Showing posts with label Networking. Show all posts

Tuesday, March 10, 2015

Windows Support Scam

I have been called on several occasions by overseas call centres claiming to be from 'Windows Support', telling me that my PC has been sending out error messages or 'bad traffic' on the internet.

They seem to target people who use their PCs infrequently, perhaps to browse the internet and clear email. A seasoned PC user will start to smell a rat immediately.

THIS IS A SCAM.

All they want is your money, and perhaps to leave you with a web-bot or bot-net installed on your PC.

Their tactics are as follows:


  • Instruct you to open task manager, msconfig or your eventvwr to view your log files.
  • They will convince you that you are looking at the bad traffic or stopped services.
  • They will ask you to browse to a 'desktop sharing' software site (these change over time).
  • They will instruct you to download and install it.
  • They will then ask you to run the software and you will be asked for passwords.
  • At this point they are into your system and can do what they want.
  • You may also be asked to pay a fee of around US$80.00 for a year's worth of maintenance.
  • They will direct you to a site to pay the $80 via a credit card.
  • Congrats, they now have your name, credit card number and the 3 digit code.

So not only have you been scammed, you have paid them for the privilege.

Have a listen to a recording of a typical call.
https://soundcloud.com/csoonline/microsoft-support-scam

So what is a bot-net?

A bot-net is a piece of insidious software that turns your PC into a 'robot' that takes orders from a central 'command & control' server hidden somewhere on the internet. It receives instructions to send out spam, phishing emails, or denial of service attacks aimed at targets, as instructed by the command & control server. In most cases these web-bots are not detected by industry standard virus scanners. They go undetected for years. All you may notice is a slight slowdown of your PC at times.

Once your PC has a web-bot installed (and there are millions of them out there), your PC becomes a commodity that's bought, sold or rented out to criminals for lots of purposes. Some may want to send millions of spam emails quickly. Some may want to build email lists (from our inboxes). Some want to hit Government servers with denial-of-service attacks. The list goes on.

How do you get rid of a bot-net?

If you're lucky you can use a tool that identifies and removes them. If you're not, you need to format and re-install Windows. Be warned, some of the tools to remove them also contain newer ones. That's the catch 22. Who can you trust? I suggest the re-install. It's the only safe method. You can save all your data, pictures and videos beforehand. You will need to re-install ALL of your added software from the original CDs. NEVER restore software from a backup as the web-bot may be in your backups.

Why are the call centres making the calls?

They are paid to do it. Many bot-net operators actually pay call centres to make the calls and train them specifically in the task. The call centres may not actually know what they are really doing. I have heard of some of them transferring your call to a 'level 1 technician' who will do the repair. By this they wash their hands of 'blame'. These calls usually take your $80 first, before transferring you.

"Oh what a tangled web we weave when first we practice to deceive."

Now that you know this, tell your friends that are perhaps less computer literate.

Saturday, November 15, 2014

Trying out Linux on an old PC or Laptop

Many of my friends are always complaining about how slow their PC has become. Or ever since browsing a site they can't get rid of a toolbar. Or my computer is doing some strange things and I can't get it to go back to the way it was.

Many of those friends just went out and bought a new computer that is faster and came with a new version of Windows (which they thought would be better). However they never took into consideration that with every version of Windows comes a whole new learning curve... How to use it? Plus the newer versions used more of the computer's resources, so the speed it operates at is not really that much faster than the old one.

Windows operating systems, like versions of Office, are completely different in how they work, or more precisely, where are the resources hidden that I used to use? In essence Windows versions are like Linux Distributions. When you find the 'distro' you like you stick with it. There are hundreds of Linux 'distros' out there to choose from. The below video will show you a couple that are the main or recommended ones to try.

So if you just bought a new PC with Windows 7 or 8 and you are left with an old computer that you are just going to throw in the bin... WAIT! Try Linux first on that old PC. You don't need to worry about losing your files as we aren't going to be using the hard drive on the old PC. The PC does not even need a hard drive installed at all.

Now watch how much faster your computing experience has become. Browse the net faster, use your internet banking more securely. Edit video or photos so much faster. The whole computing experience is just what you thought you would get with a new computer. Only thing is... it's on your old one.

Watch the video and see for yourself.


Now compare the speed of your new PC with Linux installed on your old one. Was it worth the money? Not convinced? Wait 6 months and compare speeds again.

Thursday, February 27, 2014

Why cloud data isn't as safe as you think


There's a great article from ZDNet written by Robin Harris outlining the disadvantages of the use of Cloud Storage for corporate data.

Here's a snippet of that article:
Serious cloud users know the vendor story: multiple datacenters, geographically distributed; advanced erasure coding that is better than RAID 6 (which I've discussed); multiple version retention; checksums to ensure data integrity; and synchronization across devices. What could possibly go wrong?

Plenty
As has been documented, client-side corruption is all too common, so the cloud will carefully preserve and spread corrupted data. If you crash during an upload the data may be inconsistent - but the cloud doesn't know that - or the cloud may fail to sync changed files.

Worse, clients cannot typically preserve dependencies between files since uploads are not point-in-time snapshots, creating unexpected and unwanted application (mis)behavior. A group of linked databases - say, between CRM, ERP and distribution systems - could end up inconsistent due to piecemeal uploads of changes at different times.

The basic issue is that the loose coupling between the local and cloud file systems leaves data less protected than users - or cloud vendors - like to admit. Like most problems it is fixable, once we admit we have a problem.

I draw your attention to the comments placed below the article:

Good work
'The Cloud' has got to be the biggest rip off ever. I can't wait to shout out 'told you so'. The sheep that can't think for themselves, the weak IT managers that should be standing up and fighting for security over keeping the ants happy, the moron media that write about Tech to look cool but actually know very little and have virtually no hands on experience. If you are a muppet, then get into 'The Cloud'. If you have no family and kids and are a Financial Controller or IT Manager then join the war on putting things right. I say no family or kids because you will be fired as soon as you stand up for all the things that are good and great about IT and humans. BYOD and 'The Cloud' is not one of them. Get your own datacentres, your own servers, 2 firewalls with DMZ and honeypots, forcefully educate your staff and your kids about security and being proud to protect data and systems. Hire security guards to pat down and forcefully remove all Tech from visitors to stop espionage and photography. Back up to tape drives, not someone's server who you don't know and have no clue where the data is. Are you thinking this is over-the-top? Oh no, this is the minimum you should be doing. But of course many of you will do nothing. Not until all your data is deleted or changed or corrupted or ransomed. Educate, educate, educate (and start with yourself).

User: philswift

My two cents worth:
Corporate organisations are inherently unsecure. Bad passwords, unrestricted use of portable storage (usb) devices, smart phone use as storage media, unpatched operating systems, out-dated anti-virus software, phishing emails, web-bots, trojans, and the list goes on. The common factor in all of this is humans. Your staff, to be precise, are usually there to do a job. Do they spare a thought about your data security? Some of them can barely speak English let alone type in a complicated password. But management insist they need to function using a computer in order to maintain the company's 'automation' goals.

So your board of directors say let's shift that to 'the cloud'. That way we can sleep peacefully at night and our data security becomes someone else's problem. If anything happens we can sue them. You may or may not be aware that the Target data breach happened because they out-sourced their Cooling and Lighting control of stores to a vendor that promised a saving in the electricity bill. The security breach came through that 3rd party vendor. The vendor had VPN access to the electrical control servers on the Target network. It is not clear how the vendor was hacked but someone got his VPN credentials.

Cloud vendors all promise that they all adhere to strict security protocols. How many of them use 3rd party vendors for their cooling and electricity supplies? How many of them outsource their security camera monitoring and alarm systems? Their door locks and swipe card systems? Their fire control and gas/sprinklers?

I once had contact with a company that used swipe cards on all their doors. It looks really impressive when their guests are shown around their operations. The whole system was run from an old Windows XP machine sitting in the server room. Access to that room needed a swipe. The XP machine didn't have a UPS. In the event of a power failure, the servers still ran for a short time, but not the XP machine. Everyone was locked out and the IT manager would not have had access to the server room to gracefully shut down the servers. What this illustrates is the need for management to show off their prowess of all things technical. It looks great from the outside, but it is a trembling house of cards waiting for a stiff breeze on the inside.

Now what guarantees do you have that your cloud provider is not the same? How many so-called cloud providers do actually have a data-centre? Most use 3rd party data-centres. And the list goes on. It's all smoke and mirrors.

So what's the solution? It's not easy but you need to divide your networks. Use tcp/ip the way it was intended. Educate your staff properly. Make use of the skills of penetration testers. Don't jump at all high tech solutions that may not be all that necessary to your business. Make use of a 'competitive advantage' strategy in IT. In other words don't do what your competition is doing. Do it differently. Use operating systems other than the industry standard Windows. Don't pay buckets of cash for off-the-shelf solutions when you can employ someone to write one specific to your organisation. All of these steps make it hard for a hacker to get to your data. 

Unfortunately it may be all too late for IT that has become entrenched in large corporations. It's possible that only the small startups will have their feet firmly planted on the ground after all the lessons learnt from 'big business' with their head in the clouds. The future is not that certain. The only certainty is change will take place.

Saturday, December 14, 2013

Sunday, December 8, 2013

Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet



The full Original Wired article is available here.

This is just a summary of that article:

In 2008, two security researchers at the DefCon hacker conference demonstrated a massive security vulnerability in the worldwide internet traffic-routing system — a vulnerability so severe that it could allow intelligence agencies, corporate spies or criminals to intercept massive amounts of data, or even tamper with it on the fly.

The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.

Now, five years later, this is exactly what has happened. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.

And this may not be the first time it has occurred — just the first time it got caught.

BGP hijacking happens in some form or fashion every day, but it’s usually unintentional — the result of a typo in a routing announcement or some other mistake. And when it does occur, it generally results in an outage, as the traffic being routed never reaches its destination. This was the case in 2008 when Pakistan Telecom inadvertently hijacked all of the world’s YouTube traffic when it attempted to prevent just Pakistan citizens from reaching video content the government deemed objectionable. The telecom and its upstream provider mistakenly advertised to routers around the world that it was the best route through which to send all YouTube traffic, and for nearly two hours browsers attempting to reach YouTube fell into a black hole in Pakistan until the problem was corrected.

In April 2010, another outage occurred when China Telecom distributed an erroneous announcement for more than 50,000 blocks of IP addresses, and within minutes some of the traffic destined for these domains got sucked into China Telecom’s network for 20 minutes. After analyzing the details, Renesys concluded that this incident, too, was likely a mistake.

But the incidents this year have all the characteristics of an intentional intercept, Renesys says.

BGP hijacking is an “exceedingly blunt instrument” to capture traffic, and is “about as subtle as a firecracker in a funeral home,” Renesys has noted in the past.

In all the years Renesys has been monitoring internet traffic, analysts had never seen anything that looked intentional before. Generally, Madory says, mistakes look clumsy and show obvious signs of being mistakes. They also generally last minutes, not days as these did, and they also generally do not result in traffic being re-routed to its legitimate destination, as occurred in these cases.

“To achieve this thing where you can get [hijacked] traffic back to its destination, . . . you have to craft your [BGP] messages in a way that you control how far it propagates or where it propagates,” he says. “And we can see these guys experiment over time, modifying different attributes to change the propagation until they’ve achieved the one that they want. We’ve never seen anything like that, that looks very deliberate where someone is tweaking the approach.”

As Renesys warned on its blog: “We believe that people are still attempting this because they believe (correctly, in most cases) that nobody is looking.”

Thursday, May 23, 2013

Malware fight goes public on the web

The original article by Ben Grubb (SMH) goes on to outline the numbers of Australian computer IP numbers that were found to be infected by bots and Trojan malware. For the lay-people... you are assigned an IP address when you access the internet via your ISP. Malware signatures can be detected by the 'packets' of information your computer sends and receives.

Please don't be fooled by tele-marketers telling you you are infected, you may be, but they only want remote access to your PC in order to plant malware of their choice, and to get you to pay them for it.



The Government would like the ISP to contact their users and offer assistance to remove the infection from the end user's PC. This however is a BIG ask and can be quite difficult.

The ACMA (Australian Communication and Media Authority) have published a page that outlines the statistics daily - click here for that page. The page details the total numbers and type of infection that it has detected.

I have listed the malware variants (outlined by ACMA) below:

1. Zeus targets Microsoft Windows machines. It does not work on Mac OS X, or Linux.
2. Conficker exploits the Windows Server Services.
3. IRCBot affects Microsoft Windows XP Professional SP2.
4. Ramnit only infects Windows. Mainly known for spreading via USB devices.
5. Mebroot infects all Windows O/S'.
6. Virut infects all Windows O/S'.
7. Rootkit TDSS infects all Windows O/S'.
8. Flashback is a virus that infects Apple's OSX.
9. Sality infects all Windows O/S' and spreads through Windows networks.
10. Slenfbot infects all Windows O/S'.
11. Festi infects all Windows O/S'.
12. Cutwail infects Windows XP, Vista and 7.
13. Kelihos infects all Windows O/S'.
14. Waledac infects all Windows O/S'.
15. Nitol Botnet, interestingly, came installed in Windows PCs manufactured in China. Meaning it was installed at the factory.
16. Spyeye infects all Windows O/S'.
17. Lethic infects all Windows O/S'.
18. Darkmailer infects all Windows O/S'.
19. Trojan Pony - Found inside Pirated Apple & Windows versions of Adobe Illustrator CS4.
20. Dorkbot infects all Windows O/S'.
21. Pushdo infects all Windows O/S'.

Only two are capable of infecting Apple Mac computers; the rest will infect all Windows operating systems. None quoted affect Linux.

Particularly interesting is that 'Nitol' came pre-installed on some PCs manufactured in China. Clearly this is a real worry. The other worry is that pirated versions of software from Adobe (Illustrator CS4) came with the trojan Pony. The CS series of Adobe products are so expensive ($1800 approx) that people without the ability to buy them were forced to install pirated versions. I prefer to encourage people to use 'Open Source' instead. A good example is Gimp. Possibly not as comprehensive as Illustrator but how much do you need... really.

Flashback uses a well known exploit. It tricks the user into thinking that it is a real Adobe Flash player and asks the user to authorise its installation. Seems Steve Jobs had good reason to disallow iPads from using flash. Unfortunately Flashback will infect Apple Macs.

So what do you do?

From my experience (if you are a Windows fan) you need to start from a clean operating system, installed from an 'original Microsoft' disc. Even if your PC is pre-installed... format it and install from the original disc. You will not have the 'Bloat-ware' installed by your PC manufacturer. You should also be able to install the appropriate drivers from the manufacturer's discs. If the manufacturer does not supply the discs, choose a different manufacturer's PC. Many of the cheaper Chinese PCs don't come with original discs. Stay away from those. Once you have a clean PC, install a good virus scanner. My choice would be Avast, available here for free.

If you already have a PC (or more), and want to use a cheap PC but also want to be safe... format them and install Linux instead. Linux Ubuntu is my choice but Linux Mint is also a favourite as it is the most similar to Windows XP in its interface. You will not require a drivers disc as they will sense your hardware and install the drivers automatically during the installation process. Both have support for all your Windows document/image/music/video formats and are the easiest to use for beginners. Both are also perfect for corporate desktop applications as they support Windows RDP sessions and VPN connections to Windows Servers.

Drop me a message on Google+ if you need help/advice.

Sunday, March 17, 2013

Why use OpenERP in your business

OpenERP is a full featured Open Source Enterprise Resource Planner for small to large organisations.
It is available online for a monthly fee or you can install it on your own server for FREE.

My choice would be to install it free. I have installed it on a Linux Ubuntu 12.04 workstation and can access it from any other workstation on my network regardless of operating system. The benefits are obvious.

The video below gives you an overview of the numerous features of OpenERP... enjoy!




Other videos from OpenERPConsulting are available here

Monday, March 4, 2013

My relationship with operating systems.


I started my computer career back in 1985. It was the age of main frames and CPM was in flavour. A couple of geeks (Bill and Chris) working in a garage in Seattle came up with a system to operate smaller computers. They called it DOS. In a few years it took over the world and it got me hooked too. They sold it to IBM who named it PC-DOS and it flourished. Bill & Chris changed its name to MS-DOS and Microsoft came to the fore.


At this time I began my career as a Database Developer. I used a RDBMS called Dataflex. And till this day find that Dataflex is better than sex. Only another Dataflex Developer will understand. I was introduced to Dataflex by a computer salesman who loaned me his Dataflex manual. I read it and found I understood it. Nobody else could? I did do 3 courses to learn Dataflex properly and within 3 months wrote a system to control a Travel Distribution company I worked for.
In the next few years the dudes at Xerox (correct me if I'm wrong) came up with something later called a GUI and also a mouse as Xerox was into document scanning/printing. Microsoft saw an opportunity and Windows was born. My acceptance to that technology was during the reign of Windows 2.0. Other versions of Windows were released and the best version for networks was Windows 3.11, which supported workgroups and networking. Do you remember 'ini' files. They rocked!


Around this time Viruses were born. I remember the Jerusalem DOS-based virus, then the Michelangelo Virus.


Years passed... the Internet came, Windows adapted. Bill even tried to compete with it and started a parallel network called the 'MSN' or Microsoft Network. It failed and was forced to infuse itself as part of the Internet. Netscape was the web browser you had to have to surf the world wide web.

In 1995 Bill released Windows 95. It was sexy, good looking and had great promise. It was a complete redesign of the Windows system. It had something called a 'Registry' and promised to encompass all those pesky 'ini' files. The masses cheered. Only thing was, when you looked at the registry it had more entries than the human brain had synapses. I was worried, and for good reason. Viruses had all this 'white noise' to hide in.


Time passed and 'NT' came. At first it was not considered as a replacement to other Server software but later was adopted by smaller companies. Windows 98, Windows ME, SE and then... Windows XP arguably the best and most utilised of all operating systems. Viruses flourished and they needed to be categorised as there were so many of them. Trojans, Worms, Bots, Malware, Adware. They all seemed to do the same thing. Make my life difficult.

I recall one time being called into the Microsoft head office in North Ryde, Sydney to offer my technical knowledge because my company was applying for a distribution job they advertised. They so proudly showed me their air-conditioned, glass walled, raised floor server room. I asked what OS do they run, NT? They blushed as they replied... Unix. They are connected to Seattle directly. Gosh. Why was I there... well... they had a call centre that took calls from consumers who were interested in their software. The call staff took a blank A4 envelope and wrote down the address of the caller and on the inside of the envelope flap wrote what product they were interested in. Ya know... Windows, Office, Publisher etc. They then placed the envelope in a tray and took the next call. Someone then came from the mailroom and collected all the envelopes, inserted the applicable brochures, sealed and posted the envelope. How many calls did they take, who called, what did they ask for? Nobody knew as they didn't record anything. Nothing...

This is from the people that created Access and Excel? I was shattered. I could have done that in a week. Automated everything for them and offer them a customised sort of CRM. We didn't get the job, possibly because our solution to them was too cheap. Those Managers are probably retired now but I think they lied on their resumes when getting their job.

My 4 daughters all had PCs running Windows and I soon was fed up with restoring their OS when they became infected. Steve Jobs was plugging Macs like crazy and they were all happy when I suggested they go Mac and not PC. Till this day they are all Apple users.

Windows Vista came and soured my fondness of computing. Windows 7 arrived and I was dismayed that it wasn't a whole new OS, but just Vista polished up. Everything was hidden but it essentially remained the same. I could have XP run with under 20 system processes. 7 had around 60 to 80 processes running and needed more and more memory and processor speed to run efficiently.


Around this time I started to notice other good lookers in computing. The old Unix system for servers had spawned an offspring... Linux. At first it was a character driven (Dos like) system, but later a GUI emerged. A friend of mine introduced me to Ubuntu. I was immediately attracted to this gorgeous system. I remember thinking about my first introduction to 95, only this was better, faster and crikey... stable.


I was intrigued, hooked, and explored like a cat in a new house. It had something called the 'software centre' which was like a catalogue of software tried and tested for that version. What's more all that software was free. Also I was completely taken aback by the fact I could now browse the internet without any fear of catching any pesky viruses. It was completely liberating.

I first put Ubuntu on my old Thinkpad laptop. Ubuntu sensed the hardware and immediately found that my old Thinkpad's scratch pad could tolerate multi-touch and enabled it. It was like having an iPad before they were invented. Windows on the other hand could only tolerate single-touch or edge-scrolling. What's more the old Thinkpad sped up like Lance Armstrong on steroids. Booted up in a flash, shut down in a flash and the 'suspend/hibernate' actually worked and didn't crash as in the case with Windows. I found that I could VPN and RDP into my work server just as if I was using Windows.

Ubuntu was now my secret 'mistress'. Don't tell the wife.


I kept my relationship with Windows alive as I was working in the IT department of the 2nd largest Privately owned Transport company in Australia. They were a Microsoft preferred organisation. However even my work PC was dual booted and I used Ubuntu first and Windows only if I really needed to. Slowly though I noticed I needed Windows less and less.

Everything I needed in a Windows system I found in Linux, with only one exception... iTunes. Apple as it seems, didn't want to bother creating a version of iTunes for Linux. Bad move Apple... I traded my iPhone for an Android. Again a breath of fresh air... instead of fussing with iTunes to update my music and ringtones... all I needed to do is drag and drop new music & video to and from the phone. No more 5 PC limitation in iTunes. FREEDOM was mine at last. It felt good... really, really good. No more rules to follow using proprietary software. No more worrying about registering a software license, looking over your shoulder in case Windows WPA itself detected you were using pirated software when in fact you weren't.

Windows is now my ex-wife. Although I still have my PCs dual booted, I can't remember the last time I needed Windows for anything. What's more I no longer need to buy software, it's all FREE.

Dataflex runs happily in Linux and the world is wonderful again.


Those of you that have done the Microsoft MCP, MCSE courses and have been told you need to do the refresher course for the newer OS or remove the letters from your business cards and letterheads will understand the costs involved. I am free from that.

My advice to anyone that is caught in a relationship that requires constant work to maintain... it's simply not worth it. It's time for a change. 

Sunday, February 17, 2013

Wednesday, February 13, 2013

Bad SSL Certificate errors whilst clearing mail

If you ever get a bad SSL certificate error in Outlook or Evolution mail, here's a clue for you.

Open Firefox and go to the server in question. Make sure the https://servername is in the address bar. So if it's the gmail server then log into your gmail account. If it's a local ISP then log into their web mail interface.

Find the locked padlock icon on the Firefox window and click it. Then navigate to view certificate. You will notice it will be a self-signed certificate. Find the option to export certificate and save it to a file.

Now open your email client and find the 'preferences' or 'options' page for certificates. You should find the option to import 'contact certificates'. Import the file you just saved.

That's it... you should not get this error.
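Importing a self-signed certificate tells the mail client to trust it from then on, so it is worth checking first that the exported file carries the fingerprint your mail provider gives you through another channel (phone, printed letter, support page). The script below is an added example, not part of the original post; it uses the `openssl` command line, and the host name, file names and "published" fingerprint are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
# Host name, file names and the "published" fingerprint are constructed.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
cert_fingerprint() {
    _line=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${_line#*=}"      # strip the "... Fingerprint=" label
}

# Succeed when issuer name == subject name: no certificate authority vouches
# for this certificate, so the name inside it proves nothing about its origin.
is_self_signed() {
    _s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    _i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$_s" = "$_i" ]
}

# Normalise a fingerprint so "ab:cd", "AB CD" and "abcd" compare equal.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# $1 = exported PEM file, $2 = fingerprint obtained out of band.
# Prints match / mismatch / unreadable; returns 0 only on match.
safe_to_import() {
    _actual=$(cert_fingerprint "$1") || { echo "unreadable"; return 2; }
    if [ "$(normalise_fp "$_actual")" = "$(normalise_fp "$2")" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# Create a throwaway self-signed certificate for the demonstration.
# $1 = output PEM file, $2 = common name to put in the certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Two certificates carry the same server name; only one has the fingerprint
# the provider published. The name alone cannot tell them apart.
demo() {
    _dir=$(mktemp -d) || return 1
    make_demo_cert "$_dir/provider.pem" mail.example.test
    make_demo_cert "$_dir/exported.pem" mail.example.test
    _published=$(cert_fingerprint "$_dir/provider.pem")
    for _f in provider exported; do
        is_self_signed "$_dir/$_f.pem" && _ss=yes || _ss=no
        echo "$_f.pem self-signed=$_ss verdict=$(safe_to_import "$_dir/$_f.pem" "$_published")"
    done
    rm -rf "$_dir"
}

demo
```

On a real system, replace the demo with `safe_to_import exported.pem "<fingerprint from your provider>"` and import the file into the mail client only when the verdict is `match`.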

Thursday, January 31, 2013

Everyone... EVERYONE needs to read this... take notes if you must

5 Security Holes Almost Everyone's Vulnerable To

Original article is here.



Problems with security seem to pop up all the time—from an easy to hack router to apps that leak your data into the world. Thankfully, it's pretty easy to protect yourself. Here's how to do it.

Unless you keep up to date on all the security news, it's easy to miss a bit here and there about what has been exploited and what hasn't. We're all vulnerable at some point, and if you haven't touched the settings on your computer since you took it out of the box, it might be time to take another look. Already know about these security holes and have them patched up? Good for you! Send this along to your friends who don't to help keep them safe.

UPnP Allows Access to Your Gear from Outside Sources


UPnP (Universal Plug and Play), a component meant to make devices like routers, printers, and media players easy to discover on a network, has been accused of having security holes for a long time, but this week the US Government suggested you disable it yet again. The most recent study suggests 40 million to 80 million network-enabled devices responded to discovery requests from the internet and are vulnerable to an attack that gives hackers access to webcams, printers, passwords, and more. This means routers and devices with the bug can be accessed from the internet to remotely screw with your system even if you don't have malware installed.

The good news is that most of the affected hardware is old, and the problem likely isn't as widespread as it seems. That said, in the case of most devices, you can turn UPnP off in the settings (look in your manual for directions). The UPnP setting on your router doesn't have anything to do with the protocol that lets you stream media over a network, print from inside the network, or anything similar. Turning it off on the router level only blocks you from controlling these devices over the internet, which most people don't need to do.

To turn it off on a router level, you pop into the admin page and disable UPnP. If you want to check your hardware, security site Rapid7 has made a tool to scan devices on your network.

As far as security risks go, this one's easy to fix and it's not going to affect a lot of people these days. The rest of these are much worse.


WEP/WPA Passwords on Your Router Are Easy to Crack



Chances are that your router is using either a WPA (Wi-Fi Protected Access) password or a WEP (Wired Equivalent Privacy) password. Unfortunately, it's pretty simple to crack both a Wi-Fi network's WPA password and a WEP password.

These two vulnerabilities exist for different reasons. In the case of WEP, it's as simple as cracking the password with an automated encryption program (and a lot of time), while in WPA, it's more about a vulnerability in WPS (Wi-Fi Protected Setup) on certain routers. This can be corrected by turning WPS off. If you can't turn WPS off, you can install DD-WRT or Tomato so you can. DD-WRT should add a nice security layer to your home network.


Browsing Without HTTPS Leaves You Vulnerable to Snoopers



HTTP Secure is the protocol used to secure everything that you send online that's important. This includes your bank information, social networks, and just about everything else that needs security. For your home network, you can simply install the HTTPS browser extension that ensures you'll always use the secure version of a site so your data doesn't fall into the wrong hands. Without HTTPS, your personal data is far more likely to fall through a security hole and into the hands of some nefarious person.

While it's important to use HTTPS at home, it's far more important to always use it on public Wi-Fi. At places like hotels, airports, or libraries, someone is probably snooping out your passwords. Your best solution for public Wi-Fi is to use a VPN (virtual private network) to route your traffic safely and securely.


All the Apps, Software, and Websites You Use Might Accidentally Leak Data



It happens time and time again. A hacker finds an exploit, and suddenly all your favorite software and web sites are vulnerable to people snagging your passwords. This might make your entire system insecure, give your passwords away, or leak personal data like your name and address. This happens with Java constantly, but it has happened to pretty much everyone at some point, including: Mega, Google Wallet, Apple, Skype, Path, Zappos, LinkedIn, and Facebook.

First off, you need to keep your software up to date. This means both your operating system and your mobile software. Generally, when your data is leaked, someone notices, and the software is patched up right away.

It's not exactly the perfect solution, but since the security holes are on the service or software side, it's all you can do. That said, make sure you have two-factor authentication enabled where you can, use a different password for every site, and use a password system like LastPass to ensure your leaked data doesn't reveal enough information to get your login information for another service.

Strong Passwords Aren't Enough to Protect Against Everything


When it boils down to it, a good password only gets you so far. Certain security holes, like social engineering hacks, can happen when a skilled hacker bypasses technical protections (like a strong password) to get the information they want from talking to a person—no "real" hacking is required. It's exactly what happened last year when the Apple and Amazon exploits were uncovered in Mat Honan's hack.

In short, people are one of the biggest security holes in the larger chain. Hackers can use psychological tricks to get your information, they might pose as someone important, as a Facebook friend, or even as you when talking with customer support. With a little information, they can then gain access to your account. If that account uses the same password as everywhere else, they essentially get access to everything you do. Thankfully, you can protect yourself with a few simple tips.
The main goal is to make sure you don't have all your eggs in one basket. That means if someone gets one password to one site, they can't get in elsewhere. So, never use the same password more than once, use two-factor authentication, get creative with your security questions, and monitor your accounts.

Plugging up these security holes isn't exactly a fun way to spend an afternoon, but it's certainly more entertaining than waking up one morning to find someone has stolen your identity. It's also a pretty easy process, and once you're set up you don't need to do much else.

Wednesday, January 30, 2013

Security fears over exposure of web-accessible printers

The page where you can upload a document to the printer on one of the exposed HP printers.
Google is exposing thousands of Hewlett-Packard printers that aren't password protected, allowing anyone to control and manage them remotely and print reams of documents.
Many of the printers are at universities, including a number in Australia.
British blogger Adam Howard first highlighted the exposure in a post titled “Google has indexed thousands of publicly accessible printers” on his Port3000 blog.


An exposed printer's usage page.
Mr Howard points out that a well-crafted Google search returns about 86,800 results for publicly accessible HP printers.

Surprisingly, many of the printers aren't protected by a password, meaning anyone can upload a document to them via a web interface and print it remotely.
When accessed remotely without a password, the printers display an array of information such as how much ink or toner they have left in them, how many pages they have printed in their lifetime and how many paper jams they have had. They also display the names of documents printed to them, which could potentially contain personally identifiable information.

The exposure mainly affects large organisations whose IT staff fail to enable a password on printers when telling their routers to allow inbound connections so that staff can print from one office to another.
Mr Howard wrote on Port3000: “There's something interesting about being able to print to a random location around the world, with no idea of the consequence.”
After revealing the exposed printers, he warned: “Lock down your printer :).”

Mr Howard added that there were other, more serious, security concerns with the printers being exposed, as many models “have known exploits which can be used as an entry point to a private network”.

A Fairfax Media Google search on Monday of exposed printers in Australia revealed that the University of Melbourne, University of New South Wales, University of Queensland, University of Wollongong, La Trobe University and the University of Sydney all had printers accessible remotely via the web that could be used by anyone.

The University of Melbourne appeared to have the most publicly accessible printers, with 26 able to be accessed without a password.

John DuBois, director of communications at the University of Melbourne, said the university was aware of access issues with some of its printers, which are locally and externally managed.
Mr DuBois said they were set-up incorrectly.
"We are already implementing substantial network improvements which should prevent any unauthorised external access," he said.

In total, about 44 HP printers in Australia (mostly at universities) were found using Google.
University of Wollongong's deputy director of Information Technology Services, Daniel Saffioti, thanked Fairfax for letting the university know about an unprotected printer it used.
"We have looked into the matter and are rectifying the issue as a matter of urgency," Mr Saffioti said.
Rob Moffatt, director Information Technology Services at the University of Queensland said an insecure printer on its network was located in an independently owned and operated child care centre within university grounds.
"While someone could possibly change settings remotely, causing the device to malfunction, only limited information can be extracted from the device," Mr Moffatt said.
"We will, however, recommend as an extra precaution that this device be password protected."

A University of New South Wales spokeswoman said three printers within its networks had been identified as being insecure.
"...Appropriate steps will be taken to ensure access is secure," the spokeswoman said.
"The university currently has a program in place to consolidate and secure UNSW printers."
Ged Doyle, chief information officer at La Trobe University, advised there were "several very old printers from years ago" on its network with no password. "These were rectified immediately," Mr Doyle said. "The standard process for network connected devices now deployed at La Trobe, which was not in place years ago when these old printers were installed, overcomes this type of issue."
Comment is being sought from the University of Sydney, as well as from Google.
Printers at the Massachusetts Institute of Technology, University of Gothenburg in Sweden and University of Freiburg in Germany were also found to be exposed.
Even the United Nations Development Programme had a vulnerable printer.
“All it takes is one malicious script written by a clever hacker and you'll be replacing the paper tray every five minutes, and using up the toner supplies faster than you've ever known,” wrote Zack Whittaker for tech website ZDNet's Zero Day blog.
“Perhaps more worryingly, many of these printers do not have passwords enabled and can be directly accessed from outside their company's firewall.”
Tech website Gizmodo said the unprotected printers could be used to play pranks on the organisations that used them, and added that it had conducted two pranks itself.
“Send the University of Cambridge a hard copy of a Rihanna cover. (We actually did this, and it worked),” wrote Gizmodo writer Leslie Horn. “Congrats, random Chinese IP address, you just got bombed with 50 copies of a report I once did on War and Peace.”
In a statement, HP said it encouraged customers to protect their printers with safeguards by placing them within a firewall and providing network credentials only to trusted parties.
"By following the HP recommended security features, printers should not be accessible to the public via the internet."
James Turner, an analyst at IBRS in Australia who specialises in information security, said the exposure of printers without passwords on the internet was “just one facet of where someone decided that it was better for the printers to be easily accessible, than to be secure”.
“This is the ongoing challenge of the internet. Devices that are intended for easy access on smaller networks can take on new dimensions when plugged into the internet,” he said.
“This issue with printers is similar, though on a much smaller scale, to the challenge that industry has had with [industrial control systems] being connected to the internet.”
Mr Turner suggested pranksters would be the main people taking advantage of the issue, but said more malicious uses of the security gap were no doubt being thought of.
“Passwords are a nuisance to usability, but we don't have better options that are less intrusive while also providing equivalent confidentiality,” Mr Turner said.
Paul Ducklin, of security firm Sophos in Australia, said: “You'd think we would have learnt by now. It was over 10 years ago that we first got a wake-up call about printers accessible on networks where they shouldn't be.”
Mr Ducklin was referring to the “Bugbear” virus, which was widespread at the end of 2002.
One of the things the virus would do was copy itself anywhere on a network it could find, including to printers, which resulted in them printing a lot of gobbledegook.
He said IT people learned quickly back then that they should put passwords on printers.
“Printing other people's viral garbage wasn't just a security risk, it cost real money in wasted paper and toner,” Mr Ducklin said. “Coming in on Monday morning to an empty paper feed and 2000 pages of hexadecimal drivel in the output tray focused the mind of many a bean-counter.”
He added that there was a security risk implicit in letting untrusted outsiders connect to internal devices.
“Printers these days have their own [operating system], network stack and often rather powerful firmware,” he said. “A lot could go wrong. Secondly, it's resource mismanagement, plain and simple. You don't let outsiders randomly and remotely turn on taps in the bathroom to waste water they can't even see, let alone wash with. So why let them send print jobs they will never read or even collect?”

Read more: http://www.smh.com.au/it-pro/security-it/security-fears-over-exposure-of-webaccessible-printers-20130129-2dhxo.html#ixzz2JOFRSeor

Internet founder claims governments can't be trusted with data


Australian Broadcasting Corporation
Broadcast: 29/01/2013
Reporter: John Stewart
One of the founders of the internet, Tim Berners-Lee, has attacked a proposal to store all Australians' internet data use, warning it could be misused and governments can't be trusted to keep the information secret.

Transcript

EMMA ALBERICI, PRESENTER: One of the founders of the internet, British computer scientist Sir Tim Berners-Lee, has attacked a proposal to store all Australians' internet data use for two years. The proposal is being considered by a joint parliamentary committee and would require internet service providers to keep a log of individual internet data. Sir Tim Berners-Lee says the information could be leaked or misused and governments cannot be trusted to keep it secret. John Stewart reports.

JOHN STEWART, REPORTER: The first internet was developed by the US military during the Cold War to protect their communication systems from a nuclear strike.

20 years later, Sir Tim Berners-Lee took the next step, helping to develop the worldwide web. The British computer scientist wants governments around the world to resist the temptation to spy on people and says that a proposal being considered by the Australian Government to log individual internet data use for up to two years will have little impact on criminals.

TIM BERNERS-LEE, COMPUTER SCIENTIST: If you do snoop on people, if you record, for example, the websites that somebody visits then you're not gonna get the criminals because they are gonna go through - they're gonna use Tor or they're gonna go through some intermediate nodes. They're gonna go to some trouble in order to just obscure it.

JOHN STEWART: Sir Tim Berners-Lee argues that if internet users believe the Government is recording their web history, they'll stop using it and limit the flow of valuable information.

TIM BERNERS-LEE: You will produce a world in which a teenager who really needs to go to an online forum to compare - to get some professional advice or really needs to know whether or not they're suffering from a given disease or wants to understand something about sexuality, medicine, growing up and realises that if they click they will be branded for the next two years as having gone to that site.

JOHN STEWART: He also says storing individual data logs is tricky and governments cannot guarantee that systems won't be hacked.

TIM BERNERS-LEE: That information is so dangerous. You have to think about it as dynamite. You have to think about if it gets away, what you've done is you've prepared a dossier on every person in the country which will allow them, if that dossier's stolen, to be blackmailed. Maybe you have every member of the Australian military will have this little dossier which will allow a foreign power to exert a huge amount of pressure on them.

JOHN STEWART: A spokesperson for the Attorney-General's Department says the Government has not made any decision about whether or not Australia should have a data retention regime and "The parliamentary committee has been asked to consider the concept of data retention in relation to non-content telecommunications information, which plays critical roles in police investigations. ... Metadata does not include the content of communications, only features such as dates and I.P. addresses assigned to a user that can be helpful for police and national security investigations."

Sir Tim Berners-Lee was speaking at the launch of the CSIRO's $40 million strategy to make better use of the National Broadband Network and increase online services in health, education and business.

STEPHEN CONROY, COMMUNICATIONS MINISTER: With services making up more than 70 per cent of our GDP, this flagship will be pivotal in addressing productivity.

JOHN STEWART: Sir Tim Berners-Lee welcomed the new CSIRO funding and called for governments around the world to make more information public and improve internet access for all.

John Stewart, Lateline. 

Monday, January 14, 2013

Five Best Desktop Media Servers




Getting your music and movies from one computer to another computer across the house or across the world has never been easier. There are tons of apps designed to make the process simple and painless so you can watch movies on your smartphone when you're out, or just listen to the music on your desktop downstairs in your upstairs bedroom. This week we asked you to name some of those great apps, and here are five of the best based on those nominations.

Earlier in the week, you told us which apps you thought were the best desktop media servers. We tallied up your nominations and picked out the top five based on the number of votes. The vast majority of you centered on a select few, but there are more options than we could possibly highlight here. Here are your five favorites:

Plex (Windows/Mac/Linux)

We expected Plex to get some love in the nominations, but we didn't expect it to be as overwhelming as it was. It's true, Plex is a stellar media server and media center application, with mobile apps that let you take your music and movies with you on virtually any mobile device or operating system without worrying whether that system can play them. Plex transcodes on the fly, automatically adjusts its performance and quality for available bandwidth, and is a snap to set up. It works just as well locally on your home network as it does with your mobile device when you're out and about on 3G or 4G. If you have a supported set-top box, it's even easier. The desktop app is free, the mobile apps are $5, and the MyPlex media center hub gives you control over your files on the go.

PS3 Media Server (Windows/Mac/Linux)

The PS3 Media Server started out as a project to just transcode and stream media from a computer to a PS3 somewhere on your home network, but it's grown to be much more than that. The app is DLNA compliant, so it supports just about any device on your home network that's DLNA or UPnP compatible, and it doesn't take a ton of configuration to do it. You'll need to do some heavy lifting with port forwarding and dynamic addressing to get access to your media outside of your home network with a DLNA-compatible device, but we've shown you how to do that before. While the app is PS3-centric, it also supports a number of Smart TVs natively, can pass media through VLC (so if you're playing internet radio or streaming TV on your computer, you can send it through to the PS3), and even supports browsing Flickr and Picasa photos, mounting ISOs as DVDs, and tons of file formats. It's completely free.

Subsonic (Windows/Mac/Linux)

Subsonic has been around for a long time, but it's still an excellent option. It's most often used for music, but it also supports video. As long as the video format you have supports streaming over HTTP, Subsonic can show it to you on almost any device. After you get it running on your home network, Subsonic can also be configured to allow remote access to your media, so you can enjoy it on your mobile device or sitting at a laptop far away from your media collection. Subsonic also supports a number of set-top boxes, and can manage podcasts. It even has a handy web UI to manage your server from abroad. All of those features are more setup-intensive than some of the other contenders, but it's free, open source, and even the mobile apps are free to download. Keep in mind though: If you want to use Subsonic's advanced features, and you want to use it in conjunction with the mobile apps for longer than the 14-day free trial, you'll need to cough up at least a $15 donation to the project.

Serviio (Windows/Mac/Linux)

Serviio is a contender we weren't terribly familiar with until those of you who nominated it raved about it. Not only does Serviio stream across your home network to connected TVs from a variety of manufacturers, it also supports Blu-ray players, set-top boxes, and the PS3 and Xbox 360. It's also DLNA compliant, so it works seamlessly with supported devices on the same network, but it doesn't stop there. Serviio transcodes video and audio on the fly in both standard and high definition, can stream from online sources, live TV streams, RSS feeds, and more, and can be configured to stream to the internet—assuming you're using the supported web-based media player or the Serviio Android app. There are community-contributed apps for Windows Phone and Android as well, but they're mobile consoles for the Serviio server application running back home. Serviio is free, but if you want to continue using the web player or access your content when you're off of your home network, you'll need to pony up $25 for a Pro license.

PlayOn (Windows)
PlayOn is a simpler take on a media server that focuses on two things: the media you already own, and web-based television from streaming services like Hulu, Netflix, Amazon Video On-Demand, ESPN, CNN, NBC, and many others. PlayOn supports streaming from the server app to any DLNA-compliant TV, set-top box, or game console. There are apps for iOS and Android that allow you to enjoy your media on Wi-Fi or 3G/4G, once paired with your computer. PlayOn doesn't transcode or offer remote management features—as long as the app is running and your computer isn't sleeping, it works. Its biggest benefit is access to web-only programming. You can download and try PlayOn for free, but if you want access to all channels and features, you'll need to pay $90 (currently on sale for $40) for a Lifetime license. If you want PlayOn's new "PlayLater" DVR/recording service, you'll need to cough up $129 (currently $60). It's pricey, but it needs minimal configuration and is supported by a company, so you have someone to call if you need help.


Click here for the original article