue, but if we all learn and tell our Windows friends, we'll make progress.
Spammers Exploit High-Speed Connections
Hopefully these articles will stick around as this thread ages. If someone notices that they are disappearing, please let me know and I'll start archiving them myself
see ya,
Post by: Diana on February 17, 2004, 02:38:12 PM
-- How to Safeguard Your Computer on a Budget (Windows)
This tutorial examines the possibilities of your computer being infected and what you can do to fix the problem and set your computer up so as to prevent future attacks without having to spend a fortune.
http://www.wired.com/news/infostructure/0,...7,62222,00.html
Post by: Diana on February 18, 2004, 01:20:04 PM
Bluetooth enabled phone users at risk
Security issues are being raised in many corners. The last lines of the article seek to ease fears, but remember, very few foresaw early on the Internet as it is today, fewer still were worried about spam/viruses and other baddies just a couple of years ago. Keep up on these issues even as they relate to PCs and all your mobile devices. When fixes are available, be sure to apply them as your situation requires.
Post by: pendragon on February 21, 2004, 06:16:27 AM
A most worthwhile read me thinks...
http://www.macdevcenter.com/pub/a/mac/2004...0/security.html
Harv
Post by: Diana on February 23, 2004, 09:13:40 AM
Lostpassword.com
For this to work, you must have set your system or a program to remember passwords.
The problem I see is this: If you leave your computer alone and unlocked for others to use, they can download this free utility in seconds/minutes..(it's very small)..and procede to uncover passwords. It could also be put on a floppy/usb/memory stick and installed very quickly.
This shows yet again how important your passwords are, and even more so the importance of physical security for your machine. It is best if you don't use programs...even the browser...to remember your passwords/logins for you. Granted some passworded areas aren't especially sensitive...(your favorite browser start page for example), but NEVER use the same passwords across multiple sites and NEVER EVER allow your banking password to be the same as your instant messenger password...(examples all). Best practice would be to keep all those most important passwords in your head, don't let anything remember them for you. That makes this utility less useful...and dulls both edges of the blade.
*grin...sorry to keep making this Windows-centric, but I know some here run PCs and Macs.
Post by: Diana on February 24, 2004, 07:13:45 AM
Here are some links with stories and cautions.
Teen from Eatonville, WA - No checking account or credit cards but ID stolen anyway.
Story about how Penn State is combatting ID theft for their students
U of Penn practices
Good practice:
Use good passwords that are changed often and never written down
Shred all ATM and credit card/bank receipts
Never reveal personal info over the phone or online
Check your credit card statements monthly and credit reports yearly
Make front and back photocopies of all documents in your wallet/purse. Keep these photocopies in a safe/locked place
Post by: Diana on February 24, 2004, 07:44:19 AM
Think again
How lenders are abetting the ID thieves
and here is a good PDF Whitepaper from Security Focus
Attitudes towards privacy study
Post by: Diana on February 24, 2004, 07:56:01 AM
Privacy issues
http://edocket.access.gpo.gov/2004/04-3496.htm
-- Computer Matching Between DOJ, IRS
IRS will provide tax payer addresses to the DOJ for initiation of prosecution of debtors using computer matching
http://edocket.access.gpo.gov/2004/04-3793.htm
Post by: Diana on February 24, 2004, 08:02:26 AM
http://www.smallbusinesscomputing.com/news...cle.php/3313751
There are so many facets to this stuff..
We all need to learn about our own personal privacy issues, but also we need to be watchful of how others use or abuse our privacy. Businesses both large and small are in a position to learn and know more about each of us that we ever imagined. Business owners should be aware of their requirements under the law too, especially as the awareness of these issues rises. Don't get caught unprepared.
Post by: Epaminondas on February 28, 2004, 10:27:24 PM
GnuPG currently seems to be oriented toward MacOS 10.3 users, but not toward MacOSs prior to MacOS 10.3.
Any suggestions for a good ...PG program for Mac OS 9.x?
