Ang Paglalakbay...

The Ten Most Dangerous Online Activities

2008-03-18T00:55:00.001+08:00

Most computer users have no idea how dangerous their online behavior is.

No matter how many times you warn them, employees still manage to poison their computers with new malware because they "just couldn't resist looking at the attachment." Other common goofs: downloading software for personal use, lowering firewalls to speed up a connection and even leaving their passwords stuck to their laptops.

The following is our list of the ten most dangerous things people do online, along with some explanation of the risks associated with each. The list is based on input from information technology professionals and is arranged in descending order of danger.

Stick this list up on your office door. Better yet, post it to the company bulletin board. If it keeps just one person from making a big mistake, it will have been worth the effort.

The Ten Most Dangerous Online Activities.

1. Clicking on e-mail attachments from unknown senders

Haven't we beaten this one to death already? With all the computer training courses, news reports, magazine articles and memos from the IT department, are there any Internet users left out there who don't know they aren't supposed to open e-mail attachments from strangers?

Apparently, there are. IT managers, consultants and other experts maintain that of all the dangerous things corporate end users do, opening e-mail attachments is still the most potentially damaging. Even with today's new range of exploits, e-mail attachments continue to be the most likely means of contracting viruses, worms, Trojan horses and other digital infections. And because these attachments usually contain applications or executable files, they have the greatest potential to instigate the complete takeover--or destruction--of an enterprise PC.

But shouldn't end users know this by now? An August survey by security software vendor Finjan offers an interesting perspective. In a straw poll of 142 U.K. office workers, Finjan found that 93% of respondents knew that attachments and links found in e-mail messages could contain spyware or other forms of malicious code embedded in them.

The problem isn't that users don't know the risks--it's that they can't help themselves, Finjan said. In the survey, 86% of the workers admitted they open attachments and click on links without being sure if it's safe to do so. And despite frequent warnings, 76% of those surveyed said they routinely open what they assume to be viral marketing files, such as funny videos, jokes or Web sites.

"It's still the most dangerous thing end users do," says Richard Stiennon, founder of IT-Harvest, an IT consulting firm.

2. Installing unauthorized applications

What do you mean, "No IM?"

If you're like many organizations today, prohibiting instant messaging is out of the question. IM is rapidly becoming a standard corporate communication tool, even as the number of IM exploits rises. Like any other peer-to-peer application, instant messaging comes with some serious risks, but once your users are hooked on IM, they are hooked.

"IM is too useful to completely restrict. If you try to lock it down but don't provide any outlet for employees to stay in touch with the outside world, users will find a way around your security policy," says Thomas Ptacek, a researcher with Matasano Security. "It's 2006. Your users are going to use IM."

IM isn't the only peer-to-peer app your users may be installing on their desktops. There's also Kazaa and other free file-sharing utilities that let users share documents, software and music. But this freedom has its cost. "These applications can increasingly be the source of new viruses," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy.

And like other unauthorized or unregulated communication, peer-to-peer apps create the risk of bad stuff coming in and sensitive corporate or personal stuff going out.

It's safest to standardize by using one of the popular IM platforms, such as AIM and MSN, says Ptacek. "The only question is whether you're going to be able to monitor and control it or not."

The best defense is to ensure employees have only user--not admin--privileges on their machines, says Daniel Peck, a security researcher with SecureWorks. And have a written corporate policy about what users can and can't do with these apps.

"And never install programs unless you know what they do, whether they are 'comm' programs or otherwise," says Gary McGraw, chief technical officer of Cigital.

Your desktop firewalls can block specific ports, for instance, and a host-based information processing system can also help you lock down your desktops. "But that's not foolproof," warns Peck. If your organization can't live without instant messaging, you can require IM sessions to be encrypted, he says.

3. Turning off or disabling automated security tools

It still happens: A user, frustrated by the slow performance of an Internet service provider link or the constant exclusion of specific types of files, finds a way to turn off the firewall on his remote PC--or even at a branch office. Then, as if that's not bad enough, he "forgets" to turn the firewall back on, leaving that site open to all sorts of attacks until someone from IT finally recognizes the problem and reactivates the barrier.

