Your best source of information and news about drivers, drivers and Vista hardware on the internet


hacker

You are currently browsing the articles from MS Windows Vista Compatible Software matching the category hacker.

Hacker Warning: Security Questions Vulnerability Discovered

Security questions ask for a bit too much personal information that can be stolen by hackers.

Does it annoy or even scare you when certain websites ask you for additional login credentials to set up a security question in the case that you forget your password? Do you ever wish that you could create your own security questions so you do not feel like you are giving up too much of your personal information?

In today’s society, where identity theft is knocking at our front door every day we go online, we have become a little more self-conscious as to what information we willingly give over the internet. Some sites that have you create accounts will ask for an additional security question, but most of them define what question you must answer. That is a bit controlling and on the verge of stealing your personal information without asking for permission.

Security Questions

In the case that a website’s information is compromised or stolen, your security question and answer may be taken also. It has been reported on security blogs that a hacker can use this information in conjunction with other credentials to log into your account. If a website has defined security questions then hackers are in-the-know of how to use your answers or personal information against you. If you answer a simple security question of “your mother’s maiden name”, right off the bat hackers are able to utilize that piece of information, along with whatever else they steal from a site’s database, directly against you. Something like your mother’s maiden name is commonly used for credit or banking transactions. Just think what damage a hacker can do in knowing your mother’s maiden name.

What can you do if a site requires that you select and enter a pre-set security question?

One thing you can do is just lie. That’s right, if you lie then that is one big step in protecting your real information. There is no rule set in stone that you must tell the truth on a security question. However, if you forget your login or password and are required to retrieve it through entering the answer to one of your security questions, you must remember the lie that you entered. Some sites, such as Gmail, will allow you to set up your own security question. In this case you can pick something off-the-wall so as not to identify you in any way that can be used against you by thieves. Remember, treat your security question just like you would a password because in some situations it can be just as powerful (or dangerous) as a login name and password.

Do you ever think that you could become a theft victim of your secret security questions?

Written by Mya on August 15th, 2008 with no comments.

CEH | Certified Ethical Hacker

Today I went for the CEH v5 exam, EC-Council certification# 312-50, I'd been studying for it for a while. It had no less than 150 questions - and pretty tough ones too - but I managed to pass it (85% which is OK considering US law was part of the Qs).

I can really recommend you to go for this exam - it's somethin' else dude! The questions are short and exact (still multiple choice), but just the process of going there is VERY cool and interesting. Personally I downloaded a lot of spooky tools and guides, created an isolated network with virtual machines and tested, tested, tested. It was fun I can tell you - I can't seem to stop studying this stuff!

I also read 2 books on the journey:
- Michael Gregg: Certified Ethical Hacker Exam Prep (very good)
- Kimberly Graves: Official Certified Ethical Hacker Review Guide (very brief)

If you're a totally cool (and white) hacker dude already, you could probably go for the latter only (it will give you the overall idea of what this exam is all about, the CEH terminology etc). BUT the first one mentioned, by Michael Gregg, is a VERY good introduction (broad and deep) into the world of haxin' actually.

The whole idea with this exam is, that to be a professional penetration tester or security consultant, you need the skills and tools of the hackers. Put yourself in their place and start looking for your (or your customers') weakest link! A security system is only as strong as its weakest link - that also means, that security is a process (maintenance).

Security is, and always will be, a mixture of: Prevention + Detection + Response!

Written by Jakob H. Heidelberg on February 15th, 2008 with no comments.

Firefox about:config Fixup

By default, the about:config preference UI automatically detects localized preferences and displays the localized setting. But if you are a hacker working on customizing the default settings, this can be very confusing. This little extension “fixes” the default behavior to display the chrome URI of the localized .properties file.

Works with Firefox 2 -> 2.0.0.*

Written by Jason on August 17th, 2007 with no comments.

Blocking U3 USB devices

Hey,

I get this question a lot: how can we block U3 devices on the network?

Well, one approach that some companies take is to simply block the physical USB ports by glue etc. - no USB devices are able to get in, so we have a “secure” system… Hmmm, this would mean that we are not able to use other USB devices either - maybe not the best solution for all of us then…

If you have Windows Vista deployed, you have the new Device Control functionality, but most companies have Windows XP and Windows Server 2003 products in production (and are probably waiting for Vista Service Pack 1 before they go ahead with the Vista deployment)… So, what could they do then?

Third-party software, like GFI EndPointSecurity, is capable of blocking USB devices etc. - and it does a very good job too, but there’s also a free way to do it (if you ask me it’s the best way to do it): implement Software Restriction Policies (SRP)!

I’ve been writing about the “Default Deny All Applications” approach and this is (of course) also capable of blocking U3 devices - out of the box, built-in Windows functionality.

When the Default Security Level is set to Disallowed, nothing is able to launch except what the administrator defines as Unrestricted (and some default rules and limitations on top of this). When a user plugs in the U3 USB device NOTHING happens - no weird hacker tools, utilities, applications and whatever those ‘wonderful’ devices normally introduce.

Behind the scenes SRP restricts access to the U3 LaunchPad and leaves only an event in the Windows Event log:

Source: Software Restriction Policy
Event ID: 865
Type: Warning

“Access to C:\…\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level”

This limitation can be set on user and/or computer level.

After introducing SRP on your Windows computers (Windows XP and above) - you can consider your network “U3 free”.

Written by Jakob H. Heidelberg on May 10th, 2007 with no comments.
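
An added example, not part of the original post: a small triage script that picks the Event ID 865 records described above out of an exported event log and counts blocked U3 LaunchPad starts per computer. The CSV layout, computer names and file paths are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample export; column names, hosts and paths are assumptions.
SAMPLE_EXPORT = r'''Source,EventID,Computer,Message
Software Restriction Policy,865,PC-014,"Access to F:\LaunchPad.exe has been restricted by your Administrator by the default software restriction policy level"
Software Restriction Policy,865,PC-014,"Access to F:\LAUNCHPAD.EXE has been restricted by your Administrator by the default software restriction policy level"
Software Restriction Policy,865,PC-022,"Access to C:\Temp\setup.exe has been restricted by your Administrator by the default software restriction policy level"
Application Error,865,PC-022,"Unrelated event that happens to share the ID"
Software Restriction Policy,n/a,PC-030,"Row with a damaged EventID field"
'''

# Message text of the default-level block event quoted in the post.
BLOCKED = re.compile(
    r"Access to (?P<path>.+?) has been restricted by your Administrator "
    r"by the default software restriction policy level"
)

def blocked_launches(export_text):
    """Return (computer, path) for every SRP default-level block (Event ID 865)."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Match on source AND id: other sources can reuse the same event id.
        if row.get("Source") != "Software Restriction Policy":
            continue
        if (row.get("EventID") or "").strip() != "865":
            continue
        match = BLOCKED.search(row.get("Message") or "")
        if match:
            hits.append((row["Computer"], match.group("path")))
    return hits

def u3_attempts(hits):
    """Count blocked U3 LaunchPad starts per computer (case-insensitive name)."""
    return Counter(
        computer for computer, path in hits
        if PureWindowsPath(path).name.lower() == "launchpad.exe"
    )

if __name__ == "__main__":
    hits = blocked_launches(SAMPLE_EXPORT)
    for computer, count in u3_attempts(hits).items():
        print(f"{computer}: {count} blocked U3 LaunchPad start(s)")
```

Computers that show repeated blocks are the ones where users keep plugging in U3 devices, which is useful input for follow-up or awareness work.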