default Archives - Gregory D. Evans | Worlds No. 1 Security Consultant

Posts Tagged ‘default’

More than 100000 Wireless Routers have Default Backdoor

A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn’t necessary for some Arcadyan based routers anymore.
Last …

View full post on National Cyber Security » Computer Hacking

New Bill in the UK wants internet to be censored from porn by default

Baroness Howe of Idlicote most definitely seems to be thinking of the children, but is this a sensible approach?

At the start of this month, she was granted the first reading of her private member’s Bill on ‘online safety’ in the House of Lords.

The Online Safety Bill states that ISPs and mobile telcos should provide a porn-free internet connection by default.

Of course, an adult can choose to opt in to the uncensored, porn-permitted version, provided the site containing adult content has an 18+ verification system.

The Bill wants technology for filtering out porn to be provided at point of sale on every Internet enabled electronic device that can download content.

It also states that ISPs and telcos should provide clear information on ‘online safety’ defined as “the safe and responsible use of the Internet by children and young people on an electronic device.”

This proposal hasn’t exactly received a warm reception from industry, with trade body the ISP Association arguing that “filtering by default will only reduce the degree of active interest and parental mediation, lull parents into a false sense of security and lead to over blocking. The question also arises of who decides what is pornographic and what is not?”

But wait a minute – haven’t we been here before? Yes, we have. Back in late 2010/early 2011, Tory MP Claire Perry called for ISPs to implement an opt-in system for porn with over-18 age verification.

Minister for Culture Ed Vaizey and parenting network Mumsnet indicated initial support for this idea.

But Mumsnet became concerned that filtering technologies might over-block, impacting, for example, its breastfeeding guidance.

Flash forward to last summer, when the Bailey Review on sexualisation and commercialisation of childhood was released, and we saw another wave of conservatism, with the Coalition refocusing on protecting kids from internet porn.

By last October, David Cameron was meeting the big four UK ISPs: BT, Virgin, Sky, and TalkTalk. It was decided a voluntary Code of Practice was the best route forward. A website called ParentPort, to allow parents to complain about inappropriate content on the internet, was also launched.

Under the self-regulatory approach, BT and Virgin provided parental control software for computer-based filtering. Sky will have ‘active choice measures’ that require customers to opt out of parental controls.

TalkTalk went a bit further still, allowing customers to opt into a filtered network service where parents set the blacklists that filter and block content, including porn.

It was found TalkTalk’s filters didn’t actually work very well. For instance, it failed to block one of the biggest porn sites in the world.

This is where we are now. To my mind, having government legislate in this way will only lead to confusion. Let the consumer choose. This is legal pornography, and having a blanket default of state sponsored censorship seems a wholly disproportionate and unnecessary approach to controlling access.

This got me thinking about the issues for those who would decide to opt in to access pornography. In order to validate your age, you will need to provide identification and then be listed on a database as someone who has chosen to access porn.

The Information Commissioner’s Office has recognised the importance of protecting people who could be on the list, but ultimately the best way to protect this data is for it not to exist.

ISPs already provide technologies for parents wanting to control what their kids see and it is the parents’ prerogative to use these. To my mind, these seem to give enough flexibility and sufficient control for any concerned parents.

I think we need to protect the status quo, in which those who object to pornography opt out of the general internet and can opt in to a censored version, not the other way around.

With this being a private member’s bill, it won’t get anywhere until it gets government support. Thankfully, the Department of Culture, Media and Sport have already said they prefer the current flexible, self-regulation that benefits industry and consumers.

And this might be a nail in the coffin for this bill, so it can be buried in the graveyard of failed private member bills, where I think it belongs.

What do you think?

UPDATE, later on the same day… Well, I had hoped this condemnation from DCMS was the nail in the coffin and this Bill could be buried alongside other failed private member bills. That doesn’t seem to be the case.

A Parliamentary Inquiry Report into Online Child Safety was released today, chaired by Claire Perry. It mirrors many of the recommendations of the Bill and seeks a formal Government review on the opt-in filter, rolling out ‘active choice’ measures, single-account ‘one click’ filtering for all devices on the same internet connection, a single regulator for internet safety and even public wi-fi networks having a default adult content bar. Clearly this issue is not going away any time soon.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FXOhlt9VlZQ/

View full post on National Cyber Security

Google search domains to get HTTPS by default

The steady roll-out of SSL for the world’s most popular websites continues with the news that Google’s global search domains, including google.co.uk, are finally to get HTTPS encryption by default over the coming weeks.

The company turned on HTTPS by default for its global .com domain in October, which now works for all users while signed into Google services, before which secure searching had to be conducted through a special site few would have heard of, https://encrypted.google.com.

Even once turned on, users outside the US wanting to access the HTTPS feature would have had to manually specify the .com domain (which some know is encrypted), or the equivalent local domain (which many don’t) or change the default search engine in their browser, which few do.

Once implemented, the new setting will make that unnecessary although all users will still need to be signed into a Google service to access HTTPS search.

Twitter turned on HTTPS by default only three weeks ago after making the security an opt-in option last year. Facebook offers HTTPS in its security settings, but it is not enabled by default.

If SSL offers an important layer of security, why would companies not turn it on by default?

The main reason is that it requires the company to handle the encryption overhead at data centre level, no mean feat when millions of concurrent users are accessing a service. That adds complexity and expense, hence HTTPS’s slow journey towards becoming standard.

For Google users, encrypted search means that visited sites can see that a user has landed from Google, but not the search term entered. It also shields this data while using unsecured WiFi.

The impetus to get https turned on without the need for user interaction dates from the appearance of easy-to-use sniffing software such as Firesheep, a proof-of-concept research tool used to point out the weakness of Twitter and Google to eavesdropping when used on open wireless connections without SSL turned on.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1d3a6087/l/0Lnews0Btechworld0N0Csecurity0C33427280Cgoogle0Esearch0Edomains0Eget0Ehttps0Eby0Edefault0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

Twitter enables HTTPS by default

Twitter has enabled secure hypertext transfer protocol (HTTPS) for all its users by default, meaning that traffic on the micro-blogging site is now encrypted, providing better protection against man-in-the-middle attacks.

HTTPS keeps the session cookie encrypted throughout the log-in session, preventing the information from being intercepted. Twitter, which made opt-in HTTPS available to users for the first time last March, said that it is particularly important to use the encrypted protocol when accessing Twitter over an unsecured Internet connection, like a public Wi-Fi hotspot.
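The two articles above make the same point: a session cookie is only safe from a sniffer on open Wi-Fi if it never travels over plain HTTP, which is what "HTTPS by default" actually buys. The following added example (not code from Twitter, Google or the articles' authors) is a small audit routine a defender can run over captured response headers. It checks that the session cookie carries the `Secure` and `HttpOnly` attributes and that the server sends a `Strict-Transport-Security` header so browsers stop trying `http://` first. The header sets at the bottom are constructed samples, one modelled on opt-in HTTPS and one on HTTPS by default; the cookie name `sid` is an assumption.

```python
"""Audit HTTP response headers for HTTPS-by-default hygiene.

Added example. The sample header sets are constructed, not captured from
any real site, and the session cookie name `sid` is an assumption.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # seconds; the conventional minimum HSTS max-age


def _hsts_max_age(value: str) -> int:
    """Pull the max-age directive out of a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number.strip())
    return 0


def audit_response(headers: dict, session_cookie_name: str) -> list[str]:
    """Return a list of findings; an empty list means the response passes.

    `headers` maps header name -> value. Set-Cookie may be a list, because a
    single response can set several cookies.
    """
    findings: list[str] = []
    norm = {k.lower(): v for k, v in headers.items()}

    # 1. Without HSTS the browser still fetches http:// on a typed URL, and
    #    that first plaintext request is exactly what a Wi-Fi sniffer sees.
    hsts = norm.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: HTTPS is opt-in, not default")
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings.append(f"HSTS max-age={_hsts_max_age(hsts)} is under one year")

    # 2. The session cookie itself must refuse to travel over plaintext.
    raw = norm.get("set-cookie", [])
    if isinstance(raw, str):
        raw = [raw]
    seen = False
    for line in raw:
        jar = SimpleCookie()
        jar.load(line)
        if session_cookie_name not in jar:
            continue
        seen = True
        morsel = jar[session_cookie_name]
        if not morsel["secure"]:
            findings.append(f"{session_cookie_name} lacks Secure: also sent over http://")
        if not morsel["httponly"]:
            findings.append(f"{session_cookie_name} lacks HttpOnly: readable by page scripts")
    if not seen:
        findings.append(f"{session_cookie_name} is not set in this response")
    return findings


# Constructed sample responses (not real captures).
OPT_IN_HTTPS = {
    "Content-Type": "text/html",
    "Set-Cookie": ["sid=abc123; Path=/; HttpOnly"],
}
DEFAULT_HTTPS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["sid=abc123; Path=/; Secure; HttpOnly", "lang=en; Path=/"],
}

if __name__ == "__main__":
    for label, hdrs in (("opt-in", OPT_IN_HTTPS), ("default", DEFAULT_HTTPS)):
        print(label, audit_response(hdrs, "sid") or ["ok"])
```

Note that the `lang` cookie in the second sample is deliberately left without `Secure`: only the cookie that grants access to the account needs to be kept off plaintext connections, and the audit only looks at the cookie name you pass in.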

“HTTPS is one of the best ways to keep your account safe and it will only get better as we continue to improve HTTPS support on our web and mobile clients,” said Twitter in a blog post.

Users still have the option to turn off HTTPS through the Account Settings page.

The move was welcomed by security firm Sophos, which said that using public Wi-Fi hotspots to access Twitter without enabling HTTPS could allow a hacker to “sniff your session cookie”. This means they could post tweets as you, or read your private direct messages.

“Don’t imagine that sniffing session cookies from unencrypted connections is rocket science,” said Graham Cluley, senior technology consultant at Sophos. “Tools such as Firesheep have made it child’s play in the past for anyone to access the Twitter or Facebook account of someone close by if they haven’t taken the right precautions.”

Cluley pointed out that actor Ashton Kutcher’s Twitter account was hacked during the brainbox TED Conference last year. The hacker accessed Kutcher’s account over an unencrypted Wi-Fi connection and posted pro-SSL graffiti in his name.

Google became one of the first major web communication companies to adopt HTTPS across its sites in January 2010. The Google Plus social network has therefore had HTTPS turned on since launch.

In the case of Facebook, however, HTTPS is still disabled by default, despite giving users the option to enable it a year ago.

Meanwhile, research published by the Electronic Frontier Foundation last year showed that the SSL certificate system that underpins web security is far from trustworthy. Ultimately, this means that users may not be able to fully trust HTTPS connections. However, until schemes like DNSSEC come online to prevent website spoofing, they have no choice but to do so.

Article source: http://rss.feedsportal.com/c/270/f/3551/s/1cb270c9/l/0Lnews0Btechworld0N0Csecurity0C33380A50A0Ctwitter0Eenables0Ehttps0Eby0Edefault0C0Dolo0Frss/story01.htm

View full post on National Cyber Security » Computer Hacking

HTTPS enabled by default – nice one Twitter!

Twitter announces that it has enabled HTTPS/SSL by default – a great step for protecting users’ privacy.

View full post on Naked Security – Sophos

View full post on National Cyber Security

Change default Apache port in XAMPP – Lucid Nerd Tutorial

How to change the default Apache port in XAMPP. In this video I will cover how to change the default Apache port to help you solve any port conflicts you may have with XAMPP Server. VIDEO RELATED LINKS: Start – Stop Microsoft’s IIS: youtu.be XAMPP homepage: www.apachefriends.org Apache homepage: httpd.apache.org MySQL homepage: www.mysql.com PHP homepage: www.php.net

Article source: http://video.hackerjournals.com/?p=6131&utm_source=rss&utm_medium=rss&utm_campaign=change-default-apache-port-in-xampp-lucid-nerd-tutorial

View full post on National Cyber Security » Announcements

Avoid default installations

View full post on SANS Institute Security Awareness Tip of the Day

View full post on National Cyber Security

Doomed by default passwords
Recent hacks reveal that admins and vendors have fallen behind on protecting legacy systems

Many years ago, I was hired to penetration-test a customer’s IBM AS/400 system, and the system administrator admonished me for even trying. “AS/400s aren’t like cheap and insecure little PC systems,” he argued. “They’re built from the ground up to be secure.”

As he completed his last sentence, I logged into his system and took complete control of it. He had not changed the default account password. It had been left as is for almost 20 years. His system was contactable over the Internet, so I had to wonder, as his mouth dropped open, if I’d been the first to try the obvious.

This anecdote came to mind not long ago as I read about more SCADA (supervisory control and data acquisition) systems with hard-coded passwords. Legacy systems are often the culprit, but as the Stuxnet worm showed last year, even modern SCADA systems are vulnerable. More recently, a hacker going by the handle of prOF claims to have hacked into a South Houston waterworks SCADA system because it was easily findable on the Internet and had a 3-character password. Why is a public waterworks system using 3-character passwords? Why are there SCADA systems allowing 3-character passwords?

Legacy systems don’t get a password pass
Most vendors ship software and hardware with default admin logon names and passwords. The better vendors force users to choose a new password when logging in for the first time, require strong passwords, and force adequate password updates after that. The worst vendors have products with hard-coded administrative passwords that cannot be changed.

The risk posed by hard-coded passwords is nothing new — it’s No. 7 on the top 25 list of dangerous software errors. SCADA systems are more at risk for a couple of reasons: The SCADA industry, in general, is at least a few years behind the rest of the software industry in writing secure code, and SCADA systems often come with long depreciation schedules. Whereas organizations might upgrade office PCs every three to five years, they would usually keep the same SCADA system running for decades.
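The column above describes what the better vendors do: force a new password on first login, require strong passwords, and refuse the shipped default. The following added example (not code from InfoWorld, the author, or any vendor) sketches that account flow in Python: an account is provisioned with its shipped password flagged as temporary, a login with that password succeeds only as far as "change required", and the replacement is rejected if it is short, contains the user name, or is on a known-default list. The `FACTORY_DEFAULTS` entries, the minimum length of 12 and the account names are constructed assumptions for the example.

```python
"""First-login password change and default-credential rejection.

Added example. FACTORY_DEFAULTS, MIN_LENGTH and the sample account are
constructed for illustration, not taken from any product.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

MIN_LENGTH = 12  # assumption; the column's 3-character passwords fail this
# Constructed stand-ins for a vendor's shipped (user, password) pairs.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "1234")}
DEFAULT_PASSWORDS = {pw for _, pw in FACTORY_DEFAULTS}


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked database does not leak passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool  # True while the shipped/installer password is in place


def provision(username: str, initial_password: str) -> Account:
    """Installer creates the account; the initial password is flagged temporary."""
    salt = secrets.token_bytes(16)
    return Account(username, salt, _digest(initial_password, salt), must_change=True)


def policy_violations(username: str, password: str) -> list[str]:
    """Return the reasons a candidate password is unacceptable ([] if fine)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if (username.lower(), password.lower()) in FACTORY_DEFAULTS or password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known factory default")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def login(acct: Account, password: str) -> str:
    """'denied', 'change_required' (no session yet) or 'ok'."""
    if not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        return "denied"
    if acct.must_change:
        return "change_required"  # the default password opens nothing but this dialog
    return "ok"


def change_password(acct: Account, current: str, new: str) -> list[str]:
    """Replace the password; returns [] on success, else the policy problems."""
    if not hmac.compare_digest(_digest(current, acct.salt), acct.digest):
        return ["current password incorrect"]
    problems = policy_violations(acct.username, new)
    if problems:
        return problems
    acct.salt = secrets.token_bytes(16)  # fresh salt on every change
    acct.digest = _digest(new, acct.salt)
    acct.must_change = False
    return []


if __name__ == "__main__":
    acct = provision("admin", "admin")  # constructed sample account
    print(login(acct, "admin"))                                   # change_required
    print(change_password(acct, "admin", "adm"))                  # too short
    print(change_password(acct, "admin", "correct horse battery staple"))  # []
    print(login(acct, "correct horse battery staple"))            # ok
```

The `must_change` flag is what separates this from a plain password check: the twenty-year-old default in the anecdote would still authenticate, but it could never reach a shell or console, only the change-password step.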

SCADA environments are full of devices and appliances with supposedly secure operating systems. However, when examined, most fall over just as easily as their comparable software counterparts. Most contain old versions of OSes (such as Windows 3.1 and NT) and software, with aged, publicly known exploits; they also tend to have easy-to-find security bypasses, cross-site-scripting vulnerabilities, or any other software programming error that might be made in software.

Article source: http://www.infoworld.com/d/security/doomed-default-passwords-180214?source=rss_security

View full post on National Cyber Security

E-mail is insecure by default because it is more like a postcard, not a sealed envelope

View full post on SANS Institute Security Awareness Tip of the Day

View full post on National Cyber Security
