<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael M. Knight &#187; Security</title>
	<atom:link href="http://www.michaelmknight.co.uk/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.michaelmknight.co.uk</link>
	<description>Quis custodiet ipsos custodes?</description>
	<lastBuildDate>Mon, 30 Jan 2012 23:37:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Say goodbye to BIOS and hello to UEFI</title>
		<link>http://www.michaelmknight.co.uk/2012/01/say-goodbye-to-bios-and-hello-to-uefi/</link>
		<comments>http://www.michaelmknight.co.uk/2012/01/say-goodbye-to-bios-and-hello-to-uefi/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 08:32:16 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=824</guid>
		<description><![CDATA[
If you&#8217;ve ever struggled with your PC&#8217;s BIOS, or been knee-capped by a rootkit that assailed the BIOS, you undoubtedly wondered why this archaic part of every PC wasn&#8217;t scrapped long ago. Well, be of good cheer: Windows 8 will finally pull the PC industry out of the BIOS generation and into a far more [...]]]></description>
			<content:encoded><![CDATA[
<p>If you&#8217;ve ever struggled with your PC&#8217;s BIOS, or been knee-capped by a rootkit that assailed the BIOS, you undoubtedly wondered why this archaic part of every PC wasn&#8217;t scrapped long ago.</p>
<p>Well, be of good cheer: <a title="Windows 8 Info" href="http://windows.microsoft.com/en-GB/windows-8/preview" target="_blank">Windows 8</a> will finally pull the PC industry out of the BIOS generation and into a far more capable — and controversial — alternative, the Unified Extensible Firmware Interface.</p>
<p>To best understand where we&#8217;re headed, it&#8217;s helpful to look at where we&#8217;ve been. An integral part of every PC, the Basic Input/Output System spans the entire history of the personal computer — more than 30 years. The very first IBM PC had a BIOS. And despite extraordinary advances in hardware and software, the BIOS we still puzzle over today is not much different from the one in that original PC.</p>
<p>Essentially a miniature OS, the BIOS has a simple but critical function — when a PC powers up, the BIOS checks that all hardware is in order (the POST or &#8220;power-on self-test&#8221; sequence); fires up the full operating system on the machine, such as Windows (using OS loader code); and then hands all control of the computer over to the OS.</p>
<p>Although older operating systems (such as DOS) relied on the BIOS to perform input and output functions, modern OSes (including Windows) have their own device drivers and completely bypass the BIOS after they&#8217;re up and running.</p>
<p>These days, it&#8217;s rare that a PC user is forced to invoke the BIOS&#8217;s cryptic and somewhat enigmatic user interface. Usually, it&#8217;s in response to some near-catastrophic system failure.</p>
<p>The <strong>Unified Extensible Firmware Interface</strong> (<a title="UEFI Info" href="http://www.uefi.org/about/" target="_blank">UEFI</a>) is essentially the next generation of BIOS. It&#8217;s a system that potentially offers new and more advanced control of the boot-up process. If your PC is less than two or three years old, chances are good that it already has UEFI capabilities. Chances are very good that you didn&#8217;t know that, because the hardware manufacturers have been carefully keeping the old <strong>BIOS</strong> interface as your default boot system. But that will change with Windows 8.</p>
<p><strong>How UEFI is different from/better than BIOS</strong></p>
<p>The standard BIOS has all sorts of problems, not least of which is its susceptibility to malware. For example, there are rootkits that hook themselves into the BIOS OS-loader code, permitting them to run underneath Windows. They&#8217;re difficult to remove and will reinfect Windows over and over.</p>
<p>And because the BIOS sits on a chip on the motherboard, it&#8217;s more difficult to update than an operating system or an application. So most PC users never update their BIOS, leaving the PC possibly incompatible with newer operating systems. (The early PC BIOS was hard-coded on a chip, so upgrading required replacing the entire chip or <strong>PROM</strong>.)</p>
<p>The UEFI is a more sophisticated system that runs before your primary OS kicks in. Unlike the BIOS, UEFI can access all PC hardware, including the mouse and network connections. It can take advantage of modern video cards and monitors. It can even access the Internet.</p>
<p>And as you can see in <strong>Figure 1</strong>, UEFI offers a modern, easy-to-decipher user interface. It could make dual-booting simpler, more visual, and controllable by mouse or touch. If you&#8217;ve ever played with your BIOS, you&#8217;ll discover that UEFI is in a whole new dimension.</p>
<div id="attachment_825" class="wp-caption aligncenter" style="width: 518px"><img class="size-large wp-image-825" title="UEFI Interface" src="http://www.michaelmknight.co.uk/wp-content/uploads/2012/01/uefi-508x381.jpg" alt="" width="508" height="381" /><p class="meta wp-caption-text">Figure 1</p></div>
<p><strong>Figure 1. The Asus.com website offers this view of a UEFI-interface screen — clearly, an improvement over the typical BIOS UI we&#8217;re faced with today.</strong></p>
<p>Unlike the BIOS, the UEFI can exist on a disk, just like any other program — or in nonvolatile memory on the motherboard or even on a network share.</p>
<p>At this point, it&#8217;s important to note that systems can run either the BIOS or the UEFI — or both. When they&#8217;re both used, the BIOS goes first to run <strong>POST</strong>, then the UEFI takes over and hooks into any calls that may be made to the BIOS. (Windows typically doesn&#8217;t make calls directly to the BIOS, but other operating systems might — and the UEFI will handle them, not the BIOS.)</p>
<p>The UEFI can also run without the BIOS — it can take care of all OS loading/interface functions previously handled by the BIOS. The only thing the UEFI can&#8217;t do is perform the POST or run the initial setup (configuring the CPU, memory, and other hardware). PCs that have the UEFI but no BIOS have separate programs for POST and setup that run automatically when the PC is powered on.</p>
<p>As we all know, the <strong>BIOS initialization process</strong> — including POST — seems to take a long time. The UEFI, on the other hand, can run quickly.</p>
<p>Moreover, a BIOS is easily reverse-engineered and typically has no internal security protection, making it a sitting duck for malware. A UEFI can run malware-dodging techniques such as policing operating systems prior to loading them — which might make rootkit writers&#8217; lives considerably more difficult. For example, the UEFI could refuse to run OSes that lack proper digital security signatures.</p>
<p>And that&#8217;s where the UEFI controversy begins.</p>
<p><strong>Windows 8 will implement UEFI in new ways</strong></p>
<p>Back in September, Microsoft wrote voluminously about the UEFI in Windows 8. The first post, &#8220;Reengineering the Windows boot experience,&#8221; talks about the basic ways Windows 8 will use the UEFI. (If your PC doesn&#8217;t support a UEFI, Win8 should still work fine.)</p>
<p>The article shows how current text-based, boot-time options, such as system repair store and image recovery, can be made more usable with a new graphical interface. The story goes on to describe how system startup could go, in seconds, from power-on to Windows Desktop without so much as flickering the screen. It also shows how dual-boot will work with a graphical face-lift.</p>
<p>The changes appear to be largely cosmetic, but they&#8217;re long overdue and a welcome improvement to the constrained, DOS-era recovery environments under which Windows operates.</p>
<p>The second article, &#8220;Protecting the pre-OS environment with UEFI,&#8221; shows how the UEFI secure boot — using <strong>Public Key Infrastructure</strong> (PKI) digital certificates — validates programs, peripherals, and OS loaders before they can run. The system can go out to the Internet and check whether the UEFI is about to run an OS that has had its certificate yanked.</p>
<p>If it sounds a lot like Secure Sockets Layer protection — no stranger to controversy — there certainly are similarities.</p>
<p><a title="Microsoft Corporation" href="http://www.microsoft.com" target="_blank">Microsoft</a> states it will let the hardware manufacturers struggle with the difficult question of who controls the digital-signature keys. &#8220;Microsoft supports OEMs having the flexibility to decide who manages security certificates and how to allow customers to import and manage those certificates, and manage secure boot. We believe it is important to support this flexibility to the OEMs and to allow our customers to decide how they want to manage their systems.&#8221;</p>
<p>Still, <strong>Microsoft</strong> is ensuring that anyone buying a certified <strong>Windows 8</strong> PC can rely on a certain level of protection from rogue OS loaders. &#8220;For Windows customers, Microsoft is using the Windows Certification program to ensure that systems shipping with Windows 8 have secure boot enabled by default, that firmware not allow programmatic control of secure boot (to prevent malware from disabling security policies in firmware), and that OEMs prevent unauthorized attempts at updating firmware that could compromise system integrity.&#8221;</p>
<p><strong>The controversial side of dual boot</strong></p>
<p>When those details first hit, the Linux community flew up in arms. Dual booting between Windows 8 and Linux might require a digital signature from a recognized certificate authority. That authority might be Microsoft, through its Windows Certification program, and Linux folks would have to pay the piper.</p>
<p>That controversy went on for a while but eventually died down (though it never disappeared) when it became clear that putting together the signature is relatively easy and not very expensive.</p>
<p>Then another conflagration started last week. To understand why, you have to understand that UEFI secure boot has two bail-out options. First, most PCs let you turn off UEFI secure boot entirely. You have to be sitting at the computer and do it manually, but it&#8217;s easy enough. In one of the Microsoft postings mentioned previously, the company acknowledged that hardware manufacturers could &#8220;allow customers to … manage secure boot.&#8221;</p>
<p>Second, there&#8217;s a provision for something called &#8220;custom secure boot mode&#8221; in which you, as a customer, can sit at your computer and type in a signature for any OS loader you darned well like. This manually created whitelist overrides the Windows 8 or third-party check, letting the UEFI run OS loaders unhindered.</p>
