President Obama’s Back-to-School Speech: My Advice

Yesterday, Michael Morisy, ITKnowledgeExchange’s community editor, posted “President Obama’s back-to-school speech tells students to pursue technology. What’s your advice?” It contained a transcript of The President’s speech. Ignoring the controversy and the politics, one has to agree that he made some good points; in fact, I found the whole speech inspiring.

One thing President Obama said relative to the pursuit of technology careers stood out: “Students who sat where you sit 20 years ago founded Google, Twitter and Facebook and changed the way we communicate with each other.”  Yes, and before that another generation of students invented the Internet and founded the biggest software company in the world. What he left unsaid is that these technological advances have not been without problems; indeed, they have created entirely new problems that have spawned a separate IT industry: Information Security.

My advice to students who pursue technological careers—particularly IT related—is to realize that the development of new technology also carries with it the responsibility of ensuring that technology is safe to use. The lack of such responsibility in the past, whether through shortsightedness or outright neglect, has given us an Internet that is a haven for a new breed of criminal, that exposes our children to predators, hate propaganda and smut all at the click of a button and often unwittingly. And I haven’t even mentioned the threat to our national security.

President Obama said, “…you become good at things through hard work.” There’s a lot of hard work ahead before we get to the point where anyone can buy a computer, plug it in and use it safely without having to be an information security specialist.

We’ll know we’re there when the PC is as safe to use as a TV.

14 Golden Rules of Computer Security

In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:

#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install  and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the
folders or drives where the information is stored and use an un-guessable passphrase as  the encryption key.
#8: Physical security is  almost as important as data security. Make it as difficult as possible through any
physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11 Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.

In the book, each one of these rules is explained in detail with links to tools and other information.

I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.

Un-guessable Passwords—How to Make Them

The sheer number of passwords most of us have is a big problem. Even if we have hints written down, how do we know which one created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.

Let’s say you found a piece of paper that had this written on it:

Work BDAbe%x#
Home 1941phx!n
email fon!%m

What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: What those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example; in my Ask the Geek blog, my article How to Write Down Your Password and Not Worry About Someone Stealing Them, I explain:

[It's] a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it's Abe's birthday, they still have a long way to go to figure out how it was used - Ken]

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the "something only you know," with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).

Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.

I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.

Is Linux Security as Bad as Microsoft Windows “Security?”

Linux proponents often gloat over the seeming lack of security vulnerabilities in the Linux kernel when compared to Microsoft Windows; Windows proponents counter saying that Linux is just enjoying “security through obscurity.” Seems the Windows people may be justified to some degree as reports of a Linux vulnerability puts most versions of the Linux kernel built in the last eight years at risk of complete takeover.

According to The Register, “The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead of linking to a corresponding placeholder, (for example, sock_no_accept), the function pointer is left uninitialized. Sock_sendpage doesn’t always validate the pointer before dereferencing it, leaving the OS open to local privilege escalation that can completely compromise the underlying machine.” This means that it’s trivial for an attacker to put code in the first page and that code will get executed with kernel privileges. You can read a full rundown of the vulnerability at the CR0 Blog.

All Linux kernel 2.4 and 2.6 versions since May 2001 are affected. The vulnerability has been patched, but “this is the second time in less than a month that a serious security vulnerability has been reported in the Linux kernel. In mid July, a researcher alerted Linux developers to a separate "NULL pointer dereference" bug that put newer versions at risk of complete compromise,” according to The Register.

There’s no question that Microsoft has ongoing security issues; it’s no surprise that Linux is beginning to show the same. The only difference lies in the attack surface; Microsoft is still the biggest target. As Linux continues to gain market share, however, we’ll be seeing more researchers focusing their attention on the Open Source OS; as they do, they’ll find more and more vulnerabilities there, too.

There’s a technology called “secure coding” that still hasn’t been fully developed, much less implemented on a grand scale; until programmers fully get this concept, we’re saddled with insecure OS’s and applications.

Panda’s Cloud Antivirus (Beta) is a Winner!

I’ve been using Panda Security’s free Cloud Antivirus for awhile and I must say I’m impressed. It’s there, but you’ll never know it unless you look (the little panda icon in the system tray). I rarely get malware of any kind, but Cloud AV has caught a couple of things that were probably drive-bys. It’s so transparent that I actually had to go check on it before I noticed that malware had been caught. This is a perfect set-it-and-forget-it AV for the regular user. It’s free, self-updating and doesn’t require any decisions on the part of the user. You can believe what they have to say:

Are YOU a Hacker?

Are you? It’s not necessarily a derogatory term. Neither is “geek.” But what does “hacker” really mean? Here’s one opinion:

Someone that is looking to work outside the normal parameters. The media grabs the term and turns it into something bad. Like all hackers are evil and looking to steal your identity, your money and bring down the system in some [sort of]  anti-government/corporate protest. Sure there are always extremist[s] on the either side of nearly any issue…For a true hacker, statements like, "Never do this…" or "one use only" or even better the golden "authorized users only" tend to get us thinking. What is behind that interface, that door, that piece of tape that will void my warranty if removed you are trying to keep me from learning.

Folks, I’m a hacker. I hack computers and networks—it’s part of my job—I  don’t do anything malicious, but I dig into things I probably shouldn’t. I’ve always been the kind of guy who takes things apart to see what makes them tick. Usually, I get them back together the way they were. Sometimes, I break them; but, I always come away with a better understanding of how things work.

If more people were “hackers,” if more people knew how things work, if more people *understood* how this universe is put together, if more people even cared to look, this world would be a better place.

I’m a hacker. Are you?

Search for Screensavers at Your Own Risk

Enter “screensavers” into any major search engine and there’s better than a fifty percent chance that any result you click on will land you on a malicious website. According to McAfee’s recently released report “The Web’s Most Dangerous Search Terms,“ that search term carries a maximum risk of 59.1 percent. Furthermore, lyrics and anything that includes the word “free” have a high risk of exposing users to malicious or fraudulent web sites. Health-related search terms have the lowest risk profile. Check out The Web’s most dangerous keywords to search for on ZDNet.com.

One of the biggest problems is that the bad guys, using Black Hat SEO techniques, grab onto the trending search terms of the moment and use their popularity to get links to compromised sites placed high in the search engine rankings. This, coupled with the fact that 77% of Websites carrying malicious code are legitimate sites, make for an increasingly dangerous environment for the casual surfer.

This is yet another reason to continue to beat my drum: If you use IE, disable scripting and ActiveX (IE8 has increased security, so consider upgrading). Better yet, switch to Firefox and use the NoScript plugin. Tell the users who trust you to do the same, will you? And make sure they have the latest security patches on their systems. Most people are trusting souls; on the web, they shouldn’t be. Let’s instill the “trust no one” (except for us white hats, of course) mentality into everyone we can.

It’s Not Your Fault

I’m going to take a lot of heat for this post. Maybe. Unless I’m right (which I usually am). So, let me just get it out of the way: The state of security on the Internet today is NOT YOUR FAULT. Neither is it the fault of the clueless surfers who click on any and every link in their email and say “yes” to every popup on their screen. It’s not the fault of those who love to install the “little bitty kitty” screensavers that are loaded with adware and the ones who use the “fun web products” emoticons and stationery with similar bent. No, it’s not your fault.

It’s M….no, it’s U….no, it’s…hell,  it’s the software developers who don’t have a clue on how to write a secure application. The end user—be she a geek or a regular consumer user—has no way of knowing that there are security holes on the software she uses. And she shouldn’t have to be concerned about it, now, should she? NO.

The more I have to deal with the malicious–and sometimes just crappy–stuff that people manage to get on their systems, the more I want to grab the programmers, web app developers, and insecure software purveyors by the throat. Conspiracy theorists speculate that since the anti-malware software industry is a multi-billion dollar cash cow, we don’t have a chance of ever seeing truly secure software. I don’t think that’s true. There’s enough crap out there to keep the anti-malware industry busy for a long time.

But it does make one wonder, doesn’t it?

Another Little Known Tool to Securely Delete Files, Folders, and Volumes

Why, all of a sudden, is everyone concerned about secure file deletion? I hesitate to say it’s a sign of the poor economy, but perhaps people consider it even more important to protect their personal information when the idea of losing control of their assets—and their lives–through the incompetence of corporate “managers” and well-intentioned but clueless politicians is more abhorrent than losing control through the outright thievery of Internet gangs. It’s weird. I harped on people about securing their data all along and mostly, my advice fell on deaf ears. Now people are worried. And it’s not because they see more spam email phishing attempts, it’s because they feel they can’t trust anyone anymore, not their formerly respected captains of industry, and certainly not their elected officials.

But, I digress. This post is about security tools, not politics, so I’m now officially off of my soapbox.

I recently posted an article about SDelete, a tool that can be used to securely delete files and folders on a hard drive. There’s another little known, useful tool that has been built into the OS since Windows 2000: cipher.exe. Microsoft provides the following in Knowledge Base article 315672:

How to Use the Cipher Security Tool to Overwrite Deleted Data

To overwrite deleted data on a volume by using Cipher.exe, use the /w switch with the cipher command. Use the following steps:

1. Quit all programs.
2. Click Start, click Run, type cmd, and then press ENTER.
3. Type cipher /w:driveletter:\foldername, and then press ENTER. Specify the drive and the folder that identifies the volume that contains the deleted data that you want to overwrite. Data that is not allocated to files or folders will be overwritten. This permanently removes the data. This can take a long time if you are overwriting a large space.

One more tool you can use to mollify your paranoid clients.

Will They Ever Learn to Patch?

The latest mass infection to hit the Internet is the Win32/Conficker/Downadup Worm, estimated to have already infected between 500,000 and 8.9 million PCs, depending on whose numbers you believe. This is astounding, considering that the worm exploits a vulnerability in Windows that Microsoft Security Bulletin MS08-067 addressed back in October 2008. Microsoft issued an emergency out-of-cycle patch to address the vulnerability. Windows users who have automatic updates enabled would have received the update so the hole is patched. But there are plenty of people and organizations who, for one reason or another, have automatic updates turned off.

Why any individual PC user would put themself at risk by having automatic updates turned off is beyond me. Organizations are another story; they want to test patches before deployment to ensure they don’t break critical applications or disrupt the network. But in this case, the patch should have been applied without question by every sys admin on the planet. Had this happened, the furor surrounding Conficker.A–the original worm–probably would have died down. Instead, enough sys admins left the hole open that a particularly ferocious variant–Conficker.B–surfaced; it’s the one responsible for the current mass infection.

You can read all about Conficker.B and its blended threat in this post at the Microsoft Malware Protection Center, so I won’t burden you with all the gory details about its blended threat here. I will, however, burden you with my informed opinion: Sometimes you have to heed the warnings and go ahead and patch, regardless of what problems that patch could potentially cause. A network taken down by a malware infection is much worse and potentially more costly to repair than a couple of broken apps here and there.