STE WILLIAMS

OS X Mavericks

Apple’s OS X 10.9, better known as Mavericks, is officially out.

The burning question for OS X fans everywhere, of course, is, “Should I or shouldn’t I?”

The positive spin is that the $29 fee Apple has charged for previous OS X “dot releases” has vanished.

Just like the uplift from Windows 8 to Windows 8.1, shifting from Mountain Lion (OS X 10.8) to Mavericks is free.

The negative spin is that since this is a dot release, there might just be more to go wrong than in a point release – just like happened in the uplift from Windows 8 RT to Windows 8.1 RT, which caused trouble for some early adopters.

→ In my vocabulary, a major release would be OS X to OS XI, a dot release something like 10.8.5 to 10.9, and a point release 10.8.4 to 10.8.5.

Will Mavericks go wrong if you install it right away?

Industry veteran and former Naked Security colleague Graham Cluley, for example, is dead keen on staying away – so much so that he’s even retweeted himself (I didn’t know you were allowed to do that) to tell us so.

Graham still seems to think it needs beta testing.

Digital lifestyle site Lifehacker also warns you to stay clear, saying without giving data that Mavericks “suffers from a speed decrease” (you or I would probably just have written that it was slower), and calling it “imperfect.”

Mind you, the site also says, with doubly ironic orotundity, that “you should have no trouble work under the new OS without trouble.”

I’d love to tell you that Graham is just being a scaredy-cat and Lifehacker merely stirring, but I can’t – and not for want of trying.

It’s just that at 5.29GB, over a mobile network, I’m still waiting for the Mavericks installer to download itself.

There is one thing that neither Graham nor Lifehacker took into account, however, and that’s the fact that Mavericks (the first OS X release not named after a type of cat) is a security upgrade, too.

OS X 10.9 as a security update

In fact, the list of security fixes is, to me, the most interesting part of 10.9.

If you’re looking for Remote Code Execution vulnerabilities, or RCEs, you won’t be disappointed – you’ll find several.

There’s a fix for dealing with “a format string vulnerability [that] existed in Screen Sharing Server’s handling of the VNC username.” (CVE-​2013-​5188.)

There’s a patch for curl, the web download utility, apparently sorting out multiple vulnerabilities including some that could lead to RCE. (CVE-​2013-​0249 and CVE-​2013-​1944.)

And there’s even a fix for an RCE hole in the kernel itself, caused by incorrect bounds checking, which implies that there was an exploitable buffer overflow. (CVE-​2013-​3954.)

But there are other important operational fixes, notably for security features that gave a false sense of security, because even when turned on, they didn’t always work.

Here are some examples:

  • The OS X application firewall had a bug so that applications to which you thought you’d blocked network traffic might nevertheless receive it.
  • Apple’s application sandbox could be bypassed by software that it was supposed to have locked down.
  • Safari’s Reset function didn’t always clear your session cookies, which could leave you logged in to sites you wouldn’t expect.
  • The display’s lock screen didn’t always stop window contents from appearing on top of it.
  • The lock screen sometimes didn’t activate after the interval you had chosen.
  • You could sometimes return from hibernation mode without needing a password.
  • Random numbers weren’t always random. (Or, to quote Apple’s own delightful oxymoron, “under unusual circumstances, some random numbers may be predictable.”)
  • The Mail app would sometimes detect that secure password exchange was possible when configuring a connection, but then fail to use it.
  • The “Require an administrator password to access system preferences with lock icons” setting wasn’t always honoured.

Mavericks also includes a brand new release of Safari, version 7, that includes a raft of security fixes published to pre-Mavericks users as Safari 6.1.

In short, it sounds to me as though Mavericks is probably an update you do want to get, though I can’t put my hand on my heart yet and say, “She’ll be right.”

I’m still waiting for that 5.29GB to turn up.

While that’s happening, I’m sorting out my backups – always a good idea anyway – and installing the 50MB Safari 6.1 update on my Mountain Lion system.

And, I hasten to add, I’m getting ready to make a copy of the Install OS X Mavericks.app package out of the /Applications folder as soon as the download finishes, so I never need to download it again.

If you’re an Apple fan, where do you sit on Mavericks?

Keen on new features, and willing to wait for 10.9.1?

Or keen on security and ready to update right away?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/cuz_XleY5MM/

Apple’s iCloud iConundrum

Information security has become such a booming business that it seems there is a conference somewhere in the world every single week.

Back in the day we saw big hackerish announcements twice a year, during Black Hat and the Chaos Communication Congress. Now it is happening everywhere, all the time.

Last week at the Hack in The Box conference in Malaysia, researcher Vladimir Katalov made some rather bold claims about the security of Apple’s iCloud backups and iCloud document storage.

It must first be noted that more than six months after launch, Apple has still only introduced two-factor authentication in a handful of countries. I was not able to test all of these claims as it is not yet available in Canada.

In his talk, “Cracking and Analyzing Apple’s iCloud Protocols”, Katalov showed how Apple’s optional two-factor authentication is selective in its application, even where it is available.

First, two-factor is optional. This is true for most services, but I would like to see someone begin making it mandatory.


Passwords are just too vulnerable and unfortunately two-factor has become the bare minimum for cloud services if you don’t want others accessing your information.

Second, but more importantly, Apple’s two-factor authentication only applies to three specific applications of your Apple ID:

  • Making a purchase in iTunes/App Store.
  • Managing or changing your Apple ID.
  • Working with Apple’s technical support team.

Notice how it is inclusive, rather than exclusive. These are the only things protected and nothing else is guaranteed or indeed, included.

What Katalov discovered is that iCloud backups and iCloud documents are not protected by the two-factor system and that they are stored on Microsoft Azure and Amazon AWS cloud services.

Additionally, while the files are stored encrypted, the encryption keys are stored with the files, rendering the encryption largely worthless. It also means that Apple can disclose the contents of iCloud stored files on request of law enforcement and governments if they are required to.

Katalov demonstrated that by simply acquiring the Apple ID and password of another user, whether they have enabled two-factor authentication or not, he can download their iPhone/iPad/iPod backups and documents from iCloud and see their pictures, music, emails, contacts, documents, presentations, spreadsheets or anything else without the victim being alerted.

Most users likely assume that by enabling two-factor authentication they are protecting their iCloud data from being stolen if their password is guessed, if they get infected with a keylogger or if they are phished. That is true for making an App Store purchase, but all bets are off for iCloud.

Furthermore, iPhone backups can be restored to any device with just the password. If I am able to acquire your Apple ID, I can download everything on your phone to mine. You will get a warning email after the fact, but arguably that is too little too late.

Katalov’s research shows that Apple has only half implemented their two-factor technology and has chosen convenience over actual security. Hopefully his shining a light on the problem will prompt some action from Apple to close these holes.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CHpSapkBuyI/

You. Netgear ReadyNAS owners. Have you closed your gaping holes today?


IT security biz Tripwire warns that a critical security vulnerability in some Netgear storage devices is going unnoticed by users, partly because the vendor has downplayed its importance.

Writing on his company blog, Tripwire researcher Craig Young says although Netgear issued a patch for its RAIDiator firmware in July to squash the serious bug, a Shodan scan of internet-connected devices suggests that “the bulk of [Netgear] ReadyNAS deployments have not yet installed the update.”


Out of a scan of 2,000 ReadyNAS installations, Young says 73 per cent have failed to install the relevant patch. He told Threatpost: “There’s a lot of room for people to get burned on this,” since it would be easy for hackers to reverse-engineer the patch to discover the ins and outs of the programming blunder and exploit it.

The problem is, since Netgear didn’t highlight the security implications of its 4.1.12 and 4.2.24 firmware releases, users have stuck with version 4.2.23. This, Young said, includes a serious flaw in the Frontview HTTPS web-management interface.

This vulnerability allows an attacker to execute malicious software without authentication, he said: “An unauthenticated HTTP request can inject arbitrary Perl code to run on the server. Naturally, this includes the ability to execute commands on the ReadyNAS embedded Linux in the context of the Apache web server.”

Since Frontview is the main interface, it can’t be disabled, and Young added that an attacker can leap from Frontview to another Netgear utility, RAIDar, to identify all other ReadyNAS devices connected to the same network.

“If you are running ReadyNAS and you have not already updated, it is imperative that you do so ASAP, especially if your ReadyNAS web interface is one of the thousands that are directly accessible from the public internet”, Young wrote.

The Netgear 4.2.24 patch is available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/23/netgear_users_missing_old_patch_tripwire/

Call yourself a ‘hacker’, lose your 4th Amendment right against seizures


A US district court has ruled that anyone calling themselves a “hacker” loses their Fourth Amendment protections against unreasonable searches and property seizures.

The court in Idaho decided that a software developer’s computer could be seized without him being notified primarily because his website stated: “We like hacking things and don’t want to stop.”


The ruling [PDF] came down in a case brought by Battelle Energy Alliance against ex-employee Corey Thuen and his company Southfork Security.

Thuen, while working for Battelle, helped develop an application today known as Sophia, which fires off alerts if it detects industrial control equipment coming under electronic attack. Battelle – which was tasked with beefing up the computer security of US electricity plants, energy sources and other critical sites – wanted to license this technology, but Thuen hoped to open source the code, according to the plaintiffs.

Sophia, which had been in development since 2009, underwent testing in 2012 and attracted the attention of power companies.

Thuen left Battelle before setting up Southfork Security. According to Battelle, Southfork Security competed against other firms to license Sophia from Battelle before withdrawing in April 2013, a month before an outfit called NexDefense was awarded the right to negotiate an exclusive commercial licence.

Around the same time, in May 2013, Southfork Security began marketing a “situational awareness” program called Visdom that Battelle alleges is a knockoff of Sophia.

Battelle Energy Alliance sued Thuen, claiming that Visdom was based on stolen code, and accused Southfork and Thuen of copyright infringement, trade secret misappropriation and breach of contract, among other allegations, according to legal filings seen by The Register.

What elevates the case from a run-of-the-mill intellectual property dispute is that Battelle persuaded the court to allow it to seize Thuen’s computer to copy its files. The district court ruled that the programmer has the skills, as a “hacker”, to release the contested code publicly, and destroy any evidence, if he knew a seizure was imminent:

The court has struggled over the issue of allowing the copying of the hard drive. This is a serious invasion of privacy and is certainly not a standard remedy… The tipping point for the court comes from evidence that the defendants – in their own words – are hackers. By labeling themselves this way, they have essentially announced that they have the necessary computer skills and intent to simultaneously release the code publicly and conceal their role in that act. And concealment likely involves the destruction of evidence on the hard drive of Thuen’s computer. For these reasons, the court finds this is one of the very rare cases that justifies seizure and copying of the hard drive.

The plaintiff also obtained a temporary restraining order against Thuen and Southfork Security without a prior notice primarily because, again, the Southfork website declared “we like hacking things and we don’t want to stop”.

This statement was used to prop up the claimants’ argument that Thuen and Southfork “have the technical ability to wipe out a hard drive [and] will do precisely that when faced with allegations of wrongdoing”. That would seem to fall short of the usual legal test for granting a restraining order, that the defendants have “a history of disposing of evidence or violating court orders”, but the district court granted the restraining order nonetheless.

Battelle’s lawyers also raised national security concerns by arguing that releasing the Sophia utility as open-source code would hand strategic and vital information to wannabe power-plant hackers. Thuen and Southfork were not given the opportunity to appear before the court and contest this argument before the seizures were carried out and the restraining order on the business imposed.

A good overview of the whole contentious case so far can be found in a blog post by control system security consultancy Digital Bond. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/23/hacker_loses_4th_amendment_rights_case/

Malicious Mobile Tracking Made Easy

Exploits and hacking tools in the mobile space will get ample airtime at next month’s first Black Hat Regional Summit in Brazil. Among the presenters: a researcher who developed an affordable, distributed mobile tracking network that could take advantage of weaknesses in the way mobile devices probe for Wi-Fi signals to keep tabs on users’ physical and digital movements and intercept data from their devices.

Unlike other similar systems of the past, this one didn’t depend on bulky laptops or large antennae, says the speaker, Daniel Cuthbert, COO of SensePost.

“We thought, could we build a framework that moved to more of a distributed, smaller sneaky surveillance-style approach?” he says. “We did it by making a couple of prototypes — our first was a Nokia N900 phone.”

The first prototype gave Cuthbert all of the capabilities he needed to run the surveillance project he calls Snoopy: It was a Linux-based device with an IEEE 802.11 adapter supporting packet injection and general Internet connectivity. And it was small enough to be spread around public places without attracting attention. The idea was to create a “dumb drone” out of the device so that it would take data collected from victim devices and push it to a central server using a VPN.


“So even if we lost a drone or it got stolen, it didn’t matter — without the data on the drone it was useless,” Cuthbert says.

Using a very old weakness, found back in 2005, that lets an observer see the probe requests devices send out when looking for Wi-Fi networks they had previously connected to, the drones could pick up the probe signals constantly broadcast by devices and start to collect MAC addresses and other information that would make it possible to develop profiles of the users who own those devices. For example, by placing a number of drones in popular London Underground stations, Cuthbert was able to collect enough information to start physically tracking the whereabouts of users as they passed through the stations — tracking when they went to work and came home, and even where they lived.

“We listened out for all the probe requests, connected to them, and then used a Wi-Fi war-driving service like Wigle to see if we could do a profile on that user. If you did it over a period of two or three days, you could figure out where their home was, where their work was, and where some of the common places they’d go with their phone,” he says. The drones assume Wi-Fi was turned on, the phone was connected to Wi-Fi at home, and that the home address had been mapped by a Wigle volunteer, he added.

Taking things a step further, the drones could also be set up to impersonate a Wi-Fi access point already predefined in victims’ phones, so that when the probe request is made, a connection is automatically made to the malicious drone. This was done at Black Hat Las Vegas, a place where the majority of the crowd ostensibly should know better than to walk around with Wi-Fi turned on. And yet Cuthbert was able to use it effectively; once the devices were connected, it was possible for the drones to collect information about push notifications, email, social media, and more.

Whether it was physical or Internet traffic data, the Snoopy project was able to dive into it using Maltego to examine patterns for detailed analysis about the user’s behavior and habits online and in the real world.

According to Cuthbert, while many other projects have performed similar tasks in the past, Snoopy’s comprehensive approach should raise eyebrows about how much we trust a device that could become such an effective surveillance tool for those around us.

“I think the key thing that we got out of this was how trusting people were of their devices,” he says. “There’s a hell of a lot on your phone at the moment, and generally speaking you’re logged into a whole lot of services.”

He also says that a project such as Snoopy makes it possible to commit mass attacks against phones and, for example, to build a mobile botnet quite easily.

“Imagine you wanted to build a botnet of mobile phones — we would go to a large area, we’d set up a fake AP that listened out for common APs that people connected to, and the nice thing is if you then wanted to drop malicious ads into all the HTML streams, or if you just wanted to run Metasploit, you can do that because everything is controlled from a central server,” he says. “So, whereas before [when] you wanted to attack a phone you had to do a man-in-the-middle on that phone, and it is a very manual process, here it’s very easy to attack a lot of phones at once.”


Article source: http://www.darkreading.com/attacks-breaches/malicious-mobile-tracking-made-easy/240163042

Catching Mobile Malware In The Corporate Network

To developers, advertising frameworks may just be another way to make money from their free application, but in at least one case–dubbed “Vulna” by security firm FireEye–the library has functionality that allows attackers to steal private data from a targeted phone and opens up vulnerabilities that could be exploited by hackers.

The library, which FireEye has declined to name until its developer fixes the problems, underscores the dangers that mobile users and their companies will increasingly face. As smartphones and tablets become an essential part of information workers’ toolsets, cybercriminals and digital spies have targeted the mobile devices to gain access to business data. Careful users who download mobile apps from well-vetted app stores are unlikely to encounter malware, but times are quickly changing and targeted attackers will focus more heavily on mobile devices, says Manish Gupta, senior vice president of products for FireEye.

“Fundamentally, we believe that hackers have no restrictions on what they use for an infection vector–they use what works, so mobile will be an increasing vector of choice,” he says.

While malware has not become as pressing a threat on mobile devices as on personal computers, Vulna is not the only mobile vector that FireEye has found inside business networks. In another case, the company found a mobile application designed to access a device’s calendar and turn on the phone’s microphone during meetings, Gupta says.

To be ready for the inevitability of mobile malware, companies need to put limitations on their users, says Chet Wisniewski, senior security advisor for software-security firm Sophos.

“When you allow those mobile devices to connect in, be very specific about what you are allowing them access to, don’t just throw them on the LAN with all your laptops and desktops,” he says. “We have too much of a habit in our LANs to allow devices, once they are in, to access everything.”

In addition, businesses should use mobile device management (MDM) software to limit users to only download apps from the major app stores. While the app stores, especially Google Play, have hosted malicious apps, Google, Apple and others do a good job of taking down any malicious apps, once they are found, Wisniewski says.


Companies should not stop at mobile device management either, says Patrick Foxhoven, the chief technology officer of cloud-security firm Zscaler.

“If you want visibility into what apps are on the devices and what communications are coming from the devices, and you don’t want to manage the device, then you need to do security through the network,” he says.

Zscaler, which uses its security-proxy approach to detect malicious traffic, allows companies to avoid the sticky questions of trying to manage an employee-owned device and instead allows the business to focus on the part of the infrastructure that belongs to them: The network and the data.

Yet, attackers can use encryption to get around such network-based defenses, says FireEye’s Gupta. The company’s virtual machine allows companies to analyze potentially malicious files and programs to catch malware. Rather than try to catch the attacks on the networks, FireEye–which announced a new service aimed at mobile devices–waits for the program to take a suspicious action. Companies need to find the threats, and that requires analyzing the applications that employees are downloading to their devices, he says.

In another malicious mobile app, for example, the user has to reach level 17 in a game before the malicious payload executes, says Gupta.

“You have to play the game,” he says. “A static-analysis environment would not detect it, and if you are in dynamic-analysis mode, you would have to get it to execute the entire execution space.”

Whichever approach a company decides to take, they should consider the question of mobile malware soon, he argues. While mobile attacks are just starting to take off, attackers will increasingly investigate the possibilities, and companies need to be prepared.


Article source: http://www.darkreading.com/mobile/catching-mobile-malware-in-the-corporate/240163044

Apple releases iOS 7.0.3 – fixes yet more lockscreen holes, including a call-anybody bug

Soon after iOS 7 came out, a pair of holes in the lockscreen were outed and then quickly fixed in iOS 7.0.2.

It turns out that Apple didn’t fix future problems of this sort proactively, because the just-announced iOS 7.0.3 closes three more locked-phone holes.

The three bugs this time deal with similar problems to those patched in 7.0.2:

  • Another flaw in the emergency call feature, where hitting the call button at a carefully-planned moment lets you call any number, not just 911 or your local equivalent.
  • A passcode lockout bypass, so that crackers can continue trying passcodes even after the phone decides they’ve had too many goes and locks them out.
  • Access to the Contacts pane even when the phone is locked.

Interestingly, the bug fix for the emergency call problem is described as follows:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped while a notification was being swiped and while the camera pane was partly visible. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

If you are experiencing déjà vu, you should be, because you’ve seen this before, in the iOS 7.0.2 security notes:

A NULL dereference existed in the lock screen which would cause it to restart if the emergency call button was tapped repeatedly. While the lock screen was restarting, the call dialer could not get the lock screen state and assumed the device was unlocked, and so allowed non-emergency numbers to be dialed. This issue was addressed by avoiding the NULL dereference.

As we explained last time, NULL pointers (references to memory addresses) can’t be dereferenced – that makes no programmatic sense, since a NULL pointer is, as a matter of definition, one that doesn’t point anywhere.

When a program tries to dereference NULL, it’s almost impossible to determine what the programmer intended – who knows what memory location was supposed to be used instead? – so the operating system has little choice but to terminate it.

→ A NULL pointer usually means an uninitialised variable, or a memory allocation error, denoted with the special value NULL, that has been ignored. In the former case, you’re trying to use memory without even trying to allocate it first; in the second, you’re trying to use memory that you requested but never actually received.

So, correcting the NULL dereference wasn’t the wrong thing for Apple to do, but it clearly wasn’t enough to deal generically with this sort of lockscreen flaw.

When iOS 7.0.2 came out, we offered the following observations:

  • You can argue that Apple should make other software wait while the lockscreen is restarting, because of the key security function it performs.
  • You can argue that Apple should code things to fail closed: if the lockscreen software doesn’t know or can’t tell you whether the phone is locked or unlocked, treat it as locked, for security’s sake.

Of course, that’s easier said than done, because mobile phone regulators pretty much mandate some sort of bypass mechanism in a phone’s lockscreen.

That’s so emergency calls can be made any time the phone is powered up and in contact with the network. (You can even make 911 calls without a SIM card, for example).

That makes it hard to implement a lock screen “in reverse” – in other words, so that the phone is only unlocked when the lockscreen software is running, not the other way around – and it probably explains Apple’s reluctance to make big changes in the way the lock screen works for what is just a point release of iOS.
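As an added illustration (my own sketch, not Apple’s code or anything from the iOS security notes), here is a small C model of the dialer/lock screen interaction described above, showing both the fail-open assumption the notes describe and the fail-closed alternative with the emergency-call bypass kept in place. The type and function names, and the emergency number list, are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (an assumption for this example, not Apple's code) of the
 * interaction the security notes describe: the dialer asks the lock screen for
 * its state, and that query fails while the lock screen is restarting. A NULL
 * lockscreen pointer stands in for "lock screen not running / restarting". */
typedef enum { LOCK_LOCKED, LOCK_UNLOCKED } lock_state;
typedef struct { lock_state state; } lockscreen;

/* Constructed sample of numbers that must always be dialable (regulatory bypass). */
static const char *const EMERGENCY_NUMBERS[] = { "911", "112", "999" };

static bool is_emergency_number(const char *number) {
    size_t n = sizeof EMERGENCY_NUMBERS / sizeof EMERGENCY_NUMBERS[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(number, EMERGENCY_NUMBERS[i]) == 0) return true;
    return false;
}

/* Query the lock state. Returns false when the state cannot be determined
 * (lock screen restarting) instead of dereferencing the NULL pointer. */
static bool query_lock_state(const lockscreen *ls, lock_state *out) {
    if (ls == NULL) return false;
    *out = ls->state;
    return true;
}

/* Fail-open policy, as the notes describe: an unknown state is assumed to be
 * "unlocked", so any number can be dialed while the lock screen restarts. */
bool may_dial_fail_open(const lockscreen *ls, const char *number) {
    lock_state state;
    if (is_emergency_number(number)) return true;
    if (!query_lock_state(ls, &state)) return true;   /* unknown -> unlocked (the flaw) */
    return state == LOCK_UNLOCKED;
}

/* Fail-closed policy: an unknown state is treated as "locked". Only the
 * emergency numbers remain dialable while the lock screen is unavailable. */
bool may_dial_fail_closed(const lockscreen *ls, const char *number) {
    lock_state state;
    if (is_emergency_number(number)) return true;      /* mandated bypass */
    if (!query_lock_state(ls, &state)) return false;  /* unknown -> locked */
    return state == LOCK_UNLOCKED;
}

int main(void) {
    const lockscreen locked = { LOCK_LOCKED }, unlocked = { LOCK_UNLOCKED };
    const lockscreen *cases[] = { &locked, &unlocked, NULL };
    const char *labels[] = { "locked", "unlocked", "restarting (NULL)" };
    const char *numbers[] = { "911", "5551234" };
    for (size_t c = 0; c < 3; c++)
        for (size_t n = 0; n < 2; n++)
            printf("%-18s %-8s fail-open=%d fail-closed=%d\n", labels[c], numbers[n],
                   may_dial_fail_open(cases[c], numbers[n]),
                   may_dial_fail_closed(cases[c], numbers[n]));
    return 0;
}
```

The only row where the two policies differ is the "restarting" case with a non-emergency number, which is exactly the window the 7.0.2 and 7.0.3 bugs exploited.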

The flip side of that, if it’s true, is that iOS 7.0.3 ought to be uncontroversial, due to making only modest code changes inside the operating system.

In other words, if you are keen on security, you may as well make sure you grab this update as soon as you can, if your phone hasn’t done it for you already.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jomQBT9qgyc/

Security begins at home – how to do a “back to basics” security overhaul on your family network

My last post about two-factor authentication (2FA) got me thinking about another post for National Cyber Security Awareness Month (NCSAM).

While the last one dealt mostly with the ‘S’ in NCSAM, this one will also bring in a good measure of ‘A’.

My wife recently went back to work after spending a considerable amount of time away to look after our children.

With her work and home IT needs now converging on our family network, this got me thinking about security in a whole new way.

For over a decade now I’ve been responsible for maintaining security resources and advising Sophos customers and partners about security best practices.

I also do a fair bit of public speaking for Sophos on emerging threats and protection strategies and am always in contact with IT professionals and end users.

What I haven’t done so well is make sure that those closest to me get the same benefit from my experience.

While I practice what I preach, it occurred to me that my family doesn’t get the equivalent level of attention.

The old adage about the cobbler’s kids came surging to mind.

So here’s a checklist of what I did.

Getting started

The first step was to get a laptop and configure it with all the necessary tools.

My wife works for a company that provides online services and is fortunate to work from home most of the time.

It also means that she spends a considerable amount of time online and handling potentially sensitive information.

The company is a small start-up, so she is mostly on her own when it comes to providing and securing these tools.

The basics

Since she is comfortable with computers, but by no means an expert, I went with the sensible option of Windows 7 Ultimate with Microsoft Office and Chrome.

→ This isn’t an endorsement for the security, usability or performance of Chrome over any other browser. It was simply the browser she was most accustomed to and I didn’t want to change too many things all at once.

This combination makes my job much easier when it comes to off-the-shelf hardware, general availability of tools, patching and compatibility of software.

And of course, I also made sure that the laptop was running up-to-date anti-virus software.

Encryption

With all the software installed, it was time to think about disk encryption.

I chose BitLocker because it gives me full disk encryption built into the operating system.

(Linux and Mac users have similar built-in options in the form of cryptsetup and FileVault2.)

If you plan on having any sensitive information on a portable device, I highly recommend that you encrypt it.

File storage and sharing

Next we looked at ways to securely share and store files in the cloud.

I’ve been using ownCloud for some time so I created an account on my server for my wife.

The benefit of ownCloud is that it allows me to control how and where the files are stored.

It also serves as a handy way to back up her files automatically by using the sync client, and works equally well on a smartphone.

If you prefer to use some of the available free cloud services for file storage and portability, make sure you understand how it’s all secured and consider adding your own layer of encryption as well.

Awareness

Then came the end-user training.

This is where we talked about the benefits of complex passwords and using different passwords for every site you interact with.


Like many users, my wife at first balked at the concept of different (and complex) passwords for every site.

However, she’s been using a password manager, in her case, LastPass, for some time, so choosing new and secure passwords was easy.

The password manager also made adding two-factor authentication relatively painless.

Securing the network

Let’s not forget about the network.

At home, we use the free Sophos UTM Home Edition which looks after our firewall needs as well as providing web and email filtering, intrusion prevention and a VPN (virtual private network) for secure remote access.

Wi-Fi

Since we’re talking networks, I should mention that our home wireless network is also set up with security in mind.

I have nearly 20 devices that require connectivity, and although I still use wired Ethernet for some devices, for others, Wi-Fi is my only choice.

With that in mind I selected WPA2 Personal for my security mode with a 20 character passphrase.

Sure, it’s long and complex, but I only had to enter it once on each device – the devices are good at remembering it so I don’t have to.

Smartphone protection

I also encrypted my wife’s smartphone, and ensured she had better than a four-digit passcode to unlock it.

After all, she receives work and personal email on this device.

While I was at it, I installed the Google Authenticator app so we could add two-factor authentication to all of her social media sites – especially Facebook and Twitter, which she uses both for work and for play.
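Since the article leans on Google Authenticator without saying what the app actually computes, here is an added, stand-alone example (not code from the article, Google or LastPass) of the TOTP algorithm from RFC 6238 that such apps and the sites verifying them both run: the shared secret is HMAC'd with the current 30-second time step, the result is truncated to six digits, and the verifier allows one step of clock drift and compares in constant time. The secret in the block is the RFC 6238 test secret, not a real credential, and the `verify_totp` helper and its drift window are this example's own choices, not something the article describes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added illustration of what an authenticator app computes (RFC 6238 TOTP
# built on RFC 4226 HOTP). RFC_TEST_SECRET is the published test secret from
# RFC 6238, used only so the values below can be checked against the RFC.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, for_time // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Apps are provisioned with a base32 secret; tolerate spaces and missing padding."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def verify_totp(secret: bytes, candidate: str, now: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours.

    Each comparison is constant-time so a wrong code does not leak how many
    leading digits matched. Replay prevention (never accepting the same code
    twice inside the window) is left to the caller's session store.
    """
    if len(candidate) != 6 or not candidate.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # What the phone shows right now for the RFC test secret.
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
    # The RFC's own vector: T=59 with 8 digits yields 94287082.
    print("RFC vector T=59:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The verifier's drift window is what lets a phone whose clock is half a minute off still log in; widening it beyond a step or two weakens the second factor, since every extra step is another code that will be accepted.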

Was it worth the trouble?

This was an interesting exercise, and well worth the time I spent on it.

My wife will undoubtedly be safer and more secure online; her employer’s data will be safer, too, thus spreading the benefits well beyond our own network.

It also provided me with a good checklist to go out and evaluate the security posture of my friends and family.

After all, if I’m going to provide them with technical support, I might as well make sure they’re standing on a good foundation.

Now, time to go explain elliptic curve cryptography to the kids!


Image of Wi-fi antenna thingy courtesy of Shutterstock.

Note: This article originally stated that Mrs. Shier was using Windows 7 Professional; that has been corrected to Windows 7 Ultimate edition.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/42G97tFQKV0/

Young drivers are especially vulnerable to ‘ghost brokers’

Ever since I first passed my driving test I realised how expensive motoring could be. Just buying a car and filling the tank with petrol took my entire childhood savings. Thankfully the yearly road tax and insurance costs weren’t too high.

Now though, as my own kids approach the age of theory tests and driving tuition, the costs have rocketed up.

The largest expense these days appears to be insurance. Just the other day I was looking at quotes with my eldest and we discovered that the most basic third party cover he could obtain would cost him six times the value of the car he was thinking of buying.

It’s no wonder then that the vast majority of motorists will invest at least some time into acquiring the best value policy they can find.

In many ways, the advent of the internet has helped in this regard – comparison sites have sprung up, offering a multitude of insurance policies presented in a format that allows the cheapest deal to be quickly identified.

Likewise, social media posts and traditional classified adverts can also offer tempting deals for those who need cover.

Unfortunately, however, some youngsters have found that things are not always as they seem with such offers.

As the cost of car insurance rises against a backdrop of youth unemployment and stagnating wages, many young drivers have been tempted to pay large up front fees for policies which are significantly cheaper than other quotes they have been given.

Of course there is an adage that they should have considered before parting with their money – “if something sounds too good to be true… it probably is” – and that is very much the case with a form of car insurance fraud known as “ghost broking.”

The UK’s police insurance fraud unit has said that they are seeing an increasing number of such scams that particularly target younger drivers whose annual premiums are guaranteed to be on the large side and therefore will make the most profit for the criminals.

Offering significant savings, the ghost policies are actually worthless and could leave the purchaser open to six penalty points on their driving license for driving without insurance.

Additionally, should a driver who wrongly believes they are insured be unfortunate enough to be involved in an accident, they would quickly discover that any claims for vehicle damage or personal injury would have to come out of their own pockets.

The victims of ghost broking rarely know that their insurance policies are not valid, only discovering the truth after an accident or when stopped by the police.

Talking to BBC Newsbeat, one victim, Peter Townsend, said:

I went online. I was just having a browse about and a website came up where you fill in a form and they call you back.

This company called me back with quite a good quote, just short of £1,600, where the others were about £2,000.

After making an initial payment of £750 the 19-year-old felt he had got himself such a good deal that he decided to return to the same website a month later to obtain a quote for his sister.

Instead of the page he was expecting to see, he saw a blog warning that the original site was a scam. He rang the DVLA (Driver and Vehicle Licensing Agency) who told him that the insurance policy he had purchased was bogus and that he was in fact driving around uninsured.

Estimates suggest that over 20,000 drivers in the UK may be blissfully unaware that their current insurance cover is worthless, though with most victims of ghost broking being unaware that they have been conned it’s hard to get an accurate number for how many such policies may have been sold.

Earlier this month, 27 people were arrested in stings across the UK, suspected of being involved in ghost broking.

DCI Dave Wood, head of the Insurance Fraud Enforcement Department (IFED), said at the time:

The consequences for innocent motorists who fall victims to ghost brokers can be dire, so it is absolutely vital that drivers shopping for car insurance online, or through other means, question what they are being offered to ensure they get a real deal.

While it is understandable that young drivers will wish to save as much money as possible, especially on such expensive and necessary insurance cover, this is one area where it is vital not to get ripped off – the financial and legal consequences are far too severe to risk it.

If you are looking to take out a new insurance policy then make sure you do your homework and only buy from a reputable company.

If buying through the web please ensure that you proceed with caution. Only buy a policy from a company’s official site and do not be tempted by deals that look too good to be true. There is every chance that they are.


Image of young driver courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/LfDKIuo_hjI/

OS X Mavericks – optional OS upgrade or critical security fix?

Apple’s OS X 10.9, better known as Mavericks, is officially out.

The burning question for OS X fans everywhere, of course, is, “Should I or shouldn’t I?”

The positive spin is that the $29 fee Apple has charged for previous OS X “dot releases” has vanished.

Just like the uplift from Windows 8 to Windows 8.1, shifting from Mountain Lion (OS X 10.8) to Mavericks is free.

The negative spin is that since this is a dot release, there might just be more to go wrong than in a point release – just like happened in the uplift from Windows 8 RT to Windows 8.1 RT, which caused trouble for some early adopters.

→ In my vocabulary, a major release would be OS X to OS XI, a dot release something like 10.8.5 to 10.9, and a point release 10.8.4 to 10.8.5.

Will Mavericks go wrong if you install it right away?

Industry veteran and former Naked Security colleague Graham Cluley, for example, is dead keen on staying away – so much so that he’s even retweeted himself (I didn’t know you were allowed to do that) to tell us so.

Graham still seems to think it needs beta testing.

Digital lifestyle site Lifehacker also warns you to stay clear, saying without giving data that Mavericks “suffers from a speed decrease” (you or I would probably just have written that it was slower), and calling it “imperfect.”

Mind you, the site also says, with doubly ironic orotundity, that “you should have no trouble work under the new OS without trouble.”

I’d love to tell you that Graham is just being a scaredy-cat and Lifehacker merely stirring, but I can’t – and not for want of trying.

It’s just that at 5.29GB, over a mobile network, I’m still waiting for the Mavericks installer to download itself.

There is one thing that neither Graham nor Lifehacker took into account, however, and that’s the fact that Mavericks (the first OS X release not named after a type of cat) is a security upgrade, too.

OS X 10.9 as a security update

In fact, the list of security fixes is, to me, the most interesting part of 10.9.

If you’re looking for Remote Code Execution vulnerabilities, or RCEs, you won’t be disappointed – you’ll find several.

There’s a fix for dealing with “a format string vulnerability [that] existed in Screen Sharing Server’s handling of the VNC username.” (CVE-2013-5188.)

There’s a patch for curl, the web download utility, apparently sorting out multiple vulnerabilities including some that could lead to RCE. (CVE-2013-0249 and CVE-2013-1944.)

And there’s even a fix for an RCE hole in the kernel itself, caused by incorrect bounds checking, which implies that there was an exploitable buffer overflow. (CVE-2013-3954.)
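To make the two bug classes just named concrete, here is an added illustration in C that is not Apple's code and does not reproduce the Screen Sharing or kernel flaws: a format-string bug of the kind described for the VNC username handling, shown beside its fixed form, and a length-prefixed field copy whose off-by-one bounds check (a hypothetical `>` where `>=` was needed) is corrected. The message layout, the `LOG_LINE_MAX` size and all function names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Apple's code: the two bug classes named in the
 * Mavericks fixes (a format-string flaw in handling a client-supplied
 * username, and a missing bounds check), each beside its hardened form. */

#define LOG_LINE_MAX 64   /* assumed log line size for this example */

/* VULNERABLE pattern, kept in a comment so it is never compiled or run:
 *
 *     int log_username(char *out, size_t outlen, const char *username)
 *     {
 *         return snprintf(out, outlen, username);   // username IS the format
 *     }
 *
 * Any '%' directive inside the attacker-controlled username is interpreted
 * by snprintf, which then reads memory it was never meant to touch (and with
 * %n can write to it), which is how such a bug becomes an RCE. */

/* HARDENED: the format string is a constant; the username is only data. */
int log_username(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, "VNC login attempt from user \"%s\"", username);
}

/* Defence in depth: a username that has no business containing '%' or
 * control characters, or that exceeds maxlen, is rejected before it reaches
 * any logging or display path. */
bool username_is_clean(const char *username, size_t maxlen)
{
    size_t i;
    for (i = 0; username[i] != '\0'; i++) {
        unsigned char c = (unsigned char)username[i];
        if (i >= maxlen || c == '%' || c < 0x20 || c == 0x7F)
            return false;
    }
    return true;
}

/* Copies a length-prefixed name field out of a protocol message (constructed
 * layout: one length byte followed by that many bytes) into a fixed buffer.
 * The hypothetical vulnerable version compared with '>' instead of '>=', so
 * a name exactly dstlen bytes long wrote its terminator one byte past the
 * buffer. Both the claimed length and the destination size are checked. */
bool copy_name_field(char *dst, size_t dstlen,
                     const unsigned char *msg, size_t msglen)
{
    if (msglen < 1 || dstlen == 0)
        return false;
    size_t n = msg[0];
    if (n > msglen - 1)       /* field claims more bytes than the message holds */
        return false;
    if (n >= dstlen)          /* leave room for the terminator (the bug was '>') */
        return false;
    memcpy(dst, msg + 1, n);
    dst[n] = '\0';
    return true;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    const char *hostile = "%n%n%s";          /* constructed hostile username */
    log_username(line, sizeof line, hostile);
    printf("%s\n", line);                    /* directives appear literally */
    printf("clean? %d\n", username_is_clean(hostile, 32));

    unsigned char msg[] = { 5, 'a', 'l', 'i', 'c', 'e' };   /* constructed message */
    char name[8];
    bool ok = copy_name_field(name, sizeof name, msg, sizeof msg);
    printf("copied? %d -> %s\n", ok, ok ? name : "(rejected)");
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` flags the commented-out pattern wherever it survives in real code, which is the cheapest check a build can add for this bug class.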

But there are other important operational fixes, notably for security features that gave a false sense of security, because even when turned on, they didn’t always work.

Here are some examples:

  • The OS X application firewall had a bug so that applications to which you thought you’d blocked network traffic might nevertheless receive it.
  • Apple’s application sandbox could be bypassed by software that it was supposed to have locked down.
  • Safari’s Reset function didn’t always clear your session cookies, which could leave you logged in to sites you wouldn’t expect.
  • The display’s lock screen didn’t always stop window contents from appearing on top of it.
  • The lock screen sometimes didn’t activate after the interval you had chosen.
  • You could sometimes return from hibernation mode without needing a password.
  • Random numbers weren’t always random. (Or, to quote Apple’s own delightful oxymoron, “under unusual circumstances, some random numbers may be predictable.”)
  • The Mail app would sometimes detect that secure password exchange was possible when configuring a connection, but then fail to use it.
  • The “Require an administrator password to access system preferences with lock icons” setting wasn’t always honoured.

Mavericks also includes a brand new release of Safari, version 7, that includes a raft of security fixes published to pre-Mavericks users as Safari 6.1.

In short, it sounds to me as though Mavericks is probably an update you do want to get, though I can’t put my hand on my heart yet and say, “She’ll be right.”

I’m still waiting for that 5.29GB to turn up.

While that’s happening, I’m sorting out my backups – always a good idea anyway – and installing the 50MB Safari 6.1 update on my Mountain Lion system.

And, I hasten to add, I’m getting ready to make a copy of the Install OS X Mavericks.app package out of the /Applications folder as soon as the download finishes, so I never need to download it again.

If you’re an Apple fan, where do you sit on Mavericks?

Keen on new features, and willing to wait for 10.9.1?

Or keen on security and ready to update right away?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AeMIywHJJU8/