<p>You must also understand that <strong>Windows 8</strong> will run on two entirely different hardware platforms — Intel/AMD platforms spanning the range from (ponderous!) tablets to full-size desktops, and the svelte, tablet-friendly ARM platforms. If you use Win8, one of your first decisions will be which platform you choose.</p>
<p>The Linux world was taken aback when researcher Glyn Moody and the Software Freedom Law Center announced last week in a blog that Microsoft is making specific demands from hardware manufacturers who intend to sell Windows 8 bundled with their ARM machines — that is, those lightweight Windows 8 tablets. The Microsoft restrictions prevent hardware manufacturers from disabling secure boot and also prevent hardware manufacturers from implementing &#8220;custom secure boot&#8221; whitelists — but again, only on ARM hardware.</p>
<p>In other words, if at some point in the future you buy an ARM-based tablet with Windows 8 preinstalled, you won&#8217;t be able to dual-boot with Linux or any operating system other than the ones that pass the security check. Presumably that could mean Windows 8 or some later version of Windows that Microsoft might ordain in the future.</p>
<p>Aside from the fact that the restrictions fly in the face of what Microsoft specifically said in September, it&#8217;s hard for me to get too worked up about them. If you buy a Win8 (ARM) tablet, you won&#8217;t be able to root it (<a title="Rooting" href="http://en.wikipedia.org/wiki/Rooting" target="_blank">Wikipedia definition</a>), and you may not be able to upgrade it. You&#8217;ll just have to take that into account when you think about buying one — assuming Microsoft is up-front about the limitation and mentions it to consumers.</p>
<p>Intel-based <strong>Windows 8</strong> machines — even tablets (including tablets that run only the Metro interface) — aren&#8217;t hobbled by those ARM restrictions. At least at this point, <strong>Intel/AMD</strong> machines are, in fact, required to allow multibooting (with signed operating systems) and even to replace Windows 8 with an OS of your choice. It remains to be seen whether Microsoft&#8217;s going to change its mind about that distinction.</p>
<p><strong>Related Article</strong>: <a title="UEFI &amp; Linux" href="http://www.theregister.co.uk/2012/01/18/windows_8_linux_secure_boot/" target="_blank">Windows 8 hardware rules &#8216;derail user-friendly Linux&#8217;</a></p>
<p><strong>Source</strong>: © 2012 Windows Secrets</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2012/01/say-goodbye-to-bios-and-hello-to-uefi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Spam &#8211; Infographic</title>
		<link>http://www.michaelmknight.co.uk/2011/11/twitter-spam-infographic/</link>
		<comments>http://www.michaelmknight.co.uk/2011/11/twitter-spam-infographic/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 12:30:58 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Social]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=772</guid>
		<description><![CDATA[
Twitter spam is probably the most common (and annoying) out of all the social networks. Below is an infographic showing the types of spam that affect Twitter and a little description about each one. Twitter really needs to do more to stop the spamming from idiot users, unwanted business products, DMs and bots.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: left;">Twitter spam is probably the most common (and annoying) out of all the social networks. Below is an infographic showing the types of spam that affect <a title="Twitter" href="http://twitter.com" target="_blank">Twitter</a> and a little description about each one.</p>
<p>Twitter really needs to do more to stop the spamming from idiot users, unwanted business products, DMs and bots.</p>
<p><img class="aligncenter size-full wp-image-771" title="Twitter infographic" src="http://www.michaelmknight.co.uk/wp-content/uploads/2011/11/twiterinfographic.jpg" alt="" width="609" height="2656" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2011/11/twitter-spam-infographic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Version control for images</title>
		<link>http://www.michaelmknight.co.uk/2011/08/version-control-for-images/</link>
		<comments>http://www.michaelmknight.co.uk/2011/08/version-control-for-images/#comments</comments>
		<pubDate>Mon, 22 Aug 2011 16:35:50 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=757</guid>
		<description><![CDATA[
If you’re used to working with version control systems like CVS, Subversion or Git in order to keep track of changes to your code, then you will be well aware that changes to binary files, such as images, just can’t be tracked in the same way. Sure, there is no problem storing your binary data [...]]]></description>
			<content:encoded><![CDATA[
<p><img class="aligncenter size-full wp-image-759" title="Version Control" src="http://www.michaelmknight.co.uk/wp-content/uploads/2011/08/quant.jpg" alt="" width="596" height="212" /></p>
<p>If you’re used to working with version control systems like <a href="http://en.wikipedia.org/wiki/Concurrent_Versions_System" target="_blank">CVS</a>, <a href="http://en.wikipedia.org/wiki/Subversion_%28software%29" target="_blank">Subversion</a> or <a href="http://en.wikipedia.org/wiki/Git_%28software%29" target="_blank">Git</a> in order to keep track of changes to your code, then you will be well aware that changes to binary files, such as images, just can’t be tracked in the same way.</p>
<p>Sure, there is no problem storing your binary  data within any of these version control systems, but existing  strategies either simply store the whole binary file in a single chunk,  or store binary deltas. Both approaches consume significant amounts of  disk space, and obscure the actual changes that have been performed  within the file, defeating the real advantage of using any revision  control system.</p>
<p>That’s why I was really excited to see the  <a title="Microsoft Research" href="http://research.microsoft.com" target="_blank">Microsoft Research</a> group hard at work on the problem. Actually, probably  the most refreshing thing about their research is that they are using  the open-source graphics editor, <a href="http://en.wikipedia.org/wiki/GIMP" target="_blank">GIMP</a>, as their tool of choice in order to perform their research.</p>
<p>The <a title="Microsoft Corporation" href="http://www.microsoft.com" target="_blank">Microsoft</a> team set about tracking changes made to an image within a <a href="http://en.wikipedia.org/wiki/Directed_acyclic_graph">DAG (directed acyclic graph)</a>.  This allowed them to track the individual editing operations, as well  as the spatial and temporal relationships between each operation. These  graphs could then be converted to standard RevG (revision graph) format.</p>
<p>This  provides an intuitive interface to perform all of the common revision  control operations including things like ‘review’, ‘replay’, ‘diff’,  ‘branch’ and ‘merge’. It also provides a neat way to track creative  processes within digital artwork.</p>
<p>The general approach that the team took involved developing a plugin for GIMP that could keep track of operations on-the-fly and build the DAG as different actions were performed. This, in itself, is not so exciting. After all, nearly every image editing application these days records your session history, making it possible to undo and redo actions.</p>
<p>Exporting this  information as a graph that can be integrated into a functioning  revision control application so that it is possible to open a version of  the image at any point during its development, however, is definitely  new. What is significant here is that the DAG only contains a faithful  history of the operations performed by the user, and not any of the  binary data itself.</p>
<p>While the DAG file itself can grow quite large  and complex, so that it may not make sense to anybody reviewing the  version history of a particular image, the team have worked out a way to  represent the information within a revision graph which can be exposed  to the user with a thumbnail of the image during each phase of its  history.</p>
<p>The revision graph is capable of presenting non-linear  information such as revision branching in a coherent and unified  display. This means that by using the revision graph, you are able to  perform all of the major functions that are available to you through any  normal revision control system.</p>
<p>The RevG representation of the image data has been built into a very user-friendly and intuitive interface that allows an end-user to quickly navigate through the entire revision history of an image, with the option of exploring different levels of detail in terms of the different operations performed at any point within the history. This UI has been tightly integrated into GIMP so that when you click on any revision node within the graph, it highlights the areas of the image that were affected by that revision.</p>
<p>In order to display differences between revisions, you can either rely on this mechanism itself, or you can take advantage of a separate diff tool that actually plays through both revisions in order to see the different changes that were made in each image. This will certainly help in collaborative environments where it is possible that you may need to perform merges and conflict resolution.</p>
<p>In fact the team have also  developed a ‘merge UI’ that allows you to see each of the images that  you intend to merge, and a preview of the resulting merged image. This  really opens up the possibility of proper collaborative image editing,  so that two artists can work on different portions of the same image at  the same time and then simply merge their changes.</p>
<p>Unfortunately,  the work that has been done so far has been so deeply integrated with  GIMP that it does not provide a universal mechanism that can be used by  any arbitrary image editing software. Nonetheless, the groundwork has  been done, and certainly if the major software vendors can get it  together to agree on a standard based on this research, the way is paved  to finally bring realistic revision control to image editing software  and this will transform the way that designers work within any  commercial studio.</p>
