…The first step is to determine how securely you’ve configured your cloud service accounts—and how much interdependency they have. The best passwords in the world won’t help if your accounts are so heavily connected that the exposure of just one of them, through a server hack or social engineering, lets a hacker or fraudster bypass the passwords on the rest.
- Do you use strong passwords, and change them regularly? While passwords won’t stop an attacker who has exploited other means to gain access to your account, a strong password can at least protect you from a direct breach.
- Do you share access to your cloud services with other people, such as family members or friends? If you have devices that belong to your kids set up with your credentials for reasons like sharing an app or music, you’re also creating an opportunity for that data to get stolen—or shared by them with friends. Set up individual accounts for each person in the family on devices to prevent accidental exposure of your own personal data.
- Do you use the same e-mail address and password as your credentials for more than one service? If your password gets exposed by one service—as it did with some Dropbox users last month—and you’ve used the same information in multiple places, you could be a target for a broader hack. Many sites and services require you to use an e-mail address as a user name. Make sure you vary the credentials you use, selecting a different user name or e-mail account for each to avoid a one-shot exposure. If you don’t want to create an e-mail address specific to each service, at least use randomly generated passwords that are at least nine characters long.
- Do you use two-factor authentication? Some cloud services now provide a second level of authentication before you sign in or make changes to the account, often by sending a code via text message to your phone. This feature adds another step to authentication, and is often used to double-check security when you log in from an unfamiliar machine. Microsoft, for example, has added two-factor authentication to its cloud services for Windows 8 when adding new “trusted computers” to the account or making other changes. Google provides two-factor authentication for Google Apps accounts as an option for additional security, and Dropbox is now adding the capability.
- Do you use the same credentials for iCloud and iTunes? One potential problem that users of Apple’s iCloud and other services can easily fall into is the overuse of a single account across the services used on their devices—for example, using the same Apple ID for both iCloud and the iTunes store. The iTunes store links your credit card data to your Apple ID for music and application purchases, as well as in-app purchases. It stores your contact information and address as well. So it’s a potential source of even bigger headaches if it’s exposed along with your iCloud account.
- Do you use the same cloud-based e-mail account as your password recovery contact address for more than one service? If you use a single account as your alternate contact point for all your services, and that one gets exploited, the others don’t need to be hacked to be taken over. The attacker can simply reset passwords on accounts and take them over, getting access to everything in them.
- Do you have multiple webmail accounts connected into a single mailbox? For example, does your Google account retrieve your e-mail for your Apple iCloud, Microsoft Live, or other cloud services account? Again, this creates a single point of failure, and can provide an attacker with enough information about your other accounts to potentially take them over.
- How hard is it to guess or research your answer to your chosen security question? Depending on how determined someone is to take over your account, and how public your life is on the Internet, the security questions used to reset your account could be particularly vulnerable (the hacking of Sarah Palin’s Yahoo account is a prime example). If you’re using “mother’s maiden name” or some other personal biographical fact that could be found in a public records search, someone with time on their hands or an axe to grind could find the answer and exploit it to take over your account…
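The checklist above keeps returning to one idea: a password-reuse or recovery-address link turns a single exposed account into a chain of takeovers. The following script, an added example and not code from the quoted article, models a person’s accounts as a directed graph of takeover edges (reused login/password pairs, reset-contact relationships, and mailboxes that aggregate other mailboxes) and computes the blast radius of compromising each one. All account names, logins, passwords and recovery relationships are constructed sample data, and the treatment of a second factor (blocking a replayed password but not the reset flow) is a stated worst-case assumption, not a statement about any provider.

```python
"""Map the interdependencies between a person's cloud accounts.

Added example, not code from the quoted article. The accounts, logins,
passwords and recovery addresses below are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    login: str                                 # user name or e-mail used to sign in
    password: str                              # kept here only so reuse can be detected
    recovery_account: Optional[str] = None     # account that receives this one's reset mail
    retrieves_mail_from: Tuple[str, ...] = ()  # mailboxes this account pulls into itself
    two_factor: bool = False


def takeover_edges(accounts: List[Account]) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(compromised, next_victim): reasons} for every way one account
    hands an attacker the next one. Three edge kinds, following the checklist:

      password reuse   - same login and password accepted elsewhere; blocked when the
                         target has a second factor, since a replayed password is not enough
      recovery address - the compromised account is the reset contact for the target
      mail aggregation - the compromised mailbox retrieves the target's mail, so the
                         target's reset codes land in it

    Assumption: reset flows are NOT protected by the second factor (worst case;
    real providers differ), so the last two kinds ignore two_factor.
    """
    edges: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for src in accounts:
        for dst in accounts:
            if src.name == dst.name:
                continue
            if (src.login, src.password) == (dst.login, dst.password) and not dst.two_factor:
                edges[(src.name, dst.name)].add("password reuse")
            if dst.recovery_account == src.name:
                edges[(src.name, dst.name)].add("recovery address")
            if dst.name in src.retrieves_mail_from:
                edges[(src.name, dst.name)].add("mail aggregation")
    return dict(edges)


def blast_radius(accounts: List[Account], start: str) -> Set[str]:
    """Every other account an attacker who owns `start` can reach, transitively (BFS)."""
    edges = takeover_edges(accounts)
    reached: Set[str] = set()
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst in edges:
            if src == cur and dst != start and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached


def single_points_of_failure(accounts: List[Account], threshold: int = 2) -> List[Tuple[str, int]]:
    """Accounts whose compromise cascades to at least `threshold` others, worst first."""
    radii = [(a.name, len(blast_radius(accounts, a.name))) for a in accounts]
    return sorted((r for r in radii if r[1] >= threshold), key=lambda r: (-r[1], r[0]))


# Constructed sample inventory: one reused login/password pair, one webmail account
# that is both the reset contact for most services and an aggregator of another mailbox.
SAMPLE = [
    Account("gmail",   "alice@example.com",  "Summer2012!",  retrieves_mail_from=("icloud",)),
    Account("icloud",  "alice@me.example",   "rQ7#pLw2zD",   recovery_account="gmail"),
    Account("dropbox", "alice@example.com",  "Summer2012!",  recovery_account="gmail"),
    Account("shop",    "alice@example.com",  "Summer2012!",  two_factor=True),
    Account("bank",    "alice",              "v9$Kt!3mQx1",  recovery_account="gmail", two_factor=True),
    Account("work",    "alice@corp.example", "Hn4&yB8sW0e",  recovery_account="icloud"),
]

if __name__ == "__main__":
    for name, n in single_points_of_failure(SAMPLE):
        print(f"{name}: compromise cascades to {n} other account(s): "
              f"{sorted(blast_radius(SAMPLE, name))}")
    for (src, dst), why in sorted(takeover_edges(SAMPLE).items()):
        print(f"  {src} -> {dst}: {', '.join(sorted(why))}")
```

Two things the output makes visible that the checklist only states: the low-value “shop” account, protected by a second factor itself, is the worst single point of failure because its reused login and password open the webmail account, and from there the reset contact relationships reach everything else; and removing the “gmail” reset-contact edges alone would not help while the password reuse remains.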
(via Critical windows bug makes worm-meat of millions of high-value machines | Ars Technica)
Microsoft has plugged a critical hole in all supported versions of Windows that allows attackers to hit high-value computers with self-replicating attacks that install malicious code with no user interaction required.
The vulnerability in the Remote Desktop Protocol is of particular concern to system administrators in government and corporate settings because they often use the feature to remotely trouble-shoot e-mail servers, point-of-sale terminals and other machines when they experience problems. RDP is also the default way to manage Windows machines that connect to Amazon’s EC2 and other cloud services. That means potentially millions of endpoints are at risk of being hit by a powerful computer worm that spreads exponentially, similarly to the way exploits known as Nimda and Code Red did in 2001.
“This type of vulnerability is where no user intervention or user action is required and an attacker can just send some specially crafted packets or requests, and because of which he or she can take complete control of the target machine,” Amol Sarwate, director of Qualys’ vulnerability research lab, said in an interview. While RDP is not enabled by default, he said the number of machines that have it turned on is a “big concern” because it is so widely used in large organizations and business settings.
The bug affects Windows XP and all versions of Windows released since, including the developer preview of Windows 8. It was privately reported by Luigi Auriemma, an Italian security researcher who frequently focuses on vulnerabilities in industrial control systems and SCADA, or supervisory control and data acquisition, systems used to control dams, gasoline refineries, and power plants. Microsoft said there’s no indication the vulnerability is being used in the public to attack Windows users at the moment, but the company predicts that could change.
“Due to the attractiveness of this vulnerability to attackers, we anticipate that an exploit for code execution will be developed in the next 30 days,” Suha Can and Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in an advisory published Tuesday.
They urged users to “promptly apply” an accompanying security update. Those who can’t update right away and are running Vista or a later version of Windows should enable Network Level Authentication, a feature that requires users logging in to RDP boxes to have security credentials before gaining access…
[a good time to make sure your PCs are up to date, security patch-wise…]
(via Vintage Scans: Cloud 1969)
From Cloud issue 13.
After Amazon launched its music locker without first getting licenses from the record labels, there were rumors that Google might do the same. Google had been negotiating with the labels, but (not at all surprisingly) found that the labels were making ridiculous demands (lots of money and crazy restrictions that would handicap the service). It appears that the folks at Google are realizing what Amazon figured out a while ago: there doesn’t appear to be any licensing needed to run a music locker service. After all, you don’t need a license to listen to your own music stored on your own hard drive. Why should it be any different if that hard drive is connected to you via the internet?
So it should come as little surprise that Google is, indeed, moving forward with its music locker launch, and doing so without label approval. It sounds like the offering will be similar to Amazon’s, but with (significantly) more free storage.
The real question is how the labels will react. With Amazon, there was definitely some complaining and fretting and talk about how “something” had to be done, but none of the labels seemed willing to step up and sue. But with Google entering the market as well, and Apple likely to follow soon as well, you have to think that some label is going to take a flier on a lawsuit just to register the protest. Of course, in the meantime, I imagine everyone will be continuing to pay attention to the one current lawsuit in this space: EMI’s suit against MP3Tunes, for which we should (finally?) be hearing some sort of decision before too long.