Firesheep by Eric Butler has just been released to the world. This Firefox plugin does a few things that have already been fairly easy to do for a while, but rolled up in one easy to use package:

1. Sniffs data on unencrypted Wireless Networks
2. Looks for unencrypted login cookies sent to known popular insecure sites
3. Allows you to login to that account with ‘One Click’

So what sites are impacted by default? Amazon.com, Basecamp, bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Github, Google, HackerNews, Harvest, Windows Live, NY Times, Pivotal Tracker, Slicehost, tumblr, Twitter, WordPress, Yahoo, and Yelp are among the few. A plugin system allows anyone to add their own sites (and cookie styles) to the plugin.

Yikes! It goes without saying that this is a major security problem for anyone who uses unencrypted wireless networks. Includes on this list are many universities and companies such as Starbucks.

I’m not trying to say I had anything to do with Google adding two-factor authentication to Google Apps. I’m really not. But on September 9th, MakeUseOf published an article named How To Secure Your Google Apps Account with Two Factor Authentication. In this article, I wrote: All of this brings up the question: why doesn’t […]

Currently I am in the Computer Science Master’s Program at West Chester University and I am focusing my research on Location Based Updates in Social Media and their societal and security implications. So you can say I think about this topic more than most normal people do.

FourSquare is a growing service that allows you to “Check in” to restaurants, grocery stores, museums and just about any place you can imagine. However, I have seen several of my friends checking in to locations which, I must say as a security research student, set off warning bells. Although I am calling out FourSquare specifically, these also apply to just about any other location based software where you broadcast your location to other folks, whether they are your friends or the general public. GoWalla and BrightKite are in the same boat.

Without further ado… here is my list of top FourSquare Security Faux Pas (after the break…)

There have been a number of high profile account compromises due to the insecurity of password reset questions. Examples of two big ones off the top of my head are Sarah Palin Yahoo account compromise and the Twitter “Hacker Croll” fiasco. There have been many more compromises on accounts due to weaknesses in password reset questions, even […]

Have you ever come across a server that is doing a lot of traffic? Maybe you have logged in to see a process running at 100% CPU, so you know the culprit, but instead of kill -9ing it, wouldn’t it be great to see what exactly it is up to? Or even if you see […]

I presented this paper to my class on March 17th, 2009. Hybrid Stealthy Networks – Paper Presentation Original paper: Hybrid Stealthy Communication Protocol (I got a 25/25!)

The Remote Desktop connection settings for Windows Server 2008, and I believe Windows Vista, includes 3 levels of service: Don’t allow connections to this computer Allow connections from computers running any version of Remote Desktop (less secure) Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure) At first blush, you […]

Real Security is knowing when you’re being bamboozled.

I have a new post up on Makeuseof, regarding Firefox Addons for Privacy and Security. Maybe you won’t use all of them but even installing some of them (NoScript in particular) can really lower your chances of getting hit with a javascript exploit.

As soon as I heard PayPal would be offering a $5 Security Key for additional security while logging in, I jumped on it. A few days later, it arrived in the mail. It’s a great idea, but I decided that carrying a little secure key that generates special numbers for the 3 times a month […]