Image via Wikipedia

Cnet reported Passware, password recovery company, has claimed that FileVault 2 for Mac could be broken under or around 40 minutes.  In case you have never used Mac before, FileVault 2 is similar to TrueCrypt and Windows’ BitLocker.  These three major popular encryption software help computer users to securely wipe (i.e., format hard drives, partitions, external drives, etc…) and then encrypt hard drives and the likes.

Using encryption technology supposes to be helping computer users to secure their data, but it seems companies such as Passware do have ways around the encryption technology after all.  Nonetheless, since we now know encryption software are vulnerable, we can at least understand that relying on encryption software alone to protect our most precious data might not be enough.  This way we only have ourselves to blame and be angry at when we’re not actually going to the extend to protect our precious data beyond the deploying of encryption software.

To the best of my knowledge, I think most software that are designed to break encryptions (i.e., encrypted data) need to have access to the physical machines before such software can actually decrypt the data.  I wonder will this be the case for Passware’s claim too.  If it’s, then as how it has always been so; computer users best protect their precious data by physically secure their machines better.  This way, hackers have to jump more than one hoop to actually attain your precious data.

In the end, I think security is at best when wise computer users go to the extend in deploying whatever that is necessary to protect their computer data, that’s if such computer data are that important to some folks.  For now, let hope Apple, TrueCrypt, and Microsoft can soon come up with better encryption software so computer users know they can rely on encryption technology to protect their data better.  Let hope Passware isn’t claiming to have the ability to decrypt data from the cloud also, because such a scenario might be horrible for people who rely on encryptions to protect their data in the cloud.  So far, I don’t think this is possible yet.

Source:

• http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware/?part=rss&subj=latest-news&tag=title

Related articles

• Lion’s FileVault 2 and disk restore: caveat encryptor (arstechnica.com)
• How to Create a Hidden Encrypted Volume With True Crypt (ghacks.net)
• DiskCrypt turns any laptop storage into a self-encrypted drive (arstechnica.com)
• 2012 resolution: ‘Full disk encryption on all computers’ (zdnet.com)
• Top Methods To Manage Mobile Mayhem (informationweek.com)
• Cloud File Encryption – requirements or compromises (cersys.wordpress.com)
• Protect Files From Unauthorized Access With Encoding Decoding (ghacks.net)

Image by Vítor Baptista via Flickr

Kevin Mitnick was a man who had witnessed his reputation preceded him in ways that he could not have ever imagined.  His past reputation was so prolific in unbelievable manner which had myths built higher in stack, and the myths were about how he had stolen software worth more than $300 million, secrets from covert agencies, and much more.  In fact, he was more of a hacker who had taken the challenges to hack into various phone companies and big tech companies, and the successful penetrations of their servers and networks would most likely be his greatest trophies.  Instead of selling his trophies of source codes of various software he had siphoned away from various well known corporations, he kept them as proofs for how he had hacked into what thought to be digital fortresses.

Even after Kevin Mitnick was able to walk out of the prison, he was forbidden by law not to use any communication technology.  According to Wikipedia and I quote, “Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet.”  – source:  http://en.wikipedia.org/wiki/Kevin_Mitnick.  Now Kevin Mitnick is living a lifestyle which in a way is way better than how he had lived before, but he can go on hacking without getting into troubles with the law and getting jailed for.  How?  He is making more money by consulting various companies on computer security and ethically hacking into the companies that hire him for his knowledge.  He is currently running Mitnick Security Consulting LLC as a computer security consultancy company.

Kevin Mitnick has a book out which he tells all about his past experiences of avoiding the law and on the run while he was deeply into hacking phone companies and various other tech giants.  Ghost in the Wires was written by two men team.  Kevin Mitnick had teamed up with bestselling author William L. Simon for the writing of Ghost in the Wires.  In the acknowledgements section, Kevin Mitnick called William L. Simon as Bill Simon if I’m not mistaken.  Within this book, Kevin Mitnick described how he was able to social engineer just about anybody on the other end of the phone so he could gain valuable information to further his hacking activities.  With quick thinking and was able to be uncanny in remembering long phone numbers, Kevin Mitnick had no trouble in combining his social engineering and computing skills together to successfully hack into well known phone companies and tech giants.  In fact, Kevin Mitnick was so successful at social engineering and computer hacking, he was able to manufacture his own fake identities.  The book goes on describing how Kevin Mitnick had to hack social security administration, department of motor vehicles, and others so he could manufacture his own fake identities.  Even fake birth certificates were within Kevin Mitnick’s reach.

Ghost in the Wires has some funny moments that describe how naughty Kevin could be with his hacking skill.  I don’t want to spoil such funny moments for you, and so it’s best that you read his whole book on your own and laugh at how naughty Kevin Mitnick was with his social engineering and hacking skills.  Besides the few hilarious moments, I have to admit Ghost in the Wires shows us that determined hackers can accomplish digital magics which we like to think such tricks cannot be done.  Fortunately for those entities which Kevin Mitnick had hacked into while he was living the life of a fugitive, Kevin Mitnick wasn’t out to sell their secrets and made big profits for himself.  Nonetheless, can we say the same for some hackers of today?  Of course, there might be few hackers who have the same spirit as the old and the new Kevin Mitnick, but I think there might be more crackers than hackers.

