Protect Your Keys from Scanning App

Key.me is one of a handful of new online services that provide physical key replacement. A free mobile app stores a picture of your key and, for a small fee, the service will either send you a physical copy or let you pick one up at a local kiosk (in NYC). The service is designed for people who find themselves locked out of their house or constantly losing their keys.

The concern is third parties such as valets, stalkers, and criminals making copies of your keys and entering your house. Realistically, if a thief wants to break into your home they will find a way, though opportunity does provide an incentive. Key.me offers some protections against this type of abuse, such as requiring a credit card for payment. Unfortunately, a Wired author demonstrated that these protections are easy to bypass.

The real problem is not key duplication services; it is who you trust with your keys. We often talk about securing your digital accounts with strong passwords and keeping them private. In real life, keeping your physical keys secure is just as important.

• Only give your car key to the valet; and only for businesses that offer valet service.
• Keep your keys out of sight and on your person when you are at the bar or other public places.
• Don’t leave your keys out in the open on your desk at work.
• Don’t keep your home address printed with your keys.

Services like Key.me provide a resource for people who are constantly locking themselves out of their apartment or losing their keys. Just remember, it only takes a few seconds to take a picture of your keys. Simple precautions make sure they are secure.

Links and Resources:

Key.me
Wired: The App I Used to Break Into My Neighbor’s Home
Sophos: How to break into people’s homes with your mobile phone

Posted in Uncategorized | Comments closed

Beware Keyloggers at Hotel Computers

Brian Krebs is reporting that the Department of Homeland Security (DHS) is warning hotels that criminals are installing keyloggers on publicly available hotel kiosks and business center computers. Keyloggers are either software or USB-type sticks that capture every keystroke a user makes on the computer. Criminals install these programs and devices to steal user information for use in fraud, identity theft, and other criminal activities.

From the DHS advisory:

“The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

Unfortunately, there is not much a user can do to tell if a public hotel computer is compromised. To stay safe, do not log into any website or corporate server from a public kiosk or business center computer. This may inconvenience the business or casual traveler, but not entering your credentials is the only way to offer protection from snooping keylogging criminals.

More about Keyloggers at hotel business centers:

KrebsonSecurity: Beware Keyloggers at Hotel Business Centers

Image Credit: Flickr: Bull3t Hughes

Posted in Safe Computing | Comments closed

Securely Delete Phone Data for Resell

Yesterday a report released by the security company Avast showed that a typical factory reset on your phone does not remove all personal data. From the 20 secondhand phones purchased for the study, the company was able to retrieve more than 40,000 photos, 750 emails and text messages, a loan application, and other personal data.

Take these steps to ensure your data is destroyed before you sell or donate your old phone.

From Lifehacker, instructions on how to securely delete your personal data.

SIM Card:

• For all phones with SIM cards, remove and keep the card. If you do not need the card, physically destroy the card.
• If the card needs to stay with the phone, first erase and format the card to remove all personal data. Generally the existing SIM card is not required when turning in a used phone.

iPhone:

Settings > General > Reset > Erase all Content and Settings

Android*:

1. Encrypt the phone using the built-in encryption software
2. Perform a factory reset

*Encrypting the phone will take some time depending on the size of the phone storage.

Blackberry and Microsoft:

1. Encrypt the phone using the built-in encryption software
2. Perform a factory reset

Note: No process is 100% guaranteed to make all your data unrecoverable. If you are worried that your data may be recovered, do not resell or donate your phone.

Related Information:

Lifehacker: How Do I Securely Erase My Phone Before I Sell It?

ConsumerReports: Avoid ID theft and protect personal data when getting rid of a gadget

Image credit: Flickr – Vincent Lee

Posted in Safe Computing | Comments closed

New Lynda Video: Creating Secure PHP Websites

Lynda.Com has released a new course on creating secure PHP websites. This video is a must for anyone developing PHP websites and applications.

Watch for free with your MyNEU credentials

Link to the course: Creating Secure PHP Websites

From the Course Details:

Hackers target PHP web applications more often than other sites because most PHP code is written by developers with little security experience. Protecting web applications from these attacks has become an essential skill for all PHP developers. Creating Secure PHP Websites shows you how to meet the most important security challenges when developing websites with PHP. Instructor Kevin Skoglund covers the techniques and PHP code needed to develop sites that are more secure, and to avoid common mistakes. Learn how to configure PHP properly and filter input and escape output. Then check out step-by-step defenses against the most common forms of attack, and the best practices to use for encryption and user authentication.

Topics include:

• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• SQL injection
• Encrypting and signing cookies
• Session hijacking and fixation
• Securing uploaded files
• User authentication
• Throttling brute-force attacks
• Blacklisting IPs
• Implementing password reset tokens

Posted in Website Security | Comments closed

Changes to NU Wireless Guest Access

Next week, in an ongoing effort to enhance the security of our campus wireless networks, Information Technology Services will be implementing changes to the unsecured wireless network NUwave-guest.

