Facebook Lockdown…

Have you ever logged into your Facebook account while attached to a public Wi-Fi connection? If you have, you are not alone. A majority of smartphone users do it on a regular basis, and why not? It is easy enough. Standing in line at Starbucks? Just update that Facebook status and check out what your friends are up to. Unfortunately, using public Wi-Fi hotspots makes it very easy for almost anyone to intercept your internet activities.

This vulnerability is best demonstrated by an extension for the Firefox browser called Firesheep that makes use of a packet sniffer to intercept information from popular websites (Facebook and Twitter, for example) traveling over the Wi-Fi network and then allows the Firesheep user (hacker) to assume the log-in credentials of whoever’s identity was intercepted. Once logged in, the hacker has access to all sorts of personal information with very little fear of detection. Keep in mind, this extension is readily available and is very easy to use. Next time you think about logging into Facebook at your local Wi-Fi hotspot, look around. Is one of those guys (or gals) in the corner with a laptop running Firesheep?

Fortunately, defeating this particular exploit is fairly simple. Facebook allows you to access their website with the HTTPS (HyperText Transfer Protocol Secure) protocol instead of the more commonly used HTTP. HTTPS encrypts communications with SSL (Secure Sockets Layer), preventing hackers from eavesdropping on your browsing. Some websites, such as banking websites, PayPal, and others, require the use of HTTPS. Facebook has allowed the use of HTTPS on its website for quite some time, although it required users to manually type https://facebook.com into the address bar of their browser instead of using the default http://facebook.com.
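Firesheep-style interception works because the cookie that identifies a logged-in session is sent over unencrypted HTTP. The following added example (not part of the original post) audits a site's response headers for session cookies that lack the Secure attribute and would therefore also be sent in the clear; the header lines and the cookie-name hints are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=def456; Path=/; Secure; HttpOnly",
    "Set-Cookie: locale=en_US; Path=/",
    "Strict-Transport-Security: max-age=31536000",
]

# Assumption: cookie names containing these fragments carry login state.
SESSION_HINTS = ("sess", "auth", "token", "sid")


def audit_headers(header_lines):
    """Return (session cookies sent without Secure, whether HSTS is set)."""
    exposed, hsts = [], False
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "strict-transport-security":
            # HSTS tells the browser to use HTTPS for every later visit.
            hsts = True
        elif name == "set-cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            for cookie_name, morsel in jar.items():
                is_session = any(h in cookie_name.lower() for h in SESSION_HINTS)
                # Without Secure, the browser attaches the cookie to plain
                # HTTP requests too, where a sniffer on open Wi-Fi can read it.
                if is_session and not morsel["secure"]:
                    exposed.append(cookie_name)
    return exposed, hsts


if __name__ == "__main__":
    exposed, hsts = audit_headers(SAMPLE_HEADERS)
    print("Session cookies missing Secure:", exposed)
    print("HSTS enabled:", hsts)
```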

Facebook has a new option, automatically enabling the use of HTTPS. This option can be accessed by selecting Account from the upper right corner of the page, and choosing Account Settings. Within the Account Settings is an Account Security section that looks like the one below.

Facebook Account Settings

Putting a checkmark in the Browse Facebook on a secure connection… box (be sure to click Save to apply the setting) will do just what it says and will provide a much more secure Facebook experience. Do yourself a favor, check the box, and shear that Firesheep!

NOTE: Enabling HTTPS will make browsing a little slower and Facebook apps like Mafia Wars and Farmville won’t work. Facebook chat, however, may still work. I just tested chat and it works for me, although others have been unable to use it over a secure connection.


The internet is out of room… doom is upon us!

As of yesterday, February 3rd, the organization that controls the distribution of internet addresses has allocated all of the remaining addresses that it held for distribution. More information can be found here. This blog post is intended to shed a little light on exactly what that means and how it will impact the internet and you, the internet end user.

Out of space? In order to understand what we mean when we say that the internet is out of addresses, we’ll need a little background on how the internet works and where those addresses come from. The internet is built on a protocol known as IPv4, which is based on 32-bit addresses, limiting the total number to just over 4 billion available. At the inception of the internet, it seemed that this would be more than sufficient, but the explosive growth of internet-enabled devices has rapidly depleted the reservoir, creating a need for more numbers. In addition, not all of the 4 billion addresses are usable for assignment; some are instead designated for other purposes, such as non-routable internal address spaces or multicast, or simply can’t be used because of the way the protocol and routing work, an explanation of which is beyond the scope of this post. In a nutshell, the IANA (Internet Assigned Numbers Authority) had 5 blocks of just under 17 million addresses left for distribution. There are 5 Regional Internet Authorities (RIR) that each control a different geographical region and they agreed to each receive one of the 5 remaining blocks. Each RIR is now able to distribute the newly acquired addresses but cannot get any more. The IP address barrel is empty.

What does this mean? In the short term, there won’t be any noticeable impact. The RIRs (ARIN in North America) still have addresses to distribute to ISPs, governments, corporations, etc. and while they will most likely be more frugal in doing so, the addresses could last from 6 months to 2 years depending on the region. As an end user, you probably won’t notice anything for quite some time although change is coming. The internet continues its unabated growth and there is too much money at stake to allow for a little address claustrophobia to stop it. There is a solution at hand…

What is the solution? Since IPv4 and its 32-bit address space is used up, a new version of the Internet Protocol (IP) has been created. The new version is called IPv6 and uses a 128-bit address space. At first glance, you might think that going from 32-bit to 128-bit only allows for 4 times as many addresses and we might run out of space again, but this isn’t the case. A 32-bit address has 2^32 combinations (4,294,967,296) while a 128-bit address has 2^128 combinations (340,282,366,920,938,463,463,374,607,431,768,211,456). This staggering and tough-to-comprehend number means that each person on earth could be assigned many trillions of their own addresses and we would still have plenty left over.

Why don’t we just switch now? When IPv6 was designed, the decision was made to start fresh and not hinder it with any backwards compatibility to IPv4. This means that switching to IPv6 isn’t as simple as throwing a switch. Any time you access a website or use an internet connected device, the information is traveling through a number of different routers, devices, and connections. The screenshot below is a route I traced from my computer to google.com.

A TRACERT to Google.com

In order for me to connect to google.com through an IPv6 connection, every device in that list would need to be compatible with and properly configured for the IPv6 protocol. This is going to require a lot of hardware to be upgraded and network engineers will need to learn a new IPv6 skillset. These things come at a cost that most companies will try to avoid for as long as they can. The groundwork is being laid – Windows supports IPv6 as does OS-X, Linux, the iPhone, and your ISP may (or may not) already support IPv6. There are also workarounds available that can translate between IPv6 and IPv4 addresses (such as Teredo and 6to4) but these do not work in all cases. In summary, until the situation becomes bad enough that everyone involved is forced to upgrade, IPv6 will be ready (it has been available for 10 years already) but little used.
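Both 6to4 and Teredo, the workarounds mentioned above, carry IPv4 addresses inside the IPv6 address itself, which is useful to know when reading logs or firewall rules. The following added example (not part of the original post) builds such addresses and recovers the embedded IPv4 addresses with Python's standard ipaddress module; the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress


def to_6to4_prefix(v4):
    """6to4: the site's /48 prefix is 2002: followed by its public IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def to_teredo(server, client, client_port):
    """Teredo: 2001:0::/32, server IPv4, flags (0 here), then the client's
    port and IPv4 address with every bit inverted."""
    s = int(ipaddress.IPv4Address(server))
    c = int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF
    p = client_port ^ 0xFFFF
    return ipaddress.IPv6Address((0x20010000 << 96) | (s << 64) | (p << 32) | c)


def embedded_ipv4(v6):
    """Name the transition mechanism behind an IPv6 address and return the
    IPv4 address(es) hidden inside it."""
    addr = ipaddress.IPv6Address(v6)
    if addr.sixtofour is not None:
        return ("6to4", str(addr.sixtofour))
    if addr.teredo is not None:
        server, client = addr.teredo
        return ("teredo", str(server), str(client))
    return ("native", None)


if __name__ == "__main__":
    # Constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges).
    print(to_6to4_prefix("192.0.2.4"))
    print(embedded_ipv4("2002:c000:204::1"))
    print(embedded_ipv4(str(to_teredo("192.0.2.1", "198.51.100.7", 40000))))
    print(embedded_ipv4("2001:db8::1"))
```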

How will we switch? Now that the end of IPv4 is becoming more apparent, preparations for the switch are being made. IPv6 connections are being turned on and the transition to the protocol is slowly building momentum. There is a World IPv6 Day scheduled for June 8th, 2011 where some of the largest websites in the world (Facebook, Google, Yahoo!, and others) will enable IPv6 connectivity to their websites as a test. While IPv4 will not be disabled, this will test the world’s ability to connect to these websites while IPv4 and IPv6 are running in tandem. The event is also intended to provide some momentum for the inevitable switch to IPv6.

What do I do now? In the immortal words of Douglas Adams, “Don’t Panic!”  Nothing is going to change in the immediate future and almost all of the work that needs to be done will be handled by ISPs, network professionals, and hardware vendors. If you are curious about your IPv6 readiness, you can test your connection here.

Malware and You!

In my line of work, I see malware and its effects on a regular basis. It is readily apparent that malware infections are becoming more common and frequent despite the best efforts of software developers and antivirus companies. An unseen battle is currently being waged between the malware creators and the anti-malware architects. In this war, the first line of defense is overlooked all too often… the user. A properly educated and attentive user can prevent an infection just as proper hygiene can prevent illness. I can’t help with attentiveness, but I may be able to help educate and “knowing is half the battle”. The questions below are the ones that I am most frequently asked.

What is malware? In a nutshell, malware is malicious software and can take various forms, such as:

  • Virus – a program that attaches to another program and makes copies of itself.
  • Worm – a program that makes copies of itself without the need for another program.
  • Spyware – software that collects information about users without their knowledge – passwords, browsing habits, etc.
  • Adware – software that displays advertisements to the user, usually as popups.
  • Scareware – software that uses social engineering to scare an unsuspecting user, usually with the intent of having them download and buy something, such as fake antivirus software.
  • Rootkit – allows hidden privileged access to a user’s computer and can be difficult to detect.
  • Backdoor – allows remote access to a computer while remaining undetected.
  • Key Logger – tracks a user’s keystrokes and transmits the information to a third party.

Where does malware come from? Malware can come from a number of sources, including:

  • Applications – be careful when downloading and installing things from the internet, particularly: games, coupons, toolbars, screensavers, wallpapers, weather gadgets, anti-spyware applications.
  • Email – attachments and links to the internet can be methods for compromising your computer.
  • Websites – look out for game sites, coupon sites, links posted on social networking sites, and videos.

How do I avoid infection? There are a number of simple steps that you can take in order to significantly reduce your risks.

  • System Updates – make sure that you are set up to receive the latest updates. If you do not have them set to install automatically, make sure that you install them manually on a regular basis as most of the updates are security related.
  • Antivirus – make sure that you are running a current and reputable antivirus program. There are a number of options available and even some free options that do a good job. Be certain that the software is being updated frequently with the latest definitions and that it is running scheduled system scans.
  • Anti-Malware – no antivirus program is 100% effective and it is a good idea to supplement it with anti-malware software that is not memory resident. Keep the software up-to-date and run scans daily or weekly. Some free examples (at least for personal use) are Spybot S&D, Malware Bytes, and SuperAntiSpyware.
  • Practice safe surfing – Be vigilant. If something seems too good to be true, it probably is. When a website asks you to install something, make sure that it is trustworthy, you know exactly what is being installed, and that it is legitimate. Check the browser’s security settings – the security and privacy settings need to be set to the defaults or higher.
  • Email Safety – Phishing is the most dangerous thing to watch for with email. Scammers have gotten very good at crafting emails that look like they come from eBay, or your bank, or PayPal. These emails usually contain a link for you to click on so that you can change your password or accept a new security policy or something that appears to be to your benefit. The problem is that the link doesn’t take you to eBay, or your bank, or PayPal but redirects to the scammer’s website. As soon as you type in your username and password, the scammer has it and is using your hard earned money to buy themselves some fancy new apartment in Nigeria. Do NOT click on links in an email. Just don’t. If you get an email from your bank, or eBay, or PayPal… close the email, open your browser and visit the website manually. Do not open attachments unless you are certain they are safe.
  • Other tips – Avoid peer-to-peer software such as Kazaa and Limewire. Be careful about letting other people use your computer – they could inadvertently (or intentionally) install malware on your computer. Log out or lock the computer when not using it. Restart your computer regularly to allow for boot time antivirus scans.

Why do people create malware? There was a time, when home computing was new and the internet was still limited to scientists, when most people writing viruses were doing it as a technical exercise or a somewhat malevolent hobby. That isn’t the case today and the primary reason for virus and malware creation is… MONEY. The software is used to steal account information, turn computers into SPAM servers, track browsing habits, or trick users into purchasing bogus software.

Why should I care about malware? At the very least, malware can cause your computer to run very poorly, creating frustration and wasting your time whenever you use it. At its worst, malware can compromise your bank account information and personal security, creating massive problems that can be extremely difficult to resolve.

How do I remove malware? Removing malware, depending on the variant, can be quite problematic and is beyond the scope of this post. Reputable antivirus tools and the anti-malware tools mentioned earlier are a good start, although booting Windows into safe mode, using MSCONFIG, and editing the registry may also be requirements. In some cases, difficult infections may require a computer professional for proper removal and in the worst cases, a system format and reinstall is the only certain fix.

Technothaurity? A little pretentious, don’t you think?

The name may come across as being a bit pretentious, although the tone of this blog and its content are intended to be accessible to anyone, not just the technology elite. The name of this blog was chosen for two simple reasons:

  1. The most important reason – it was available. Have you tried to come up with a catchy, simple, usable, and apropos internet domain name that isn’t already taken? Let me assure you, it is not a simple task.
  2. I have enjoyed, dreamed of, fiddled with, read about, worked on, studied and been immersed in technology for almost my entire life. This means that I have acquired a good bit of knowledge about the subject and when I don’t know something, I can usually: figure it out, know someone who does, or know where to look it up.

This does not mean that I consider myself an authority on all things technological. Far from it. One of the things that I enjoy about working with technology is that there is so much to learn and the tech landscape is constantly and rapidly changing. It is impossible to learn everything… but it sure is fun to try. Authority? No. Knowledgeable? Sure. Enthusiast? Absolutely.

Being such an enthusiast for so long has made me a bit of a “Go-to Guy” when people have questions about computers, the internet, TVs, or just about anything with buttons. This blog is intended to share a little bit of insight, opinion, and acquired knowledge with anyone who stumbles upon it and shares an interest.

Comments, questions, and criticisms are welcome and encouraged.