In summary, Ghost in the Wires was a great read for me.  The writing style was down to earth.  I’d moments of laughter as how Kevin Mitnick had coyly tricked the adversaries through his social engineering and computer hacking skills.  The book was written with everyday people in mind, and so even the readers who could not understand the technical details might not have to miss much.  In fact, reading Ghost in the Wires, I thought I was reading a thriller novel or watching a thriller film.  Honestly, it was great to finally read what Kevin Mitnick had to say for himself in his very own book.  I found his details were riveting.  Especially how he had described his encounters with law enforcement.  Hard to forget moments were how law enforcement officials convinced the judge that Kevin Mitnick could start a nuclear war by whistling into a pay phone and how Kevin Mitnick himself would think the judge at one point thought he could connect to the Internet in prison through a laptop which had not a connection to the Internet (she did not allow Kevin Mitnick the use of a laptop to review the evidences that pertained to his case with a lawyer).

Related articles

• Security tips from a legendary hacker (cbsnews.com)
• Facebook ban: “Now I can’t even prove I’m the real Kevin Mitnick.” (news.cnet.com)
• Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick (deurainfosec.com)
• A Review of Kevin Mitnick’s Ghost in the Wires (q-ontech.blogspot.com)
• Ask Kevin Mitnick (interviews.slashdot.org)
• Kevin Mitnick – ghost in the wires, or scourge of the internet? (nakedsecurity.sophos.com)
• Kevin Mitnick Rates Today’s Blackhats (wired.com)
• Audio on NPR – Master Hacker Kevin Mitnick Shares His ‘Addiction’ (npr.org)
• Master Hacker Kevin Mitnick Shares His ‘Addiction’ (npr.org)
• Master Hacker Kevin Mitnick Shares His ‘Addiction’ (npr.org)
• Legendary Hacker Kevin Mitnick Shares Security Tips (teamshatter.com)
• Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker (365.rsaconference.com)
• Computer hacker Kevin Mitnick pens memoir: “Ghost in the Wires” (hightechhistory.com)
• Ghost in the Wires – Review (networkingnerd.net)
• Master Hacker Kevin Mitnick Shares His ‘Addiction’ (npr.org)
• Book Review: Ghost In the Wires (books.slashdot.org)
• Quote: Hacker Kevin Mitnick On Serving Jail Time (newsfeed.time.com)
• Kevin Mitnick Shows How To Access Voicemail Without a Password (laughingsquid.com)
• The Hacktivists: Web Vigilantes Net Attention, Outrage and Access to Your D (powersthatbeat.wordpress.com)
• PaulDotCom Security Weekly Episode 265 – Kevin Mitnick (pauldotcom.com)
• EFF’s Reading List from 2011 (eff.org)

Image via Wikipedia

Just recently, I had touched on how easy it’s for hackers to exploit and acquire PINs from routers that have Wi-Fi Protected Setup feature enabled (Wi-Fi Protected Setup PIN Method Has Flaw, Allowing Hackers To Deploy Brute Force Attack For Valid PIN Number In Lesser Time Than Before), because there has always been a flaw which associates with this particular feature, consequently allowing hackers to deploy brute force attacks and correctly guess PINs in less time than ever before.  It’s not a surprised for us to see someone has already had a tool which could hack a router for Wi-Fi Protected Setup PIN.  In fact, someone is releasing such a tool to the public already.  So, in a way, we can say once the exploits are known, smart hackers who write their own codes usually can come up with new tools to penetrate the flaws of most computer systems.  In this case, it’s no different, because the folks at Tactical Network Solutions has had such a tool known as Reaver which they probably use to do their own penetration tests on their own networks and clients, as a way to stay ahead of the curve so they can prevent their own networks and clients from being hacked.

Since the Wi-Fi Protected Setup exploit has been discussed publicly, the folks at Tactical Network Solutions are now releasing Reaver to the open source community, and this means anyone can download it and start using it.  Of course, like any tool, bad people can use it to break into other people’s networks, or good people can use it to do penetration tests on their own networks so they will know how resilient their networks would be against certain hack attacks.  The folks at Tactical Network Solutions also release Reaver as a commercial version which they claim it would be even more feature rich than the open source version.

Basically, once Reaver allows the hackers to attain the correct Wi-Fi Protected Setup PINs, the hackers can further more use Reaver to recover WPA/WPA2 passphrase in 4 to 10 hours range.  As long the owners of the routers/networks aren’t yet disabling Wi-Fi Protected Setup feature, no matter if the owners change their WPA/WPA2 passphrase to anything, the hackers will always be able to recover WPA/WPA2 passphrase using Reaver.  This is quite serious, because Reaver is just a tool where anyone can download and use freely.  So, if the manufacturers of most routers aren’t going to patch the flaw, then it’s really up to the users of such routers to disable the Wi-Fi Protected Setup feature.

It seems to me that the folks at Tactical Network Solutions suggest that once hackers guess the Wi-Fi Protected Setup PINs correctly, hackers can take control of the routers.  Worse, I think hackers can also insert themselves into the middle of the compromised networks to listen and sniffing and recording, consequently reading the network traffics for plain text data.  Of course, they can also read the encrypted data in encrypted form only, but hackers who have the will to decrypt the encrypted data might also have tools that allow them to decrypt encrypted data in time.

In summary, if your router hasn’t yet had Wi-Fi Protected Setup feature disabled, it’s currently an easy target for just about anyone who has the will to download Reaver and use it for hacking your router.  Usually, if someone hacks your router, they might have an even more insidious intention than just stealing your bandwidth.  Perhaps, they might use your bandwidth to do some serious hacking against some big corporations, and you would be the one to take the blame.  After all, once the hackers done with what they had to do, they could always clean up their trails and leave almost no trace of theirs behind.  The authorities would have a hard time to believe your story as in “It wasn’t me,” kind of thing.  So, I recommend you to turn off Wi-Fi Protected Setup feature at all cost and wait till the manufacturer who produces your router to come up with a patch that can address this particular exploit.

Sources:  https://threatpost.com/en_us/blogs/attack-tool-released-wps-pin-vulnerability-122911,
http://www.tacnetsol.com/news/2011/12/28/cracking-wifi-protected-setup-with-reaver.html,
http://code.google.com/p/reaver-wps/

Related articles

• Cracking WPA in 10 hours or less (devttys0.com)
• Wi-Fi Protected Setup PIN Method Has Flaw, Allowing Hackers To Deploy Brute Force Attack For Valid PIN Number In Lesser Time Than Before (essayboard.com)
• Attack Tool Released For WPS Setup Flaw (mobile.slashdot.org)
• US-CERT Issues Warning About Current Wi-Fi Protected Setup Standard – ITProPortal (itproportal.com)
• Wi-Fi Protected Setup is Busted (zdnet.com)
• Researcher reveals flaw in Wi-Fi Protected Setup (digitaltrends.com)
• Wi-Fi Protected Setup Flaws Make Wireless Network Brute-force Attacks Feasible – PCWorld (pcworld.com)
• Two New Tools Exploit Router Security Setup Problem (pcworld.com)
• Wi-Fi Pin Vulnerability Discovered By Research Team (inquisitr.com)
• Wi-Fi ‘protected set-up’ not so protected after all (news.cnet.com)
• Attack Tool Released for WPS PIN Vulnerability (thesecuritypub.com)
• WPA Brute-Force and Design Flaws….. (netsecurityit.wordpress.com)
• A chink in the armor of WPA/WPA2 WiFi security (hackaday.com)
• Researchers discover Wi-Fi router PIN vulnerability (electronista.com)

I’ve always disabled my Wi-Fi Protected Setup, because it seems to me as if it’s just another door for hackers to break into.  When reading the piece from threatpost, I’m glad that I’d been careful all along.  Most modern routers provide Wi-Fi Protected Setup feature so users don’t have to actually enter long WPA2 passphrase for connecting to a wireless network, because Wi-Fi Protected Setup requires a PIN number (e.g., 1234567…).

I’m no expert on Wi-Fi Protected Setup, because I had avoided using it from the very beginning.  It seems to me Wi-Fi Protected Setup feature has several methods which it’s associated with.  One involves in pushing the Wi-Fi Protected Setup button on the router and then on the client in a short time frame (i.e., less than 2 minutes or so).  After the user pushes the Wi-Fi Protected Setup buttons, user can just stand idle by and wait for the client and the router to automatically communicate with each other, allowing the client to connect to the router, thus the client would be able to surf the Internet using the wireless network which the router provides.  The second method requires PIN number registration, but this very method has two sub methods of its own.  The first sub method requires less work for users, because the users can just hand their devices’ Wi-Fi Protected Setup PIN numbers (i.e., printed on the back of their devices or generated by their devices’ software) to the administrators.  The administrators then have to enter users’ Wi-Fi Protected Setup PIN numbers into a router or access point‘s administration control panel (e.g., https://192.168.1.1) to register users’ Wi-Fi Protected Setup PIN numbers with the access point, consequently allowing users’ devices to connect to the particular wireless network.  The second sub method requires the users to enter the Wi-Fi Protected Setup PIN number of the router or access point onto their devices’ software, consequently allowing the client devices and the router or access point to communicate with each other (i.e., granting wireless network access).  The piece from threatpost emphasizes the weakness in the second sub method of the Wi-Fi Protected Setup PIN number method, because the hackers only need the Wi-Fi Protected Setup PIN number and not having to be within certain distance of the access point or the router.  The third method of Wi-Fi Protected Setup feature involves with Near Field Communication method.  Wikipedia‘s article “Near field communication” explains rather well on how Near Field Communication method works.

threatpost suggests that most modern routers tend to enable Wi-Fi Protected Setup feature by default.  If you are aware about the flaw of Wi-Fi Protected Setup PIN number method, then you might want to disable Wi-Fi Protected Setup feature so the hackers won’t be able to use brute force attack to acquire the Wi-Fi Protected Setup PIN number of the specific access point or router.  threatpost suggests many well known brands are all being affected by Wi-Fi Protected Setup flaw; as long any router has Wi-Fi Protected Setup feature with PIN method enabled, then the hackers who aware of the Wi-Fi Protected Setup PIN number flaw can brute force attack the router for the Wi-Fi Protected Setup PIN number in less time than ever before.

