Facebook over SSL

A few months ago I mentioned the firesheep extension for Firefox. This is a nifty/scary little critter that does some potentially scary stuff with respect to your social networking accounts.

Back when I wrote that post I mentioned one good way to protect yourself is to ensure you’re using SSL (https) when browsing the vulnerable sites.

This week the Facebook blog announced a new security option to force SSL when visiting your Facebook pages.

Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.

Sadly, it isn’t on by default, but it is very simple to turn it on – I encourage all Facebook users to do so – especially if you’re using Facebook while “on the go” via open wireless networks. But even if you’re not using wifi, it is still a good practice to follow.

One welcome side-effect? FB chat now works over SSL. Up until this release, that never worked for me.

Secunia PSI Updated

One of my favorite [consumer] security applications got an update a bit over a week ago. Secunia PSI is now up to version 2.0. Same great features, but now it offers even more.

Now it doesn’t just tell you what’s out of date or vulnerable – it offers to download and install the updates for you. And that’s exactly why you want to install this on your “technically challenged” friend and family PCs.

Secunia aims to solve this problem with the Secunia Personal Software Inspector (PSI) 2.0 featuring automatic updates that are truly automatic. Truly in the sense that, if the user prefers, the Secunia PSI 2.0 can install most security updates without requiring the user to download, run, or otherwise perform manual actions to patch their PC.

Pretty cool stuff.

One note though. When I first installed the 2.0 version it seemed to be stuck in a never-ending scan-and-report loop. Fortunately, after the next reboot it was just fine and has been well behaved ever since.

Ubuntu 10.04 Netbook Setup

Over the past year I have developed quite a fondness for Ubuntu 10.04 Netbook edition. Most of my laptops dual-boot it and my wife runs it full time on her little IBM Thinkpad X40. The Netbook edition works great on the 12” or smaller monitors.

I briefly tried Ubuntu 10.10 Netbook but very quickly removed it. Let’s just say that I really really didn’t like it and leave it at that.

When I set up a 10.04 Netbook edition there are a few steps I do each and every time. Figured I could take a moment and jot down some of the steps to save me some time next time around.

Firstly, the 10.04 download link can be found here: http://releases.ubuntu.com/10.04/ (courtesy of jacevesl via Twitter). Grab the Netbook live CD iso and burn it to CD or USB – the Universal USB Installer makes creating a bootable USB stick very simple.

I’m not going to cover the install here. Just boot it and run the installer directly or boot in “Live CD” mode, play around a bit and then run the installer application. If dual-booting be sure to pay attention to some of the early steps and don’t smoke your other installed OS!

Once installed, connect to your network and run the Update Manager to get current. Reboot while making the obligatory “this is just like MS Windows” comment… sorry, couldn’t resist.

The default screensaver time is at 5 minutes. This drives me batty. So the next stop is to System (left menu) and then Screensaver. I usually slide the idle timer up to around 60 minutes. Up to you if you want to keep the “Lock screen when screensaver is active” or not.

Now I head back to the Favorites menu and clear out everything except Firefox and Ubuntu Software Center. Just right-click and “remove” to get rid of the others.

For a terminal I like to install Guake Terminal. I just fire up the aforementioned Ubuntu Software Center, type it into the search field and then click Install. Once that finishes, head to Accessories and start it up. That’ll put the guake icon up in the top bar. Click to get your terminal and then right-click for Preferences. In the General tab I like to check “Hide on lose focus.” Instant F12 access to a nifty little tabbed window terminal. Head to System -> Preferences -> Startup Applications and check the box by Guake. Now it’ll autostart as well.

Now I have to clean up a bit. I don’t use the built-in IM and email stuff so the “indicator applet” isn’t necessary and just takes space. Fire up the Ubuntu Software Center again. Click on “Installed Software” in the left pane and search for indicator-me and indicator-messages (for some reason, sometimes that latter search just has to be “messages”). Lose ‘em both, log out and back in and admire the much more svelte toolbar.

And there we go, the initial steps I do almost every time. The rest depends on how the machine will be used – alternate browsers, Dropbox, etc.

2010 Updates to Essential Apps

My Essential Apps page was a bit due for an update so I’ve spent some time dusting it off this evening. I’ve removed a few things and added some others. What follows is sort of in a jumbled stream, but you can check out the Essential Apps page for the current goods.

I removed the Glasser Add-on for Firefox from the list. I lost interest in it at some point in the past year. Now I usually just find a persona that grabs my fancy and use that instead. I also no longer use VeriSign’s OpenID Seatbelt Add-on. I use the Google OpenID stuff these days so no need for it. Finally, I also removed Google Toolbar from the list. Fast Dial and Xmarks replaced it nicely.

I added a couple Add-ons to the list. Namely Fast Dial and Xmarks. Together they keep my bookmarks all in sync and allow me to get to my most frequently visited sites quickly.

In the utilities section I removed Launchy. I don’t have that many XP machines around anymore and the few that I have are not primary devices. They tend to be more single-focused and Launchy just doesn’t play there.

Synergy and Synergy-plus merged back to Synergy and I updated the URL appropriately. If you find yourself with multiple computers on your desk you need this one.

I removed mRemote as I find myself mainly using Microsoft’s Remote Desktop Connection Manager exclusively these days. However, I recently heard about an mRemote fork (mRemoteNG) that I need to check out when I have a free moment.

I added CrashPlan as my favorite backup program.

In the Security section I removed AntiVir and ClamWin. Haven’t used either in the past year. Microsoft Security Essentials has been fine. While not exactly apps, I also added mention of OpenDNS and Untangle as they are big parts of my home security solution.

And finally, I added Visual Studio 2010 to the development section. Been doing a lot of little db utility apps and I’m loving the Visual Studio and .NET experience.

As always, if you feel there are apps or utilities that I should be using drop a comment.

Firesheeple

I’m a bit late to the party, but have you heard about Firesheep yet? It is an interesting Firefox plugin that makes what used to take a few keystrokes very very easy.

After installing the extension you’ll see a new sidebar. Connect to any busy open wifi network and click the big “Start Capturing” button. Then wait.

As soon as anyone on the network visits an insecure website known to Firesheep, their name and photo will be displayed:

Double-click on someone, and you’re instantly logged in as them.

That’s it.

Chilling, yes?

The key there is “open wifi” network. Mostly (more on that down below).

See, too many sites have people log into their accounts using SSL but then let them use the site without necessarily staying with SSL. This allows you to get your HTTP cookie hijacked – also known as “sidejacked” – and if someone can snag that cookie they can become you on that site.

Brief note: Sidejacking is nothing new. I want to clarify that what makes Firesheep interesting is how easy it makes it.

Now I, personally, never use open wifi networks but this still has caused me to make a few changes to some of my saved bookmarks. For instance, I’ve updated all my Facebook bookmarks to be over SSL (changed them to https://www.facebook.com to be specific). (Facebook is just one example here, I’m not picking on them alone.) I’ve done the same for a few other key sites that I noticed were back to http after I signed in.

If I don’t use open wifi, why do I care? Two reasons really:

  1. While sidejacking is nothing new, Firesheep definitely makes it very easy to play with. The bar to entry is on the floor.
  2. If it works so well over open wifi I can’t help but wonder if it would work just as well with an ethernet hub. Suppose I put a hub on the office network between the firewall and the switches. Now, suppose I plug my Firesheep-equipped machine into that same hub. Hey presto, I’m seeing all the traffic, just like open wifi, right? I have lots of old hubs – and I bet I’m not the only one. That scenario scares me a little.

If you can, run your traffic over SSL. While visiting your commonly used sites (that involve login credentials) see what happens when you change the http to an https. As Steve Gibson suggested in “Why Firesheep’s Time Has Come” (worth a read) you might consider the Firefox extensions of HTTPS Everywhere or Force-TLS.
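As an added illustration (not code from this post, from Firesheep, or from any site named here), the small simulation below shows why the https bookmarks and the Secure cookie attribute both matter: a session cookie set at login without Secure is attached to every later http:// request, and that plaintext request is what gets sniffed on open wifi. The site name, cookie and headers are constructed.

```python
"""Simulate sidejacking exposure: which cookies a browser sends over plain http.
Constructed example; the headers below are made up, not any real site's."""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header into name, value and the flags that matter."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def cookies_sent_to(jar, url):
    """Names of the cookies a browser would attach to a request for url.
    Applies the Secure rule: a Secure cookie is only ever sent over https."""
    parts = urlsplit(url)
    host, scheme = parts.hostname.lower(), parts.scheme
    sent = []
    for c in jar:
        domain = c.get("domain", host)  # no Domain attribute: host-only cookie
        if host == domain or host.endswith("." + domain):
            if c["secure"] and scheme != "https":
                continue  # withheld on plain http, so nothing to sniff
            sent.append(c["name"])
    return sent


def exposed_on_plain_http(jar):
    """Audit helper: cookies that would travel in the clear on an http:// page."""
    return [c["name"] for c in jar if not c["secure"]]


# Constructed login responses: the weak site omits Secure, the fixed one sets it.
WEAK = parse_set_cookie("sess=abc123; Domain=.example.com; Path=/; HttpOnly")
FIXED = parse_set_cookie("sess=abc123; Domain=.example.com; Path=/; Secure; HttpOnly")

if __name__ == "__main__":
    for label, c in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "http ->", cookies_sent_to([c], "http://www.example.com/"),
              "https ->", cookies_sent_to([c], "https://www.example.com/"))
```

Note that HttpOnly alone does not help here: it stops scripts from reading the cookie but says nothing about the wire, so the weak cookie is still sent, and sniffable, on any http:// visit.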

A quick search for Chrome equivalents didn’t turn anything up so I’m open to suggestions there.

Oh, and if you have to use open wifi networks (Starbucks is often mentioned) and you have sites that don’t let you stay SSL you might be interested in FireShepherd. Kinda hardcore in a good way. [hat tip to Security Monkey on that one]