Is Tor Secure?

The Onion Router, better known as Tor, is free software that helps you defend against traffic analysis and network surveillance, both of which threaten personal freedom and privacy. It provides anonymity by bouncing your traffic through a distributed network of relays run by volunteers around the world. That keeps somebody watching your Internet connection from learning what sites you visit, and keeps the sites you visit from learning your physical location.

Is it bulletproof? No. Some relays collect data on the traffic passing through them, as reported by ExtremeTech.

Researchers have reported that 110 live Tor relays are “misbehaving” by collecting data on the connections that pass through them. The purpose of the collection is unclear, and what the nodes collect varies. Some are quite sophisticated and pull in data that could be used to identify users; others seem to be just tracking statistics. The most likely explanation is that computer science researchers are running studies on Tor that involve collecting some data. At the same time, law enforcement is running similar nodes to try to unmask users of illegal “hidden services” hosted inside Tor. The Silk Road was one such hidden service. The practical lesson is that an exit relay sees whatever leaves the network in the clear: Tor hides who you are from the site, but only HTTPS hides what you send from the relay operator.

Dropbox Accidentally Turned Off Passwords

Dropbox accidentally turned off password checking on its file sharing service last Sunday from 4:54pm until 8:41pm; the service was confirmed restored and secured at 8:46pm. During that window anyone could access any of the 25 million Dropbox accounts simply by typing a random string of characters into the password field. Dropbox said fewer than 1 percent of accounts were accessed during that period and that it will continue to investigate whether any accounts were compromised.

It just shows that online services such as Dropbox, and social sites such as Facebook and Twitter, are not 100% secure. If you are concerned about security, you shouldn’t place highly sensitive information on any online service. If you must, encrypt it yourself before it leaves your machine, using the strongest widely reviewed cipher available; I recommend AES-256. Keep in mind that an AES-256 archive protected by a short password is only as strong as that password. If you’re a Windows user, the popular compression program 7-Zip can create AES-256 encrypted archives. Linux and Ubuntu users will find more information in this forum.
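As an added example (not from the original post), this is how I would encrypt a file locally with AES-256 before handing it to Dropbox or any other sync service, and verify that the round trip works and that a wrong passphrase does not recover the data. It assumes OpenSSL 1.1.1 or later is on the PATH (the `-pbkdf2` option needs it); the sample file contents and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the original post's code): encrypt a file locally with
# AES-256 before uploading it, then verify the round trip.
# Assumes OpenSSL >= 1.1.1 on PATH (needed for -pbkdf2).
set -eu

# Encrypt plaintext $1 into $2 with passphrase $3. The key is derived with
# PBKDF2 over a random salt, so two encryptions of the same file differ.
encrypt_file() {
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# Decrypt $1 into $2 with passphrase $3. KDF parameters must match encryption.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass "pass:$3"
}

# Round-trip check on a constructed sample file; prints "ok" on success.
roundtrip_demo() {
  work=$(mktemp -d)
  # Constructed sample data standing in for the sensitive file.
  printf 'constructed sample: routing 021000021 acct 1234567890\n' > "$work/secret.txt"

  encrypt_file "$work/secret.txt" "$work/secret.txt.enc" 'correct horse battery staple'

  # The ciphertext is what gets uploaded; it must not contain the plaintext.
  if grep -q 'routing 021000021' "$work/secret.txt.enc"; then
    echo "plaintext leaked into ciphertext"; return 1
  fi

  # The right passphrase recovers the file exactly.
  decrypt_file "$work/secret.txt.enc" "$work/back.txt" 'correct horse battery staple'
  cmp -s "$work/secret.txt" "$work/back.txt" || { echo "round trip mismatch"; return 1; }

  # A wrong passphrase must not yield the plaintext. openssl normally reports
  # "bad decrypt"; on a rare padding collision it emits garbage instead, so
  # compare the output rather than relying on the exit status alone.
  if decrypt_file "$work/secret.txt.enc" "$work/wrong.txt" 'not the passphrase' 2>/dev/null \
     && cmp -s "$work/secret.txt" "$work/wrong.txt"; then
    echo "wrong passphrase decrypted the file"; return 1
  fi

  rm -rf "$work"
  echo ok
}

roundtrip_demo
```

Only `secret.txt.enc` should ever reach the sync folder. The 7-Zip equivalent on Windows is `7z a -p -mhe=on archive.7z files`; the `-mhe=on` switch matters because without it 7-Zip encrypts the file contents but leaves the file names readable in the archive header.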

Twitter Will Be More Secure With HTTPS

Twitter announced today that it is adding an HTTPS option to make the service more secure. Users can go to their account settings and tick a box to always use HTTPS. Twitter recommends it especially for users on public Wi-Fi, where network connections are less secure.

HTTPS is ordinary HTTP carried over SSL/TLS, which encrypts the connection and authenticates the server. It has long been used for payment and banking transactions on the web. Browsers usually indicate an HTTPS connection with a padlock icon, or with a modified or colored address bar. The “always use HTTPS” setting matters because on an open wireless network anyone nearby can read unencrypted traffic, including the session cookie that keeps you logged in, and reuse it to act as you.

Twitter hopes to have HTTPS as the standard setting in the future.

Keeping Track of Your Online Accounts

I imagine most people own at least a dozen online accounts: email, chat, online banking, shopping sites such as Amazon, eBay and PayPal, forums, user groups, social media sites and so on. Some users have over 100 accounts. So how do you keep track of all your usernames, passwords and other details? I found an easy way of organizing my online accounts and would like to share it here.

Use one email account

I use one email account for all my online activities. Most websites require that you register a valid email address, and using a single address for everything makes things easier: if you ever have to hunt for a forgotten username or password, you know where to look. Bear in mind that this one mailbox then becomes the recovery key for every other account, so it needs the strongest protection of all. To start your recovery, see my next point.

Keep all emails after registration

Most websites that require registration require a valid email address. They will usually send a message confirming that you have registered an account, and some require that you activate the account via a link in that email. It’s important to keep these registration messages and not delete them. They sometimes contain usernames and passwords; if one does contain a password in clear text, change that password once you are logged in, since anyone who gets into your mailbox would otherwise have it too.

Create an “Accounts” folder

The next thing to do is to file all your registration email messages under one folder called “Accounts.” If you have forgotten your username or password in the future, you can always go back to this folder and search for the registration message you received when you first signed up. Sometimes the registration message will reveal important information such as the username, the password or the hint question needed to get you logged in to the account.

Use one username

To simplify your online experience, you might want to consider using the same username when signing up for accounts. If your name is common, you might want to create something unique. Fortunately, neither my first name nor my last name is very common, so I use the same username for most of my accounts. I say most, because a couple of times the account name was already taken. Having the same username everywhere may sound like bad practice to security folks, and it does mean anyone who learns one of your account names knows them all, but it simplifies things. Hence the importance of my next point.

Don’t use the same password for all accounts

Don’t use the same password for all your online accounts. This is bad security practice. On the other hand, if you have over 50 accounts, a separate password for each one can get out of hand. So I recommend one password for your email accounts, a different password for finance and banking, and another for chat accounts, social sites, blogs and so on. You may end up with 5-6 passwords altogether, which is far less daunting than remembering 50. Keep the email and banking passwords unique and strong, and never reuse them on the low-value sites: a breach at any one site exposes every other site sharing that password, and those two tiers are the ones that can cost you money or your recovery mailbox.

This is how I keep track of all my online accounts. What do you think?

Mandatory Upgrade To WordPress 3.0.2

There is a mandatory upgrade to WordPress 3.0.2 from all previous versions. This is a maintenance release that fixes a moderate security issue which could allow a user with Author-level access to gain further access to the rest of the site. The upgrade is particularly important for blogs with multiple users, but everyone should apply it.

There should be no valid excuse not to upgrade to version 3.0.2, since WordPress upgrades are easy and painless. All it takes is one click. I upgrade my blogs a tad differently than most WordPress users: I use a Subversion update, and I have a script that updates all my blogs at once. Judging by the Subversion upgrade, only about a dozen files changed.
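When you run several blogs, the easy part is the upgrade and the part that gets missed is the one install you forgot about. As an added example (my own script, not the post author’s), this audits a list of WordPress install directories and prints the ones still below a target version. It assumes each install records its version in `wp-includes/version.php` as `$wp_version = 'x.y.z';`, which is where WordPress keeps it; the sample installs are constructed on the fly for the demo.

```shell
#!/bin/sh
# Added example (not the post author's script): find WordPress installs that
# are still below a target version, so none is missed when rolling out 3.0.2.
# Assumes each install keeps its version in wp-includes/version.php as
#   $wp_version = 'x.y.z';
set -eu

# Print the version string of the install rooted at $1.
wp_version() {
  sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Succeed (status 0) when dotted version $1 is strictly lower than $2.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$1" ]
}

# List, one per line, the install directories among $2.. that are below $1.
outdated_installs() {
  target=$1; shift
  for dir in "$@"; do
    v=$(wp_version "$dir")
    if [ -z "$v" ]; then
      echo "$dir: no version found" >&2; continue
    fi
    if version_lt "$v" "$target"; then
      echo "$dir"
    fi
  done
}

# Demo on constructed sample installs; prints the outdated ones by name.
demo() {
  root=$(mktemp -d)
  for pair in blog-a:3.0.1 blog-b:3.0.2 blog-c:2.9.2; do
    name=${pair%%:*}; ver=${pair##*:}
    mkdir -p "$root/$name/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$ver" > "$root/$name/wp-includes/version.php"
  done
  outdated_installs 3.0.2 "$root"/blog-a "$root"/blog-b "$root"/blog-c | sed "s|^$root/||"
  rm -rf "$root"
}

demo
```

Feed the output to whatever performs the update; for a Subversion checkout that is the step documented in the WordPress Codex, `svn sw http://core.svn.wordpress.org/tags/3.0.2/ .` run inside each flagged directory, and a second pass of the audit afterwards confirms nothing was skipped.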

So update to WordPress 3.0.2. It should be quick and well worth the while.

49 Microsoft Vulnerabilities

Microsoft plans to patch 49 vulnerabilities this coming Tuesday, and rates four of the fixes critical. The patches cover Internet Explorer, MS Office, .NET, Windows 7 and Windows Server 2008. It is Microsoft’s largest single patch release to date.

Speaking of Microsoft, I’ve yet to take advantage of the latest Windows 7 Home Edition Family Pack for just $149. It went on sale October 2 and comes with three licenses. Split it with two friends and each of you gets Windows 7 Home Edition for about $50. Good deal.

Facebook Glitch Exposes Private Chats

Just when you thought it was safe to go back into social media, along comes something as terrible as Facebook. Today, a software bug allowed Facebook users to view their friends’ private chat sessions. Very nice. How juicy. The same bug also let users see their friends’ pending friend requests.

Well, the latter is not as bad or juicy as reading other people’s chat messages. Nevertheless, it was a security hole that stayed open for a while before Facebook turned off its chat service. I predict it won’t be the last. As Facebook grows in users and complexity, there is great potential for another slip-up like today’s.

If you’re worried about privacy, don’t place anything online that can get you in trouble.

Hardware Issues

My Linux desktop is sick. It’s having a hardware problem that causes the kernel to panic: the mouse freezes and the keyboard lights flash. At times it shuts the OS down. It doesn’t matter which distro I install; I tried the last four Ubuntu releases, Linux Mint 7, Linux Mint 8 and Fedora 12. I haven’t figured out yet whether it’s a memory or a motherboard problem. I have eliminated just about everything else, including the power supply, CD, DVD, sound card and graphics card. It’s probably a memory issue. So for now I’m stuck on a Windows XP machine.

Interesting news today. The French and German governments are warning IE users as the fallout from the Internet Explorer zero-day used in the attack on Google from China reverberates worldwide. Microsoft is directing users to upgrade to IE 8. I say move to Firefox, Safari or Chrome; I abandoned IE five years ago for the same reason. Some are calling for dumping IE altogether.

If you are contemplating interviewing with Google, you had better Google what Google might ask you, because Google, the company, tends to ask very tough interview questions. It’s interesting to hear about Google’s hiring policy, which focuses on super bright, intelligent people, something that doesn’t always translate into the best workers, or workers with great interpersonal skills, or better yet, workers with common sense.

Should Fedora release a Fedora 13? For superstitious folks, thirteen is an unlucky number. Nevertheless, Fedora is forging ahead, and Fedora 13 benchmarks are out, alongside those for Ubuntu 10.04.

Kaiser Permanente Stolen Hard Drive

From eSecurity Planet:

More than 15,000 Kaiser Permanente patients in Northern California this week are being notified that their personal information, including birth dates, addresses, phone numbers and medical-record numbers, was exposed last month after an unencrypted external storage drive was stolen from an employee’s car.

Kaiser Permanente officials said the theft occurred in early December after an employee left the drive inside the car at her home in Sacramento. A week after the break-in, the unidentified employee notified hospital officials of the potential data breach.

Kaiser then notified state and federal regulatory agencies as well as the Sacramento Police Department.

All the affected patients are being notified of the incident through the mail, Kaiser officials said.

The culprit: an employee.

The employee was fired for violating Kaiser’s security policies after she stored the patient files on a personal device without encryption and failed to receive permission to remove the data from the hospital.

Another IE Hole

Well, another IE hole. This is from the Dow Jones Newswires:

The cyberattack that has prompted Google Inc. (GOOG) to threaten to pull out of China exploited a previously unknown vulnerability in Microsoft Corp.’s (MSFT) Internet Explorer browser, a security research firm said Thursday.

The attackers took aim at Google and numerous other corporations by targeting one or a few key individuals in each company, tricking them into clicking on a link or a file that appeared to have been sent from a trusted source, said McAfee Inc. (MFE) Chief Technology Officer George Kurtz in a blog post.

This enabled malicious software to be downloaded and installed on the targets’ corporate computers, opening back doors that allowed the attackers to perform reconnaissance and gain complete control over the compromised systems, said Kurtz.

The attackers, believed to be in China, had identified high value targets with access to intellectual property and were able to siphon off valuable data from the companies, he said.