And it isn't just firewalls: Every day, users reschedule automated virus updates, remote security patch installations or requests to change their passwords. Security stuff, they say, is an administrative hassle and keeps them from doing their "important" work.

The disabling of carefully evaluated, state-of-the-art security technology might be the most dangerous thing that users regularly do, according to the Enderle Group's Enderle. "This is what keeps many of us [IT and security professionals] up at night," he says. "Security applications take some overhead and may lower performance [of the end station]. Folks will turn them off as a result."

Cigital's McGraw agrees. "Sometimes you just have to postpone the old monolithic virus scan so you can get some work done," he notes. "There's always a trade-off--make sure you make the right one."

Most enterprise firewalls and antivirus applications now contain configuration options that enable IT to eliminate the "turn it off" option from the user's desktop, McGraw observes. In many cases, it may be better to force the user to accept a patch or a slow ISP connection--and deal with the complaints--than to leave the company's systems open to remote attack, experts say.

4. Opening HTML or plain-text messages from unknown senders

While most end users today are aware, if not respectful, of the dangers associated with opening e-mail attachments from strangers, many are not aware of the threats that may lie in a normal, everyday text or HTML message that contains no enclosure. Most of these users are those who have not updated their computer training lately and still labor under the illusion that only e-mail attachments can contain malware.

Many experts now believe that HTML mail poses a threat that may eventually be as serious as the traditional e-mail attachment. HTML text--and increasingly, images--can be infected with spyware, and in some cases, executable code. In July, experts at iDefense Labs, the security research arm of Verisign, discovered a new, relatively simple method of embedding shell code into commonly-loaded Web images, such as computer graphics, online photos or PDF documents.

HTML files may contain Javascript, ActiveX controls or macros that can allow an attacker to gain control of a PC or turn into a remotely controlled zombie, noted Finjan in a white paper issued last month. "The vast majority of Web pages contain one or more types of active content, with an unmistakable trend toward increasing use of active content in Web pages," the company said.

In a study of the Web-surfing habits of some 15,000 business users, Finjan found that about 6.9% of HTML traffic contained at least one content type that violated the security policy of the enterprise involved. Studies such as these have caused some enterprises to restrict the use of HTML e-mail, or even disallow it altogether.

"There is plenty of active-content spam out there, and phishers use it, too," says Cigital's McGraw. "When in doubt, delete it without looking at it. If it's important, real mail, the sender will try again--or maybe even pick up the phone."

5. Surfing gambling, porn or other dicey Web sites

One of the oldest abuses of corporate Internet links, the downloading of porn, gambling and other objectionable data, is another still-popular activity that falls into the "I thought we had that fixed" category.

Most companies today have established that such content, even when technically legal for consumers, could create a hostile working environment for employees, subjecting the company to legal or punitive action. Any human resources department will tell you that these pursuits are a major no-no, and most IT professionals will tell you that they have deployed some sort of content filter to restrict access to objectionable content.

However, the problem still runs rampant in some organizations. In fact, an investigation of the U.S. Department of the Interior published last month turned up some alarming data regarding the online surfing habits of its 80,000 employees.

In a study of one week's worth of computer logs, the U.S. Office of the Inspector General discovered over 1 million log entries in which 7,763 DOI computer users spent more than 2,004 hours accessing game and auction sites. Extrapolated over the course of a year, these shopping and gaming binges could account for 104,221 hours of lost productivity--amounting to more than $2,027,887 in lost costs, the OIG said.

The OIG also found that a significant number of employees were accessing pornographic sites, many for periods of 30 minutes to an hour. Four employees were found to have downloaded egregious volumes of pornography, including child pornography, and each was prosecuted and sentenced for anywhere from 10 months to eight years in jail.

The DOI had implemented Web site monitoring and blocking software, but users were able to get around it, the OIG said. In a final spot check of the DOI systems in August, OIG investigators were able to access both pornographic and gambling sites on three of the department's four main computer systems, despite the presence of content filtering and blocking tools.

Online gambling and pornographic sites also are "becoming a frequent source of infection via 'drive-by downloads' and 'zero-day exploits,'" observes Richard Stiennon, president of IT-Harvest.

