Securing the USB stick

There are some risks with carrying around private data on a portable drive

While I’m always reluctant to publicise security companies’ media releases – believing many of them to be hysterical hype – a quick study by Sophos on lost USB keys has some interesting lessons for all of us who use thumb drives to carry data.

Sophos bought 50 USB drives at Sydney’s CityRail unclaimed lost property auction and analysed them for malware and security risks.

The study – not yet online – found more than 4,400 files including photos, CVs and job applications: confidential material that could be used for identity theft, stalking or commercial advantage.

Encryption

If you are moving confidential data between computers, it may be a good idea to consider encryption software that protects files from unwanted visitors. Mac OS X has encryption software built in, as do all but the home versions of Windows 7 and Vista.

Should you have a computer that doesn’t come with encryption, or you’re taking the drive between different venues, then you may need a third party encryption program like TrueCrypt. Note you’ll need administrator rights to install the software on every machine you use.

The Malware threat

As a security company Sophos leaned heavily towards the malware aspect with a headline that 66%, or 33, of the drives had some sort of malware on them.

While that statistic is suspiciously high, it does illustrate the risk of plugging USB sticks into school, office and internet cafe computers. Like unsafe sex, the likelihood of catching something nasty increases with the more partners you have.

Perversely, Apple Macs could be helping spread the malware: Mac users generally don’t use or need antivirus software, so any viruses picked up on someone else’s Windows system can sit undetected and dormant until the drive is used on another PC.

Consequently, it’s good practice to wipe a drive when you’re finished with it; along with deleting malware, you also avoid keeping unnecessary and possibly out of date files on your drive.

Overall, Sophos’ survey illustrates why cloud services like Dropbox and Box.net are best for sharing data, although the USB stick still has an important role when everything else goes wrong.

Spotting a security charlatan

The tell tale signs of technology and web falsehoods

Google’s Open Source Programs Manager, Chris DiBona recently pointed out how IT security industry charlatans keep making false claims to push the sales of their software products and consulting services.

“If you read an analyst report about ‘viruses’ infecting ios, android or rim,” says Chris,  “you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.”

Sadly, the computer press tends to accept these extraordinary claims at face value and allows the charlatans to repeat their snake oil pitches without subjecting them to critical analysis.

Fortunately for those who care about the security of their home and business IT systems, there are ways to spot the charlatans and their dodgy wares.

The Big Target theory

When you read a claim that the Windows malware epidemic of the early 2000s was due to Microsoft being a big target as opposed to the tiny market shares of Apple and Linux, you can be sure they are the words of someone who is at best clueless selling a dubious product.

This theory is nonsense, as I’ve explained previously, and anyone who genuinely believes this has no experience in dealing with the poorly secured operating systems that were Windows 98, Me and the early versions of XP.

If you are confronted by somebody making this claim, ask them: now that smartphones are outselling desktop computers, where is the widespread malware promised for mobile systems? It doesn’t exist, for exactly the reasons Chris gives in his Google+ post.

Real Soon Now

The other key indicator is the “real soon now” claims – that a virus is about to burst onto the scene that will rub the smile off the face of smug Mac and Linux users.

Invariably the hysterical headlines are backed up with claims, almost always taken from a vendor’s press release, that a security company’s researchers have identified a threat that is about to exploit wilfully clueless users.

Daring Fireball’s John Gruber has done an excellent job of dismantling this rubbish in his classic post “Wolf”.

His post was provoked by the ‘news’ that a wave of Apple malware was on its way. That was six months ago and we’re waiting. John tracked similar stories back to 2004, none of which came to fruition.

The modern snake oil men have an advantage in that tech journalists are desperate for page views and in many media organisations they no longer have the resources to critically analyse PR claims.

Sadly there are real security issues that home and business users need to be aware of. Of course, much of the solution for this doesn’t sell dubious antivirus or expensive consulting services.

In some respects, the proliferation of these stories is a reflection of the decline of the mainstream media business model.

As more ‘news’ stories become lightly rewritten PR spin, the less readers take those outlets seriously and once trusted journals of record become little better than online gossip rags.

Important issues, like information security, deserve more than repeating the lies of those who profit from fear, uncertainty and doubt.

Avoiding industrial nightmares

How we can harden our computer networks from hacking attacks

The Iranian nuclear program is crippled by a virus that infects their control systems while a hacker claims a Texas waterworks can be accessed with a three word password.

Any technology can be vulnerable to the bad guys – obscure systems like office CCTV networks and home automation services can be as vulnerable as the big, high profile infrastructure targets.

While there are good reasons to connect our systems to the web, we need to ensure our networks are secure, and there’s a range of things we can do to protect ourselves.

Does this need to be connected?

Not everything needs an Internet or network connection. If there’s no reason for a device or network to be connected, then simply don’t plug it in.

Keep in mind though that threats don’t just come through the web; both the Iranian malware attack and the Wikileaks data breach weren’t due to hackers or Internet attacks.

Get a firewall

No server or industrial system should be connected directly to the public Internet; an additional layer of security will protect systems from unwanted visitors.

All Internet traffic should go through a firewall that is configured to only allow certain traffic through. If the router or firewall can be configured to support a Virtual Private Network (VPN), then that’s an added layer of security.

Disable unnecessary features

The fewer things you have running, the fewer opportunities there are for clever or determined hackers to find weaknesses.

Shut down unnecessary services running on systems – Windows servers are notorious for running superfluous features – and close Internet ports that aren’t required for normal running of your network.

Patch your systems

Computer systems are constantly being updated as new security problems and flaws are found.

Unpatched computers are a gift to malicious hackers and all systems should be current with the latest security and feature updates.

This is a lesson the Iranians learned with the Stuxnet worm that was almost certainly introduced through an unpatched system – probably one running an early version of Windows XP or even 98 – which was vulnerable to known security problems.

Have strong passwords

Passwords are a key part of a security policy. They have to be strong and robust while being different to those you use for social media and cloud computing services.

It’s also important not to share passwords and restrict key log in details and administrator privileges to those who require them for their work.

With online services like social media, cloud computing and other web tools becoming a part of business and home life, we have to take the security of our systems seriously. Hardening them against threats is a good place to start.

The digital inheritance

Our online possessions are valuable and now matter.

Our digital footprint – what appears about us online in websites and social media services – is becoming more important as we’re judged by what people find out about us on the web.

As what we store on the web becomes more important, the need to plan for what happens to that data when we pass away becomes more important. “Generation Cloud”, a survey in the UK by hosting company Rackspace and the University of London looked at how Britons were dealing with these issues.

Information left online can cause problems as social media sites will send suggestions and reminders which can distress others if the suggested contact has passed away.

Equally, a web site or Facebook page could even serve as a memorial. The final blog post of Derek K. Miller is a particularly touching memorial.

To create a “digital tombstone”, for your loved ones to remove inappropriate posts or just to access your digital personal effects like email or photos stored on a cloud service, they will need your passwords.

In the Generation Cloud survey, 11% of the participants planned to leave their online account details and passwords in their wills and half considered some of their ‘treasured possessions’ are stored online.

Once again we’re finding our online data has real value that’s worth passing down. It’s another reason to guard your data safely and not give it away lightly.

Password protection

Our passwords are valuable, how should we protect them?

The suspension of eighty students from a suburban Sydney high school once again illustrates how careless we often are with passwords and the access to our computers. In an era of Internet banking, online shopping and social media sites holding our personal details, we have to take web security seriously.

In many ways the teacher who let their password slip to their students was lucky. In the United States, authorities haven’t always been so forgiving of these sorts of mistakes, and in this case the kids and the system administrators were a lot more adult and responsible than their Connecticut counterparts.

What the incident does show is how the weakest points of our technology networks are ourselves – the most secure systems, toughest passwords and best anti-virus protection won’t help us if we don’t take care.

We looked at protecting organisations in an earlier post, Protecting your data, and here’s some steps on how to take care with your personal details.

Shut down computers

When you’re finished working, make sure you log out of email programs, secure sites, social media services and shut your computer down.

In an office context, this is very important if you’re going away for a meeting or a break, as people have been known to use co-workers’ computers to access prohibited sites or sensitive information.

Should you be using Internet cafes, hotel business centres or airport lounges you should be doubly careful to make sure you’ve logged off completely before walking away from the shared computer.

Hide your passwords

As the teacher at Prairiewood High found, your password is gold. Do not divulge it under any circumstances.

Often doing so is almost certainly a breach of your organisation’s Acceptable Use Policy and sometimes this can mean disciplinary action or dismissal from a job. With your online banking, disclosing your password or PIN can mean you won’t be compensated if money is stolen from your account.

Even a seemingly trivial social media site can cause trouble for you if crooks can get onto it.

Having a complex password is good, and we look at a neat little trick for memorable but tough passwords in our Protecting Your Data post. It’s worthwhile making sure your logins are both easy to remember and secure.

Understand your AUP

An AUP, or Acceptable Usage Policy, is part of the conditions of you using a computer or online service. Many government and corporate networks have a box pop up forcing you to agree every time you login. Take time to occasionally read this.

Should you accidentally give away your password, say to a site that’s fooled you that it’s your bank or a social media site, the AUP will usually have a clause or a sentence on what to do in that situation. Understanding this will give you peace of mind if something does happen.

We’re now in an age where our personal information is more valuable than ever before and we need to guard who has access to it. Passwords are going to be part of protecting our data for some time to come, so understanding how to use them properly is essential.

The Lulz are on us

What can we learn from the recent wave of security hacks?

Last weekend’s announcement that the LulzSec group of jolly hackers was breaking up was met with bemusement at what has been one of the most mysterious, albeit entertaining, chapters in the information wars of 2011.

It’s quite clear that 2011 is the Year of the Hack with organisations ranging from electronics company Sony who now appear to be the joke of the online security world through to major banks, the FBI and even Google’s Gmail service being the subject of serious online attacks.

That many of these attacks were successful is a reminder to all of us how important online security is and it is our responsibility to protect our customers’ and staff details by taking basic precautions.

Take security seriously

Many of the business hacks appear to have been because of slack security practices including out of date software and default passwords being used.

Even if you don’t have a server yourself, make sure your computers have all current updates installed and that strong passwords are in place.

Password Security

A basic precaution is to have robust passwords. A combination of letters and numbers is the best.

One nice little tactic is to use a phrase as a password and separate the letters with a character, for instance using “mary$has$a$little$lamb”, although you might want to choose a more intimate phrase.

Keep in mind too that strong passwords aren’t much help if an incompetent corporation leaks them onto the web, along with your banking details. So use a layered approach where critical passwords for bank accounts are different to those that you might use for an online game or social media site.

Restrict access

The real risk to our security lies with our own staff; many “hacks” are actually employees erasing or giving away data, which could be deliberate or accidental.

Don’t give passwords or access to people who don’t need them, keep the business accounts away from your sales staff and lock employment records away from the IT folk. Private client information shouldn’t be shared around the office and particularly not with outside parties.

Backup, backup, backup

The DistributeIT debacle, which one is hesitant to describe as a “hack” as their complete loss of hardware, client data and backups sounds more like an internal problem than an outside attack, shows how important it is to keep your own backups.

As we move our businesses to online and cloud based services, we have to put a lot of trust into those who provide those products. It’s good insurance to have easily available copies of mission critical data in case of a problem.

Invest in technology

We’ve all heard CEOs and ministers claim they will save millions in outsourcing their IT departments. Those savings come from somewhere and information security is one of those corners that’s cut when reducing operating costs.

Experienced tech workers have plenty of examples where management cries of “we’ve been hacked” have actually been hardware failures or staff mistakes brought on by poorly trained staff working with inadequate equipment.

Sony appear to have fallen for this, having reportedly sacked many of their security specialists before the hacks began.

Make sure you are making sensible investments in your technology and not going for the cheapest, or free, option simply to save a few pennies.

Obey standards

Nothing is more embarrassing than losing clients’ confidential data, particularly banking details.

If you are taking customer payments, make sure you are complying with the PCI DSS standards for card payments by giving the work to a reputable payment gateway.

Have a contingency plan

“There but for the grace of God….” is a good phrase to keep in mind when you see another business affected by a hacker, hardware failure or any of the millions of other unfortunate things that could stop your business.

Even with the best planning in the world sometimes dumb luck just doesn’t go your way. You need to have a fall back plan to keep your business running if the unexpected happens.

Be honest

One thing that jumps out in a number of the stories is how some organisations are simply not honest with their customers.

The process starts with misrepresenting how they secure and protect customer data. When an outage hits, they hide behind a call centre and often lie, or at least understate, the effects of the problem.

In an age of social media, blogs and user forums trying to spin your way out of trouble is not the answer. If customers are going to trust you, they need to have confidence you won’t mislead them.

As consumers, the various data breaches we’ve seen so far this year should make us pause before we give valuable personal data to businesses. It’s quite clear that some don’t deserve our trust.

For businesses we need to show that we are worthy of our customers’ trust. The first step of that process is taking their privacy seriously.

LulzSec, Anonymous and all the other various hackers, anarchists and general troublemakers on the web are reminding us that we need to take our online responsibilities as seriously as any others.

Make sure you’re protecting your own business and your customers’ data.

How safe is your net connection?

It pays to be careful on the web when travelling.

Reports last week that foreign “hackers” had intercepted emails between Australian government officials and miners raised the issue of email security: just how private are our online messages?

When the media uses the word “hacking” it’s always worth taking a step back and finding out the facts. Often a security breach is the result of a simple setup mistake or the information and passwords have walked out the building with a disaffected, lovestruck or just plain dumb employee.

That’s not to say hackers aren’t a risk organisations should be conscious of; it’s just that often the security risks are more mundane than we would expect. A good example is the simple matter of logging onto a wireless or hotel network.

We assume when we log into our networks that the data is secure, though often the user names and passwords are exchanged in “clear text”, which means anyone with access to the network can view your passwords with the use of a “packet sniffer” that reads each bundle of information sent across the internet.

Poor security isn’t just a feature of unprepared computer users; every year the world’s leading hackers and security experts gather at the Las Vegas DEFCON conference, which since 2001 has featured the Wall of Sheep, an embarrassing display of user information captured off the convention’s network.

This is a surprisingly common security problem, made more frequent by the rise of unencrypted wireless networks which can be sniffed by anyone who can be bothered logging on. It is a common problem when you’re connecting to free wireless networks at the local coffee shop or fast food restaurant.

The answer to all of this is to use Secure Sockets Layer encryption, which creates a secure link between your computer, mobile phone or iPad and the servers. For email use, your system administrator can set this up, or if you use the popular web mail services it’s a matter of ticking the box.

A similar service works when you’re browsing the web. On visiting a secure site the address should start with https instead of the usual http; the “s” on the former stands for “secure”. A padlock symbol will also appear – in the bottom left hand corner of Firefox or beside the site address at the top of both Chrome and later versions of Internet Explorer.

Before logging onto any secure service, including social media platforms, both the https address and the padlock symbol should appear before you enter passwords or sensitive information like credit card or banking details.

Sadly, secure websites are not always foolproof: sometimes a site will use a secure connection for your password details and then, once you’ve logged in, return to an unsecured version. This is how the Firesheep program that was released last year works, by sniffing cookies and other stored information from unsecured websites.
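
For site owners, the weakness described above (a login protected by https that then drops back to http, leaving the session cookie readable on the network) is visible in the login response headers. The following Python check is an added example, not part of the original post; the shop.example host, the cookie values and the function names are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, status, headers):
    """Return a list of findings for one HTTP response.

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    findings = []
    is_https = urlsplit(url).scheme == "https"
    header_names = {name.lower() for name, _ in headers}

    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            # Without Secure the browser also attaches the cookie to http://
            # requests, where anyone on the same network can read it.
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie}' lacks the Secure attribute")
        elif lname == "location" and 300 <= status < 400:
            # Resolve relative redirects against the request URL first.
            target = urljoin(url, value)
            if is_https and urlsplit(target).scheme == "http":
                findings.append(f"redirect downgrades to {target}")

    # HSTS tells the browser to refuse plain http for this host in future.
    if is_https and "strict-transport-security" not in header_names:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample: secure login form, then back to http with an unprotected cookie.
WEAK_LOGIN = ("https://shop.example/login", 302, [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Location", "http://shop.example/account"),
])

# Constructed sample: the same login with the three problems corrected.
HARDENED_LOGIN = ("https://shop.example/login", 302, [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Location", "/account"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
])

if __name__ == "__main__":
    for label, response in (("weak", WEAK_LOGIN), ("hardened", HARDENED_LOGIN)):
        print(label, audit_response(*response) or "no findings")
```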

It’s surprising how many tourists and backpackers get caught out while doing online banking, checking their email or using social media while on the road.

Without logging into a network securely, then logging out when finished and making sure their details haven’t been saved, it’s quite common to see travellers getting their details stolen.

Assuming you’re safe because the network belongs to a high priced hotel or resort doesn’t always work either; a few years ago passengers on a major cruise liner had their bank accounts compromised when one of the crew was stealing data passing through the ship’s Internet cafe.

You don’t need to be a mining executive in China or Julian Assange to fall prey to the Internet snoops. Whole industries and criminal organisations are built around using your data, so it’s a good idea to make sure your information is secure, taking a little bit of caution and using some judgement before logging onto a network.