<p>If you want to read the actual research paper, you can pick it up <a href="http://research.microsoft.com/pubs/147068/c96-f96_299-a47-paperfinal-v3.pdf">at Microsoft Research</a>. That reminds me, the next time I hear any geeks openly bashing Microsoft, this is the paper I will point them to.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2011/08/version-control-for-images/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Download Firefox 5 beta now</title>
		<link>http://www.michaelmknight.co.uk/2011/05/download-firefox-5-beta-now/</link>
		<comments>http://www.michaelmknight.co.uk/2011/05/download-firefox-5-beta-now/#comments</comments>
		<pubDate>Sat, 21 May 2011 06:43:44 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[beta]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[stable]]></category>
		<category><![CDATA[update]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=729</guid>
		<description><![CDATA[
Mozilla has released the first publicly available beta of Firefox 5, which acts as a halfway house between the stable, final release of Firefox and the developmental version, Firefox Aurora. The beta version offers a more stable environment than Aurora in which to road-test developmental features before they&#8217;re implemented into the next final release. [...]]]></description>
			<content:encoded><![CDATA[
<p>Mozilla has released the first publicly available beta of <a href="http://www.mozilla.com/products/download.html?product=firefox-5.0b2&amp;os=win&amp;lang=en-US">Firefox 5</a>, which acts as a halfway house between the stable, final release of Firefox and the developmental version, Firefox Aurora. The beta version offers a more stable environment than Aurora in which to road-test developmental features before they&#8217;re implemented into the next final release.</p>
<p>On the surface there&#8217;s little to differentiate <strong>Firefox 5</strong> from Firefox 4 in this beta release, which installs over the top of any existing stable release, but it does feature the new Firefox <strong>Channel Switcher</strong> that allows users to move between developmental and stable versions of Firefox from a convenient dialog box.</p>
<p>At time of testing, the Firefox Channel Switcher only works when switching users from the Beta channel to the Aurora alpha channel. However, while Firefox Aurora is designed to be installed alongside the beta or stable version, switching to Aurora from the Firefox Channel Switcher actually overwrites the Beta version.</p>
<p><img class="aligncenter size-large wp-image-730" title="ff5" src="http://www.michaelmknight.co.uk/wp-content/uploads/2011/05/ff5-508x322.png" alt="" width="508" height="322" /></p>
<p><img class="aligncenter size-large wp-image-733" title="about5" src="http://www.michaelmknight.co.uk/wp-content/uploads/2011/05/about5-508x291.png" alt="" width="508" height="291" /></p>
<p>The Beta version also showcases the same Feedback button that&#8217;s present in Aurora, and which is designed to encourage users to report bugs as well as general feedback about the build they&#8217;re currently using.</p>
<p>The final release of Firefox 5, scheduled for late <strong>June</strong>, will also coincide with Mozilla&#8217;s decision to forcibly upgrade the 12 million remaining Firefox 3.5 users to version 3.6 in a move that effectively signals the end-of-life for version 3.5 of the browser. In the meantime, Firefox 5 Beta is a free download for Windows, Mac and Linux users, but remember that it will install over the top of any existing stable Firefox application, so use with caution. To revert to an earlier stable version, simply install this over the top of the beta version.</p>
<p><a title="Firefox 5 Beta (English)" href="http://www.mozilla.com/products/download.html?product=firefox-5.0b2&amp;os=win&amp;lang=en-US">Download Firefox 5 Beta</a></p>
<p><strong>Firefox 5 Beta and add-on compatibility</strong></p>
<p>When Mozilla push an update containing Firefox 5 to users on the beta channel, one major concern is add-on compatibility for existing Firefox users. If all your add-ons are up to date then you simply need to turn off the Add-on Checking. Here&#8217;s how:</p>
<p>By default, Firefox 5 will not allow you to install these incompatible add-ons (this is the same for all previous versions), but you can install them using a small hack in the config file for Firefox 5. To do that, type <strong>about:config</strong> into the address bar and hit Enter or Go. When prompted with a “This might void your warranty!” warning, click the <strong>I’ll be careful, I promise!</strong> button.</p>
<p>Now right click on any open space and then select <strong>New</strong> -&gt; <strong>Boolean</strong>.</p>
<p>This will bring in a popup and in the box enter <strong>extensions.checkCompatibility.5.0</strong> as the preference name.</p>
<p>In the Boolean value, select <strong>false </strong>and click <strong>OK</strong>.</p>
<p>Now try installing the add-on that was not compatible; you should see that it now works. Be warned that incompatible add-ons can cause Firefox to crash or become unstable.</p>
<p>If your add-ons are not compatible after this, then you will need to alter the max version number in the actual add-on:</p>
<p>Open the .xpi extension file with <a title="WinRar" href="http://www.rarlab.com/" target="_blank">WinRar</a>, then extract the file install.rdf (but keep the WinRar window open) and open the .rdf file in Notepad. Where it says &#8216;maxversion&#8217;, change it from 1.0 (or whatever version it says) to 5.0. Save this change, then drag the file back into the open WinRar window. Then drag the .xpi file into Firefox to install it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2011/05/download-firefox-5-beta-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PhotoDNA Fighting Child Pornography</title>
		<link>http://www.michaelmknight.co.uk/2011/05/722/</link>
		<comments>http://www.michaelmknight.co.uk/2011/05/722/#comments</comments>
		<pubDate>Thu, 19 May 2011 12:26:10 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Notices]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Social]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=722</guid>
		<description><![CDATA[
Most people will never be exposed to photos of children being sexually abused by predators. But images of that abuse can be found in dark corners of the online world, where networks of child abusers and child-pornography consumers produce and propagate photos of children being victimized. This week, Microsoft is donating a new technology to [...]]]></description>
			<content:encoded><![CDATA[
<p>Most people will never be exposed to photos of  children being sexually abused by predators. But images of that abuse  can be found in dark corners of the online world, where networks of  child abusers and child-pornography consumers produce and propagate  photos of children being victimized.</p>
<p>This week, Microsoft is donating a new technology  to the National Center for Missing &amp; Exploited Children (NCMEC)  that has the potential to make a drastic difference in the fight against  the spread of child pornography online.</p>
<p>The  technology, called PhotoDNA, was initially created by Microsoft  Research. It was further developed by Hany Farid, a leading  digital-imaging expert and professor of computer science at Dartmouth  College, to help NCMEC in its efforts to find hidden copies of the worst  images of child sexual exploitation known today.</p>
<p><iframe src="http://www.microsoft.com/presspass/silverlightApps/videoplayer2/standalone.aspx?contentId=photoDNA_vid02&#038;src=/presspass/presskits/photodna/channel.xml&#038;WT.cg_n=PhotoDNA&#038;WT.z_convert=embed" width="400" height="334" frameborder="0" scrolling="no"></iframe></p>
<p>Ernie  Allen, president and CEO of NCMEC, says child porn is a problem that  had all but disappeared in the late 1980s — the U.S. Supreme Court had  ruled that it was not protected speech, but instead constituted child  abuse. Law enforcement had cracked down on its distribution and  importation.</p>
<p>Then along came the internet.</p>
<p>“Twenty years ago we thought this problem was  virtually gone,” Allen says. “As wonderful and powerful as the Internet  is, it has created an opportunity for people to network with others of  like interest, and to access content in the privacy of their own homes  that would have formerly put them at risk to acquire.”</p>
<p>Today,  says Allen, the problem is exploding. Since 2003, NCMEC has reviewed  and analyzed almost 30 million images and videos of child pornography.  These photos of sexual abuse are seized from pedophiles who both trade  in the illegal images and form communities that reinforce their shared  interest in children.</p>
<p>Allen says that the  NCMEC cyber-tip line has handled 750,000 reports of child sexual  exploitation and child pornography from the public and Internet service  providers. “We’re currently reviewing 250,000 images every week,” Allen  says. “So this is a massive problem.”</p>
<p><strong>Tracking the Traffic With PhotoDNA </strong></p>
<p>NCMEC  has worked with law enforcement to identify many of the worst images of  child sexual abuse and exploitation. As they are passed from pedophile  to pedophile, many of these images surface repeatedly during child  pornography investigations. “Our goal is to stop that victimization,”  Allen says. “Using PhotoDNA, we will be able to match those images,  working with online service providers around the country, so we can stop  the redistribution of the photos.”</p>
<p>The basis  for PhotoDNA is a technology called “robust hashing,” which calculates  the particular characteristics of a given digital image — its digital  fingerprint or “hash value” — to match it to other copies of that same  image. “Like human beings, every photo is a little different,” Allen  says.</p>
<p>The weakness in most common forms of hashing  technology is that once a digital image has been altered in any way —  whether by resizing, resaving in a different format or through digital  editing — its original hash value is replaced by a new hash. The image  may look exactly the same to a viewer, but there is no way to match one  photo to another through their hashes.</p>
<p>During  the course of working with NCMEC, Microsoft researchers became aware of  that weakness in the hash value detection and resolved to overcome the  obstacle in tracking down images of abuse. That’s when the company  enlisted the help of Dartmouth’s Hany Farid, a noted expert in digital  forensics technology.</p>
<p>For the past 10 years,  Farid’s Dartmouth lab has been developing mathematical and computational  tools to determine whether digital media is authentic. The expertise  he’s developed has applications for the media, national security, law  enforcement and consumers themselves.</p>