6. Giving out passwords, tokens or smart cards

The password problem is as old as computers themselves. Despite years of trying, however, no one has come up with a workable solution.

In a study published just this week by global research firms Nucleus Research and KnowledgeStorm, companies' attempts to tighten IT security by regularly changing and increasing the complexity of passwords is having no effect on security.

Despite years of IT warnings to the contrary, about one in three people still write down their computer passwords somewhere near the machine, either on a piece of paper or in a text file on a PC or mobile device, the researchers said.

"This is really a lot like Mom and Dad buying a great new security system for the house, and Junior leaving the combination under the doormat," said David O'Connell, senior analyst at Nucleus Research, in a published interview. "Passwords are high maintenance: People forget them; people lose them; they have to be reset."

Some experts also say that employees can be too trusting of acquaintances, colleagues and family members who may "borrow" their passwords or authentication tokens, exposing them even more broadly to loss or theft. This is a particular risk among telecommuters or road warriors who may give out their passwords to help a friend or relative. "You might trust the employee, but you have to draw the line at friends and family," says one expert.

The researchers at Nucleus Research and KnowledgeStorm suggested that enterprises should look to increasingly improving authentication technologies, such as single sign-on and biometrics, as potential answers to the age-old problem of password management. Online payment vendors Pay By Touch and UPEK earlier this month unveiled a finger-sensor payment service, TrueMe, which lets users access account information through a biometric fingerprint scanner.

7. Random surfing of unknown, untrusted Web sites

Browser-based vulnerabilities are becoming one of the most popular targets of attackers on the Web. Just ask Microsoft and Mozilla, which have been busy patching new vulnerabilities the past few months. If your organization gives users free reign to surf the Web during or after business hours from the corporate network, beware.

In addition to the well-documented cross-site scripting (XSS) vulnerabilities floating around, there's also a lot of adware and spyware. You shouldn't put it past that 20-something intern to download music, for instance, and inadvertently contract some malware as a result.

Even if your corporate policy restricts Web access, the 20-somethings may not honor it. "This is something that young employees, bored security guards and interns are more likely to do," says the Enderle Group's Enderle. "It's an attractive nuisance and one of the reasons for a proxy server."

Internet Explorer 7.0, which was released by Microsoft on Monday, and Firefox 2.0, which was released on Tuesday, are expected to help browser security--at least until attackers start cracking them. But that may be wishful thinking: IE7's first bug was reported just hours after it went live, although Microsoft says the issue is a component in Outlook Express rather than in IE7.

"Attackers have started to compromise enterprises through the use of browser-based and other client-side vulnerabilities," says David Goldsmith, president of Matasano Security. "This also applies to home users who are becoming increasingly more security-savvy. Hopefully, the releases of Internet Explorer 7.0 and Firefox 2.0 will make it even more challenging for attackers to compromise the browser."

So if you're going to restrict Web access, how do you determine what sites you can trust? "If you're really paranoid, surf with active content disabled, use Opera or Firefox, and run your browser with very little permission [settings]," says Cigital's McGraw.

8. Attaching to any old Wi-Fi network

There's nothing more soothing than a good cup of java (lowercase) and a free Wi-Fi connection at your local coffee shop. But watch that guy sitting at the next booth--he may be hacking into your laptop over that very same Wi-Fi link.

Your network's users are even more at risk if their wireless card uses the Wireless Access Protocol, which is notoriously simple to hack. A hacker can use a sniffer and grab your corporate user name and password, for instance, or infect you with a worm, says Daniel Peck, a security researcher with SecureWorks.

Even if your employee is only sipping coffee and working offline, an attacker could use that employee's wireless card to access his machine--and eventually, your corporate network.

It's tempting for a user on the road to jump on the closest Wi-Fi connection they pick up while waiting at the airport or some other public place, but "there is no way of ensuring that the networks they connect to aren't run by a malicious attacker," says Matasano Security's Goldsmith. "While the unsuspecting user surfs the Web, an attacker could be using a man-in-the-middle attack to monitor their traffic--or even worse, use a client-side attack toolkit to compromise their machine."

A personal firewall can help, says the Enderle Group's Enderle--as long as your users keep it turned on.

"Attach away. Just tunnel through with SSH or a VPN client," says Cigital's McGraw. "Also be aware of low-level attacks, and don't do anything too sensitive."

But the only way to ensure that your users won't get hacked via Wi-Fi is to have them disable their wireless card altogether while they work from public places, says Matasano Security's Ptacek. "The safest reasonable attitude right now is that even browsing available wireless networks is risky."

9. Filling out Web scripts, forms or registration pages

If your users could actually see a hacker looking over their shoulder as they logged onto a Web site or typed sensitive data into a registration page, maybe then they would think twice. But since keyloggers and XSS don't have a human face, you'd better hope your users are hanging out on sites encrypted using secure sockets layer (SSL)--and know just what constitutes sensitive corporate data.

"Most Web sites handling sensitive info use SSL to protect the data in transit--check for that," says Cigital's McGraw.

Users are more likely to get hacked if they use the same user name and password for most every site they visit--a habit that puts their personal data in jeopardy, as well as the company's.

And even a trusted site can have an XSS exploit embedded in it. All it takes is for a user to read a message on a bulletin board that contains malware, and an attacker could gain control of the user's browser session.

Remote sessions should be encrypted using SSL. But SSL isn't foolproof--it has its own litany of problems and weaknesses, such as its susceptibility to man-in-the-middle attacks and keystroke loggers. "SSL has had some issues, but it's the best thing out there," says SecureWorks' Peck.

The bottom line is that consumers are more likely to enter sensitive data into Web scripts or registration pages than enterprise users, says the Enderle Group's Enderle. "Employees seldom have the opportunity to do this," he says. "Of course, we probably don't know about it when they do, suggesting this problem could be vastly worse than it looks."

10. Participating in chat rooms or social networking sites

The very same parents who frantically try to keep their kids off of MySpace are now flocking to business-oriented social networking sites like LinkedIn, either from home or at the office. They join a colleague's "network" on LinkedIn, post messages and maintain their own presence on the site. That's much safer than MySpace, because it's just like a professional organization, right?

Wrong. Social networking sites are a malicious social engineer's dream come true.

"The biggest security challenges businesses face with business social networking like LinkedIn is the sheer amount of information that a social engineer can learn by doing simple searches," says Matasano Security's Goldsmith. "Attackers can find out who your business partners, vendors and clients are simply by viewing your shared connections."

There's simply no way for LinkedIn and other sites to validate a member's employment record, so an attacker can claim to work at Matasano and find out which current and past employees are on the site. "Services like LinkedIn try to guard sensitive employment information by restricting it to colleagues--you have to have worked with Dave Goldsmith before to be able to click on him and see his work history, or have him come up in a search for 'Matasano,'" says Matasano's Ptacek. "But anyone can sign up to LinkedIn and claim to have worked for Matasano."

Users can also inadvertently leak sensitive company data in a message board post with a buddy, for instance. It may reach eyes for which it wasn't intended, or they may not realize that chatting about what they're doing at work today may lead to a corporate data breach. "It's different than having drinks with a buddy after work," says SecureWorks' Peck.

Aside from a chatty user, a browser can also be a weak link. "ActiveX controls and their browser can be used by an attacker to get into the corporate network," Peck says. "There are a lot of Web app vulnerabilities we've seen."

Even if you have a "closed circle," that doesn't mean you don't touch the outside world. Just clicking onto the site of a buddy's buddy can get you into security trouble. "Every subpage you go to in LinkedIn or MySpace is like going to a whole different Web site," Peck says. "It's most risky when you're going to the sites of people you don't know."

Aside from the social engineering threat, there's also the very real threat of getting infected with XSS, keyloggers, worms and spyware (just ask MySpace users). "There's going to be vulnerabilities in the software," Peck says.

If an enterprise allows access to social networking sites, it must ensure that users are wary of whom they're communicating with and what type of sensitive information they may be exposing. The bad news is that you may not know until it's too late.

"You should assume that anything you post to a social networking site is public," says Matasano's Ptacek.

-forbes.com

The Ten Most Dangerous Online Activities

2008-03-18T00:55:00.000+08:00

"It's still the most dangerous thing end users do," says Richard Stiennon, founder of IT-Harvest, an IT consulting firm.

2. Installing unauthorized applications

What do you mean, "No IM?"

And like other unauthorized or unregulated communication, peer-to-peer apps create the risk of bad stuff coming in and sensitive corporate or personal stuff going out.

It's safest to standardize by using one of the popular IM platforms, such as AIM and MSN, says Ptacek. "The only question is whether you're going to be able to monitor and control it or not."

"And never install programs unless you know what they do, whether they are 'comm' programs or otherwise," says Gary McGraw, chief technical officer of Cigital.

3. Turning off or disabling automated security tools

Cigital's McGraw agrees. "Sometimes you just have to postpone the old monolithic virus scan so you can get some work done," he notes. "There's always a trade-off--make sure you make the right one."

4. Opening HTML or plain-text messages from unknown senders

5. Surfing gambling, porn or other dicey Web sites

Online gambling and pornographic sites also are "becoming a frequent source of infection via 'drive-by downloads' and 'zero-day exploits,'" observes Richard Stiennon, president of IT-Harvest.

6. Giving out passwords, tokens or smart cards

The password problem is as old as computers themselves. Despite years of trying, however, no one has come up with a workable solution.

7. Random surfing of unknown, untrusted Web sites

8. Attaching to any old Wi-Fi network

Even if your employee is only sipping coffee and working offline, an attacker could use that employee's wireless card to access his machine--and eventually, your corporate network.

A personal firewall can help, says the Enderle Group's Enderle--as long as your users keep it turned on.

"Attach away. Just tunnel through with SSH or a VPN client," says Cigital's McGraw. "Also be aware of low-level attacks, and don't do anything too sensitive."

9. Filling out Web scripts, forms or registration pages

"Most Web sites handling sensitive info use SSL to protect the data in transit--check for that," says Cigital's McGraw.

Users are more likely to get hacked if they use the same user name and password for most every site they visit--a habit that puts their personal data in jeopardy, as well as the company's.

10. Participating in chat rooms or social networking sites

Wrong. Social networking sites are a malicious social engineer's dream come true.

"You should assume that anything you post to a social networking site is public," says Matasano's Ptacek.

-forbes.com

whatever things

2007-06-04T21:45:00.000+08:00

I Try to Remember

1. Everybody Doesn't Have to Love me
Not everybody has to love me or even like me. I don't necessarily like everybody I know, so why should everybody else like me? I enjoy being liked and being loved, but if somebody doesn't like me, I will still be okay and still feel like I am an okay person. I cannot make somebody like me, any more than someone can get me to like them. I don't need approval all the time. If someone does not approve of me, I will still be okay.

2. It is Okay to Make Mistakes
Making mistakes is something we all do, and I am still fine and worthwhile person when I make them. There is no reason for me to get upset when I make a mistake. I am trying, and if I make a mistake, I am going to continue trying. I can handle making a mistake. It is okay for others to make mistakes, too. I will accept mistakes in myself and also mistakes that others make.
3. Other People Are Okay and I am Okay

People who do things I don't like are not necessarily bad people. They should not necessarily be punished just because I don't like what they do or did. There is no reason why other people shoud be the way I want them to be, and there is no reason why I should be the way somebody else wants me to be, and I will be whatever I want to be. I cannot control other people or change them. They are who they are; we all deserve basic respect.

4. I don't Have to Control Things
I will survive if things are different than what I want them to be. I can accept things the way they are, accept people the way they are, and accept myself the way I am. There is no reason to get upset if I can't change things to fit my idea of how they ought to be. There is no reason why I should have to like everything. Even if I don't like it, I can live with it.

5. I Am Responsible for My Day
I am responsible for how I feel and what I do. Nobody can make me feel anything. If I have a rotten day, I am the one who allowed it to be that way. If I have a great day I am the one who deserves credit for being positive. It is not the responsibility of other people to change so that I can feel better. I am the one who is in charge of my life.