Thank you,
Epaminondas
Post by: Mayo on February 29, 2004, 01:06:54 PM
1. We have permanently opted-out from being included on all preapproved credit offering mailing lists utilizing the Equifax, Experian, Innovis and Trans Union databases. We may continue to receive notices from companies that do not use consumer data to compile lists, but I can tell you that we went from receiving many such offers to almost none in the month since we took this action. If you are tired of receiving a multitude of preapproved credit card offers, this should be the first thing on your to do list.
2. We contacted one of the big three credit reporting firms and submitted a fraud alert for both of our accounts. We used a toll-free number to begin the process. It costs nothing to do this, and a fraud alert initiated at one of the companies is automatically forwarded to the other two. The fraud alert temporarily halts any issuance of "instant credit" without confirmation via telephone, which effectively prevents the most common form of fraud associated with identity theft. The fraud alert does not impede getting credit, except for the verification requirement. Since we never use instant credit offers, it has no effect on us whatsoever.
People who submit a fraud alert also receive credit reports from the big three, free of charge...
3. The final step we are taking is to contact the big three (contacting only one may do the trick, but I sent letters to them all...) to place a seven-year fraud alert on our files. Technically, you have to state that you have been the victim of identity fraud, but instead I simply requested that the fraud alert be placed in our files, and that we would not be responsible for any credit issued in our names that was not verified by telephone.
Information on what to do and contact information can be found here.
Post by: sandbox on February 29, 2004, 01:33:23 PM
http://web.mit.edu/network/pgp.html
This Version= PGP Freeware v6.5.8 is MacOS 7.6.1+
Post by: Diana on March 03, 2004, 01:13:05 PM
ATMs being modified to skim your card data and collect your PIN
After you look at the pictures, see if you would be able to spot the adapter...I don't know that I could. So, I'm going to be pulling on the pieces parts to see if they come off or wiggle around now..
Oh..and for the skeptics like me...Snopes.com says it true.
Post by: Diana on March 12, 2004, 09:07:49 AM
It would probably be good to bookmark this one as the contents will be added to as stories/articles are published. Some will be familiar to those who are concerned, but the nice thing about this page is these articles, although published in other places as well, appear here altogether.
silicon.com's protecting your ID archive
Post by: Diana on March 15, 2004, 06:58:55 PM
Hackers use Google ...
Edit: YIKES!..thanks tons Mayo. I hadn't double checked that like I should..was reading the comments and musta copied the wrong URL. I fixed it here..not to take anything from Mayo's correction in the post below, but because I hate to leave my link wrong..
Thanks again Mayo.
Post by: Mayo on March 16, 2004, 10:01:28 AM
Post by: Diana on April 21, 2004, 10:11:33 AM
I haven't posted anything new here in a while, but I've run across some more good stuff now. I'm going to put in links covering several "topics" instead of creating multiple posts below this one.
A set of good links from Netscape about security basic including privacy, and personal digital certificates.
Understanding Security and Privacy
Here is an editorial about the new Google mail service
Free webmail at Google
I will not be signing up for Google mail, but I'm also going one further. I will not be emailing anyone that uses that service. Please very carefully consider that this service will not be secure so a business entity should not even consider this service for itself nor allow its personnel to do so.
Here is a futuristic look at privacy. Given your political mindset, you will either cringe or drool over the possibilities.
A Post-Privacy Future for Workers
and to show how predictions can come true, read this article as sent to me by my brother-in-law who was sent to Iraq as a reservist, but is now back in Virginia working for the army, still enlisted.
Onward Cyber Soldiers (this is a long one)
And here is a book that is receiving great reviews..(I haven't read it yet) about security for the non-techy person. I'm sure by now that my posts are overlapping in content, but if ever there is something old presented in a new way, it may teach to someone who still doesn't understand..
Invasion of Privacy! Big Brother and the Company Hackers (Edited to change URL to Amazon...much cheaper there than the first link I had, and I just ordered mine..