Sources:  https://threatpost.com/en_us/blogs/wifi-protected-setup-flaw-can-lead-compromise-router-pins-122711
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
http://www.wi-fi.org/knowledge_center_overview.php?docid=4614

Related articles

• Wi-Fi Pin Vulnerability Discovered By Research Team (inquisitr.com)
• New WiFi Setup Flaw Allows Easy Router PIN Guessing (mobile.slashdot.org)
• Researchers discover Wi-Fi router PIN vulnerability (electronista.com)
• How Internet Changes Way We Remember (platopress.com)
• Installing Brother HL-2170W Wireless Laser Printer (binglongx.wordpress.com)
• Netgear Universal WN3000RP Wi-Fi Range Extender (cellularaddons.com)
• How Wi-Fi Works (mycricket.com)
• Edimax launches the EW-7711UAn 150Mbps Wireless High-Gain USB Adapter in India (edimaxindia.wordpress.com)
• Edimax launches the EW-7711UAn 150Mbps Wireless High-Gain USB Adapter in India (changeagentspr.wordpress.com)
• Protect Your Home Office With a Wireless Security Camera (bizsecurity.about.com)

Image by tuchodi via Flickr

According to Associated Press article “AP IMPACT: When your criminal past isn’t yours” on Yahoo News, the irony of digitizing citizens’ records is the inaccuracy of such digital records have and had screwed some people’s lives big time.  The many purposes of turning background records and other sensitive information of citizens on papers into digital records are probably to speed things up, make things more accurate and easier to update, and to efficiently manage such records in ways that paper record filing system would not be able to compete against this modern filing system.  Unfortunately, as we find out that the advantages of having digital records store in sophisticated databases are sometimes fall short.  For an example of how our modern filing system has fell short, Associated Press reported a woman named Kathleen Ann Casey had a hard time of finding job as various background check companies had pulled up her digital background which filled with incorrect information.  It turned out that the criminal charges of the other Kathleen Ann Casey was filed onto the digital background record of the real Kathleen Ann Casey (i.e., real is a relative term in this case).  Data entry went badly?  Perhaps!  But could it be related to the carelessness of the background check companies?  Nobody would know for sure, but mistakes came from background check companies had real consequences to real people.

The whole idea of having digital records so the filing system could be more effective in ways that paper filing system could not offer, but it turns out humans are prone to make mistakes as always.  After all, it’s still the humans that have to convert or enter the information into the digital records, whether that be background records or other stuffs entirely.  What is more troubling is that the records that background check companies scour from public resources cannot not always be accurate, and the pile up of wrong information can digitally stack up, higher and higher.  So much for filing records digitally, right?

Perhaps we can always cruelly say to the people who are unlucky enough to have their background records file incorrectly by background check companies — “tough luck,” but what if you’re the one who have to go about correcting your background record?

I think background check companies do serve good purpose.  Companies do not want to hire criminals, and so background check companies provide a must needed service for companies that care about hiring clean employees as in without criminal records.  As background check companies become evermore crucial to the whole hiring process for most companies, I think someone must come up with a way to audit background records better.

We cannot ignore the damages that might be caused by mistaken identities.  Also, we cannot go back to old day where we would file records on papers, because the whole filing process which involves with digitizing records are way more efficient and faster.  With such efficiency and speed, I think there must be a way to double check and audit the background records so mistaken identity won’t be so easily occurred.

Of course, it’s easy to say so, but how to come up with a solution and implementing it?  I’m not a genius and not having any experience in the field of addressing something like this, therefore I won’t know if there is a solution to this current problem.  Nonetheless, I do feel it’s crucial that someone else must be the hero and steps up to provide a solution to address the errors while digitally filing background records.

Let not forget about implementing high computer security standard to prevent unauthorized access to such sensitive digital records.  It’s not because digital background records cannot be seen, but it’s more of preventing someone with hacking skill to be able to manipulate such digital records.  After all, these digital records such as background records are having real effects on people’s lives.

At a time when our economy is still struggling and job isn’t easy to find, people are not going to be very capable on carrying on with their lives, and bad luck such as having to be identified with wrong background information might just make the whole idea of surviving the hard time much worse.  To make matter worse, Associated Press reported few background check companies refused to update the correct information on certain background records.  Furthermore, Associated Press reported some states wanted to bring in more revenues by selling data of criminal files in bundles to several background check companies, and the worse part was that such data might have errors and therefore might lead to more problems.

In summary, I think background check companies are useful to corporations and small businesses, but these background check companies must work with a higher standard in auditing people’s background records to prevent background check mistaken identities.  The whole modern approach of digitizing records is here to stay, and I don’t see anything wrong with this.  Nonetheless, since digital records have made the update and search process much easier and faster, I think such efficiency should provide more than enough extra time for someone or an entity with the power to audit important digital records such as background records to actually prune through these records evermore carefully.  It’s great to actually know digital records aren’t always accurate, and in the case of wrong background record one can be reminded of the not always accurate digital records and look up their digital background information to see if their background is indeed their actual background.  The real question is, can one go about convincing background check companies that you are who you are and not who they claim you to be?

Source:  http://finance.yahoo.com/news/ap-impact-criminal-past-isnt-182335059.html

Related articles

• AP IMPACT: When your criminal past isn’t yours (seattletimes.nwsource.com)
• Charity organizers should face criminal checks (cbc.ca)
• Physicians Background Check – Perform a Criminal Record Search on a Doctor (microphone-film.net)
• University background checks to cut number of middle-class students (telegraph.co.uk)
• Pa. college: Sandusky worked with team despite failing background check (cbssports.com)
• Weaknesses in America’s training of foreign pilots (economist.com)
• Flawed Data – Mined by Corporations Online Provides Background Checks Riddled With Errors – Attack of the Killer Algorithms Part 7 (ducknetweb.blogspot.com)
• Jerry Sandusky Apparently Still Coached At A Small College Last Year Even Though He Failed The Background Check [Penn State Scandal] (deadspin.com)
• City Room: City Finds Willing Gun Sellers Online (cityroom.blogs.nytimes.com)
• Private Gun Sellers Knowingly Break Rules: Report (abcnews.go.com)
• Yahoo News, AP, ever so sloppy with the facts (bokertov.typepad.com)

Image by portfolium via Flickr

You need to create a personal file server and remote cloud.  Personal file server has become easy to create nowadays.  What you need is the right solution.  I used to love Pogoplug, but I noticed how Pogoplug required your local data to be trafficked through its network from remote locations from time to time, this would not be a good idea for slow Internet connection or data security.

In our specific case, we want a personal backup file server solution to help boost our data redundancy, and we don’t really have to have our file servers to stay up 24/7 as how businesses do.  With this in mind, we can just use a virtual machine as a webDAV or rsync or FTP server.  We can then clone our main virtual machine.  We’re going to store our important backup data onto the main and clone virtual machines.  We can place the clone virtual machines onto different external hard drives so we can access our clone virtual machines as easy as how we can access our main virtual machine.  Each time we have new backup data, we have to sync or copy the new backup data onto the main and clone virtual machines.  Even if our main virtual machine goes bad, we can rely on our clone virtual machines to recover our backup data.

For security purpose, our backup data must be encrypted.  Nonetheless, you don’t really have to encrypt your external hard drives since such a process would take too long, but I recommend you to encrypt one big backup partition within the main virtual machine once.  To encrypt one big partition for backup data we can use Truecrypt.  Using Truecrypt to encrypt one big backup partition within our main virtual machine once can speed the encryption process up tremendously, and yet the backup data can still be super secure.  We don’t have to create newly encrypted backup partitions for clone virtual machines since we are going to clone our main virtual machine anyway.  We only clone our main virtual machine right after we have completely saved our backup data onto the encrypted backup partition (i.e., using Truecrypt to encrypt data) within our main virtual machine.

To go about creating a main virtual machine, you can use VirtualBox or Parallels or VMware.  I recommend VirtualBox since it’s free and as capable as the paid products.  Next, you have to know which operating system you want to use for your main virtual machine.  I recommend you use an operating system you know best so you can set up a webDAV or FTP as fast as you can.  For the people who care about the planning process more and want to learn something new at the same time, I recommend Ubuntu as the operating system for the main virtual machine.  Why?  Ubuntu and any other Linux distribution can allow you to rsync backup files easily, and so by using Ubuntu or any other Linux distribution you get not just the webDAV and FTP capabilities, you also get the rsync capability.

The obvious next step is to set up the file servers for our main virtual machine so we can backup our important data onto it.  If you want to have a lot of choices, you can set up both webDAV and FTP servers for your main virtual machine.  If you want only one choice, I recommend you to set up webDAV.  webDAV is better since it allows you to map network drives to your webDAV folders.  This way, you can just copy, paste, drag, and drop the files and folders from local hard drives onto the network drives.

Ubuntu comes ready with rsync capability, and so you can just use rsync to sync your backup data from your desktop or laptop to the main virtual machine. Rsync will sync only new backup data, and so it can update your backup partition faster than otherwise.  You can also use rsync to delete old backup data from the backup partition, this way you will be able to keep the backup partition of your main virtual machine identical to the backup structure of your desktop or laptop and the clone virtual machines.

The obvious last step for the creation of personal file server solution is to clone the main virtual machine.  I think Parallels and VMware and VirtualBox all have their own special method to allow you to clone a virtual machine.  After having clone the main virtual machine more than once, you can then place the clone virtual machines onto separate external hard drives.  Each time you backup the new backup data, you have to fire up the main and the clone virtual machines to do so.  The good thing is that you don’t have to fire up all virtual machines at once, because you can always fire up the main virtual machine first and each subsequent clone virtual machines later.

By having proper local/personal backup file server solution, your backup data are now more resilient against data loss than before.  Still, local/personal backup file server solution is susceptible to fire, flood, power surge, hardware failures, and other unfortunate catastrophic events.  When such unfortunate events happen, your backup data will forever be lost.  This is why we must also backup our data to a remote cloud.

There are several remote cloud solutions you can look into, but most remote clouds require you to pay certain amount of monthly fee for a certain size of cloud storage space.  You can use free remote cloud solutions such as Skydrive, Ubuntu One, and Dropbox.  With that being said, sometimes it’s better to go with a premium cloud solutions since free cloud solutions usually come with limitations.  One good example of the limitations of using free cloud solutions is not enough cloud storage space.

Besides using remote cloud solutions through third parties, you can create your own remote cloud solution such as renting a web hosting server.  This requires you to be knowledgeable in securing your web hosting server.  After renting a web hosting server, you can turn it into a personal webDAV or FTP or rsync backup server.  This way it acts as if it’s your remote cloud, but it will be a private remote cloud.  With that being said, some web hosting companies will not allow you to use their web hosting servers as remote file servers or remote cloud solution.  This is why you need to read up on their terms of use before implementing this solution, OK?

Of course, don’t forget to encrypt your backup data using Truecrypt when you have to backup your data to a remote file server or cloud.  Encrypting data is much more important when you are actually sending your backup data out to a remote file server or cloud, because you don’t actually have a complete control over the security of the remote file server or cloud.  We’re talking about the whole enchilada here.  Ideally, the physical location of the file or cloud servers has to be secure from unauthorized access; the file or cloud servers have to be secure with firewall, antivirus and antimalware software, and so on; physical preventive measures and means to prevent hardware failures and so on; the list can go on pretty much.

Another thing to make sure is that your remote file or cloud servers have to be able to churn 24/7.  It’s important for you to be able to reach your backup data at any time, remotely.  You never know what will happen to your backup data if you cannot reach the file or cloud servers that host the backup data, right?

In summary, it costs some money to protect data.  Even if you’re just protecting some private data, it is still going to cost you some money such as buying external hard drives.  For everyday people like us, we might not even need the remote file or cloud solution.  Still, if people who are paranoid enough about protecting their backup data, then I think these people need to deploy a remote file or cloud solution.  It’s smart to go about using virtualization to deploy local backup file server solution since the virtual machines can be cloned easily and stored on external hard drives for data redundancy purpose.

Related articles

• Tech Thursday (Dec 15) – Dropbox, Carbonite, Bitdefender, Staples, Knovio (smallbiztechnology.com)
• Here Is How I Retrieve iPhoto Library From A Local Network (essayboard.com)
• SMEStorage adds support for EMC Atmos & PogoPlug to its Cloud Appliance (themactrack.com)
• EaseUS Todo Backup Workstation Review [Giveaway] (ghacks.net)
• Enabling WebDAV On Fedora 16 (essayboard.com)
• A basic non-cloud-based personal backup strategy (hanselman.com)
• Small Businesses Are On the Road to Virtualization (biztechmagazine.com)
• Disk Quota not working … or is it? (edugeek.net)
• CA Jumps Into Hybrid Cloud Data Protection (informationweek.com)
• Check Whether Virtual Directory Path Exists on IIS Using WebDav (stackoverflow.com)
• Reclaim Disk Space With Spacie (juixe.com)
• My New Favorite Portable Image Storage Device – ioSafe 500 GB External Hard Drive (photofocus.com)
• Defining a “Cloud” or is it “Fog”? (jhlui1.wordpress.com)
• Backify Offers 512 GB Free Online Backup Storage (tomshardware.com)
• Seagate, Western Digital slash hard drive warranties (geek.com)
• Basic Ubuntu VPS server backup via FTP or SSH SFTP (mikebeach.org)
• Pogoplug Cloud offers free 5GB cloud with local sync (slashgear.com)
• Common backup mistakes in virtualisation (c24.co.uk)
• Even The FBI, CIA, And NSA Admit That Full Disk Encryption Is Hard To Crack (essayboard.com)
• LogMeIn Ignition Adds Direct Integration with Dropbox, Google Docs, WebDAV Servers (macstories.net)
• Facebook use HipHop virtual machine for faster PHP (h-online.com)
• Arkeia Software Joins the NetApp Alliance Partner Program (prnewswire.com)
• Setting Up webDAV For Windows 7 Home Premium (essayboard.com)
• What Type of Data Recovery Service is Required in Your Particular Case? (yepthatsme.com)
• WordPress Security: Which is more secure? A VPS or a VHost? (markmaunder.com)
• Apricorn outs Aegis NetDock aimed at MacBook Air owners (electronista.com)
• Why Texas Schools Implemented A Disaster Recovery SAN (informationweek.com)
• Pogoplug offers free cloud storage for mobiles (ubergizmo.com)
• A New Cloud Drive With a Twist From Pogoplug (readwriteweb.com)
• Pogoplug’s Series 4 offers personal cloud storage for $99 (zdnet.com)
• SSD vs HDD (ergarage.wordpress.com)
• Your Gmail Backup Strategy: Part 1 – Cloud or Local? (backupify.com)
• Heroku database backup strategy? (stackoverflow.com)

Image via Wikipedia

Windows 8‘s newest feature yet that Windows 7 and other major operating systems won’t have is to allow users to sign into their accounts with picture password.  Before you say, “Hey, that doesn’t seem to be that secure,” it turns out Microsoft is coupling touch gestures with picture password so it won’t be too easy as in just selecting the correct picture password.  If I’m not straying too far from facts, then each user should be able to log in faster with picture password by gesturing with at least three different touch gestures on a specific picture password.

Administrators can turn off the picture password feature if they favor text password feature.  To prevent hackers from illegally attaining easy remote login, Windows 8 automatically disables picture password for remote login.  It makes sense, users should be able to have a way to log in to their accounts faster and less problematic but still be considered as secure as usual, and so Microsoft’s answer is picture password for local network only.

I’m hoping Microsoft would add one more layer of security such as simple pin number or face recognition or voice recognition just to make logging into one’s account would be even more secure.  Of course, face and voice recognitions aren’t hard to hack, because hackers could always photo someone’s face and record someone’s voice to bypass face and voice password recognitions.  This is why I think such additional password recognition measures are good only if these are coupling with each other in layers.  This way hackers must attain more than one things to bypass the layers of authentication.

I think it’s a good thing if users don’t have to remember long text passwords, because they might write down long passwords and leave such passwords in obvious places that anyone could have access to their passwords, consequently defeating the whole purpose of strong passwords.  I think Windows 8′s picture password feature might not be adequate in protecting users’ logins even though Windows 8 is coupling picture with touch gestures to create stronger picture password.  This is why I emphasize that picture password and touch gesture combination as an authentication method for Windows 8′s new password feature might need one or more layers of authentication such as face recognition.  As long the additional layers of authentication are accurate and fast to execute, I don’t see there will be a problem of allowing users to log into their accounts fast, safe, and easy.

Source:  http://www.ghacks.net/2011/12/17/windows-8-to-support-picture-passwords/

Related articles

• cPanel forums have been hacked (brizoma.wordpress.com)
• Microsoft details Windows 8′s new picture password feature (winrumors.com)
• Windows 8 Tackles Password Fatigue With Pictures (mashable.com)
• Windows 8 To Have Sweet Password Management (gizmodo.com.au)
• Microsoft details Windows 8 picture passwords (slashgear.com)
• Windows 8 Is Going to Have Some Super Sweet Password Management Features [Windows 8] (gizmodo.com)
• Three Important Ways Windows 8 Provides Password Protection (pcworld.com)
• Windows 8 aiming to take the pain out of managing passwords (news.cnet.com)
• Windows 8 aims to take pain out of managing passwords (news.cnet.com)
• Microsoft details its plans for identity protection on Windows 8 (liveside.net)
• Microsoft goes in-depth on Windows 8′s picture passwords (electronista.com)
• Password Security Is Broken (q-ontech.blogspot.com)
• Dear User: Your Password Stinks, Love IT (biztechmagazine.com)
• How To Use A Picture Password Or Pin As Your Windows Password (ghacks.net)
• How to Create a Picture Password in Windows 8 (munirshahzad1971.wordpress.com)
• LastPass Password Manager Now With Google Authenticator Support (ghacks.net)
• Lumia Voice Recognition Good Enough for Texting (insideview.ie)
• Six guidelines for registration and login usability (marketing.yell.com)
• Password Improvements Coming To Windows 8 (ghacks.net)
• Microsoft reveals its own password store for Windows 8 (winrumors.com)

Once you got all the elements in place, it is easy as pie to locate your missing iOS devices virtually; you can then remote wipe your iOS devices if you feel your data are at risk, remote lock your iOS devices if you think some stupid thieves won’t be able to hack your easy passcodes.  How about remote lock first and then keep sending remote sounds and messages to annoy the thieves?  Remote wipe your iOS devices with Find iPhone app will prevent you from locating your iOS devices virtually.

Once log into the Find iPhone app, you can actually see the physical addresses on Google map that your iOS devices currently reside.  In the case of stolen iOS devices, you obviously have the knowledge of where your devices are on Google map.

Smart thieves definitely are going to delete Find iPhone app in case you try to locate them with your iOS devices.  Of course, they can’t do so if you have strong passcodes that lock your iOS devices from prying eyes.  Even though the app is known as Find iPhone, it actually works for all iOS devices.  This means if you install Find iPhone iPad app on your iPad, you will be able to locate your iPhone with your iPad (make sure the iPhone does have Find iPhone app installed, or else it won’t work).  To find your iPad, you need to install Find iPhone app on iPad and on iPhone, then use your iPhone to find your iPad in seconds.

I think this app is using the Internet and some sort of GPS capability, therefore the distances between iOS devices might not matter much.  If it’s in fact just that, no matter where the thieves who stole your iOS devices currently hide, as long they won’t be able to delete the Find iPhone app on the iOS devices, you will be able to sneak up on them and demand your iOS devices back.  Of course, don’t fight them if they have more than just iOS devices in their hands, OK?  Call the police instead!

To see if Find iPhone app actually does work for you, try sending a sound and text message to an iOS device.  You can also try unlocking an iOS device first, then using the remote lock feature of Find iPhone on another iOS device to see if the feature does actually lock the targeted iOS device.  Don’t use the remote wipe feature just yet, because once testing this feature out, you actually really wipe all your data on an iOS device, therefore this feature is for an emergency usage only and not for testing purpose.  So, you have been warned!

You do have to know your Apple ID and password before you can log into Find iPhone app and use it.  If you haven’t had an Apple account, you definitely have to sign up for one before this app can be any used to you.

In summary, with Find iPhone app installed on all of my iOS devices, I think I’m a tad safer in term of protecting my data.  At least, I know it’s easy as pie to locate my iOS devices and remote wipe or remote lock them.  You should try this app out to protect whatever important data you have on your iOS devices.  Have fun with it!

Related articles

• Apple updates iMovie, Remote, and Find My iPhone apps for iOS 5 (9to5mac.com)
• Personal Cloud Provider Box Beefs Up its iPhone & iPad Apps (readwriteweb.com)
• iPhone App of the Year Is… Instagram (newser.com)
• Zite now available in iPhone version (macworld.com)
• How To Find Your Lost iPhone (informationweek.com)
• It’s Insanely Hard to Make a Kick-Ass iPhone App (georgesaines.com)
• NumPad Remote Turns Your iPhone or iPad into a Number Pad [Mac Downloads] (lifehacker.com)
• Apple updates iWork, Find My iPhone, Remote iOS apps (macworld.com)
• Video Vault: Best of the Web – iPhone App Release Announcement (themactrack.com)

Image via Wikipedia

Some of us love to virtualize Windows 7 inside a host, because we think we need the host to be as secure as it could be and the virtualization would be a sort of sandbox to add one extra layer of security for the virtual machine.  Of course, the security of the sandbox would give a false sense of security for whoever runs it if he or she isn’t keen on securing the virtual machine also.  Some hackers could be so smart and create a hack which allows him or her to leap from the virtual environment into the host environment.  Plus, what the use for a virtual machine if it isn’t secure enough to be used, right?  I think you get the gist.

Anyhow, the idea for those who want to virtualize Windows 7 inside VirtualBox 4.1.2 could hit a snag if they also want to run Guest Additions for Windows 7 virtual machine.  How do I know this?  I tried to install Guest Additions the normal way by clicking on Device > Install Guest Additions, but this method failed me as it could not find Guest Additions anywhere.  I guess for an unknown reason, VirtualBox 4.1.2 failed to include Guest Additions somehow.  Of course, this might not happen to everyone, but it might be just me.  Nonetheless, if you are one of those people who experiences this exact situation, don’t sweat.  Just go to download.virtualbox.org/virtualbox/4.1.2/, and then you need to download VBoxGuestAdditions_4.1.2.iso.  Get back to VirtualBox window, click on the Windows 7 virtual machine, click on Settings > Storage, and make sure you add VBoxGuestAdditions_4.1.2.iso as virtual CD/DVD disk file.  It helps if you remember where you had saved your VBoxGuestAdditions_4.1.2.iso on the host machine.

During the installation of your Guest Additions for Windows 7 virtual machine inside VirtualBox on a host machine, you might hit another snag where an error would complain that it could not find or open d3d9.dll file.  It might be the permission for d3d9.dll file is too strict.  You need to allow write permission for d3d9.dll file before Guest Additions could finish the installation.  So, when you see d3d9.dll error, don’t exit the Guest Additions installer, but make sure you are inside your Windows 7 virtual machine, go to Windows\System32\ and search for d3d9.dll file, right click on it and choose Properties, click on Security tab, and then from here you need to allow write permission for all users.  Get back to Guest Additions installer and try to finish installing the Guest Additions.  When done installing Guest Additions, don’t forget to remove write permission for d3d9.dll file for all users so this file can once again be secure as before.

In conclusion, Windows 7 virtual machine inside VirtualBox on a Linux host is ideal for security.  Nonetheless, if he or she forgets to secure Windows 7 virtual machine, he or she is not that secure in term of allowing Windows 7 virtual machine to be hacked easily.  If he or she is lazy, it’s best to use NAT network, but it’s always better to use Bridge network as it’s much more flexible.  NAT network hides the virtual machine inside a host’s network (i.e., not using the router’s DHCP or manual IPs), therefore one could say as long the host has a strong firewall, the virtual machine too could be protected by the same firewall.  Without the installation of Guest Additions, he or she could not open Windows 7 virtual machine in fullscreen mode, and so don’t forget to do this.

Related articles

• How-To: Start VBox VM Using Scripts / Command Lines (kindlevsmac.wordpress.com)
• imabonehead: How to configure VirtualBox to Auto start and stop Guest VM | CentOS | Linux Tutorial (kernelhardware.org)
• Creating Access to Virtual Box from the Windows 7 Start Menu (ghacks.net)
• The Best Virtualization App for Windows [Windows App Directory] (lifehacker.com)
• VirtualBox for Windows is a Free Useful Program (beast4romtheeast.wordpress.com)
• How To: Run OSX in Virtual Box (modteck.wordpress.com)
• virtual box networking with mobile brodband (stackoverflow.com)
• 5nine Software Announces Release of 5nine V2V Easy Converter 1.0 – Free, Fast and Easy-to-Use VMware to Hyper-V Virtual Machine Conversion Tool (prweb.com)
• VMware Fusion 4: Run Windows on Your Mac, Lion-Style (mac.appstorm.net)
• VirtualBox 4.1.6.74713 (jaskarantrickscentre.wordpress.com)
• How To: Run Windows 7 (Bootcamp) in VirtualBox (kindlevsmac.wordpress.com)
• Symbian with the Linux desktop in 2011 (allaboutsymbian.com)
• eApps Hosting Now Offers ISPmanager Control Panel, by ISPsystem, in Virtual Machine in the Cloud Service (prweb.com)
• Apogee Duet 2 in Windows using VirtualBox (gearslutz.com)
• 5 Creative Uses For A Virtual Box That You Probably Never Considered (makeuseof.com)
• Bryan Quigley: Windows Cant Handle the Hardware (bryanquigley.com)
• Compatible virtual environments for Windows 8 Developer Preview (obieosobalu.wordpress.com)
• VMware: Installing a Guest Operating System (Windows 2008 R2 64bit) on Virtual Machine (clean-clouds.com)
• Explained: How Windows protects your PC (techradar.com)
• eApps Launches Load Balancer Service for High Availability (prweb.com)
• Review: VMware Fusion 4 makes Windows-on-Mac easy (macworld.com)
• VMware: Installing a Guest Operating System on Virtual Machine (cleanclouds.wordpress.com)
• VMware Player 4.0.1 (jaskarantrickscentre.wordpress.com)
• Take Control Of VIrtual Machine Sprawl, New Low Cost Management Tool Released (prweb.com)
• Webcast – When is virtual machine software the wrong choice? (zdnet.com)
• Security by virtualization: where is the secure OS? (securitybalance.com)
• VirtualSharp Upgrades Virtual Machine Disaster Recovery (informationweek.com)