Blogs

Insecurity of Signature Images on the Web

Someone recently asked about the security of a signature image on their web page. They wondered whether they should remove it, or whether there was some way to keep it from being downloaded, spidered, or cached by search engines. While I can understand the desire to give a web page a personal touch, I wouldn't publish an image of my signature. That being said, here's some analysis.

I assume we all agree that there is no reliable way to keep a publicly viewable web image of anything, including a signature, from being viewed, downloaded, cached, reused, etc. If you disagree, consider that you're not trying to hide it from search engines; you're trying to hide it from people, unscrupulous people specifically. How can you make it public while at the same time hiding it from people with questionable intentions? My web-enabled mind-reading system is not finished yet; is yours?

Death to the Secret Question

In The curse of the secret question, Bruce Schneier explains why security questions are so inadequate. Schneier and I share the view that the security question is essentially a second password that serves as an alternate login mechanism. Since most people answer these questions truthfully, the accounts these questions are supposed to protect are only as safe as the answers provided. Adding more security questions does little to solve the problem.

Consider this: you are asked to choose one of the "secret questions" and to provide an answer. The questions are:
  1. What is your dog's name?
  2. What was your first phone number?
  3. What color was your first house?
  4. What was the name of the street you lived on when you were 10?

You choose number 2, "What was your first phone number?", and you answer truthfully: 321-555-1212. Is that really as secure as your password? (You have good password management practices, right?) No, it's not as secure, because that phone number was known to everyone else who lived in the house, and everyone who called it knew it too. Worse yet, it's still your phone number, because you haven't moved out yet!

Email is insecure but it doesn't have to be

Perhaps you've heard that e-mail is insecure. Do you know why it is considered insecure? Do you know how to secure your e-mail?

Many of the protocols involved in sending and receiving e-mail are not considered secure, in the sense that they are vulnerable to eavesdropping. For instance, Simple Mail Transfer Protocol (SMTP), the protocol used to route e-mail around the Internet, is typically implemented without any transport encryption. This means that unencrypted e-mail messages are viewable by anyone with the tools to eavesdrop on the network connections between mail servers. Post Office Protocol (POP) and Internet Message Access Protocol (IMAP), when implemented without transport encryption, suffer from the same eavesdropping problems as SMTP. Even when SMTP is implemented with transport encryption, it does not, by default, require authentication of message senders, so mail servers cannot be sure that the senders of messages are really who they claim to be. And although POP and IMAP require users to authenticate themselves, messages are still sent and delivered using SMTP. The result is a situation where the recipient of an e-mail message can be positively identified but the sender cannot.
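One way to see the hop-by-hop eavesdropping exposure described above is to read the Received: headers that each relay prepends to a message. The following is an added example, not code from the original post. It assumes relays follow RFC 3848 and write "with ESMTPS" when the hop used TLS and "with ESMTPSA" when the hop was both encrypted and authenticated (plus the UTF8SMTP* variants from RFC 6531); a plain "with ESMTP" or "with SMTP" means the hop was in the clear. The sample message and its host names are constructed.

```python
"""Audit Received: headers to find which SMTP hops ran without transport
encryption.  Added example; not part of the original blog post."""
import email
import re

# RFC 3848 / RFC 6531 "with" keywords.  Anything else (SMTP, ESMTP, ...)
# is treated as an unencrypted hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
AUTH_KEYWORDS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}

# Constructed sample: three hops, the middle one relayed in the clear.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
    by mail.example.org with ESMTPS id abc123
    for <alice@example.org>; Mon, 07 Mar 2005 10:02:11 -0500
Received: from relay.example.com (relay.example.com [198.51.100.5])
    by mx2.example.net with ESMTP id def456;
    Mon, 07 Mar 2005 10:02:09 -0500
Received: from [10.0.0.7] (unknown [203.0.113.9])
    by relay.example.com with ESMTPSA id ghi789;
    Mon, 07 Mar 2005 10:02:05 -0500
From: bob@example.com
To: alice@example.org
Subject: test

hello
"""


def parse_hop(received: str) -> dict:
    """Extract the from/by/with clauses of one Received: header."""
    text = " ".join(received.split())  # unfold continuation lines
    m_from = re.search(r"\bfrom\s+(\S+)", text)
    m_by = re.search(r"\bby\s+(\S+)", text)
    m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
    proto = m_with.group(1).upper() if m_with else None
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "with": proto,
        "encrypted": proto in TLS_KEYWORDS,
        "authenticated": proto in AUTH_KEYWORDS,
    }


def audit_hops(raw_message: str) -> list:
    """Return one record per hop, in delivery order (oldest hop first)."""
    msg = email.message_from_string(raw_message)
    # Each relay prepends its Received: header, so the first header listed
    # is the most recent hop; reverse to read the path as the mail travelled.
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def cleartext_hops(raw_message: str) -> list:
    """Hops where the message crossed the network without TLS."""
    return [h for h in audit_hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        state = "TLS" if hop["encrypted"] else "CLEARTEXT"
        auth = " (sender authenticated)" if hop["authenticated"] else ""
        print(f"{hop['from']} -> {hop['by']} via {hop['with']}: {state}{auth}")
```

Note what the report does and does not tell you: a TLS keyword shows that a hop was protected from eavesdroppers on the wire, but only the first hop, where the submitting client authenticated (ESMTPSA), says anything about who handed the message in. Every later hop simply trusted the previous relay's claim, which is the sender-identity gap the paragraph describes. Received: headers are also written by the relays themselves, so the ones added before the message reached your own servers should be treated as informational rather than authoritative.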

SpoofStick helps users defend against IDN vulnerability

CoreStreet recently released an updated version of its SpoofStick product, which helps address the recently discovered IDN vulnerability in today's major browsers.

SpoofStick is freely available for both Microsoft's Internet Explorer on Windows 2000 or XP and Mozilla's Firefox browser on all platforms.

Sending Cache-control Headers Using Apache's header module

NOTE: If you're using Apache 2.x, go here.

I manage a fair number of Apache 1.3.x web servers, most of which are used for virtual hosting. After reading an article by Jeff Fulmer in SysAdmin Magazine entitled "Save Bandwidth and Increase Performance with Cache-control Response Headers", I decided to configure my Apache servers to use mod_headers to send the Cache-Control header for graphics files.
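The following configuration fragment is an added example of the setup just described, not the post's own configuration. It assumes an Apache 1.3 build with mod_headers loaded as a DSO from the libexec/ directory (adjust the path to your install, or drop the LoadModule/AddModule lines if the module is compiled in) and a seven-day lifetime for static graphics.

```apache
# Added example; not the original post's configuration.
# Load mod_headers (Apache 1.3 DSO style; path is an assumption).
LoadModule headers_module libexec/mod_headers.so
AddModule mod_headers.c

# Let browsers and shared proxies reuse static graphics for seven days
# (604800 seconds) instead of re-requesting them on every page view.
# Matching on file extension keeps the header away from dynamic pages.
<FilesMatch "\.(gif|jpe?g|png|ico)$">
    Header set Cache-Control "public, max-age=604800"
</FilesMatch>
```

The "public" token tells shared caches (ISP and corporate proxies) that they may store the response, so keep the FilesMatch pattern limited to content that really is the same for every visitor. Anything served only after a login, or that varies per user, needs a restrictive Cache-Control value instead, otherwise a proxy could hand one user's copy to the next. After restarting Apache, confirm the header is present on an image request and absent on an HTML page before trusting the change across all your virtual hosts.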

Countermeasures for Identity Theft from Frank W. Abagnale

An article by Frank W. Abagnale, the lecturer and consultant, entitled 14 tips to avoid identity theft, details some good advice for protecting your identity.

Abagnale's tips:

1. Guard your Social Security number. It is the key to your credit report and banking accounts and is the prime target of criminals.

2. Monitor your credit report. It contains your SSN, present and prior employers, a listing of all account numbers, including those that have been closed, and your overall credit score. After applying for a loan, credit card, rental or anything else that requires a credit report, request that your SSN on the application be truncated or completely obliterated and your original credit report be shredded before your eyes or returned to you once a decision has been made. A lender or rental manager needs to retain only your name and credit score to justify a decision.

Password management

Many people need to create accounts for different things: accounts for buying things, accounts for viewing things, accounts for participating in things. Then there are all the accounts they need for things like e-mail, terminal logins, etc.