<p>“Everybody’s  aware that you can manipulate digital images, sounds and video. What  we’ve been trying to do is bring some trust back to that underlying  media. That’s been the thrust of my lab here at Dartmouth,” Farid says.</p>
<p>Microsoft  Research created the underlying technology for PhotoDNA. It then  collaborated with Farid to further develop the technology for use by  NCMEC and online service providers.</p>
<p>“The problem was that the signature was extremely fragile — the tiniest change to the image and the signature would be completely different,” Farid says. “The PhotoDNA technology extends the signature to make it robust and reliable, so that even if you change the image a little bit, we can still find it.”</p>
<p>Farid  says another challenge to the task faced by NCMEC is simply finding the  images among the billions of pictures floating around the Internet. But  he says PhotoDNA’s ability to automate the search will help NCMEC and  online service providers get over that hurdle as well. Because the  amount of data in the PhotoDNA is small, it allows large data sets to be  searched for matches very quickly.</p>
<p>“If I laid  down in front of you a couple of billion images and ask you to hand me  the ones that are inappropriate, you can imagine the scope of that  problem,” Farid says. “And so we have been developing technology that  can pluck out those inappropriate images from a sea of billions in a  very fast, very reliable way.”</p>
<p><strong>Giving Law Enforcement New Leads</strong></p>
<p>Once  NCMEC assigns PhotoDNA signatures to known images of abuse, those  signatures can be shared with online service providers, who can match  them against the hashes of photos on their own services, find copies of  the same photos and remove them. Also, by identifying previously  “invisible” copies of identified photos, law enforcement may get new  leads to help track down the perpetrators.</p>
<p>“NCMEC  is equipped to make the PhotoDNA tool available to law enforcement  agencies, online service providers and others working with NCMEC to  disrupt the ability of predators to use the Internet to exploit children  or traffic in child pornography,” Allen says.</p>
<p>Brad  Smith, Microsoft’s general counsel, says the company will be working to  implement PhotoDNA in the coming months on online services such as Bing  and Windows Live, along with other online service providers looking to  help disrupt the spread of these photos online.</p>
<p>“We  believe the ability to move faster and be more efficient can make a  real difference in addressing the problem,” Smith says. “This is an  opportunity for us across the technology community to partner closely  with the National Center for Missing &amp; Exploited Children to use  this technology. By combining our efforts, we can have a much bigger  impact.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2011/05/722/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stop Phishing: A simple guide</title>
		<link>http://www.michaelmknight.co.uk/2009/11/stop-phishing-in-5-steps/</link>
		<comments>http://www.michaelmknight.co.uk/2009/11/stop-phishing-in-5-steps/#comments</comments>
		<pubDate>Sat, 21 Nov 2009 17:22:46 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Email]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Hoax]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=301</guid>
		<description><![CDATA[
Phishing has been around for a while now. Longer than most of you think, and over the next year or so, its going to get worse. Can you detect a Phishing site or Scam? Are you protected&#8230; What is Phishing OK, for those of you who don&#8217;t know what phishing is, here&#8217;s a quick overview. [...]]]></description>
			<content:encoded><![CDATA[
<p>Phishing has been around for a while now, longer than most of you think, and over the next year or so it&#8217;s going to get worse. Can you detect a phishing site or scam? Are you protected&#8230;</p>
<p><strong>What is Phishing</strong></p>
<p>OK, for those of you who don&#8217;t know what phishing is, here&#8217;s a quick overview. This exploit originates via email and typically requests account information, such as usernames or passwords, a situation that could easily lead to identity theft. According to the United States Federal Trade Commission, nearly 255,000 cases of identity theft were reported in 2003, most of them attributed to the crime of phishing.</p>
<p>Phishing now crosses over to the web, where fake websites are created that look like legitimate sites such as banks. You fill in your details as usual to check your online banking account, only to be redirected to your original bank. What&#8217;s actually happened here is that you have entered all your information into a fake website that now has your login details. These are then used to steal your identity or funds from your bank.</p>
<p><strong>What can be done to protect yourself?</strong></p>
<p>Well, here&#8217;s a security concept for everyone: &#8220;if you can&#8217;t do it securely, then don&#8217;t do it at all.&#8221;</p>
<p>This particularly applies when it would be far more &#8220;convenient&#8221; to do it in an insecure fashion. I&#8217;m not talking convenience here, I&#8217;m talking security. So, how this applies to <strong>phishing</strong> is, don&#8217;t use email to send links or account information. Some sites are sort of getting around to this. One such is eBay. Now <a title="eBay" href="http://www.ebay.com" target="_blank">eBay</a> will include a copy of all legitimate correspondence they send you in your email account at eBay.</p>
<p>Of course, the problem is that if someone can match their website closely enough to fool you into entering your eBay username/password on their server and do a man-in-the-middle attack on your account (including their own phishing email in what you see), you&#8217;re still <strong>100% compromised</strong>. And all that takes is time and skill to set up.</p>
<p>Given the limits of <strong>email </strong>right now (including <a title="Sender Policy Framework" href="http://en.wikipedia.org/wiki/Sender_Policy_Framework" target="_blank">SPF</a> and such), it is impossible for the average user to know whether a specific email is legitimate. Sure, www.ebay.com is easy to verify, but is www.myebaysecurity.com also legitimate? Should I click on the enclosed link? SPF, <a title="Reverse DNS" href="http://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS" target="_blank">rDNS</a>, and everything else can only confirm that the IP address is legitimately assigned to that name; they cannot tell you whether the name itself belongs to eBay.</p>
<p>So, the easiest solution would be to not send email with links. Yes, I am aware that this will mean the end of the cute <strong>HTML</strong> email ads that you send/receive. That&#8217;s the part about &#8220;if you can&#8217;t do it securely then don&#8217;t do it at all.&#8221; There&#8217;s no use in crying about what you can&#8217;t do if you can&#8217;t do what you want to do in a secure fashion.</p>
<p>It&#8217;s 2005 and the technology has advanced enough for any<strong> financial site</strong> (that means any site that involves money being exchanged) to run its own web-email-type system. They wouldn&#8217;t even need it to be <a title="A protocol used to send email" href="http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol" target="_blank">SMTP</a>-capable. It would only be used for outside people reading their email from that business and sending email to employees inside that business and for employees at that business to send/receive email from the clients connected to it.</p>
<p>This isn&#8217;t to say that you&#8217;d have to check that email account all the time to see if you have email. Again, this is 2005. We have all kinds of means of <strong>alerting people</strong> when they need to check something. We can send a text message to their pager or mobile phone, we can leave a voice message on their pager, cell phone or home phone. It would even be possible to send a text only email without any links telling them that they have email at such-and-such bank/auction site/wherever and that they should go there to check it. Since they should already know the web site name (they have used it before, right?) they shouldn&#8217;t need to have it spelled out for them in the email.</p>
<p>It is economical for a bank to have a computer call phones and leave voice messages if you need to contact the bank (they already do this) but it is not economical for the <strong>phishers</strong> to do that (even if they&#8217;re running <a title="Skype - VoIP Telephone and Messaging Client" href="http://www.skype.com" target="_blank">Skype</a> or whatever). And it gets even easier if the bank (or whatever) allows you to choose the text message to be sent to your pager/cell phone.</p>
<p>The best part is that this would not require<strong> 51%+</strong> of the email servers to be upgraded or modified or anything else. For this to work for a specific bank/site it would only require that they change. And the technology is <strong>100%</strong> available (and Open Source) today.</p>
<p>It should be noted that this does not in any way describe any method for securing financial transactions done over the Web. This is just a method to <strong>kill phishing </strong>attempts and the losses associated with successful compromises.</p>
<p>Read more about Phishing here: <a title="Phishing Info" href="http://en.wikipedia.org/wiki/Phishing" target="_blank">http://en.wikipedia.org/wiki/Phishing</a></p>
<p><strong>Note</strong>: I published this article earlier in the year and I have decided to re-post it due to demands I&#8217;m getting from people finding me from this site: <a title="Link to my article" href="http://www.realtime-websecurity.com/articles_and_analysis/2007/04/cut_phishing_by_keeping_it_sim.html" target="_blank">http://www.realtime-websecurity.com</a> &#8211; Since I re-designed my blog, I had removed this article, hence the re-post.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/11/stop-phishing-in-5-steps/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Steganography &#8211; Invisible Secrets</title>
		<link>http://www.michaelmknight.co.uk/2009/08/steganography-invisible-secrets/</link>
		<comments>http://www.michaelmknight.co.uk/2009/08/steganography-invisible-secrets/#comments</comments>
		<pubDate>Fri, 28 Aug 2009 01:36:51 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[hidden data]]></category>
		<category><![CDATA[secret]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=218</guid>
		<description><![CDATA[
A picture may be worth a thousand words, but it could also hide something more treacherous. Today, businesses wanting to guard against the potentially ultra-serious hazard of vitally important data being deliberately leaked to unauthorised people outside or even inside the organisation, need to get to grips with an alarming reality: a picture can also [...]]]></description>
			<content:encoded><![CDATA[
<p>A picture may be worth a thousand words, but it could also hide something more treacherous.</p>
<p>Today, businesses wanting to guard against the potentially ultra-serious hazard of vitally important data being deliberately leaked to unauthorised people outside or even inside the organisation, need to get to grips with an alarming reality: a picture can also conceal a thousand words.</p>
<p>Or in some cases even up to around 5,000 words. More than enough to betray all your most precious and commercially sensitive data: locations of newly-discovered oil fields; formulae for synthesising newly-discovered molecules of breakthrough drugs costing millions or even billions to develop; designs of revolutionary products you&#8217;re planning on being the first to bring to market; ultra-sensitive lists of hard-won customers; you name it.</p>
<p>Data concealed in pictures? It may sound like the basis for a plot sequence in the next Mission Impossible movie, but it isn&#8217;t. It&#8217;s real. And unless you are prepared to let any Tom, Dick or Harry cruise around your<strong> precious data</strong>, you need to be aware of the threat it poses.</p>
<p>The technique is called <strong>steganography</strong>, from Ancient Greek words meaning hidden or covered writing, just as that lumbering dinosaur the stegosaurus is so named because its back was covered in those large bony plates whose real purpose is a mystery even today.</p>
<p>But steganography wasn&#8217;t a mystery to the <strong>Ancient Greeks</strong>; indeed they most likely invented it. The Greek historian Herodotus records that in 312 BC, Histiaeus of Miletus commanded the head of his most trusted slave to be shaved and tattooed with a vitally important secret message. Once the slave&#8217;s hair had grown, hiding the message, Histiaeus used him as an emissary to a friendly power via enemy territory to instigate a revolt against the Persians.</p>
<p>This example from history shows why steganographic writing is such a dangerous threat to security. Friends who betray us are always a more potent threat than people we recognise as enemies from the outset, and steganographic messages look friendly and innocent.</p>
<p>You could devise a simple steganographic message by agreeing with your recipient that your real message will consist of the first letter of every word of your apparent message. &#8216;Bring us your invoice by Monday&#8217;, for example, would really mean &#8216;BUY IBM&#8217;. In steganographic writing the apparent message is known as the covertext and the real message is called the plaintext.</p>
<p>The innocuous appearance of the <strong>covertext</strong> in the example illustrates why steganographic writing doesn&#8217;t tend to set alarm bells ringing. It looks innocent, whereas the message &#8216;BUY IBM&#8217; encrypted in a simple code that consisted, say, of replacing each letter with the next letter in the alphabet &#8211; &#8216;CVZ JCN&#8217; &#8211; obviously looks dodgy and would be certain to awaken the suspicions of even the most credulous member of an industrial espionage prevention team.</p>
<p>The point is that any encrypted message will tend to raise suspicions because even though it can&#8217;t readily be read you will know it&#8217;s been encrypted and will instantly conclude that something fishy&#8217;s going on.</p>
<p>In the highly competitive ocean of modern business, the threat of steganography has recently become a major issue in corporate life.</p>
<p>It&#8217;s actually been a significant threat for several years due to the increased computing power available on everyone&#8217;s desktop, but people have been distracted by publicity about cryptography and steganography has rather remained in the background.</p>
<p>It&#8217;s a particularly worrying threat now because of the enormous computing power on desktops today, the massive volume of electronic communications, and the number of freely available tools that allow even a routine user to employ steganographic techniques.</p>
<p>By far the biggest type of threat is the potential for concealing steganographic writing within computerised images. With Windows you can literally drag and drop your hidden text onto a picture and the deed is done.</p>
<p>As Gordon Gekko reminded us in the film <a title="Wall Street" href="http://www.imdb.com/title/tt0094291/" target="_self">Wall Street</a> (1987), the most valuable commodity of all is information. And it&#8217;s precisely that which can so easily be given away today &#8211; or sold &#8211; using image-based steganographic techniques.</p>
<p><strong>What&#8217;s actually happening when you carry out what looks like a simple drag and drop?</strong></p>
<p>An electronic image is composed of thousands of &#8216;<strong>picture elements</strong>&#8217; or &#8216;<strong>pixels</strong>&#8217;. A pixel is a binary number that provides information on the colour or (in a black and white picture) the shade of grey that should be displayed in that particular pixel.</p>
<p>The binary number will look something like this: <strong>10011011</strong> etc depending on the pixel in question. The individual numbers (the 1 or the 0) are known as bits and the further along you go to the right the less significant the bits become in defining the precise colour of the pixel.</p>
<p>Why does the opportunity for steganography exist? Because while each pixel is defined by a series of bits, some of these bits can be changed without affecting the resulting pixel to any discernible extent. In a computerised image whose size is 256 by 256 pixels, making a total of 65,536 pixels, there would easily be room to conceal say, about 5,000 words of data.</p>
<p>This method of concealment is known as &#8216;<strong>bit twiddling</strong>&#8217;. An obvious place to conceal a secret message would be within a computerised picture that does not show any apparent changes.</p>
<p>Bit twiddling is the most common way to conceal text within a computerised image. There are many more techniques, though, particularly when using image formats such as the now ubiquitous<strong> jpeg</strong> which many will have encountered through their digital cameras.</p>
<p>An apparently innocuous picture of &#8211; for example &#8211; an employee&#8217;s child&#8217;s first day at school taken with a standard family digital camera could easily be used to conceal a damaging leak. The leak could be so fatal that by the time the school term ends, thousands of other mums and dads at the business from which the information was leaked will have had to find new jobs &#8211; if they can.</p>
<p><strong>Insider Threats</strong> are big business, and company information, customer<strong> credit card details</strong> and more, whether sold or leaked, can now all be hidden in a single image file and emailed, or innocently taken out of the building on a laptop or removable media.</p>
<p><strong>What&#8217;s the best way to guard against the hazard of modern image-based steganographic betrayal?</strong></p>
<p>The first step is to recognise that it is a potential problem and get help to understand what tools are likely to be available to a malicious team member. You also need to know the manner in which these tools can be used because they often leave little trace of their presence &#8211; some are even termed &#8216;<strong>zero footprint</strong>&#8217; by those who develop them.</p>
<p>Yet help is at hand because dedicated teams of experts have been making available tools to help detect steganography. The technique they use is known as &#8216;steganalysis&#8217;.</p>
<p>Steganalysis is as much an art as a science. The detection tools need to be used so that the appropriate steganalysis resource is used in the appropriate situation.</p>
<p>Admittedly, this is not easy, when the range of steganography tools and the steganalysis counterparts have proliferated and are proliferating just as the threat from viruses did when they first emerged into the IT environment.</p>
<p>At work I began my own anti-steganography work as a forensic technical exercise but was soon alarmed at what my experiments told me, not just about the power of the steganography tools available but also about the degree of care that needs to be applied to combat this potent security hazard.</p>
<p>Taking the threat of betrayal by apparently innocuous pixels seriously will lead you to put into practice the measures necessary to defend against it. And you do need to take this threat very seriously indeed. The stegosaurus may be long extinct, but <strong>steganographic treachery</strong> is, unfortunately, here to stay.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/08/steganography-invisible-secrets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password Advice</title>
		<link>http://www.michaelmknight.co.uk/2009/08/password-advice/</link>
		<comments>http://www.michaelmknight.co.uk/2009/08/password-advice/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 23:28:41 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[help]]></category>
		<category><![CDATA[password]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=200</guid>
		<description><![CDATA[
Your passwords are the keys you use to access personal information that you&#8217;ve stored on your computer and in your online accounts. If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many [...]]]></description>
			<content:encoded><![CDATA[
<p>Your passwords are the keys you use to access personal information that you&#8217;ve stored on your computer and in your online accounts.</p>
<p>If criminals or other malicious users steal this information, they can use your name to open new <strong>credit card</strong> accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late.</p>
<p>Fortunately, it is not hard to create strong passwords and keep them well protected.</p>
<p><strong>What makes a strong password</strong></p>
<p>To an attacker, a strong password should appear to be a random string of characters. The following criteria can help your passwords do so:</p>
<p>Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.</p>
<p>Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a &#8220;<strong>pass phrase</strong>&#8221;). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.</p>
<p>Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. Other important specifics include:</p>
<p><strong>The fewer types of characters</strong> in your password, the longer it must be. A 15-character password composed only of random letters and numbers is about 33,000 times stronger than an 8-character password composed of characters from the entire keyboard. If you cannot create a password that contains symbols, you need to make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of symbols.</p>
<p><strong>Use the entire keyboard</strong>, not just the most common characters. Symbols typed by holding down the &#8220;Shift&#8221; key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.</p>
<p><strong>Use words and phrases</strong> that are easy for you to remember, but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but they need to be adequately protected in order to remain secure and effective.</p>
<p>In general, passwords written on a piece of paper are more difficult to compromise across the Internet than passwords kept in a password manager, on a Web site, or in another software-based storage tool.</p>
<p><strong>Create a strong, memorable password in 6 steps</strong></p>
<p>Use these steps to develop a strong password:</p>
<p>1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as &#8220;My son Aiden is three years old.&#8221;</p>
<p>2. Check if the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between characters) on your computer or online system, do so.</p>
<p>3. If the computer or online system does not support pass phrases, convert it to a password. Take the first letter of each word of the sentence that you&#8217;ve created to create a new, nonsensical word. Using the example above, you&#8217;d get: &#8220;msaityo&#8221;.</p>
<p>4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden&#8217;s name, or substituting the number 3 for the word &#8220;three&#8221;. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become &#8220;My SoN Ayd3N is 3 yeeRs old.&#8221; If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like &#8220;MsAy3yo&#8221;.</p>
<p>5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and use other ways to make the password more complex. Using these tricks, we create a pass phrase of &#8220;MySoN 8N i$ 3 yeeR$ old&#8221; or a password (using the first letter of each word) &#8220;M$8ni3y0&#8221;.</p>
<p>6. Test your new password with a <strong>Password Checker</strong>. A Password Checker is a non-recording feature on this <a title="Password Checker" href="http://www.michaelmknight.co.uk?wp_ct=2" target="_blank">Web site</a> that helps determine your password&#8217;s strength as you type.</p>
<p><strong>Password strategies to avoid</strong></p>
<p>Some common methods used to create passwords are easy to guess by criminals. To avoid weak, easy-to-guess passwords:</p>
<p><strong>Avoid sequences</strong> or repeated characters. &#8220;12345678,&#8221; &#8220;222222,&#8221; &#8220;abcdefg,&#8221; or adjacent letters on your keyboard do not help make secure passwords.</p>
<p><strong>Avoid using only look-alike</strong> substitutions of numbers or symbols. Criminals and other malicious users who know enough to try and crack your password will not be fooled by common look-alike replacements, such as replacing an &#8216;i&#8217; with a &#8216;1&#8217; or an &#8216;a&#8217; with &#8216;@&#8217; as in &#8220;M1cr0$0ft&#8221; or &#8220;P@ssw0rd&#8221;. But these substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.</p>
<p><strong>Avoid your login name</strong>. Any part of your name, birthday, social security number, or similar information for your loved ones constitutes a bad password choice. This is one of the first things criminals will try.</p>
<p><strong>Avoid dictionary words in any language</strong> &#8211; Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.</p>
<p><strong>Use more than one password everywhere</strong> &#8211; If any one of the computers or online systems using this password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.</p>
<p><strong>Avoid using online storage</strong> &#8211; If malicious users find these passwords stored online or on a networked computer, they have access to all your information.</p>
<p><strong>The &#8220;blank password&#8221; option</strong></p>
<p>A blank password (no password at all) on your account is more secure than a weak password such as &#8220;1234&#8221;. Criminals can easily guess a simplistic password, but on computers using Windows XP/Vista or Windows 7, an account without a password cannot be accessed remotely by means such as a network or the Internet. (This option is not available for Microsoft Windows 2000, Windows Me, or earlier versions.) You can choose to use a blank password on your computer account if these criteria are met:</p>
<p>• You only have one computer or you have several computers but you do not need to access information on one computer from another one</p>
<p>• The computer is physically secure (you trust everyone who has physical access to the computer)</p>
<p>The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.</p>
<p><strong>How to access and change your passwords</strong></p>
<p><span style="color: #000000;"><strong>Online accounts</strong></span></p>
<p>Web sites have a variety of policies that govern how you can access your account and change your password. Look for a link (such as &#8220;my account&#8221;) somewhere on the site&#8217;s home page that goes to a special area of the site that allows password and account management.</p>
<p><strong>Computer passwords</strong></p>
<p>The Help files for your computer operating system will usually provide information about how to create, modify, and access password-protected user accounts, as well as how to require password protection upon startup of your computer. You can also try to find this information online at the software manufacturer&#8217;s Web site. For example, if you use Microsoft Windows XP, online help can show you how to manage passwords, change passwords, and more.</p>
<p><strong>Keep your passwords secret</strong></p>
<p>Treat your passwords and pass phrases with as much care as the information that they protect.</p>
<p><strong>Don&#8217;t reveal them to others</strong> &#8211; Keep your passwords hidden from friends or family members (especially children) who could pass them on to other less trustworthy individuals. Passwords that you need to share with others, such as the password to your online banking account that you might share with your spouse, are the only exceptions.</p>
<p><strong>Protect any recorded passwords</strong> &#8211; Be careful where you store the passwords that you record or write down. Do not leave these records of your passwords anywhere that you would not leave the information that they protect.</p>
<p><strong>Never provide your password</strong> over e-mail or based on an e-mail request. Any e-mail that requests your password or requests that you go to a Web site to verify your password is almost certainly a fraud. This includes requests from a trusted company or individual. E-mail can be intercepted in transit, and e-mail that requests information might not be from the sender it claims. Internet &#8220;phishing&#8221; scams use fraudulent e-mail messages to entice you into revealing your user names and passwords, steal your identity, and more.</p>
<p><strong>Change your passwords regularly</strong> &#8211; This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered only good for a week or so, while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.</p>
<p><strong>Do not type passwords</strong> on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet—your passwords and pass phrases are worth as much as the information that they protect. Windows has an OnScreen Keyboard that you can access if needs be. Press <strong>Start </strong>&gt; <strong>Run </strong>and type <strong>OSK</strong> and click OK. Now use the mouse to type in a password.</p>
<div id="attachment_201" class="wp-caption aligncenter" style="width: 516px"><img class="size-full wp-image-201" title="osk" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/osk.png" alt="Windows 7 On Screen Keyboard" width="506" height="157" /><p class="meta wp-caption-text">Windows 7 On Screen Keyboard</p></div>
<p><strong>What to do if your password is stolen</strong></p>
<p>Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong, memorable passwords can help protect you against fraud and identity theft, but there are no guarantees. No matter how strong your password is, if someone breaks into the system that stores it, they will have your password. If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can.  If you need further help on what to do if you think your identity has been stolen or you&#8217;ve been similarly defrauded, then contact me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/08/password-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sexting &#8211; A Guide</title>
		<link>http://www.michaelmknight.co.uk/2009/08/sexting-a-guide/</link>
		<comments>http://www.michaelmknight.co.uk/2009/08/sexting-a-guide/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 04:30:20 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Child Safety / Protection]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Advice]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[help]]></category>
		<category><![CDATA[images]]></category>
		<category><![CDATA[peer pressure]]></category>
		<category><![CDATA[sexting]]></category>
		<category><![CDATA[sexual]]></category>
		<category><![CDATA[video]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=178</guid>
		<description><![CDATA[
What Is &#8220;Sexting?&#8221; When people take a sexually revealing picture or video of themselves and send it or them as text message attachments, it&#8217;s called &#8220;sexting.&#8221; And recently the practice has been increasing exponentially amongst kids. Kids &#8220;sext&#8221; to show off, to entice someone, to show interest in someone, or to prove commitment. The problem [...]]]></description>
			<content:encoded><![CDATA[
<p><strong>What Is &#8220;Sexting?&#8221;</strong></p>
<p>When people take a sexually revealing picture or video of themselves and send it as a text message attachment, it&#8217;s called &#8220;sexting.&#8221; And recently the practice has been increasing exponentially amongst kids. Kids &#8220;sext&#8221; to show off, to entice someone, to show interest in someone, or to prove commitment. The problem is that the moment the relationship ends (and most of them do) someone is in possession of a highly compromising image that can be easily posted on a social networking site or sent around via email or text.</p>
<p>There have been some high profile cases of <a title="Sexting" href="http://en.wikipedia.org/wiki/Sexting" target="_blank">sexting</a> &#8212; including <strong>High School Musical</strong> star <a title="Vanessa Hudgens" href="http://www.imdb.com/name/nm1227814/" target="_blank">Vanessa Hudgens</a>, who sent a nude picture to her co-star/boyfriend, Zac Efron, that ended up all over the Internet and made headlines. And in July 2008, Cincinnati teen Jesse Logan <strong>committed suicide</strong> after a nude photo she’d sent to a boyfriend was circulated widely around her high school, resulting in harassment from her classmates.</p>
<p><strong>Why It Matters</strong></p>
<p>In a technology world where anything can be copied, sent, posted, and seen by huge audiences, there&#8217;s no such thing as being able to control images. Even if a photo was taken and sent as a token of love, the intention doesn’t matter &#8212; the technology makes it possible for everyone to see your child’s most intimate self. And in the hands of teenagers, when revealing photos are made public the subject almost always becomes the object of ridicule and name calling. Furthermore, sending <strong>sexual images</strong> to minors is against the law, and some states in the US and the UK have begun prosecuting kids for <strong>child pornography</strong> or obscenity.</p>
<p><strong>Advice for Parents</strong></p>
<p><strong>Don&#8217;t wait</strong> &#8211; for an incident to happen to your child or your child’s friend before you talk to your kids about the consequences of sexting. Sure, talking about sex or dating with teens can be really uncomfortable, but better to have the talk before the fact.</p>
<p><strong>Remind them</strong> &#8211; that once an image is sent, it can never be retrieved &#8212; and they will lose control of it. Ask teens how they would feel if their teachers, parents, or the entire school saw the picture, because it happens all the time.</p>
<p><strong>Talk about pressures</strong> &#8211; to send revealing photos. Let teens know that you understand that they can be pushed or dared into sending something. Tell them that no matter how big the social pressure is, the potential social humiliation will be hundreds of times worse.</p>
<p>The buck stops with them. If someone sends them a photo, have them delete it immediately. Better to be part of the solution than the problem. Besides, if they do send it on, they&#8217;re distributing pornography &#8212; and that’s against the law.</p>
<p>If you can’t deal with this, have your kids go to a professional that can help (and you should go yourself).</p>
<p><strong>Statistics</strong></p>
<blockquote>
<ul>
<li>22% of teen girls and 20% of teen boys have sent nude or semi-nude photos of themselves</li>
<li> 22% of teens admit that technology makes them personally more forward and aggressive</li>
<li>38% say exchanging sexy content makes dating or hooking up with others more likely</li>
<li>29% believe those exchanging sexy content are “expected” to date or hook up</li>
</ul>
</blockquote>
<p>Remember: revealing photos can be resent to a vast audience. If you or a kid sends an <strong>explicit image</strong> via mobile phone, or even email, it can be forwarded to someone else, and before you know it, the content is uploaded online or passed between peers. Sending a sexual image to a minor, even minor to minor, is illegal.</p>
<p><strong>Evidence</strong></p>
<p>As a parent, you may be worried about what your kids are sending to each other. Where do your ethics come into play regarding a kid&#8217;s privacy? Sometimes drastic measures will force you to intervene in a child&#8217;s life and development for his or her protection. For the worried parent there is software available that will help you. <a title="MOBILedit Forensic Software" href="http://www.mobiledit.com/forensic/" target="_blank">MOBILedit</a> is a Forensic Application that works with all mobile phones and PDAs and requires a data cable (one of these usually comes with a new phone as standard; if not, they are cheap to buy).</p>
<p>MOBILedit is quite costly, but the trial is fully functional and will allow you to use the application for a short time, which will be all you need to gather the information you need. This software can also be used to read text (SMS) messages from both sides of the conversation. This is useful if your child is being bullied, or is indeed a bully him or herself. The application can be used for many predicaments you and your child may come across, and as a way of proving facts.</p>
<p>Do not use this software as just a spying tool. This would be unfair, and you would be infringing on privacy if you have no just cause, so please use this software wisely. You can download the trial below.</p>
<p><a href="http://download.mobiledit.com/mobiledit!/MOBILedit!Forensic.exe"><img class="alignleft size-full wp-image-184" title="Download MOBILedit Forensic Edition" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/downloadgrn.png" alt="downloadgrn" width="253" height="70" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/08/sexting-a-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Dangers</title>
		<link>http://www.michaelmknight.co.uk/2009/07/twitter-dangers/</link>
		<comments>http://www.michaelmknight.co.uk/2009/07/twitter-dangers/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 01:22:45 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Child Safety / Protection]]></category>
		<category><![CDATA[Forensic]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Information]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[Attack]]></category>
		<category><![CDATA[fake]]></category>
		<category><![CDATA[protection]]></category>
		<category><![CDATA[provention]]></category>
		<category><![CDATA[stalkers]]></category>
		<category><![CDATA[Trojans]]></category>
		<category><![CDATA[Viruses]]></category>

		<guid isPermaLink="false">http://www.michaelmknight.co.uk/?p=160</guid>
		<description><![CDATA[<style type="text/css">
#leftcontainerBox {
float:left;
position: fixed;
top: 60%;
left: 70px;
}

#leftcontainerBox .buttons {
float:left;
clear:both;
margin:4px 4px 4px 4px;

padding-bottom:2px;
}


#bottomcontainerBox {
height: 30px;
width:50%;
padding-top:1px;
}

#bottomcontainerBox .buttons {
float:left;
height: 30px;
margin:4px 4px 4px 4px;
}

</style>
We all know how fun Twitter can be. Many people have fallen in love with this micro blogging site, and don’t really see anything that could go wrong. After all, who needs Twitter safety tips against a cute, bird logo? Well, don’t be too caught up in your Twitter postings that you forget your safety. [...]]]></description>
			<content:encoded><![CDATA[
<p>We all know how fun <a title="Twitter" href="http://twitter.com" target="_blank">Twitter</a> can be. Many people have fallen in love with this micro blogging site, and don’t really see anything that could go wrong. After all, who needs Twitter safety tips against a cute, bird logo?</p>
<p>Well, don’t be too caught up in your Twitter postings that you forget your safety. Remember that the Internet is still a prime target market for sexual predators, <a title="Article on Stalkers" href="http://www.michaelmknight.co.uk/?p=140" target="_blank">stalkers</a>, fraudsters, scammers, hackers and people who want to do others harm. You might need these Twitter safety tips more than you realise, especially if you have just started to use twitter.</p>
<p>Just the other day, I chanced upon this TV interview of a young, popular actress who pointed out that someone has set up an account on Twitter pretending to be her, which leads me to…</p>
<p><strong>Twitter Safety Tip # 1:  Don’t believe everything you read</strong></p>
<p>Have we not learned from the past? The Internet, while not harmful by itself, is still a haven for individuals and groups that are up to no good.</p>
<p>After all, who can say that a 50-year-old pervert isn’t a cute, 15-year-old student from London when he sounds just like a 15-year old student from London? And that picture of him in that blue shirt just backs it up, right?</p>
<p>If you are inclined to believe this, then you need this Twitter safety tip more than anyone else. People who want to befriend you can easily make up lies on Twitter. Don’t think for a second that they wouldn’t take the time and effort to prattle away about their non-existent boring Algebra classes and upcoming winter dance if it meant making themselves more convincing.</p>
<p>Be aware that there are many fake profiles on Twitter. Learn how to spot them. Firstly, you&#8217;ll notice that they have not posted much, and with links being shortened, it&#8217;s hard to see if you&#8217;re being sent to a real site or a dodgy site where you will be prone to a <a title="More info about Clickjacking" href="http://en.wikipedia.org/wiki/Clickjacking" target="_blank">clickjacking</a> attack/scam. Other things to look out for are the following and followers. Usually you can tell by looking if this is a real person or a fake. Also keep away from people sending tweets from API. Scammers/Spammers also follow each other, and may converse between themselves to make it look like they have actual friends. Be wary. A quick example of clickjacking: <a title="Rickrolled" href="http://www.michaelmknight.co.uk?wp_ct=13" target="_blank">Click this link</a> (it&#8217;s safe), but it shows you how easily a link can be spoofed.</p>
<div id="attachment_230" class="wp-caption aligncenter" style="width: 515px"><img class="size-full wp-image-230" title="fake1" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/fale1.jpg" alt="The most common looking fake profile" width="505" height="411" /><p class="meta wp-caption-text">The most common looking fake profile with low followers</p></div>
<div id="attachment_228" class="wp-caption aligncenter" style="width: 510px"><img class="size-full wp-image-228" title="api1" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/api1.jpg" alt="Automated tweets from the Twitter API - Block these people" width="500" height="45" /><p class="meta wp-caption-text">Automated tweets from the Twitter API - Block these people</p></div>
<p>If you want to follow a celebrity, I suggest you look for the new Twitter <strong>Verified Account</strong> tag that&#8217;s added at the top right of a profile, and check out <a title="Valebrity - Famous people to follow" href="http://valebrity.com" target="_blank">Valebrity</a> for a huge list of validated celebs.</p>
<div id="attachment_232" class="wp-caption aligncenter" style="width: 515px"><img class="size-full wp-image-232" title="var" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/var.PNG" alt="An official Varified Account" width="505" height="159" /><p class="meta wp-caption-text">An official Verified Account</p></div>
