Exploring the wonderful world of technology and software development
 Monday, January 07, 2008

Jeremy Clarkson, presenter of TV's "Top Gear", published his bank account details and home address in an article he penned for "The Sun", the UK's best-selling newspaper. Why? Because he wanted to illustrate his belief that the furore over reports of the loss of CDs containing a database of 25M people's personal details was much ado about nothing. He claimed:

"All you'll be able to do with them is put money into my account. Not take it out. Honestly, I've never known such a palaver about nothing"

Alas, this stunt has backfired on him! Clarkson subsequently wrote in his Sunday Times column that:

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account. The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again."

Clarkson, much chastened, had the good grace to admit that:

"I was wrong and I have been punished for my mistake."

He must be thanking his lucky stars that whoever managed to compromise his account didn't clean him out! Let this be a lesson to us all.

It is clearly all too easy for our identities to be abused and compromised and we should all take steps to do what we can to protect our personal identities.

Here are my top 5 suggestions on the absolute minimum steps we should all take to protect our personal identities:

  1. Shred paperwork. Don't just throw away paperwork with your name, address, telephone numbers, account numbers, balances, credit details, etc.: SHRED IT. Document shredders are not expensive and take just moments to make it much harder for malicious third parties to abuse your identity.
  2. Protect your passwords: Passwords are a pain to use and open us up to innumerable identity attacks such as phishing. However, until alternative identity exchange mechanisms such as Windows CardSpace establish a strong foothold, passwords are going to remain the primary way we secure access to websites and online services. So we will need to manage our passwords more effectively. Key tips for password management:
    1. Don't re-use passwords: Avoid using the same password at more than one site. If your password is compromised once, you're open to much broader attack if your password is shared across several other sites. It's quite easy to choose a unique password and to augment it with some site identifier so that you can easily remember the password to use on a given site.
    2. Never write down your passwords, nor store them in an unsecured store (e.g. a spreadsheet on your laptop). If you must store your passwords, store them in an encrypted and/or password protected store, and rather than store the password itself, store a hint or reminder as to what the password is.
  3. Avoid passwords: Lobby your bank, credit card companies, merchants, billing companies, and anywhere else online that requires you to create and maintain yet another password. Ask them when they plan to adopt identity selectors such as Windows CardSpace (or other identity selectors such as Novell's Bandit, for example). We need to start moving beyond usernames and passwords and to enjoy a safer Internet.
  4. Protect your Social Security/Tax/National IDs: It stuns and amazes me that most banks here in the US use a person's Social Security Number (SSN) as the primary identifier for their customers. I've lost count of the number of times I have been asked to provide my full SSN when speaking to my bank, mortgage company, etc. I am even more astonished at how flummoxed the phone reps are when I refuse to provide my whole SSN - they just don't know what to do, or go out of their way to avoid performing the couple of extra steps necessary to look you up in their systems using other credentials (name, address, etc.).
  5. Monitor your bank / credit card transactions monthly: I am as guilty as the next guy of not doing this as regularly as I should. Until recently. A few weeks ago I decided to take a more proactive stance regarding my financial position and invested in a money management package (I chose Microsoft Money, but tools like Quicken are great too). Whilst categorizing all my uncategorized credit card transactions, I found that I had been billed over $120 by TFN*GreatFun (Trilegiant's well documented scam). I am in the process of jumping through the (quite unnecessary) hoops required to have these charges reimbursed. Without Microsoft Money, I would most likely not have noticed these charges and so it has already more than paid for itself!
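The password tips above say "don't re-use", "augment a unique password with a site identifier" and "store a hint, not the password". Simply appending the site name to one base password does not deliver the first point: anyone who sees "hunter2-shop" can guess "hunter2-bank". The keyed derivation below does, because each site's password is an unrelated PBKDF2 output of a master secret you memorise and the site's name, and the only thing that ever needs writing down is the site id and a generation counter. This is an added example, not code from the original post; the master secret and site names are constructed sample values, and the `site-password-v1` salt prefix and the `Get-SitePassword` name are my own choices.

```powershell
function Get-SitePassword {
    param(
        [Parameter(Mandatory)][string]$MasterSecret,
        [Parameter(Mandatory)][string]$SiteId,
        [int]$Generation = 1,        # bump when a site forces a password change
        [int]$Iterations = 200000,
        [int]$Length = 16
    )
    # Salt = site id + generation, so every site (and every rotation of one
    # site's password) yields an unrelated output. Normalising case and
    # whitespace keeps the derivation deterministic however the id is typed.
    $saltText = 'site-password-v1:{0}:{1}' -f $SiteId.Trim().ToLowerInvariant(), $Generation
    $salt = [Text.Encoding]::UTF8.GetBytes($saltText)
    # PBKDF2-HMAC-SHA256: recovering the master secret from one leaked site
    # password costs $Iterations hashes per guess. This constructor overload
    # needs .NET Framework 4.7.2+ (Windows PowerShell 5.1) or PowerShell 7.
    $kdf = [Security.Cryptography.Rfc2898DeriveBytes]::new(
        $MasterSecret, $salt, $Iterations,
        [Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $bytes = $kdf.GetBytes($Length) } finally { $kdf.Dispose() }
    # Map to an alphabet most sites accept (no 0/O, 1/l/I look-alikes). The
    # modulo introduces a small bias; 16 symbols from a 57-symbol alphabet is
    # still far stronger than any password a person would type from memory.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789'
    $chars = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    # One fixed symbol satisfies the common "must contain punctuation" rule.
    return (-join $chars) + '!'
}

# Constructed sample usage. The master secret is memorised, never stored.
$master = 'correct horse battery staple'
$bank = Get-SitePassword -MasterSecret $master -SiteId 'bank.example'
$shop = Get-SitePassword -MasterSecret $master -SiteId 'shop.example'
if ($bank -eq $shop) { throw 'derivation is not site-specific' }
if ($bank -ne (Get-SitePassword -MasterSecret $master -SiteId ' Bank.Example ')) {
    throw 'derivation is not deterministic'
}
"bank.example -> $bank"
"shop.example -> $shop"
```

What you keep in your notes is only the site id and its generation number, which is exactly the "hint rather than the password" the tips recommend. The master secret is now a single point of failure, so it must be long and never typed into a website; and a derived password is no defence against phishing, which is why the post still points at identity selectors as the longer-term answer.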

Hope this helps you avoid getting compromised.

Posted: Monday, January 07, 2008 6:33:14 PM (GMT Standard Time, UTC+00:00)
Identity | Security

 Thursday, November 01, 2007

Brad Abrams is asking whether or not the default behavior of the .NET runtime should allow your machine to run .NET applications stored on network shares by default.

Today, you can run native EXEs stored on a network share without having to do any security work at the desktop. .NET applications, on the other hand, will fail with a somewhat unhelpful "[exename] has encountered a problem and needs to close. We are sorry for the inconvenience" error message.

This is, as Brad points out, a well known issue with some simple workarounds involving:

  1. Configuring your machine to trust a given strong-named (i.e. signed) .NET EXE (using MSCORCFG.MSC; details here)
  2. Altering your machine's Code Access Security policy to trust a given network share (using CASPOL.EXE, as shown by Shawn)

I believe that softening the default Code Access Security policy to permit .NET EXEs to run from network shares by default will introduce too many opportunities for malicious software authors to fool users into running apps that they think they trust.

Remember the ILoveYou virus which, as Dominick points out, copied itself to network shares as one of the avenues through which it spread its infection?

The only way I could accept such a sweeping change is if only EXE's that are Digitally Signed with a cert from a Certificate Authority in my trusted root store were permitted to run from a network share. Otherwise users WILL be fooled into running something that is less than desirable and which causes significant damage ... something I think we should all take steps to avoid.

In short, Just say NO!
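The rule the post would accept, "only run an EXE from a network share if it is digitally signed with a certificate chaining to a CA in my trusted root store", is exactly what Authenticode verification checks. The launcher below applies that gate with PowerShell's `Get-AuthenticodeSignature` before starting anything from a UNC path. It is an added example, not code from the original post or from Brad, Shawn or Dominick; the `Test-TrustedSignedExe` and `Start-SharedExe` names and the `\\server\apps\tool.exe` path are placeholders of my own.

```powershell
function Test-TrustedSignedExe {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the signature verifies AND the signer's certificate
    # chains to a root in the machine's trusted root store. 'NotSigned',
    # 'NotTrusted' (unknown root) and 'HashMismatch' (file altered after it
    # was signed) all fail the gate.
    if ($sig.Status -ne 'Valid') {
        Write-Warning ('{0}: signature status {1}' -f $Path, $sig.Status)
        return $false
    }
    Write-Verbose ('{0}: signed by {1}' -f $Path, $sig.SignerCertificate.Subject)
    return $true
}

function Start-SharedExe {
    param([Parameter(Mandatory)][string]$Path)
    # Apply the gate only to UNC (\\server\share) paths; local EXEs are left alone.
    if ($Path -like '\\*' -and -not (Test-TrustedSignedExe -Path $Path)) {
        throw "Refusing to run unsigned or untrusted executable from a share: $Path"
    }
    Start-Process -FilePath $Path
}

# Placeholder UNC path; point it at a real share to try the gate.
# Start-SharedExe -Path '\\server\apps\tool.exe'
```

For comparison with the two workarounds the post lists: the share-wide CASPOL form, `caspol -m -ag 1.2 -url "file://\\server\apps\*" FullTrust`, trusts everything anyone can drop on that share, which is the ILoveYou propagation path the post worries about; the publisher form, `caspol -m -ag 1.2 -pub publisher.cer FullTrust`, grants trust only to code Authenticode-signed by that certificate, which has the shape of the rule above. Both apply to .NET Framework 2.0 to 3.5 machine policy; from .NET Framework 4 onward CAS policy is ignored by default, so a launcher-side check like the one above is the portable way to keep the rule.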

Posted: Thursday, November 01, 2007 4:51:45 PM (GMT Standard Time, UTC+00:00)
.NET | Security

All content (unless otherwise specified) is © Copyright 2010 Richard Turner.