• It's not paranoia: Using public or open Wi-Fi networks without taking your security into consideration is a bad idea. You don't even have to crack the network's password to grab tons of data from unsuspecting users on the network. We've shown you how to do it, and how to stop it from happening to you. Now dSploit, a security toolkit for Android, makes that process so simple anyone can do it. Here's how it works, and how to protect yourself. 

    What is dSploit?
    dSploit is actually a suite of security tools bundled together in one application. It runs on rooted Android (2.3+) devices, its code is freely available at GitHub, and it's actually a great utility if you're a security professional or otherwise enjoy the ins and outs of network security, hacking, and penetration testing. We want to be clear that we're not villainizing the tool here; unlike apps like Firesheep, Faceniff, and Droidsheep, dSploit isn't made for the sole purpose of cracking networks or hijacking user sessions. It can certainly sniff out passwords transmitted in plain text on an open network, and it can crack poorly secured Wi-Fi networks. It can also scan networks for vulnerabilities, crack keys on common routers, and of course, hijack browser, website, or social network sessions and hold on to them. You can see a full list of the tool's features here. 

    For a security professional, an amateur looking for an affordable way to learn more about network security (or who's been tasked by their office to secure their Wi-Fi but can't afford professional pen-testers), or someone looking to protect their own network, dSploit can be a valuable resource. It can also be a valuable resource for people looking to steal your data. That's why we're going to talk about how it works and how you can protect your passwords and private data from anyone else using it. 

    How dSploit (and other apps like it) work
    dSploit makes it easy to do two things: Sniff out passwords being sent unencrypted, and hijack active browser sessions so you can masquerade as someone who's already logged in to a site or service. In both cases, they're really one-touch operations once you have the app installed. The former is easy to do. If someone is visiting a site, or logging in to a service without using HTTPS or SSL, your password is likely being sent in clear text. Anyone sniffing packets on a network can capture them without having to do any real kind of packet inspection, and once they have it, they'll try it on as many sites and services as possible to see if you use it for other accounts. The video above, from OpenSourceGangster, explains how the app works in detail, and how to use it. 

    The latter is a bit more intricate. If you're not familiar with session hijacking, it's the process of capturing cookies to exploit a valid active session that another user has with a secured service in order to impersonate that other user. Since no sensitive data like a login or password is transmitted in the cookie, they're usually sent in the clear, and in most cases they're used by web sites and social networks as a way of identifying a user with a current session so the site doesn't forget who you are every time you reload. This is the most common attack vector for apps that sniff out passwords and sessions via Wi-Fi. We showed you how this works when Disconnect, one of our favorite privacy protecting browser extensions, added protection against widget jacking and session hijacking, if you want to see an example. 

    dSploit approaches session hijacking in a similar manner to the other tools we've mentioned, mostly because it works well. The folks over at MakeUseOf explain how the app works in further detail, including some of the things you can do with it. Many web sites just encrypt your username and password, and once that handoff is made, everything else is unencrypted. While many sites have moved to HTTPS (and there are tools to help that we'll get to a little later), most require you to activate their HTTPS features. Many other sites haven't bothered moving to HTTPS universally at all. 
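    As an added example (not the article's code, and not part of dSploit), here is a small Python check a site operator can run against their own server's response headers for the gaps just described: a session cookie set without the Secure flag, which the browser will also send over plain HTTP, a cookie without HttpOnly, and no HSTS header, so a visitor's first request can still go out unencrypted. The two sample responses are constructed for this illustration.

```python
"""Audit one HTTP response for the weaknesses the article describes: a
session cookie that can travel over plain HTTP (no Secure flag), a cookie
that page scripts can read (no HttpOnly), and a missing HSTS header, which
lets the browser make its first request over HTTP before any redirect.

Added example, not code from the article or from dSploit; the two sample
responses below are constructed for this illustration.
"""
from http.cookies import SimpleCookie

# Constructed sample: the login happened over HTTPS, but the session cookie
# it set carries no flags, so the browser also sends it on http:// requests.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]

# Constructed sample: the same cookie, hardened, plus HSTS for one year.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def audit_response(headers):
    """headers: list of (name, value) pairs from one HTTP response.
    Returns a list of findings; an empty list means nothing to report."""
    findings = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses name=value plus its attributes
            for key, morsel in jar.items():
                # Flag attributes are True when present and "" when absent.
                if not morsel["secure"]:
                    findings.append(f"cookie {key!r} lacks Secure: also sent over plain HTTP")
                if not morsel["httponly"]:
                    findings.append(f"cookie {key!r} lacks HttpOnly: readable by page scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security: first request may still go out over HTTP")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```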

    What's the real risk here?
    The real risk from tools like this varies. The odds of encountering someone in your local coffee shop running dSploit, Firesheep, or any other app like them to capture passwords and hijack sessions are pretty slim, but as we've mentioned, it only takes one person to ruin your day. 

    Someone could just capture as many Facebook or Twitter sessions as they can (after which they can change a user's password and keep the Facebook account for themselves), hijack Amazon shopping sessions and grab address and credit card information, read your email and chats, and so on. The risk goes up with more and more tools available that are easy for anyone to use, and with the number of people out there who simply don't protect themselves by encrypting their data. 

    How can I protect myself?
    Protecting yourself from tools like these is actually remarkably easy if you put in the effort to do it: 

    * Turn on HTTPS on every site that allows you to connect with it, and install HTTPS Everywhere. This will make sure you're using HTTPS at all times, whenever possible, and none of your web browsing traffic is sent unencrypted. 

    * Get a privacy-protecting browser extension like Disconnect, which also protects against widget jacking or side-jacking. Disconnect is our favorite, but it shouldn't be the only tool in your toolkit. 

    * Use a VPN when browsing on public, free, or other open networks. We've explained why you should have a VPN before. We've even explained how to tell if a VPN is trustworthy. Using a VPN is the best way to make sure all of your data is encrypted and safe from anyone else on the same network, whether it's wired or wireless, public or private. 

    * Use your head, and practice good internet hygiene. Hone your phishing and scam detection skills, turn your BS detector up to max, and learn how to protect yourself from online fraud. Someone doesn't have to hijack your session or passwords to get to you; they could just as easily replace the website you're on with one that looks like it but insists you give it a ton of data first. Be smart. 

    It doesn't take much to use HTTPS everywhere you can, fire up a VPN if you're going to be working from the library, or just not use public Wi-Fi and wait until you get home or tether to your phone instead (that's always another option). If everyone did it, unscrupulous use of tools like these wouldn't be an issue, and only the people who needed them would use them. But as long as they're so effective, it makes sense for you to take the necessary steps to protect yourself.
  • Even if your company operates on a shoestring budget, you can grow your IT to meet your requirements and help make your business successful. 

    You're a small business and you have the budget to prove it. The problem is, you need to expand your IT. Without such an expansion, you can't grow. How do you get around the budget-lock? You get creative. That's one of the beauties of technology: It's there for you to use and to use in a way that benefits you. Of course, nearly every piece of technology has its recommended usages -- but that doesn't mean you can't bend the rules a bit or just add some new policies to help your business IT grow.
    I've come up with 10 creative ways you can expand your company's IT without having to blow your budget wide open. Some of these ideas can be implemented with little to no effort, whereas some will require some serious change. Either way, the end result is the same.

    1: Open source

    This should be a no-brainer. Your IT budget is limited and you need more of just about everything. Though open source can't easily help you with hardware, it can do wonders for you on the software side of things. Those older machines? Slap a lightweight Linux distribution on them. The newer machines? Opt for LibreOffice instead of Microsoft Office. There are so many ways in which open source can help you -- even beyond the desktop. Install Linux on a desktop machine or even put it to work as an in-house server you can use in a multitude of ways.

    2: CRM/CMS/HRM

    One of the best-kept (non) secrets of midsize to large businesses is that they manage their workflow with the help of CRM (customer relationship management), CMS (content management system), and HRM (human resource management) tools. Part of that "secret" is that there are plenty of cost-effective solutions that can meet (and exceed) those needs. Try the likes of Orange HRM, Drupal, and openCRX. Each of these tools offers tremendous power, at zero software cost, that can enable your company to expand in ways you probably never thought possible. And you don't always have to use the tools exactly as outlined. For example, the Drupal CMS platform is (with the help of plugins) an outstanding tool for creating a powerful company Web site.

    3: Crowd-source development

    One of the nice things about open source is that it's possible to get people involved in your project. This, of course, isn't limited to open source -- but it's a great place to start. If you have a specific need for a project, or if you have a feature you'd like to get rolled into a currently existing project, reach out! I have done this on a number of occasions -- contacted developers and asked for a feature to be added. Sometimes it works and sometimes it doesn't. You can always host your project on Google Code, which offers free hosting for collaborative, open source projects. Other services, such as the Zoho Marketplace, allow you to post your requirements, and developers will submit proposals to develop your app.

    4: BYOD

    BYOD is not new, nor is it all that creative. But for many smaller companies, it can be a real boon for getting technology in the hands of employees. This is especially true when you'd like to have the power and flexibility of tablets and other mobile devices. This doesn't mean you simply tell your employees, "If you want to use a computer, bring your own!" Instead, you let them know it's okay for them to bring their own devices to add a level of familiarity to their everyday usage. You will want to make sure that all devices brought in meet certain criteria (e.g., all Windows-based devices must have antivirus and anti-malware).

    5: Google Apps or Zoho for business productivity

    Google Apps is quickly becoming the standard by which businesses measure cloud-based software, but Zoho offers a host of software and services that can do wonders to expand your business. Zoho offers tools like invoicing, email/social marketing campaigns, CRM, bug tracking, reports, recruiting, and finances.

    6: Cloud-source backups

    Maybe you won't be backing up a server's worth of data, but you can use the likes of Dropbox, SpiderOak, and UbuntuOne to sync your data to multiple computers. It's not a be-all, end-all backup solution (I would add some form of local backup as well). But if disaster strikes, you can at least rest assured that certain folders and files can be retrieved easily. You can even get away with the free version of these tools. Although you are limited to 2 to 5 GB of data per service, you can get creative by installing multiple cloud-based tools and having them each sync different folders.

    7: Interns

    This is a rather touchy subject, but for some companies, bringing in undergraduate interns can help on a number of levels. First, you're bringing in new ideas. These students are typically just about to come out of their CIS or Comp Sci programs and need the internship hours. This means you get fresh minds, with fresh ideas, at a pittance. This isn't taking advantage of a system, because both sides have a need. Just make sure you don't work your interns too much or ask more from them than originally agreed upon.

    8: Social networking

    Social networking can play a huge role in expanding your IT. If you remove the "social" aspect of social networking, you're left with "networking." Being able to network means you have a large resource for help and information. If you're stuck with a problem, get on Facebook, LinkedIn, or Twitter and try to get help. I realize that anyone in the IT industry knows that the classroom and Google are your best friends -- but honestly, sometimes connecting with others is better than scouring Google or the Microsoft Knowledge Base.

    9: Resisting lock-in

    Don't fall for lock-in. Microsoft and other big companies are going to do everything they can to lock you into their products. The problem is, once you're locked in, it's a costly endeavor to get unlocked. Instead of falling for the typical tactics of the big software companies, understand that the world of computing has become very homogeneous. This is especially true as everything migrates to Web-based and cloud-based platforms. At some point in the near future, the operating system is going to be an afterthought. Keep this in mind as you begin purchasing new hardware and software. Avoid lock-in, and expansion will be much easier.

    10: Agility

    "Expand by remaining agile" might sound like a buzz-filled catch phrase. But when you give it some thought, one of the most remarkable characteristics of small businesses is that their size lends them an agility that big business doesn't have. By remaining small, you remain agile. And if you apply this to your IT, you will continue to operate that way. So in the end, thinking small can really be thinking big.