Security

Why everybody should be using HTTPS

Using HTTPS on a website has historically been a pain, and therefore reserved only for e-commerce sites. In order to use HTTPS you would first need to purchase certificates, which had a cost associated; then you would need them installed, which your hosting provider would need to support. As a result, adoption of HTTPS for ‘regular websites’ was low. Last week, I took the opportunity to secure this website. The best part was that doing so cost nothing, and it took just 10 minutes! This led to the conclusion – there’s no excuse not to use HTTPS. What is HTTPS? When using…

Time for a new approach to password security?

The password. It’s been used for thousands of years and today represents the key security token in modern computer systems. Despite its ubiquity, the password is not well loved. Attitudes towards passwords vary from apathy to downright contempt. Very few people would ever stand up and argue that the password is a good method of securing a system. IBM predicted back in 2011 that the password would be dead within five years. However, while the giants of the technology industry are rushing to consign passwords to the dustbin of history, nobody seems to be asking whether the problem is with passwords…

Physical Security: How to cause mayhem!

I have a number of rules I use in a professional and sometimes personal capacity. This is number 1: Always assume the worst about everything. You’ll rarely be disappointed. When you apply it in a security context, it means that, given a choice, users will always choose the stupid option. Take passwords: if you don’t mandate a certain password quality, then they’ll choose crap passwords (No, Pa55w0rd does not count as a good one!). If you make the password rules too difficult, well… With a little patience and technical expertise though, it is possible to secure your systems effectively. Password policies,…

TalkTalk: Words fail me

On Friday, as the whole TalkTalk hacking story was blowing up in a big way, I sat down to write an article about the fiasco, if fiasco is a strong enough word to describe the mess TalkTalk find themselves in. The problem is that every time I managed to write a bit, the story had once again changed. As with many things, however, the more you sit and watch it, the more you recognise patterns. Two such patterns that have come out of this debacle are: Here’s another company that has failed to invest in Information Security; The CEO – Dido…

What the latest Java exploits teach us about security

I contributed earlier to a discussion on an article in The Register (Link) on dealing with malware caused as a result of security vulnerabilities in Java. The article discusses how to go about cleaning up the various pieces of malware downloaded, and requires the use of multiple security tools covered in 12 steps. As I and others suggested at this point, given an infection of this magnitude, going for a clean-up should be the last resort. Virus removals are my least favourite computer repair job, since it can be virtually impossible to totally rid a system of a virus, and…

Fail: Telephone “Computer Virus” Scam

The other day I received a phone call from 01234 765093. If you get a call from them, unless you have experience with computers and you fancy wasting their time, then you should ignore them and under no circumstances do what they suggest. Failure to heed this advice is likely to lead to your computer being held to ransom pending payment of a large amount of money. Others have reported this as being close to £200 GBP. First you will get a phone call, claiming to be from somebody like Microsoft, or another big company. Let’s get one thing straight, they…