6. I can Handle It When Things Go Wrong
I don't need to watch out for things to go wrong. Things usually go just fine, and when they don't, I can handle it. I don't have to waste my energy worrying. The sky won't fall in; things will be okay.

7. It is Important to Try
I can. Even though I may be faced with difficult tasks, it is better to try than to avoid them. Avoiding a task does not give me any opportunities for success or joy, but trying does. Things worth having are worth the effort. I might not be able to do everything, but I can do something.

8. I Am Capable
I don't need someone else to take care of my problems. I am capable. I can take care of myself. I can make decisions for myself. I can think for myself. I don't have to depend on somebody else to take care of me.

9. I Can Change
I don't have to be a certain way because of what has happened in the past. Every day is a new day. It's silly to think I can't help being the way I am. Of course I can. I can change.

10. Other People Are Capable
I can't solve other people's problems for them. I don't have to take on other people's problems as if they were my own. I don't need to change other people or fix up their lives. They are capable and can take care of themselves, and can solve their own problems. I can care and be of some help, but I can't do everything for them.

11. I Can Be Flexible
There is more than one way to do something. More tahn one person has had good ideas that will work. There is no one and only "best" way. Everybody has ideas that are worthwhile. Some may make more sense to me than others, but everyone's ideas are worthwhile, and everyone has something worthwhile to contribute.

Footprints in the sand

2007-06-04T19:28:00.001+08:00

"To know oneself, one should assert oneself."
-Albert Camus

FOOTPRINTS

You left footprints on my soul.
One day unexpectedly
Your feet stepped onto
The sands of my soul
And left footprints of love
At the bottom of my heart.

In your own way
You showed me that people
Aren't always what they seem.
Because of you
I give people the benefit of the doubt
And look much further
Than just skin deep.

You are my safe haven.
When my world is falling apart
Or everything is just right
It's you I turn to.
I cry out to you in the night
Sending my words on the wind
Hoping, that somehow, they reach you.

From the moment I laid eyes on you
I knew I'd seen an angel in disguise.
You didn't know it then
And might not realize it now, but

You left footprints on my soul.
One day unexpectedly
Your feet stepped onto
The sands of my soul
And left footprints of love
At the bottom of my heart.

You are my rock
My stronghold
The one who catches me when I fall.
You are my hope
My guidance
The one who picks the pieces up off the ground.

Your voice is music to my ears
Your name a symbol of unforgettable memories.
I keep you in my prayers
As well as my heart.
There's no possible way
That I could forget about your unique personality.
My memories of you
Live on inside me.

How will I ever thank you?
How will I ever show you my appreciation?
I'll have to send it along the breeze
Hoping that it finds you
No matter where you are.

Panimula

2007-05-23T16:27:00.000+08:00

Di ko alam kong paano ko 'to simulan.Basta't ang alam ko, ito ang mga karanasan ko buhay na di ko malimutan. Dito ko rin ilalahad ang lahat na ngyari sa akin (na di kanais-nais). Naisip ko lang gumawa ng Blog, upang mailabas ko ang lahat... Ang mga hinanakit ko sa buhay... ang mga pasakit...Sabagay, Ito'y isang pagsubok lang. sabi nga nila, hindi ka raw matoto kung hindi mo raw mapagdaanan ang lahat ng bagay dito sa mundo. Oo, nandon na ako.. pero bakit lahat puro negatibo. kaya nga minsan, sinisisi ko ang Diyos.Bakit nya pa ako binuhay kung ganito rin man lang. pero di pa rin ako nawawalan ng pag-asa. kahit anumang problima na dumating...pinipit kong maging positibo. pasalamat na lang ako marami ang gumagabay sa akin. Ang mga kaibigan na bumigay sau ng lakas at tibay ng loob. di na naman lahat ng bagay sa kanila umaasa. tanging panalangin lang siguro ang makatulong sa akin.mahina ako pagdating sa kanya. ang nais ko lang kasi ang mamuhay ng walng gulo, msaya, walang inisip na problema...

Kung anuman ang maging resulta sa aking Paglalakbay... Sana gabayan ako nang maykapal...