Category: security

  • Spotting a security charlatan

    Google’s Open Source Programs Manager, Chris DiBona recently pointed out how IT security industry charlatans keep making false claims to push the sales of their software products and consulting services.

    “If you read an analyst report about ‘viruses’ infecting ios, android or rim,” says Chris, “you now know that analyst firm is not honest and is staffed with charlatans. There is probably an exception, but extraordinary claims need extraordinary evidence.”

    Sadly, the computer press tends to accept these extraordinary claims at face value and allows the charlatans to repeat their snake oil pitches without subjecting them to critical analysis.

    Fortunately for those who care about the security of their home and business IT systems, there are ways to spot the charlatans and their dodgy wares.

    The Big Target theory

    When you read a claim that the Windows malware epidemic of the early 2000s was due to Microsoft being a big target, as opposed to the tiny market shares of Apple and Linux, you can be sure they are the words of someone who is at best clueless and at worst selling a dubious product.

    This theory is nonsense, as I’ve explained previously, and anyone who genuinely believes it has no experience of dealing with the poorly secured operating systems that were Windows 98, Me and the early versions of XP.

    If you are confronted by somebody making this claim, ask them why, now that smartphones are outselling desktop computers, the widespread malware promised for mobile systems has not appeared. It doesn’t exist for exactly the reasons Chris gives in his Google+ post.

    Real Soon Now

    The other key indicator is the “real soon now” claim – that a virus is about to burst onto the scene and wipe the smile off the faces of smug Mac and Linux users.

    Invariably the hysterical headlines are backed up with claims, almost always taken from a vendor’s press release, that a security company’s researchers have identified a threat that is about to exploit wilfully clueless users.

    Daring Fireball’s John Gruber has done an excellent job of dismantling this rubbish in his classic post “Wolf”.

    His post was provoked by the ‘news’ that a wave of Apple malware was on its way. That was six months ago and we’re still waiting. John tracked similar stories back to 2004, none of which came to fruition.

    The modern snake oil men have an advantage in that tech journalists are desperate for page views, and many media organisations no longer have the resources to critically analyse PR claims.

    Sadly, there are real security issues that home and business users need to be aware of. Of course, much of the solution to those problems doesn’t involve selling dubious antivirus or expensive consulting services.

    In some respects, the proliferation of these stories is a reflection of the decline of the mainstream media business model.

    As more ‘news’ stories become lightly rewritten PR spin, readers take those outlets less seriously, and once-trusted journals of record become little better than online gossip rags.

    Important issues, like information security, deserve more than repeating the lies of those who profit from fear, uncertainty and doubt.


  • Avoiding industrial nightmares

    The Iranian nuclear program is crippled by a virus that infects their control systems while a hacker claims a Texas waterworks can be accessed with a three word password.

    Any technology can be vulnerable to the bad guys – obscure systems like office CCTV networks and home automation services can be as vulnerable as the big, high profile infrastructure targets.

    While there are good reasons to connect our systems to the web, we need to ensure our networks are secure, and there is a range of things we can do to protect ourselves.

    Does this need to be connected?

    Not everything needs an Internet or network connection; if there’s no reason for a device or network to be connected, then simply don’t plug it in.

    Keep in mind, though, that threats don’t just come through the web: neither the Iranian malware attack nor the Wikileaks data breach was due to hackers or Internet attacks.

    Get a firewall

    No server or industrial system should be connected directly to the public Internet; an additional layer of security will protect systems from unwanted visitors.

    All Internet traffic should go through a firewall that is configured to allow only certain traffic through. If the router or firewall can be configured to support a Virtual Private Network (VPN), that’s an added layer of security.

    Disable unnecessary features

    The fewer things you have running, the fewer opportunities there are for clever or determined hackers to find weaknesses.

    Shut down unnecessary services running on systems – Windows servers are notorious for running superfluous features – and close Internet ports that aren’t required for the normal running of your network.

    Patch your systems

    Computer systems are constantly being updated as new security problems and flaws are found.

    Unpatched computers are a gift to malicious hackers, and all systems should be current with the latest security and feature updates.

    This is a lesson the Iranians learned with the Stuxnet worm that was almost certainly introduced through an unpatched system – probably one running an early version of Windows XP or even 98 – which was vulnerable to known security problems.

    Have strong passwords

    Passwords are a key part of a security policy; they have to be strong and robust while being different from those you use for social media and cloud computing services.

    It’s also important not to share passwords, and to restrict key login details and administrator privileges to those who require them for their work.
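    The “Get a firewall” and “Disable unnecessary features” steps above amount to one check: know what is listening on a box, compare it with what is meant to be reachable, and let the firewall allow only that. The following is an added example (not code from the original post) that does both over a constructed listener table in the format of `ss -tulnp` output. The sample lines, the `ALLOWED_EXPOSED` policy and the function names are assumptions made for the example; loopback-only services are treated as not exposed.

```python
"""Audit listening services against an allowlist and emit a matching firewall ruleset.

Added example. The listener table below is constructed in the format of
`ss -tulnp` output and was not captured from any real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one header line, then one line per listening socket.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53          0.0.0.0:*     users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128            0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      511            0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=903,fd=6))
tcp   LISTEN 0      128            0.0.0.0:23          0.0.0.0:*     users:(("telnetd",pid=1204,fd=4))
tcp   LISTEN 0      50             0.0.0.0:445         0.0.0.0:*     users:(("smbd",pid=1310,fd=33))
tcp   LISTEN 0      128          127.0.0.1:5432        0.0.0.0:*     users:(("postgres",pid=1402,fd=5))
tcp   LISTEN 0      128               [::]:22             [::]:*     users:(("sshd",pid=801,fd=4))
"""

# Assumed policy: the only services this host is meant to expose beyond loopback.
ALLOWED_EXPOSED = {("tcp", 22), ("tcp", 80)}

_PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # extracts the name in users:(("name",pid=...))
LOOPBACK_PREFIXES = ("127.", "[::1]")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tulnp`-style lines; the header and malformed lines are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")   # split "addr:port" on the last colon (IPv6-safe)
        if not port.isdigit():
            continue
        addr = addr.split("%", 1)[0]                # drop an interface scope such as %lo
        match = _PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(fields[0], addr, int(port), process))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr.startswith(LOOPBACK_PREFIXES)


def audit_listeners(output: str, allowed: set[tuple[str, int]]) -> list[dict]:
    """Return every listener bound beyond loopback that is not on the allowlist."""
    findings = []
    for lst in parse_ss(output):
        if is_loopback(lst.addr) or (lst.proto, lst.port) in allowed:
            continue
        findings.append({
            "proto": lst.proto, "port": lst.port, "addr": lst.addr, "process": lst.process,
            "action": f"stop or disable {lst.process}, or bind it to loopback",
        })
    return findings


def nftables_rules(allowed: set[tuple[str, int]]) -> str:
    """Default-deny inbound ruleset (nftables syntax) that opens only the allowlisted ports."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
    ]
    for proto in ("tcp", "udp"):
        ports = sorted(p for pr, p in allowed if pr == proto)
        if ports:
            lines.append(f"    {proto} dport {{ {', '.join(map(str, ports))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED_EXPOSED):
        print(f"{f['proto']}/{f['port']} ({f['process']}) exposed on {f['addr']}: {f['action']}")
    print(nftables_rules(ALLOWED_EXPOSED))
```

On the constructed sample the audit flags telnet (23) and SMB (445) as exposed without being on the allowlist, while PostgreSQL on 127.0.0.1 and the resolver on loopback pass. The generated ruleset is the firewall half of the same policy: default drop, loopback and established connections allowed, and only the allowlisted ports opened, so a service that is later started by mistake is unreachable until someone deliberately adds it.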

    With online services like social media, cloud computing and other web tools becoming a part of business and home life, we have to take the security of our systems seriously. Hardening them against threats is a good place to start.


  • The digital inheritance

    Our digital footprint – what appears about us online in websites and social media services – is becoming more important as we’re judged by what people find out about us on the web.

    As what we store on the web becomes more important, so does the need to plan for what happens to that data when we pass away. “Generation Cloud”, a survey in the UK by hosting company Rackspace and the University of London, looked at how Britons were dealing with these issues.

    Information left online can cause problems, as social media sites will send suggestions and reminders which can distress others if the suggested contact has passed away.

    Equally, a web site or Facebook page could even serve as a memorial. The final blog post of Derek K. Miller is a particularly touching memorial.

    To create a “digital tombstone”, to let your loved ones remove inappropriate posts, or simply to give them access to your digital personal effects like email or photos stored on a cloud service, they will need your passwords.

    In the Generation Cloud survey, 11% of the participants planned to leave their online account details and passwords in their wills, and half considered that some of their ‘treasured possessions’ were stored online.

    Once again we’re finding our online data has real value that’s worth passing down. It’s another reason to guard your data safely and not give it away lightly.


  • Password protection

    The suspension of eighty students from a suburban Sydney high school once again illustrates how careless we often are with passwords and the access to our computers. In an era of Internet banking, online shopping and social media sites holding our personal details, we have to take web security seriously.

    In many ways the teacher who let their password slip to their students was lucky. In the United States, authorities haven’t always been so forgiving of these sorts of mistakes, and in this case the kids and the system administrators were a lot more adult and responsible than their Connecticut counterparts.

    What the incident does show is how the weakest points of our technology networks are ourselves – the most secure systems, toughest passwords and best anti-virus protection won’t help us if we don’t take care.

    We looked at protecting organisations in an earlier post, Protecting your data, and here are some steps on how to take care with your personal details.

    Shut down computers

    When you’re finished working, make sure you log out of email programs, secure sites, social media services and shut your computer down.

    In an office context this is very important if you’re going away for a meeting or a break, as people have been known to use co-workers’ computers to access prohibited sites or sensitive information.

    Should you be using Internet cafes, hotel business centres or airport lounges, you should be doubly careful to make sure you’ve logged off completely before walking away from the shared computer.

    Hide your passwords

    As the teacher at Prairiewood High found, your password is gold. Do not divulge it under any circumstances.

    Doing so is almost certainly a breach of your organisation’s Acceptable Use Policy, and sometimes this can mean disciplinary action or dismissal from a job. With your online banking, disclosing your password or PIN can mean you won’t be compensated if money is stolen from your account.

    Even a seemingly trivial social media site can cause trouble for you if crooks can get onto it.

    Having a complex password is good, and we look at a neat little trick for memorable but tough passwords in our Protecting Your Data post. It’s worthwhile making sure your logins are both easy to remember and secure.

    Understand your AUP

    An AUP, or Acceptable Usage Policy, is part of the conditions of your using a computer or online service. Many government and corporate networks have a box pop up forcing you to agree every time you log in. Take time to occasionally read it.

    Should you accidentally give away your password, say to a site that has fooled you into thinking it’s your bank or a social media site, the AUP will usually have a clause or a sentence on what to do in that situation. Understanding this will give you peace of mind if something does happen.

    We’re now in an age where our personal information is more valuable than ever before, and we need to guard who has access to it. Passwords are going to be part of protecting our data for some time to come, so understanding how to use them properly is essential.

  • The Lulz are on us

    Last weekend’s announcement that the LulzSec group of jolly hackers was breaking up was met with bemusement at what has been one of the most mysterious, albeit entertaining, chapters in the information wars of 2011.

    It’s quite clear that 2011 is the Year of the Hack, with organisations ranging from electronics company Sony, which now appears to be the joke of the online security world, through to major banks, the FBI and even Google’s Gmail service being the subject of serious online attacks.

    That many of these attacks were successful is a reminder to all of us of how important online security is, and that it is our responsibility to protect our customers’ and staff details by taking basic precautions.

    Take security seriously

    Many of the business hacks appear to have been the result of slack security practices, including out-of-date software and the use of default passwords.

    Even if you don’t have a server yourself, make sure your computers have all current updates installed and that strong passwords are in place.

    Password Security

    A basic precaution is to have robust passwords. A combination of letters and numbers is the best.

    One nice little tactic is to use a phrase as a password and separate the words with a character, for instance “mary$has$a$little$lamb”, although you might want to choose a more intimate phrase.

    Keep in mind, too, that strong passwords aren’t much help if an incompetent corporation leaks them onto the web along with your banking details. So use a layered approach, where critical passwords for bank accounts are different from those you might use for an online game or social media site.

    Restrict access

    The real risk to our security lies with our own staff: many “hacks” are actually employees erasing or giving away data, whether deliberately or accidentally.

    Don’t give passwords or access to people who don’t need them: keep the business accounts away from your sales staff and lock employment records away from the IT folk. Private client information shouldn’t be shared around the office, and particularly not with outside parties.

    Backup, backup, backup

    The DistributeIT debacle – which one is hesitant to describe as a “hack”, as their complete loss of hardware, client data and backups sounds more like an internal problem than an outside attack – shows how important it is to keep your own backups.

    As we move our businesses to online and cloud based services, we have to put a lot of trust in those who provide those products. It’s good insurance to have easily available copies of mission-critical data in case of a problem.

    Invest in technology

    We’ve all heard CEOs and ministers claim they will save millions by outsourcing their IT departments. Those savings come from somewhere, and information security is one of the corners that gets cut when reducing operating costs.

    Experienced tech workers have plenty of examples where management cries of “we’ve been hacked” have actually been hardware failures or staff mistakes brought on by poorly trained staff working with inadequate equipment.

    Sony appear to have fallen for this, having reportedly sacked many of their security specialists before the hacks began.

    Make sure you are making sensible investments in your technology and not going for the cheapest, or free, option simply to save a few pennies.

    Obey standards

    Nothing is more embarrassing than losing clients’ confidential data, particularly banking details.

    If you are taking customer payments, make sure you are complying with the PCI DSS standard for card payments by giving the work to a reputable payment gateway.

    Have a contingency plan

    “There but for the grace of God….” is a good phrase to keep in mind when you see another business affected by a hacker, hardware failure or any of the millions of other unfortunate things that could stop your business.

    Even with the best planning in the world, sometimes dumb luck just doesn’t go your way. You need to have a fallback plan to keep your business running if the unexpected happens.

    Be honest

    One thing that jumps out in a number of the stories is how some organisations are simply not honest with their customers.

    The process starts with misrepresenting how they secure and protect customer data. When an outage hits, they hide behind a call centre and often lie about, or at least understate, the effects of the problem.

    In an age of social media, blogs and user forums, trying to spin your way out of trouble is not the answer. If customers are going to trust you, they need to have confidence you won’t mislead them.

    As consumers, the various data breaches we’ve seen so far this year should make us pause before we give valuable personal data to businesses. It’s quite clear that some don’t deserve our trust.

    For businesses, we need to show that we are worthy of our customers’ trust. The first step of that process is taking their privacy seriously.

    LulzSec, Anonymous and all the other various hackers, anarchists and general troublemakers on the web are reminding us that we need to take our online responsibilities as seriously as any others.

    Make sure you’re protecting your own business and your customers’ data.
