Filtered Geek

Recently Hotmail has had a security breach, that has now spread to over 30,000 Gmail and Yahoo mail account (further reading here). Email is such a wonderful thing to have, but it is also one of the more dangerous areas of the internet. Keeping safe is not just large company's problems, it is your's as well.

What Is Social Engineering?

Social Engineering  isn't new, in simple terms, social engineering is the act of convincing someone to do something that they do not realize is wrong. Trying to trick someone to do something has been around probably as long as humans have began to socialize. Deception is key, gain someone's trust (or apparent trust) and you would be surprised what they will do for you.

Social engineering is basically, getting what you want from someone else. Ever convince a friend to come to the movies, when they already had plans? Got that cashier to believe you didn't wear those shoes before returning them, even if you wore them dancing the night before. All can be classified as social engineering.

Social Engineering and Computers

Well now that you understand at least at a high level what social engineering is, start to think of what can happen in the world of technology. The Filtered Geek has at least three books on his book shelf (A good one - The Art Of Deception), that talks about computer horror stories with company's, all stemming from social engineering. A quick example; ever been sitting at your desk and get a phone call from the IT department? Was it the IT department? hopefully yes, but there are documented cases where a rather smart fella, has posed as employees and gained the trust of people. Once the person has the trust, you would be surprised what someone will tell someone. Just imagine this IT guy telling you his sad story, about how the boss needs software audits to be done by closing, and he is falling way behind, but if you could only help him out he would be most grateful. You feel sorry for the fellow employee, and you help him out by giving him some information about your computer, maybe even your login, because he's IT.

Woah, Wait a Second

How can you be SURE he is IT? Exactly! this isn't the only way social engineering can occur, but bear in mind if you are a victim of it, you probably don't even know it!

So what about those emails you get from places like PayPal, or your bank.

THE NUMBER 1 RULE OF SECURITY IS TRUST NO ONE

If you ever get a unsolicited email from anyplace that holds value, like banks, auction sites, anywhere that has your personal information, be VERY weary of it. When in doubt open your browser window, and manually go to the site, login, and try to confirm the information. Links in email can take you ANYWHERE, and it takes about 5 minutes of skill to spoof an email, and not much longer to type a fairly convincing one up. A hacker would love to convince you (social engineering) to click a link in a fake email, and get your password, while you don't even know you have been duped!

Microsoft has a useful site that also outlines some ways to keep you safe from these tactics online

Filtering The Filter

• Be very weary people claiming to be someone, especially when you can not confirm it.
• Don't click links in email and login. Go the site on your own and login
• Trust is what social engineers prey on, watch who you give it to.
• DON'T CLICK ON LINKS IN EMAIL

What's VLC and why should I care?

VLC is a open source media player that has been in development for around 10 years now. It has been a popular media player in the tech communitys because of its small file size, open source code base, and ability to play just about any file type you can throw at it.

All Files You Say? Even DVDs, Quicktime, and other formats?

You bet! No matter what you need to play VLC will most likely play it. Pop a DVD into your computer, voila! VLC will play it no problem! Found a embedded QuickTime movie in a website and you don't have QuickTime installed... VLC will play it with a simple browser plugin. A handy feature that you may not even know about is the ability to play incomplete downloads... yes, you can be downloading a large movie file, and you can watch the piece you have currently finished.

Got Mac? No Problem!

VLC even works on Mac. Being a open source project has its perks, VLC has been ported to more OS's than you probably thought existed.

But Wait Theres More!

The feature list is almost to exhaustive to print in one article. Checking out the features page on the site will list out more features than you probably ever need. You can check out the features page, but here is a good rundown of the files you can play (and mostly likely will encounter)

• DVD
• MPEG 1/2
• DIVX
• MPEG 4
• H.261
• Windows Media
• Real Video
• QuickTime
• Any Audio File (Except MIDI)
• Plus many many more

You can even run a VLC server and stream your media across your home network. (But that is a little more geeky than this blog will get into, unless anyone is interested in learning!)

VLC - Filtering the Filter

So VLC is quite the media player, 10 years in development and fairly unknown outside the tech circle. I personally couldn't live with out it, and I bet you will love it too when you give it a go!

So lets recap

• FREE to download
• Plays just about every media format out there
• Can stream media across a network
• Multiple platforms
• Small file size (carry it on a thumb drive)
• Open source

Go out and give VLC a try... Make your media playback quick, easy, and free!

What is a Yubikey?

What is the most important thing on the internet to you? Ok, what do you use to keep those important things safe from prying eyes... A password. Why do you hate passwords? Because they are hard to remember! And this is one of the main reasons why your digital life can be at risk, you hate having to remember all your passwords, and because of that, you make them all short and thus easy to break! Well the Yubikey addresses at least part of that problem, weak passwords.

The Yubikey (Avaliable at Yubico.com - $25+S/H) is a small USB device with no moving parts and 1 button. When inserted into the computer it is recognized as a keyboard (this makes it basicly universally accepted with no drivers to worry about). Now if you hit the button on the Yubikey you will see a long string of gibrish type on the screen, what good is this you ask? Well read on.

Yubikey - Better Stronger Faster

So, you have a big long string of text, neat. Well this long string is actually a strong and UNIQUE phrase, and by unique I mean one time, never again, erase and its gone forever unique. Thats right, every time you press that button, you get a long string of text, that you will never ever ever see again. Well what good is that? Well to avoid getting into a long drawn out explination of why (which is better explained by a pro like Steve Gibson (creator of SpinRite --- Basicly best disk recovery tool EVER) on his podcase Security Now with Leo Laporte [Episode 143], but avoid being long winded, the code is unique, but there is a part of the code that is an identifier of the Yubikey (A fingerprint if you will), and this fingerprint can be used to identify the Yubikey, and use it for authentiction using super strong encryption.

Ok So Now What?

So with this unique key you can't just go to your banking site and make your password a button press of the Yubikey (too bad too). Websites need to integrate this type of authentication into their sites. So only if you could use this to manage your passwords.... WAIT YOU CAN! 

There is one password site that the FilteredGeek uses for just this application - MashedLife

MashedLife is a online password repository, that stores passwords in a encrypted account. Simple idea, create an account, and enter login credentials for websites, once that is done you create a login bookmark. Now when you are on a site that you have a login stored, you simply use the bookmark, some javascript runs and viola your username and password are inserted into the login fields. This stops key sniffers and the like, because you don't type on the keyboard, and better yet, you can use really complex passwords because you don't have to type them in! I prefer to use passwords from Steve Gibson's page, Perfect Passwords, which is basically a 64 character long, totality 100% random password, that is uniquely yours!

Ok so the one issue I had with MashedLife was that why would you protect all your passwords behind one password... if someone got that password, they could login anywhere you can.... Bad. Well the Yubikey just so happens to be supported at MashedLife, so you can register the key at the site, and then you use the key instead of a user/password. On top of that, you provide a PIN that you enter after your yubikey is used, which provides multi-factor authentication (awesome).

Yubikey - Filtering The Filter

Yubikey is a great way to use complex safe passwords, coupled with a site like MashedLife you can not only have super safe passwords, but also have easy access to them all!

1. Go Grab a YubiKey - $25 from YubiCo.com
2. Sign up for a MashedLife.com account
3. Enter your passwords into MashedLife (Changing your weak passwords if needed)
4. Register your YubiKey with Mashedlife
5. Enjoy a one stop shop with super secure passwords!