Security Corner


January 15, 2013  1:14 AM

Renegade executives can wreck security

Ken Harthun Ken Harthun Profile: Ken Harthun

There is probably nothing more frustrating to an IT professional than having the security of his network compromised by a renegade executive who refuses to consult IT before ordering the installation of untested applications. Case in point: A recent help desk ticket read, “[Executive] told me to install Dropbox on my system, but I need administrative rights on my machine to do it.” WHAT? Where did that come from? No one mentioned this to IT, particularly the exec in question. Dropbox is blocked on our networks.

The weirdest part about this whole thing is that we have SharePoint 2010 and we are running Live@Edu (soon to migrate to Office 365) that has 25GB of storage. Why would anyone want to use an insecure service that provides only 2GB of storage in the free version? I asked that question. Answer: Preference. Huh?

Needless to say, I responded rather strongly:

The real issue here is that IT was not consulted before someone decided to start using an application that had not been vetted for both security and performance. There could be a workable process (pre-egress encryption using a proven encryption algorithm) formulated, but this should be driven by IT, i.e., those of us who know and understand the potential risks and benefits.
 
The Net Admins are responsible for the reliability, performance and security of our networks and the data flowing on them. I take this responsibility seriously and I’m sure my fellow Net Admins and assistants do as well. To ask me to put my network and data – and thereby my job – at risk because of some preference is just not acceptable to me.

What is your opinion? Hit the comments and let me know.

December 31, 2012  11:50 PM

Be careful out there tonight

Ken Harthun Ken Harthun Profile: Ken Harthun

This is a repeat of another post I made, but it bears repetition. New Years Eve is one of the most dangerous nights of the year. Be careful out there tonight.

I know I don’t have to tell you, but if you drink, don’t drive, especially tonight. There are going to be plenty of revelers out there who don’t heed such advice. If you don’t have to go out, don’t. If you want to party hearty, do like my wife and I do every year and stay home, maybe with a few friends or family members who can spend the night.

That said, if you do plan to go out and party, leave your wallet or purse at home. Carry only your ID (driver’s license) and sufficient cash to get you through the night. Keep everything in your front pockets and rather than a large wad of bills, break it up into a couple of smaller batches. Drinking sensibly will keep you from doing something completely stupid. Better option is to carry cash for a cab ride home (or at least a tip–many cab companies will offer free cab rides tonight) and pay your bar tab with a credit card. You could lose all your cash; a credit card is replaceable.

Have fun. Celebrate. But be safe, okay?


December 31, 2012  11:45 PM

Happy New Year!

Ken Harthun Ken Harthun Profile: Ken Harthun

New Year Resolutions Graphic

What are your New Year resolutions for 2013. Here are a couple of mine related to security:

  • Clean up my passwords and get a higher score on LastPass security assessment.
  • Continue to educate users on strong password creation and management.

Have a safe, prosperous and Happy New Year!


December 31, 2012  11:40 PM

Ten New Year security resolutions

Ken Harthun Ken Harthun Profile: Ken Harthun

We all do it at this time of the year: We make resolutions to do things better in the New Year. And why not? It’s a great thing to do, starting with fresh goals and a resolve to do better. Here are some ideas for you choose from with a security twist:

  • I will change my critical passwords.
  • I will finally start using a password manager (such as LastPass or KeePass).
  • I will adopt an algorithm for generating strong passwords (at least 12 characters).
  • I will use two-factor authentication where it is available (YubiKey and Google Authenticator come to mind).
  • I will use encryption for all sensitive personal files on my digital devices, including thumb drives, laptops, smart phones, etc. (Rohos Mini-drive, AxCrypt, TrueCrypt, Wickr).
  • I will establish a regular backup routine for all my devices that uses two different media and at least on copy off-site.
  • I will encrypt my backup.
  • I will become aware of physical security and make sure that my digital devices are always either in my possession or safely stowed.
  • I will not blindly click on links in email, nor will I respond in any way to pop-ups or messages I am not sure about without checking them out first.
  • I will not open any attachment in any email from anyone unless I am expecting it or absolutely sure of what it contains.

There is new or Earth-shattering here, at least nothing that I haven’t mentioned and advocated for years. Hit the comments and add your own.

Happy 2013!


