Ghostery – privacy help

Concerned about your privacy, and about who and what is tracking you while you browse?

Take a look at Ghostery, a browser add-on that shows you (and lets you block) the trackers embedded in the pages you visit.
http://www.ghostery.com

Works on most popular browsers.

How to install guide (IE);

Clever password -> website -> password salting scheme

This is quite clever (as long as you are vigilant);

http://supergenpass.com/

You know the deal: you need to create a new account and have to supply a username, email address and password to do so. You may have learned or heard that it is NOT a good idea to use the same password for different sites (if one site gets compromised, ALL your logins are then exposed), but you also really can't remember 1031 different passwords... well, SuperGenPass CAN help you with this!

What it does is quite simple: you enter the site name (the domain of the site you are creating the login for) and your generic/master password into SuperGenPass, and voila, it gives you a "unique" password for that site. The clever part is that you don't have to remember this password: you only remember the master password, and next time you visit the site you use SuperGenPass to regenerate the password you need. It works by hashing (http://en.wikipedia.org/wiki/Hash_function) your master password together with the site's domain, the domain acting as the salt (http://en.wikipedia.org/wiki/Salt_(cryptography)), so the same master password comes out differently on every site.

Let's take an example;

Master password Password on test.dk becomes l5zuZo0qa2
Master password Password on test.com becomes eipalNBj0T
Master password Secret on test.dk becomes nY8BEihJsR
Master password Secret on test.com becomes dXt1E8tILH

As you can see, the same master password gives a different site password depending on the domain, and a different master password gives a different set again.

SuperGenPass also offers a bookmarklet (a JavaScript shortcut in your bookmarks bar) that generates the password and inserts it into the site's password field for you. I would advise against using it: the bookmarklet runs inside the web page's own JavaScript context, so a malicious site (or any third-party script that site loads) can read your master password as you type it and keep it. Instead use their mobile page, http://supergenpass.com/mobile/, in a separate tab: generate the password there and paste it into the site you are logging in to. A bit more work, but a lot more security.

Another good trick is to pad the generated password with a "pin" of your own. Say the hash you get from http://supergenpass.com/mobile/ is dXt1E8tILH; normally you would use that as the password, but if you add something to the start, say TOAD, the "final" password becomes TOADdXt1E8tILH. Even if someone found out you use SuperGenPass and somehow got hold of your master password, it would be useless to them, because only you know to add TOAD to what SuperGenPass generates.

Two caveats the scheme cannot fix. The generation is deterministic, so if one site leaks your generated password and the attacker suspects SuperGenPass, they can try master passwords offline until one reproduces it; a short master password falls quickly, so make it long. And you cannot change the password for a single compromised site without either changing the master password (which changes every site's password) or remembering a per-site variation, which is exactly what the scheme was meant to avoid.
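To make the mechanism concrete, here is an added example of a generator of this kind. It is not SuperGenPass's own code or algorithm (which the post does not reproduce); it only demonstrates the idea described above: one master password hashed together with the site's domain as the salt, yielding a different 10-character password per site, plus the optional "pin" prefix. The iteration count, the output alphabet, the character rules and the naive "last two labels" domain rule are this example's own choices, and it deliberately uses a slow key derivation (PBKDF2 from Python's standard library) so that a leaked site password is expensive to brute-force back to the master password.

```python
"""Illustrative site-specific password generator (added example, not SuperGenPass's code)."""
import base64
import hashlib
from urllib.parse import urlparse

ITERATIONS = 100_000   # assumption: slow on purpose, so guessing the master password is costly
LENGTH = 10            # matches the 10-character outputs quoted in the post


def site_key(url_or_host: str) -> str:
    """Reduce a URL or host name to the domain used as the salt.

    Keeps the last two labels ("www.test.dk" -> "test.dk") so the same password
    comes out for http://www.test.dk/login and https://test.dk/. This simple rule
    is an assumption of the example; it mishandles suffixes such as .co.uk.
    """
    host = url_or_host.strip().lower()
    if "://" in host:
        host = urlparse(host).hostname or ""
    host = host.split(":")[0]               # drop any port
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def generate(master: str, url_or_host: str, pin: str = "") -> str:
    """Derive the per-site password: pin + first LENGTH characters of a digest.

    The derived part is re-hashed until it starts with a lowercase letter and
    contains an uppercase letter and a digit, to satisfy common site rules.
    '+' and '/' from base64 are swapped for digits so the result is alphanumeric.
    """
    salt = ("site:" + site_key(url_or_host)).encode()
    data = master.encode()
    while True:
        data = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)
        cand = base64.b64encode(data).decode().replace("+", "9").replace("/", "8")[:LENGTH]
        if cand[0].islower() and any(c.isupper() for c in cand) and any(c.isdigit() for c in cand):
            return pin + cand


if __name__ == "__main__":
    for master in ("Password", "Secret"):
        for site in ("test.dk", "test.com"):
            print(f"{master} on {site} -> {generate(master, site)}")
    print("with pin:", generate("Password", "test.com", pin="TOAD"))
```

Note that the pin is simply prepended outside the hash, exactly as in the TOAD trick above: it never reaches the generator, so a compromise of the generator (or of the master password alone) does not reveal it.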

Here is a YouTube video that explains a bit about SuperGenPass; note that he IS using the bookmarklet, which I advise you NOT to do, but it may help you get the idea.

So DO NOT use the bookmarklet; use http://supergenpass.com/mobile/ instead.

Dropbox – major security breach – what to do?

As you may have heard, Dropbox suffered a major security breach this weekend: for almost 4 hours ALL Dropbox accounts (including data) were accessible to ANYONE without a password (or rather, you were asked for a password, but any password was accepted).

The underlying problem is that nothing in your Dropbox is encrypted with a key only you hold; Dropbox itself can read it, so anyone who gets into your Dropbox account has access to your data…

This is, besides a major concern for Dropbox users, a wake-up call for users of cloud solutions. I totally agree with Steve Gibson (www.grc.com/securitynow) that we need PIE, Pre-Internet Encryption: everything we store in the cloud really NEEDS to be encrypted, with a key only we hold, before it leaves our own servers/LAN.

Obviously this Dropbox breach was not good 🙁 but never fear, there is a solution, still in beta but very promising. It is called SecureSync. It creates an encrypted folder inside your Dropbox, and anything stored there is encrypted before Dropbox ever sees it. You HAVE to access the folder via the "SecureSync" shortcut in My Documents, though; if you look directly in the encrypted folder you will only see encrypted data. This is actually quite clever, because you can still synchronize with machines that do not have SecureSync installed: to Dropbox the encrypted files are merely data and are synchronized like everything else, and once you install SecureSync on the target machine you can suddenly read the data again via the "SecureSync" shortcut.

SecureSync is free (at the moment at least) and still in beta, but it seems to work fine, although the install routine in particular will obviously be improved.

Get it here;
http://getsecretsync.com/ss/getstarted/

Filter bubbles

A very interesting 'webcast' on what could be called "filter bubbles": an interesting observation on how Google and Facebook automatically filter certain information away for you (in good faith, I hope, but still). Your search on "Egypt" may thus give very different results than the same search done on a friend's computer. Good or bad? Well, it is hard to tell, but it offers some scary prospects. Take the 9 minutes and listen to this, it is interesting stuff.

SugarSync – another cloud service

Just found an alternative to www.dropbox.com called SugarSync; it offers a free version, as Dropbox does, and from what I can read with more space to begin with.

Comparisons by various reviewers on the net seem to suggest that Dropbox is slightly easier to get started with, while SugarSync's pricing appears cheaper.

Had Dropbox been 1-3$ and not 10$ a month I would have been a paying customer, but 10$ for 50 GB is just too steep 🙁

Check out SugarSync here;
https://www.sugarsync.com/free/

A few other alternatives here;
http://techpp.com/2010/07/05/dropbox-alternatives-sync-files-online/

And finally (note the price is per year not month);
http://emea.trendmicro.com/emea/products/personal/safesync-solution/

HTTP watch – see what’s going on

Have you ever seen those warnings from your browser, "The HTTPS content you are…", stating that a page loaded over HTTPS also contains elements fetched over plain HTTP? Most likely yes. You can disable these warnings (which, given how often they appear, may even be necessary), but for the sake of security, or just curiosity, you may want to know exactly which parts of the page are HTTP and not HTTPS. Often it is simply an image, which is a minor concern; if it turns out to be a JavaScript file, that is a good reason for a raised eyebrow, because anyone on the network path can replace an unencrypted script and thereby run their own code inside the otherwise "secure" page. So how do you get this information? I found a mention of something called HttpWatch in a forum somewhere (can't remember where, sorry). It is an add-on for IE and Firefox that lets you see what is going on when a web site loads: install it, right-click on the page and choose HttpWatch, press Record, reload the page and you get the complete list of objects loaded, with the full URL (and thus the scheme) of each.

Cool, and better still, the free version is quite sufficient 😀

http://www.httpwatch.com/
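If you would rather not install anything, the same triage can be done on the page source. The script below is an added example (not HttpWatch's code and not from the original post): given the HTML of a page served over https://, it lists every sub-resource fetched over plain http:// and classifies it as "active" (scripts, frames, stylesheets: swapping one of these lets an attacker on the path run code in the page) or "passive" (images and media: at worst a substituted picture). Scheme-relative (`//host/...`) and relative URLs resolve to https on an https page and are correctly not flagged. The sample HTML is constructed for the example.

```python
"""Mixed-content finder for a page served over HTTPS (added example, standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (attribute carrying the sub-resource URL, severity if fetched over http)
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),      # only rel="stylesheet" counts, see below
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []           # (severity, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        spec = RESOURCE_ATTRS.get(tag)
        if not spec:
            return
        attr, severity = spec
        attrs = dict(attrs)
        value = attrs.get(attr)
        if not value:
            return
        # Icons and other <link> relations are not executed by the page; only stylesheets are.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = urljoin(self.page_url, value.strip())   # resolves relative and // URLs
        if urlparse(url).scheme == "http":
            self.findings.append((severity, tag, url))


def scan(page_url: str, html: str):
    """Return the list of (severity, tag, url) mixed-content findings for the page."""
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a checkout page over HTTPS with a few insecure sub-resources.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://example.com/favicon.ico">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://ads.example.org/track.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="/img/local.png">
<iframe src="https://secure.example.com/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in scan("https://shop.example.com/checkout", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Anything reported as "active" deserves the raised eyebrow; a page that only has "passive" findings is leaking which images you view, but cannot be turned into a script injection by the same attacker.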

WOL over the Internet

Just found an interesting post about WOL (Wake-on-LAN) over the internet, now that sounds kind of useful 😀

Check it out here;
http://www.ezlan.net/WOL.html

Among other things you will need this;
Wake on Lan GUI
http://www.depicus.com/wake-on-lan/wake-on-lan-gui.aspx

Update;
I have "installed" and tested this, but so far sadly without luck :-/ I will hopefully have time to do some more digging in the near future, but I am a bit sceptical: when the PC is off it does not have an IP!? It may work if you have an ADSL modem, but with a router I can't really see how it would work.
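What the Wake on Lan GUI actually sends is a "magic packet": 6 bytes of 0xFF followed by the target's MAC address repeated 16 times, normally inside a UDP datagram to port 9 (or 7). The sleeping network card watches every frame on its Ethernet segment for that pattern, so the packet does not need an IP address the switched-off PC owns; it needs to reach the right LAN segment. On the LAN that means sending to the broadcast address. From the internet, the router has to forward the UDP port to the LAN broadcast address (or to a static ARP entry for the PC's MAC); forwarding to the PC's normal IP does not work because a powered-off PC answers no ARP request and the router has nowhere to deliver the packet. The builder/sender below is an added example in Python, not the Depicus tool's code; the MAC address and addresses in it are placeholders.

```python
"""Wake-on-LAN magic packet builder and sender (added example, standard library only)."""
import re
import socket


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet for a MAC given as 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(digits)
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac: str, target_ip: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet; returns the number of bytes sent (102).

    On the LAN leave target_ip as the broadcast address. For WOL over the
    internet, target_ip is the router's public IP, and the router must forward
    this UDP port to the LAN broadcast address (e.g. 192.168.1.255) or to a
    static ARP entry for the PC; see the note above.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (target_ip, port))


if __name__ == "__main__":
    # Placeholder MAC; replace with the NIC address shown by "ipconfig /all" on the target PC.
    sent = send_magic_packet("00-11-22-33-44-55")
    print(f"sent {sent} bytes")
```

Because the whole "secret" is a MAC address that anyone on your LAN can read, exposing the forwarded port to the internet lets anyone wake the machine; that is a nuisance rather than a break-in, but it is worth knowing before opening the port.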

Blocking google ads via your hostfile

Nothing new here, just a quick way to block Google ads via a simple addition to your hosts file. Not that I am against Google ads (I use them myself on this blog), but sometimes they are put in annoying places, and besides, I respect that some people just don't like advertising.

Here’s how to;

Fire up Notepad (if you are running Vista or 7 you MUST launch it as administrator: right-click Notepad and select "Run as administrator"), then open the file "hosts" found in C:\Windows\System32\drivers\etc (it has no extension, so pick "All Files" in the open dialog to see it).

Now add these two lines to the bottom of the hosts file (a tab between the address and the host name);

127.0.0.1	pagead.googlesyndication.com
127.0.0.1	pagead2.googlesyndication.com

Save, and you're done: no more Google ads from those two hosts. If ads still show, run "ipconfig /flushdns" from a command prompt (or restart the browser) so cached lookups are discarded. Note that the hosts file matches exact host names only, no wildcards, so other ad servers each need their own line.
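If you maintain more than a couple of such lines, editing by hand gets error-prone (duplicate entries, a host mapped twice to different addresses). The following is an added example, not from the original post: a pure function that merges a blocklist into the text of a hosts file, skipping hosts that are already mapped by any line, so it is safe to run repeatedly. It returns the new text rather than writing the file; on Windows you would read and write %SystemRoot%\System32\drivers\etc\hosts from an elevated prompt. It maps to 0.0.0.0 by default, an assumption of the example: with 127.0.0.1 (as in the post) the browser first tries to connect to your own machine on port 80/443 and waits for the refusal, while 0.0.0.0 fails immediately. The sample hosts file and blocklist are constructed.

```python
"""Idempotent hosts-file blocklist merge (added example, standard library only)."""
import re

SINK = "0.0.0.0"   # assumption: unroutable sink; 127.0.0.1 also works but hits your own machine first


def mapped_hosts(hosts_text: str) -> set:
    """Host names that already have an entry; comments and blank lines are ignored."""
    mapped = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        fields = re.split(r"\s+", line)           # address, then one or more names
        mapped.update(name.lower() for name in fields[1:])
    return mapped


def merge_blocklist(hosts_text: str, hosts_to_block, sink: str = SINK) -> str:
    """Return hosts_text with a '<sink>\\t<host>' line appended for each host not yet mapped."""
    already = mapped_hosts(hosts_text)
    additions = []
    for host in hosts_to_block:
        host = host.strip().lower()
        if host and host not in already:
            additions.append(f"{sink}\t{host}")
            already.add(host)                     # also de-duplicates the blocklist itself
    if not additions:
        return hosts_text
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(additions) + "\n"


# Constructed sample: a minimal hosts file where one of the two entries already exists.
SAMPLE_HOSTS = """# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
127.0.0.1 pagead.googlesyndication.com   # added earlier by hand
"""
BLOCKLIST = ["pagead.googlesyndication.com", "pagead2.googlesyndication.com"]

if __name__ == "__main__":
    print(merge_blocklist(SAMPLE_HOSTS, BLOCKLIST), end="")
```

Run against the sample, only the pagead2 line is added; running the result through the function again returns it unchanged.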

Cracking WPA using Amazon EC2 cloud service

You had better stop using your girlfriend's or the dog's name as the password for the WPA key on your access point: German computer scientist Thomas Roth has made a proof of concept that uses Amazon's EC2 cloud service (its GPU instances) for cracking WPA keys. With EC2, brute-forcing simpler keys is now within reach of anyone with a credit card.

Read more here;
http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/

http://stacksmashing.net/

Shopshield added protection for online purchasing

I heard of this service on a podcast; the verdict was not overly enthusiastic due to the pricing, but from what I could understand the service does what it promises to do.

So the ONE thing it does seem very useful for is the "one-time credit card" option. Basically it creates a temporary credit card number that you use for your online purchase, and once that transaction is done the number is revoked. This is great if you need to order something from a dodgy site that you do not fully trust: your own credit card number is never revealed to the site you are buying from, so should they later try to charge you extra, they are out of luck. From what I can tell the service costs a fee of US$ 2 or 2½ per card number (on the pay-as-you-go plan); I think it's an OK price for an online purchase "insurance".

http://www.shopshield.net