)and finally, for anyone interested in actually participating in a Government panel concerning the RFID tags that are becoming prevalent, either because you are close to the meeting site or wish to travel there anyway, here is an open invitation to such a meeting:
Public Workshop: Radio Frequency Identification: Applications and Implications for Consumers; Notice
happy reading
Post by: kelly on April 25, 2004, 11:31:21 PM
MacInTouch Security Resources
http://www.macintouch.com/security.html
Post by: kelly on April 27, 2004, 11:28:35 AM
Online Fraud
http://www.macintouch.com/fraudreports.html
Post by: sandbox on May 25, 2004, 01:09:18 AM
http://daringfireball.net/2004/05/ounce_of_prevention
Diana, like every year at this time the Barnes & Noble Plastic cards roll in.
I was wondering what new Tech Books would interest me and I think you've found one!
Thank You!
Some recent clients have made me look at security in a whole new light, and from that twinkle I suspect that I should know a bit more than I do in this matter. I feel I depend on Earthlink far too much, although I really have no reason to question their work, so far, so good! Symantec software still serves me well but stillllllllllll.....
At a Party this weekend with some folks from the St. Pete Times & Tampa Trib I was informed that they have switch their email program to Lotus Notes since they use Panther on some of their computers and have experienced problems. I know nothing of Lotus Notes but I'm paying attention since I'm going to need to move into OSX =Panther/Tiger? when I can no longer use OS 9. A friend who runs the graphics department said he will never give up the security and ease of use in OS 9, his is the only department that has never had a problem! I asked "yah but how much mail could you do, don't you guys just sit around making pictures?"
He said, Nope we communicated everyday with all the seasonal Sports Teams around the world", "for an example" Who would have thunk? Here's a book for Macs
Post by: Diana on May 31, 2004, 11:10:06 AM
This is not computer related...but it is a tech/privacy issue.
I'm posting the whole article here, but it came from The Register
US lubes passports with RFID snake oil
By Thomas C Greene
Published Thursday 20th May 2004 13:36 GMT
Opinion As we reported recently, the US State Department will conduct a trial of biometric passports this Fall, with any eye toward moving to full production in 2005.
This scheme is supposed to help officials catch evildoers who are too thick to get biometric passports issued to themselves under false identities. It will, of course, be a great obstacle to knuckleheaded exploding-sneakers types like Richard Reid and loose talkers like Jose Padilla, although even moderately slick terrorists will not be affected.
Mug me, I'm rich
One of the more dubious aspects of the new regime is the so-called "smart chip," a spectacularly dumb RFID (Radio Frequency Identification) gizmo that might very well broadcast data indiscriminately to any device designed to receive it. There are several ways to design such a chip, and the preferred design, from a security point of view, would require the document and reader to be in physical contact. A passive chip can be read at a distance by a powered reader, but it doesn't have to be. However, it is likely, given the tech industry's lust for adding 'features' whether they're needed or not, that the chips will be readable from a distance. This would make it easier to move large herds of travelers through customs gates quickly, and it is likely to be pitched successfully on this basis.
Unfortunately, this would also make it easy for street criminals to scan crowds in search of naive foreigners likely to be in possession of decent quantities of cash, like Americans and Europeans, say. The RFID lobby has consistently neglected to address issues of personal safety when sensitive, identifying information is being broadcast secretly and indiscriminately by their nifty gizmos. Such electronic documents are a boon to street thugs looking for probably-rich tourists, and, more ominously, to sophisticated criminals and kidnappers.
Arrest me, I'm naughty
It's a minor blow to one's privacy when a packet of razor blades is chipped so that anyone with a reader can learn what brand you happen to like. But chipping personal documents such as ID cards and passports is tantamount to chipping people. A document that reveals your name, age, address, and more, that can be read from a distance without your knowledge by anyone for any reason, is a clear threat to personal safety, and, obviously, any semblance of privacy.
There is nothing, beyond a few laws that get weaker every year, to prevent overzealous Feds and similar government busybodies from setting up surreptitious readers, and performing silent, automated ID stops that one knows nothing about.
In a nightmare world quite conceivable after a few more terrorist atrocities, ID readers could be integrated with subway turnstiles, metal detectors, and scores of other daily nuisances and choke points. Data scanned could be sent to a database that is searched automatically for certain triggers. It might be some time before such intrusions become routine, but it is beyond doubt that the bureaucrats currently pushing the technology know perfectly well that this potential exists, and are secretly pleased by it.
Big assumptions
Unlike the RFID aspect of the new passport scheme, which will actually bring harm to people, the biometric obsession is basically a harmless, if rather expensive, folly. Superstitious faith in biometrics is touching, but the technology is no worse than what we've got at the moment. Of course, it's also no better.
Bogus credentials are easy to come by, so if biometrics are intended as a security measure, implementation is going to trip up only the thickest and laziest of attackers.
It is quite easy to forge a birth certificate (or obtain one belonging to someone who died in infancy, approximately one's own age), and use it to establish a series of foundation documents such as a Social Security card, a driver's license, and a passport, which, in turn, can be used to register for college, get a job, establish credit, obtain licenses, housing, services and utilities, and so on. These secondary documents will be founded on a lie, all right; but they will be perfectly authentic and can be used with ease to scam the system. This is because authenticity, rather than accuracy, is the standard on which documents are accepted.
Such documents tell other people where you live, where you went to school, whether you're qualified to drive, and so on. But they don't establish who you are. Nevertheless, they are used as if they did, and adding a biometric feature only reinforces the popular illusion that they actually identify people. In fact, biometrics merely establish ownership of the document in question, regardless of whether it tells the truth or not.
For example, my picture-ID driver's license tells you that someone claiming to be named Thomas Greene is qualified to drive an automobile, and that I (whoever I might actually be) am the rightful owner of the document that proves it. Assuming that the document is authentic, when I present it to you, you can safely assume that I'm a properly licensed driver, but no more.
Mark of the Beast
At present, it's impossible for any bureau to know that one is who they claim to be. The only near-foolproof way to establish identity would be through universal DNA profiling at birth. After a few generations, virtually everyone could be identified with certainty, so long as DNA identification and verification is required, cradle to grave, for all transactions such as obtaining a birth, marriage, or death certificate, establishing credit, opening a bank account, buying, selling or leasing real property, registering to vote, obtaining a driver's license or a passport, enrolling in school, registering for military service, employment, and so on.
To be effective, the data would have to be collected without fail from everyone issued a birth certificate, and be made widely and easily available to anyone who wishes to verify it. And it would have to be verified routinely, to minimize the chance that one could obtain any useful documents without DNA identification. But since this scheme is so repulsive, and so closely resembles the mark of the Beast prophesied in Revelation, it is doubtful that it could be implemented without tremendous, and possibly violent, opposition from the public. Unless terrorists should accommodate the change by nuking a major city or something equally hideous.
But until something truly Biblical happens to break down people's resistance to being branded by their governments, we're going to have to accept the fact that motivated people can and will alter their identities, and that biometrics can do nothing to prevent it. We may accept digitized fingerprints and face scans as the new standards, but they're no more effective at identification than the analog photos and signatures we use today. The flaws in the system will remain the same.
The problem is not biometrics, which represent only a waste of money that could be better spent. The chief problem is the RFID element, which invites myriad abuses of personal data by the evil-twin forces of criminal exploitation and government paternalism. ®
Thomas C Greene is the author of Computer Security for the Home and Small Office, a complete guide to system hardening, online anonymity, encryption, and data hygiene for Windows and Linux.
Post by: kelly on July 23, 2004, 10:47:16 AM
From MacInTouch.
http://www.macintouch.com/
"Notes and Tips
Eric Dubiel pointed out a very useful security guide, available in PDF format: Securing Mac OS X by Stephen de Vries:
Aimed at users in environments requiring stronger security controls in an operating system, making full use of the protection features offered in OS X. It would also be of use to system administrators wishing to enforce an organization wide desktop security policy for Mac OS X."
http://www.infosecwriters.com/texts.php?op...=display&id=190
Post by: kps on September 03, 2004, 08:08:03 AM
This article details just how easy it is to crack a WiFi network with some freely available tools on the internet. The author even used an iBook to do it.
I'm posting this for the sole purpose of education. If you worry about wardrivers or your neighbour stealing your internet connection, this will shed a lot of light on the situation.
WiFi Security Article
-----