December 30, 2012  10:38 PM

The risks of using social media

Ken Harthun Ken Harthun Profile: Ken Harthun

Chances are, you use social media and if you are like many others, you have a presence on more than one site or service. Have you considered the security risks?

Trend Micro posted an interesting infographic called The Risks of Posting in Social Networks that lays out the whole picture. If you’re not careful what you post, you could be subject to:

  • Social engineering attacks
  • Cyber bullying
  • Identity theft
  • Damaged reputation
  • Targeted advertising
  • Real world threats (such as burglary & stalking)

Besides being careful what information you post, be sure that your privacy settings are up to date and only allow those people you trust to see your posts. Anything that is visible to the public should consist only of information that does not reveal things that could be used in any of the above.


December 30, 2012  2:37 PM

What you can do about the 25 worst passwords of 2012

Ken Harthun Ken Harthun Profile: Ken Harthun

Every year, I take a look at the published list of worst passwords. I gave you this list back in October, but it occurred to me that there is something you can do about it if, heaven forbid, you are using any password on this list. Surprisingly, the list changes little from year to year, usually with just a few new ones being added. I guess people don’t change their passwords very often, if at all.Here is an excerpt from a TIME report posted at CNN Tech:

SplashData, which makes password management applications, has released its annual “Worst Passwords” list compiled from common passwords that are posted by hackers. The top three — “password,” “123456,” and “12345678″ — have not changed since last year. New ones include “jesus,” “ninja,” “mustang,” “password1,” and “welcome.” Other passwords have moved up and down on the list.

And here is the list showing what has changed:

1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

So, what can you do about it if you are using any of these passwords? There is a simple fix: Append or prepend a pattern of characters that you will remember. I call this a Personal Password Pad and discussed it in “A simple password recycling method” back on January 16, 2012. You don’t have to come up with a bunch of different ones as that article suggests, though. You could use the method I suggest in “Another way to create easy-to-remember complex passwords.”

You will want to use a minimum of four characters for your pad. For example, let’s say you choose a year: 1988. Your pad could be !(** or 1(8* or !9*8. You get the idea. Now, just stick that on the front or back or both of the worst password, e.g., !9*8password1, and you have a strong, easily remembered password that will probably never show up on any such list.

 


December 25, 2012  2:29 PM

Merry Christmas!

Ken Harthun Ken Harthun Profile: Ken Harthun

Have a very Merry Christmas and enjoy a safe and secure gathering with those you cherish.


December 16, 2012  3:54 PM

The Art of [Cyber] War: Introduction

Ken Harthun Ken Harthun Profile: Ken Harthun

More than 2000 years ago, Sun Wu wrote Sun Tzu – The Principles of Warfare (The Art of War), a book that has been used by military generals and other savvy leaders ever since. While I don’t know if our modern techno-generals are applying this to the new cyber-warfare theater, I have to assume that savvy cyber-warriors have their own  interpretation. I am in the process of writing a book that applies my interpretation of the principles of The Art of War to cyber-warfare and combat. Granted, I won’t be the first one to look at this, but there’s always room for a fresh viewpoint. I will be posting key excerpts here as the book progresses.

Here is more information from sonshi.com, who claim to have the most accurate translation from the original Chinese text, the reference I will be using as source material. :

Sun-tzu ping-fa (Sun Tzu The Art of War) is one of those rare texts that transcends time. Though it was written more than 2,000 years ago, it is arguably still the most important work on the subject of strategy today.

Written by a brilliant and experienced Chinese general named Sun Wu, The Art of War was intended only for the military elite of his time period. However, this treatise would later be absorbed by others of influence — from the fearless samurai in feudal Japan to the shrewd business leaders of the 21st century.

The new title will be: Sun Tzu Sai Bo: The Art of Cyber War


December 1, 2012  3:24 PM

Video: Internet Explorer sucks… less

Ken Harthun Ken Harthun Profile: Ken Harthun

I can think of nothing better than starting off a new month with an amusing video. The jury’s still out as far as I’m concerned, but I haven’t really tested the new version of IE yet.


November 30, 2012  8:14 PM

Video: How to solve the Skyfall #sophospuzzle

Ken Harthun Ken Harthun Profile: Ken Harthun

Here is a video showing you how to solve the Skyfall #sophospuzzle, which I introduced on this blog last week.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: