Sep
11
Eircom Exposes Its Broadband Customers to Serious Security Risks
Filed Under Computers & Tech, Security on September 11, 2007 | 28 Comments
I had heard complaints from people in the past that Eircom didn’t seem to do the whole security thing properly at all. I guess I just hoped they’d have sorted themselves out by now. They haven’t. I’m not sure if it’s down to incompetence or just not caring about their customers, but in my book there are no valid excuses for leaving your customers exposed. Eircom have chosen to give their customers a wireless router. This makes things a lot simpler for the customer since it means they don’t have to go messing around with cables and such, but it potentially opens them up to significantly higher security risks. In the relationship between an Internet Service Provider (ISP) and a customer, the ISP must be the one on top of security issues. The average broadband customer cannot realistically be expected to be a security expert. Customers can only be expected to follow instructions from their ISP, and they have every right to assume that these instructions will not expose them to serious risks. Having gone through the process of setting up Eircom broadband for my grandfather last weekend, I can tell you they are totally failing to protect their users by instructing their customers to set up their networks in a way that is highly insecure.
[tags]Eircom, Broadband, Ireland, Security, WEP[/tags]
Aug
22
SSH Agent – Simple Yet Secure SSH Keys On OS X
Filed Under Security, Computers & Tech, System Administration on August 22, 2007 | 6 Comments
If, like me, you spend a lot of time using SSH you’ll probably like the idea of being able to log in to servers without a password. If you really want this you can do it by setting up an SSH key pair with an unencrypted private key. This works, it lets you log in to your servers without a password. HOWEVER, it’s a simply disastrous idea from a security point of view. The only reason I don’t do this is because the idea of an unencrypted private key scares the bejeesus out of me. Hence, I still dutifully type my SSH password each time I connect to a server, and each time I check something in to source control. I’ve been keeping an eye out for a simple solution for a while but hadn’t been actively thinking about it for months. That is until I came across Dave Dribin’s blog post Putting the “S” Back Into SSH this morning. Dave rightly points out that there is a solution, ssh-agent; the problem is it’s a command-line tool and by all accounts not the simplest one to use. So, what’s obviously needed is a nice GUI for ssh-agent. Dave initially thought he’d found the solution in the program SSHKeychain. SSHKeychain is more of a proxy for ssh-agent than a GUI for it though, and Dave soon discovered that it has its fair share of problems. So, in the end, I didn’t decide to use SSHKeychain. However, the post inspired me to have another go at finding a solution. Also, the reference to ssh-agent sparked a vague memory in the back of my head of an OS X GUI for something to do with SSH that had the word ‘agent’ in its name.
[tags]SSH, SSH Keys, ssh-agent, OS X, Apple[/tags]
Aug
1
A Glut of Mac Related Updates
Filed Under Computers & Tech, Security on August 1, 2007 | 2 Comments
I’m not really sure what the collective noun for releases is so I’m using glut 🙂 Anyhow, I seem to have done nothing but update stuff in the last 24 hours. First Firefox and Thunderbird from Mozilla, then an Airport patch and an OS X security update from Apple, then a new Mac RDP client from Microsoft, and finally, an updated version of JellyfiSSH. Apart from the last two these are all security updates. I don’t have much I want to say about the security updates but I do just want to mention two important fixes which seem to be included. Firstly, there is a patch for mDNSResponder which should plug the hole supposedly used by the rumoured Mac worm that was never released. Secondly, there are a few patches for SAMBA so it looks like the SAMBA flaws I recently gave off to Apple for not patching promptly have finally been patched. Mind you, the descriptions on the Apple site are none too clear so I’m not really certain these updates really fix either of these holes. Anyhow, the real reason for this post is to have a look at the new RDP client from MS and the update to JellyfiSSH.
[tags]Apple, OS X, Security, JellyfiSSH, Microsoft, RDP[/tags]
Jul
30
Apple’s Complacency Threatens OS X Security
Filed Under Computers & Tech, Security on July 30, 2007 | 14 Comments
I regularly have a go at Microsoft for not patching vulnerabilities quickly enough. The recent shambles with the animated cursor flaw proves that MS still have a long way to go in terms of security. However, they are not alone. Apple have a definite advantage over MS when it comes to security: they have built OS X on top of the very robust and security-conscious FreeBSD distribution of Unix, while MS are building on the shoddy foundation that is DOS and early versions of NT. A lot of current Windows vulnerabilities lie in this very old code, the Animated Cursor flaw being a good recent example. However, Apple are being complacent. They seem to be drinking too much of their own Kool-Aid and are acting as if OS X really is immune from attack. It is of course not immune, and with Apple TV and the iPhone now also running OS X it’s becoming a bigger target every day. When vulnerabilities are reported Apple have to respond promptly; unfortunately, the current SAMBA flaw in OS X proves they are not doing this.
