The Art of Presentation

Category: General

There hasn’t been any fear as widespread as the fear of speaking in public. I remember my days in college struggling with simple presentations just to get a good score in a course. But in real life there is no such thing as a simple presentation. Whether it is a job interview or an investors’ meeting, everyone takes part in some kind of presentation several times.

In recent years there have been some key presentations that have changed, and amazed, the world of technology, and Steve Jobs has been present in many of them, from the Mac redesign to the iPhone and the latest MacBook Air. He is simply a master of presentations, and here is a very interesting article about the simple elements he uses to amaze the masses and deliver a great presentation:

Deliver a Presentation like Steve Jobs


MSDN Events : Visual Studio 2008/MSSQL Server 2008/Windows 2008

Category: Events

Heroes Happen Here.
That’s the new slogan for the launch of the new 2008 products.
The launch events schedule is already available, and by attending any event you’ll receive a free personal copy of all the products.

For registration go to:

http://www.microsoft.com/heroeshappenhere/default.mspx

See you in San Diego!


Drive/Device Encryption: TrueCrypt

Category: Security

During this week I’ve been trying TrueCrypt (http://www.truecrypt.org/) for file/drive encryption, and here are my observations:

The best feature of this software is the price: free, zero, nada, nulo, nichts. Thank God for open source programmers.

The full feature list can be found on the website, so I won’t go deep into explanations. I’ll just say that it is a very robust piece of software offering several encryption algorithms (AES-256, Serpent, and Twofish) and three hash functions (RIPEMD-160, SHA-1, Whirlpool), none of them broken yet (rumors about SHA-1 being compromised have circulated on the net, but there is no practical example yet, only mathematical and conspiracy theories). Additionally, you can stack the algorithms in a cascade to create a more complex result (a slower process, but theoretically more secure), so the possible combinations, with the corresponding benchmark on my machine, are:

[benchmark1.JPG: TrueCrypt benchmark of each cipher and cascade on my machine]
(For comparison, unencrypted IDE drives range from 60 to 90 MB/s, SATA150 from 90 to 130 MB/s, and SATA300 from 120 to 200 MB/s.)

But what concerns us here are the next two features: real-time encryption and virtual disk/device configuration.

Virtual disk encryption means you can create a file and mount it as a volume, which appears as a new drive in Windows. Device encryption means you can configure a whole storage device (disk, partition, USB drive, etc.) to be encrypted.

Real-time encryption means that all encryption work is done in memory and is transparent to the user. You just configure the disk and voilà! You have a new drive letter where you can read and write without noticing that it’s being encrypted.

I tested with one virtual disk (Quang didn’t allow me to format the disk I borrowed), and here are my impressions:

I created a 10 GB virtual file with the AES-Twofish cascade and the Whirlpool hash and tested the following scenarios:


  • Big file read/write
  • Network read/write
  • VPN access (mounted the file located at the office on my home computer)
  • Media playback (mp3, video)

Locally I didn’t notice any slowness in the system. File access was also very quick (22 MB/s is more than enough for file storage), with no more noticeable slowness than any other of my drives. Where I found it “slow” was through the VPN, and that’s due to the network for sure (around 2 MB/min transfer speed).

The virtual file gives you the flexibility to move the file around and mount it wherever it’s needed. But since I was greedy enough to create a 10 GB file, I couldn’t put it on a DVD to mount it from there (yes, supposedly you can mount files from a DVD).

So, in conclusion, I consider this a very good candidate to encrypt our backups and/or personal/project folders. This software doesn’t encrypt OS drives because they couldn’t be booted, but there is a workaround using bootable CDs, which isn’t very useful for our case.

Next time I’ll review another free program that encrypts all drives and still boots the OS, so that all data on the machine is encrypted.


Password Security: Salting, #2 - Securing User Passwords

Category: General

In today’s internet age, the number of user accounts a “normal” person needs is enormous. Think for a moment about all the username/password combinations you use: work, personal email account, personal spammable email account, cable/satellite company, phone company, all those forums you read, all of your online banking accounts, and a very long etc. Now think: how many of you use the same password for two or more accounts? If you use a different one for every account, chances are you are a genius with an IQ higher than the normal user. If not, don’t worry, you are just a normal person, either very trustful or very foolish, you decide. And you are also in the right place to learn something useful today.

The assumption that people use the same username/password for several accounts gives attackers an advantage: they don’t have to break into your bank to get your info, they just have to get your username/account from that shady forum you subscribed to 6 months ago.

To prevent this kind of attack, and at the same time keep our heads from exploding from all the information we need to memorize, there is a very simple trick that allows us to use the “same” password for every account we have, while having the peace of mind that by subscribing to that forum with lots and lots of torrent files you won’t be as exposed to account theft as the normal user.

The solution is to use an algorithm to create our passwords, simple enough for us to remember, but giving a result complex enough to have a different password for every one of our accounts.

First, we start with a “base” password, something we’ll always remember. It could be the current password you use for all your accounts :). Let’s say, for example, that we use “123mambo”. That itself could be a very good password: letters and numbers, not related to anything specific and not giving information about us. But you shouldn’t use it for all of your accounts, so let’s add a simple process to customize it for each of our accounts.

For every website/place we need a password, we take our “base” password and add some letters taken directly from the name of that site, creating something unique for every website. That’s it… simple, right?
The characters I’ll use to “salt” my password will be the 1st, 2nd and 5th letters of the site’s name, plus the total number of characters in the name.

Let’s see how it works. Take www.hotmail.com, for example. Applying my previously decided algorithm, the password for my Hotmail account would be:
“123mambo” + “h” (1st char) + “o” (2nd char) + “a” (5th char) + 7 (“hotmail” = 7 chars) = 123mambohoa7
Now let’s create the password for a Yahoo account (www.yahoo.com):
“123mambo” + “y” (1st char) + “a” (2nd char) + “o” (5th char) + 5 (“yahoo” = 5 chars) = 123mamboyao5
And what about our newspaper subscription (www.nytimes.com)?
“123mambo” + “n” (1st char) + “y” (2nd char) + “m” (5th char) + 7 (“nytimes” = 7 chars) = 123mambonym7

Some other website examples and their results:
www.mymail.com - “123mambomyi6”
www.unitedbank.com - “123mamboune10”
www.bankofcalifornia.com - “123mambobao16”
www.usabank.com - “123mambousa7”
Microsoft Money - “123mambomio14”
Outlook - “123mambooul7”
Time Reporter - “123mambotir12”

So, as you can see, we can get pretty secure passwords without using too much of our memory.
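As an added example (not code from the post), here is the rule above in Python, so the results can be checked against the post’s table. The site_name() cleanup (drop any scheme and a leading “www.”, keep the first dotted label, remove spaces, lowercase) is my assumption, chosen to match the post’s examples; recover_base() is the check a reviewer would want, because the suffix is computed from the public site name rather than from a secret.

```python
# Added example, not from the post: the post's derivation rule in Python.
import re

BASE = "123mambo"  # the post's sample base password; use your own


def site_name(site: str) -> str:
    """Reduce a URL or product name to the bare name the rule works on.

    Assumption, chosen to match the post's examples: drop any scheme and a
    leading "www.", keep only the first dotted label, remove spaces, lowercase.
    """
    s = site.strip().lower()
    s = re.sub(r"^[a-z]+://", "", s)
    s = re.sub(r"^www\.", "", s)
    s = s.split("/")[0].split(".")[0]
    return re.sub(r"\s+", "", s)


def suffix(site: str) -> str:
    """1st, 2nd and 5th letters of the name plus its length (the post's rule)."""
    name = site_name(site)
    if len(name) < 5:
        raise ValueError(f"rule needs a name of 5+ characters, got {name!r}")
    return f"{name[0]}{name[1]}{name[4]}{len(name)}"


def derive(site: str, base: str = BASE) -> str:
    """Base password followed by the site-specific suffix."""
    return base + suffix(site)


def recover_base(leaked: str, site: str):
    """Risk check: the suffix depends only on the public site name, so a
    password stored in clear by one site reveals the base used everywhere.
    Returns the base if the leaked value ends with the expected suffix."""
    s = suffix(site)
    return leaked[: -len(s)] if leaked.endswith(s) else None


if __name__ == "__main__":
    for site in ("www.hotmail.com", "www.yahoo.com", "Microsoft Money"):
        print(f"{site:20} -> {derive(site)}")
    print("base from one leaked password:",
          recover_base(derive("www.hotmail.com"), "www.hotmail.com"))
```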

I hope this one was useful for you. Be creative, and please don’t use 123mambo because I already use it (j/k), but above all, be safe.

Tags: password, salt, security, seguridad

Phishing Banamex: How reliable are they?

Category: General, Security


Phishing is nowadays one of the most effective attack techniques. It consists of obtaining users’ information through a fake copy of a real website: messages are sent to users asking them to enter their data (usually login information) on that website. That website will always fail to validate the users, so they try again and again until they give up. But by then the users have already given away their info to some stranger who was just waiting for it in order to get access to the real website.

Just last week, I was at my home computer when I realized that something had modified my HOSTS file (see the modified content below), with the intent of getting login information for the online banking system of Banamex bank (Citigroup’s Mexican bank).
If I had an account at Banamex and hadn’t noticed the modification, I could have entered my info on that fake website, and then several days later discovered some strange transactions in my accounts, starting the lengthy process of recovering from identity theft (fighting with the banks, trying to get the money back, etc.).
As that day’s good deed, I decided to inform Banamex about what had happened, hoping at least that they could try to take the fake website down, alert their customers, or anything… but oh, what a disappointment!
They only let their stupidity show. Here is the communication I had with them (originally in Spanish, translated here, because they are a Mexican bank; basically I let them know about the attack and they answered me with a customer service phone number so they can give me better service… yeah right!):


From: Abraham Vargas (XXXXXX@XXXXX.XXX)
Sent: Friday, May 25, 2007 01:07 a.m.
To: Servicio A Clientes (1) [BNMX]
Subject: Customer Service (Portal 1)
Customer Service Module
User name: ABRAHAM VARGAS
User email: XXXX@XXXXXX.XXX
User phone: 000
User fax: 000
User address: USA
User neighborhood: USA
User ZIP code: 92069
User city: SAN MARCOS CALIFORNIA
User state: OTHER
User country: UNITED STATES
Contact topic: BANCANET ONLINE SERVICES
User comment: HELLO, I AM WRITING BECAUSE SOME INTERNET VIRUS CHANGED MY COMPUTER’S CONFIGURATION SO THAT WHEN TRYING TO ACCESS THE BANAMEX SITE IT WOULD GO TO THE FOLLOWING IP ADDRESS, 189.180.78.75. PLEASE INVESTIGATE, BECAUSE IT SEEMS TO BE A FAKE ADDRESS USED TO OBTAIN YOUR USERS’ PASSWORDS. THE COMPLETE CONFIGURATION IT CHANGED WAS THE HOSTS FILE, AND IT PUT THIS IN PLACE OF MY ORIGINAL FILE:
189.180.78.75 WWW.BANAMEX.COM
189.180.78.75 BANAMEX.COM
189.180.78.75 WWW.BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BOVEDA.BANAMEX.COM.MX
189.180.78.75 WWW.BOVEDA.BANAMEX.COM.MX
I HOPE YOU CAN FIX THE PROBLEM SOON
REGARDS

And the answer was:


From: "Atencion Empresarial 3 [BNMX]" (atenempre3@banamex.com)
To: XXXX@XXXXXX.XXX
Subject: SC-Customer Service (Portal 1)
Date: Mon, 28 May 2007 11:30:00 -0500
Dear Customer,
Good afternoon, please receive a cordial and warm greeting.
In order to provide you with the best service, we invite you to call our customer service phone numbers (1800 226 2639 (1800 BANAMEX)).
Note:
This message is informational in nature, and its non-receipt by the customer does not imply any obligation or liability on the part of the bank.
** Note: We remind you that Banamex will never ask you for confidential information such as your secret number, password, personal information or account details by e-mail. If you receive an e-mail requesting this information, be suspicious of its origin, do not reply or click on links in these e-mails, and forward it to the e-mail address giso@banamex.com
Thanks and regards!!
ATENCION EMPRESARIAL 3
Tel.: 1800 226 2639 (1800 BANAMEX)
The information contained in this e-mail message is only for purposes of the intended recipient. Any unauthorized use is responsibility of the receiver. If you have received this e-mail message in error, please immediately notify the sender and delete it from your computer.

What can we expect from customer service like that?
Thank you, but that’s useless to me… so, do you have an account with Banamex?
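The HOSTS modification described above is easy to catch if you look for it: a hosts file normally only maps names to loopback, LAN or sinkhole addresses, so a bank domain pointed at a public IP stands out. The following is an added example (not code from the post) that parses a hosts file and flags such entries; the sample hosts content is constructed for the example and mirrors the lines quoted in the post, and the Windows path in the usage note is the standard location, not something taken from the post.

```python
# Added example, not from the post: flag hosts-file entries that override DNS
# for a hostname with a globally routable address (the pharming trick above).
import ipaddress

# Constructed sample hosts file: two ordinary lines, then the redirections
# quoted in the post (every bank hostname pointed at one public address).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
0.0.0.0         ads.example        # ad-blocking sinkhole entry, harmless
189.180.78.75 WWW.BANAMEX.COM
189.180.78.75 BANAMEX.COM
189.180.78.75 WWW.BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BANCANETEMPRESARIAL.BANAMEX.COM.MX
189.180.78.75 BOVEDA.BANAMEX.COM.MX
189.180.78.75 WWW.BOVEDA.BANAMEX.COM.MX
"""


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()  # one address, one or more names per line
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def find_hijacks(text: str) -> list:
    """Flag hostnames mapped to a public address: loopback, private and
    sinkhole (0.0.0.0) targets are normal, a routable IP beside a bank's
    domain sends the browser to whoever controls that address."""
    hijacks = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all, so not a usable override
        if addr.is_global:
            hijacks.append((ip, name))
    return hijacks


def scan_file(path: str) -> list:
    """Run the check on a real hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"SUSPICIOUS: {name} -> {ip}")
```

On Windows the file to pass to scan_file() is %SystemRoot%\System32\drivers\etc\hosts; on Linux and macOS it is /etc/hosts.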

Tags: banamex, bank, phishing, security, seguridad

Carpe Teknus © 2008
