The DEF CON conference, a meeting ground for hackers and those who want to learn what they are up to, was held last week in Vegas. There were some interesting topics and tips for cyber security I thought you might be interested in. So here is the abbreviated highlight reel.
- There are folks who make a living watching Internet traffic over wireless networks (like at Starbucks, McDonalds, etc.). In a demonstration at DEF CON it was easy to see unencrypted passwords and user names fly across the connection. Therefore, please consider scrambling your Internet connection when using public Wi-FI networks. There are free services that provide this capability (if you scramble on one end you must descramble on the other so it not just something you put on your laptop).
- In the same category, make sure you have strong passwords on ALL your mobile devices. Don’t send passwords “in the clear,” make sure they are encrypted.
- Type in “https” instead of “http” in your browser bar. That puts you on a more secure version of many major websites. This works if you’re talking to web site that support SSL/TLS.
- Credit cards that use quick-swipe technology (think Mobil Speedpass) can be read while they are still in your wallet by evil doers’. Someone with an RFID reader and a proper antenna in their backpack could swipe your credit card info by simply walking right by you.
- Naughty hackers can install their own cell phone towers to intercept your calls (and text messages) before passing them on to the real mobile carrier. These “man-in-the-middle attacks,” let hackers eavesdrop, but they can also alter your text messages, without your knowledge.
- Don’t accept USB devices as gifts unless you know the person very well. It could be a Trojan Horse laden with malware to gain entry into your computer and company network.
- Your hotel key card can be scanned by touch, so keep it deep in your wallet. Another common issue is the hotel key can get erased by other magnetic strip cards (credit cards) in your wallet or the other way around. In this case you may not want to put the key in your wallet at all.
- Tavis Ormandy, who works as a researcher for Google, picked apart Sophos Antivirus software and found it lacking in several areas that leave it vulnerable to attack or circumvention – something he says might apply to other antivirus vendors’ products as well, but he just hasn’t looked. He reverse engineered the product and found, among other things: the key used to encrypt some data is stored with the data, making it relatively easy to decrypt; its buffer overflow protection only works on Windows platforms prior to Vista; the signatures Sophos selects to identify viruses are weak and can be generated independent of Sophos, making it possible to flood users with false positives.
Well, there were more than 8 “hacker secrets” but this was about as much as I could handle before running to make sure by credit card hadn’t been poached.