<p>Last bits on this subject, there are lots of automated scripts out there that create fake profiles, bots that create fake posts and user accounts. So if you are unsure that this is a real person, do some investigating and look at their followers and see if any of them has ever had a proper conversation with this possible &#8216;fake&#8217;. If in doubt, don&#8217;t follow them back and block them.</p>
<div id="attachment_229" class="wp-caption aligncenter" style="width: 515px"><img class="size-full wp-image-229" title="fake2" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/08/fake2.jpg" alt="A typical Fake Profile. Notice theres no conversation" width="505" height="454" /><p class="meta wp-caption-text">A typical fake Profile. Notice there&#39;s no conversation, and low followers</p></div>
<p>Also beware of tweets and websites that claim <strong>Get 160,000 followers</strong> in a month, or words like that. Firstly, they don&#8217;t work, and secondly they are probably a scam.</p>
<p>Why? Well, once you click a link, you are directed to a website where you enter your Twitter login details. Now the scammers/spammers can send tweets from your account. Also, they may flood Twitter with thousands of messages. Twitter hates this and it will get your account locked and possibly deleted. If this happens and you still have access to your account, change your password immediately.</p>
<p>When visiting any website that is not directly affiliated with or endorsed by Twitter, be very careful when submitting your account details. You never know who owns the website or what they are using it for, so do some research first. Check the <a title="Whois Information" href="http://www.whois.net/" target="_blank">whois</a> information for the site (this can also be faked), search Twitter to see if other people are using the site (or even an app) and see if they seem to be sending spam tweets. If all is clear, then they are probably OK.</p>
<p>Never pay for a service that links to Twitter.</p>
<p><strong>Twitter Safety Tip # 2: Don’t give out your location</strong></p>
<p>I know that micro <strong>blogging</strong> is fun. There’s just something addicting about being able to post what you’re doing or what you’re feeling at this exact moment… and having hundreds, possibly thousands of followers seeing it.</p>
<p>If you have added people in Twitter who are not really your friends, then all the more reason to be careful. If you, for example, tweet that you’re stuck in the Starbucks near your home late at night, anyone could just take advantage of that information. It’s only a matter of time until you turn on the TV and hear that someone is being stalked or has been attacked or murdered because they tweeted their exact location, so be warned.</p>
<p>Lastly on this location tip: be careful if you are using an <strong>iPhone</strong> and turn on the Location Option. It looks like this in a person’s profile: <strong>37.739705,-122.430799</strong> and gives you the longitude and latitude of a person’s iPhone. This can be used to track you. So turn this feature off. In a test, I activated this feature on an iPhone with Twitterrific. With a laptop and mobile phone enabled with GPS Software I travelled miles away from home, where I left the iPhone switched on. I activated the Laptop and GPS, loaded my Twitter page and got the coordinates. I entered them into the GPS system and navigated the route to 20 meters from my doorstep. Anyone could do this with just a laptop and GPS Enabled phone. You can also go to <a title="Google Maps" href="http://maps.google.com">Google Maps</a> and copy and paste the longitude and latitude; this will also give the location. And with Street View, you can probably see where that person lives.</p>
<p><strong>Twitter Safety Tip # 3: Don’t attract too much attention to yourself</strong></p>
<p>Twittering that you have just received a gold bracelet from your boyfriend can also attract the wrong sort of followers to your account. Trust should not be so freely given on the Internet.</p>
<p>You might want to show it off on Twitter via <a title="TwitPic - Image hosting " href="http://www.twitpic.com/" target="_blank">TwitPic</a> or some other image provider or host, but think about the possible risks. It might tempt others into doing something both you, and they, will regret.</p>
<p>As much fun as Twitter is, set a limit on how much private information you’re really broadcasting to the world. Many of you may be thinking, &#8216;yeah, whateverrrr&#8217;, or &#8216;yeah OK, this will never happen to me&#8217;. But <em><strong>never</strong></em> forgo your safety, and <em><strong>never</strong></em> let your guard down on the Internet. If you do, you&#8217;re a fool!</p>
<p><strong>More protection&#8230;</strong></p>
<p>When using Twitter, I&#8217;d suggest using a 3rd party application like <a title="TweetDeck" href="http://tweetdeck.com" target="_blank">TweetDeck</a> (which is my favorite Twitter app) or <a title="CoTweet" href="http://cotweet.com/" target="_blank">CoTweet</a> (which is my second fave). The reason for using a 3rd party application is that it uses Twitter&#8217;s <a title="API" href="http://en.wikipedia.org/wiki/Application_programming_interface" target="_blank">API</a> (Application programming interface) and you are less likely to get a trojan or virus from clicking on a user&#8217;s infected profile. Yes! You can also get a Trojan or Virus from using Twitter. A while back, Twitter was plagued by the &#8216;<strong>Mikeyy Worm</strong>&#8217; that infected you if you clicked on a profile that had been compromised by the Mikeyy worm. Incidentally, the Mikeyy worm was actually written by Michael Mooney, a 17-year-old kid, and it crippled millions of Twitter accounts.</p>
<p>You can keep track of attacks on Twitter <a title="Twitter Hit by News" href="http://search.twitter.com/search?q=%22Twitter+Hit+By%22" target="_blank">here</a>. And if you would like to report suspicious activity, a spammer or something that doesn&#8217;t look right, follow Twitter&#8217;s <strong>Spam Team</strong> and then send them a tweet with your problem: <a title="Twitters Spam Busters" href="http://twitter.com/spam" target="_blank">http://twitter.com/spam</a> and they should help. Also, if you have any real issues and you need support from Twitter, visit their <a title="Twitter Help And Support" href="http://twitter.zendesk.com/requests/new" target="_blank">ticketing system</a>.</p>
<p>Twitter is not perfect and is riddled with <strong>security holes</strong>, and more are being discovered or exploited daily. For a platform that&#8217;s almost over 3 years old, the boffins at Twitter really should plug these holes, tighten up security and keep people safer. Don&#8217;t let this spoil your twitting experience though. As long as you keep safe whilst on Twitter, and learn how to spot the fake profiles, you&#8217;ll have a great time.</p>
<p>If you have any <strong>Twitter tips</strong> you would like to share with us, please comment below and at some point I will include these in a list, and credit you.</p>
<p>Lastly, check out <a title="Sharon Hays" href="http://sharontucci.blogspot.com/" target="_blank">Sharon Hays&#8217;</a> Blog for tons of Twitter information. She&#8217;s a pure Twitter professional, lovely person and her blog will help you get used to Twitter if you are new. Also, check out <a title="Twitter 101" href="http://business.twitter.com/twitter101/" target="_blank">Twitter 101</a> for some excellent information.</p>
<p><strong>Recent Twitter Bots/Scammers</strong></p>
<p><span style="color: #993300;">I will update this section of this post as new scams, bots and strategies change, so keep popping back for updates&#8230;</span></p>
<p>You will notice that they are now having conversations, but with other bots, and they use rubbish English like &#8216;<strong>Howz U doin</strong>&#8217;, &#8216;<strong>I did dat last wk</strong>&#8217; and so on. If you click on the people they are following, you will notice the same bad grammar and spellings. Some of these new spammers are also now mimicking or pretending to be up and coming actors/actresses and celebs.</p>
<p><strong>3rd Party Application Spam</strong></p>
<p>I&#8217;ve noticed that spammers are now creating profiles and posting tweets via <strong>TweetDeck</strong> and <strong>CoTweet</strong> as well as <strong>TwitterFeed</strong>. Again, there is no real conversation and the posts are riddled with useless links and random tweets. You may also notice that the spammers and bots are now using lists to make them look like normal people. Be wary.</p>
<div id="attachment_293" class="wp-caption aligncenter" style="width: 516px"><img class="size-full wp-image-293" title="fake3" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/11/fake3.png" alt="fake3" width="506" height="449" /><p class="meta wp-caption-text">New fake profile using TweetDeck and using Lists</p></div>
<p><strong>True Twit</strong></p>
<p>This is not a danger, but I wanted to update you with this cool utility. If you are plagued by <strong>Twitter spam</strong> (or Twam) and you have had enough, you can try True Twit. <a title="True Twit" href="http://www.michaelmknight.co.uk?wp_ct=12" target="_blank"><strong>True Twit</strong></a> has been around a while now and what it does is <strong>verify</strong> anyone following you. So, if for example, I follow you, I&#8217;m sent a DM to click a link to verify that I am in fact a cool human being and want to follow you because I think you&#8217;re cool. I don&#8217;t have to enter any of my Twitter details either.</p>
<div id="attachment_309" class="wp-caption aligncenter" style="width: 520px"><img class="size-full wp-image-309" title="tt" src="http://www.michaelmknight.co.uk/wp-content/uploads/2009/11/tt.png" alt="True Twit - Helping stop Twitter Spam" width="510" height="349" /><p class="meta wp-caption-text">True Twit - Helping stop Twitter Spam</p></div>
<p>True Twit also has a few neat options behind the scenes, where you can send a verification note to anyone on your list who you think may be a spammer or may have a fake profile; they are then sent a DM to verify themselves. The message that is sent is customisable, or you can use the default message. You can also unfollow people. Sign up today and help stop the spam.</p>
<p><a title="True Twit" href="http://www.michaelmknight.co.uk?wp_ct=12" target="_blank">http://www.truetwit.com</a>.</p>
<p>Stay tuned for more info&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.michaelmknight.co.uk/2009/07/twitter-dangers/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