[tags]SAMBA, OS X, Security, Apple[/tags]
May
31
What Happened to Journalistic Standards on the Web?
Filed Under Security, Computers & Tech on May 31, 2007 | 3 Comments
It’s hot news in the Mac world today that Apple have not yet patched Windows File Sharing (Samba) on the very latest OS X. This is unforgivable since they released a security update this week and a fixed version of Samba has been available for weeks now. That was the blog post I wanted to write this evening but before I did I wanted to read the actual Symantec advisory that I see quoted all over the place. Surely, if there was any proper journalism on the web all online articles referencing the advisory should contain a link to it so people can read it themselves? None that I have found do. So, I went to the Symantec site to see if I could find it there. Not a hope. I used Google to try to find the original everyone is quoting. No joy. I don’t feel comfortable reporting on what Symantec supposedly said in an advisory based on second-hand information. Others on the web don’t seem to be as picky as me. Shame really.
[tags]journalism, standards, symantec, usability, Mac World[/tags]
May
13
A Look at the NoScript Firefox Add-on
Filed Under Computers & Tech, Security on May 13, 2007 | 2 Comments
I have been warning of the dangers of JavaScript on the web for quite some time now (see related articles at the bottom of this article). I have also always said it is unrealistic to expect people to turn JS off completely. Hence, my advice has been the same: use Firefox, and use the NoScript add-on. However, I’ve never actually done a proper review of NoScript, until now.
May
11
More DRM Insanity
Filed Under Computers & Tech, Security on May 11, 2007 | 1 Comment
The company Media Rights Technology (MRT) are suing Apple, Microsoft, Real and Adobe under the DMCA (Digital Millennium Copyright Act) because they won’t use their technology. The DMCA makes software designed to circumvent copy protection illegal. It all hinges around MRT’s X1 SeCure Recording Control software which, according to them at least, is effective against the ripping of streaming media. MRT’s court case is based on the fact that these companies have been “actively avoiding the use of MRT’s technologies”. MRT are now claiming that because of this refusal to use their software these companies’ software is designed to facilitate piracy and therefore illegal. This is obviously totally laughable and if the American courts have even an ounce of sense left it will get thrown out of court. However, it is a dangerous case because if it wins it will mean that the DMCA makes DRM compulsory. This is also an interesting attempt to build a monopoly for MRT through legal action. Their business must really be suffering if they have to resort to abusing the DMCA to force companies to use their software. One has to ask what legal standing they have to even bring this case. This has the potential to set some very dangerous precedents. Let’s hope common sense wins out in the American legal system for once.
[tags]DRM[/tags]
Apr
24
Time to Secure Your Browser
Filed Under Computers & Tech, Security on April 24, 2007 | 1 Comment
What started off as a hack of a MacBook Pro at a security conference has now been revealed to be a hack exploiting a vulnerability in the way QuickTime talks to Java. What does this mean? It means that this is not just an issue for Mac users, Windows users are vulnerable too! Thankfully the solution is simple: turn off Java (not JavaScript) in your web browser.
Apr
3
Apple Puts Its Money Where Its Mouth Is – iTunes To Go DRM Free
Filed Under Computers & Tech, Security on April 3, 2007 | 7 Comments
I’m in my parents’ place this week and out here in the heart of Ireland broadband is not available. I find dialup so frustrating that I generally don’t bother even going online. So, I managed to miss Apple’s big announcement till now. For those of you on another planet (or deprived of broadband like me) Apple and EMI announced on Monday that they would start selling high-quality DRM-free music on iTunes. The price is the same for albums but more expensive for individual tracks. Since the quality is higher and the files are DRM-free that seems fair enough to me. I just hope this experiment goes well. I really want this to be the start of a whole new era for digital music, the end of the failed experiment that is DRM.
[tags]DRM, EMI, Apple[/tags]
Mar
25
PasswordVault2Go – A Great Shareware Tool
Filed Under Security, Computers & Tech on March 25, 2007 | Leave a Comment
Passwords are an annoying fact of life in our modern electronic world. If you’re any sort of regular computer user you’re going to start building up quite a collection. You could use the same user name and password for everything, but that’s very insecure. Also, you often don’t have a choice of user name, or you can run into very restrictive password policies, either way it’s unlikely you’ll manage to get the same user name and password everywhere even if you tried! Remembering the details for things you log in to every day is never the problem. It’s the passwords for the things you only use a few times a month or even a year that cause the problems. Saving passwords in browsers can help a bit but it makes things even worse when you try to use another computer and of course your browser isn’t going to be any help when it comes to remembering your domain password at work or your FTP password for that website you only update every few months. On top of all your passwords you also have software registration codes to keep track of and your browser certainly isn’t going to help you with that. Inevitably you end up getting locked out of sites or services and having to re-buy software you’ve bought before because you can’t find your registration key.
[tags]PasswordVault, PasswordVault2Go, Lava Software[/tags]