On May 21, 2014, ITS will enable registration requirements and a time limit for NUwave-guest access on the Boston campus. All other Northeastern locations will implement these changes at a later date. Individuals wishing to use the guest wireless network will need to register through a new guest wireless portal page, similar to those used by coffee shops and airports. These changes provide a greater level of security for our campus networks by limiting Internet access to identified guests visiting Northeastern for a certain period of time.

As a reminder, NUwave-guest access is intended for limited guest wireless access only. Northeastern students, faculty, staff and sponsored accounts must use the secure wireless network NUwave.

Registration Details

Individuals wishing to use NUwave-guest will need to register through the guest wireless portal registration page, providing their name, cell phone number and email address. Guests will receive a text message containing their user name and an access code to be entered into the guest portal login page for network access, on up to three devices. Additionally, there will be a new eight-hour time limit for NUwave-guest. Once the allotted time expires, guests will be required to re-register in order to receive a new access code to continue to use the guest wireless network.

Conference and Event Planners

ITS has worked with conference and event organizers to ensure a smooth transition. Organizers may submit a myHelp request one week prior to the event in order to pre-register attendees and provide wireless access for the duration of the event. For access beyond what is already provided with NUwave-guest, organizers may submit a myHelp request two weeks prior to the event date and ITS will work to provide the proper solution. Additional information on how conference and event organizers can provide wireless access to their attendees is located on the NUwave-guest Wireless Network FAQ page.

 

Want to learn more? Visit the NUwave-guest Wireless Network FAQ page on the ITS website.

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Posted in NU Policy, Safe Computing | Comments closed

Microsoft Releases Patch for Critical Internet Explorer Vulnerability

Microsoft has released a security update for Internet Explorer to resolve the critical vulnerability announced earlier this week. The Internet Explorer vulnerability could be exploited to give a remote attacker control of a user’s computer, letting them install more malicious software onto the machine. This update will be downloaded and installed automatically through Windows Update and will patch all versions of Internet Explorer (IE 6 – IE 11). The update will require a system reboot after installation to complete the patch and should not be delayed.

Computers with Windows XP
Microsoft has made the decision to issue the security update for Windows XP users even though the operating system is no longer supported. Windows XP users are still strongly encouraged to upgrade to Windows 7 and should not expect additional updates. Contact the ITS Service Desk at 617.373.4357 or help@neu.edu for assistance with upgrading to Windows 7.

Posted in Uncategorized | Comments closed

New Vulnerability in ALL Versions of Internet Explorer

Overview

Microsoft and US-CERT have released an alert about a vulnerability in all versions of Internet Explorer (IE 6 – IE 11) that could allow an attacker to install and run code on a computer. The most likely way a computer would be affected is through a website drive-by download. A drive-by download is where a user visits a malware-infected website and malicious code on the website exploits the vulnerability in the user’s web browser to infect the computer with malware.

As of now, researchers have only seen active campaigns on the Internet targeting IE 9 through IE 11, though earlier versions of IE may become targets in the future.

When Microsoft releases a patch to close this vulnerability, only users running Windows 7 and above will be fixed. Windows XP users will never have this vulnerability fixed, forever leaving Windows XP users insecure from a known serious vulnerability in Internet Explorer.

For the user

Users of Windows 7 and above should use Internet Explorer only if it is necessary for business activities, e.g. NU SharePoint or Banner. For all other websites it is recommended to use a browser other than Internet Explorer until a patch is released.

Windows XP users: Microsoft no longer releases updates or patches for Windows XP; there will never be a patch for this vulnerability. It is strongly recommended to upgrade to Windows 7 or 8.1.

Contact the Service Desk at 617-373-4357 or help@neu.edu for assistance with alternate browsers or upgrading to Windows 7.

More Information

ThreatPost: NEW INTERNET EXPLORER CVE-2014-1776 ZERO DAY USED IN TARGETED ATTACKS

KrebsonSecurity: Microsoft Warns of Attacks on IE Zero-Day

Sophos: Microsoft acknowledges “in the wild” Internet Explorer zero-day

The Verge: Security flaw puts all Internet Explorer users at risk, exposes Windows XP

Posted in Malware, Anti-Virus, Phishing, Scams, Safe Computing | Comments closed

What is Heartbleed and how to stay secure? – New Lynda.Com Video

Lynda has released two new videos explaining Heartbleed and how you can protect yourself.

The first video, Protecting Yourself from the Heartbleed Bug, tells users how they can stay secure and change passwords.

View Here: Protecting Yourself from the Heartbleed Bug

The second video, Heartbleed Tactics for Small IT Shops, provides an in-depth explanation of the Heartbleed Bug.

View Here: Heartbleed Tactics for Small IT Shops

Note: You do not have to be logged into Lynda to view these videos.

Posted in Safe Computing, Video | Comments closed