Security Corner:


Sep 30 2009   9:43PM GMT

Security Maxims of a Different Breed



Posted by: Ken Harthun
Security, Security maxim, physical security, cyber security, Humor, Security management, Security policy

Search for “computer security maxims” on any of the top three search engines (Google, Yahoo, Bing) and my articles mostly dominate the results. So I was quite surprised that Security Now Episode #215, entitled “Security Maxims,” gave no mention whatsoever of my contributions to this subject over the past three years. Guess I’ll have to take that up with Steve and Leo. To be fair about it, though, the maxims that Steve talked about in the episode, composed by Roger G. Johnston, Ph.D., CPP of Argonne National Laboratory, Nuclear Engineering Division, are related to “…physical security and nuclear safeguards.” However, according to Johnston, “They probably also have considerable applicability to cyber security.” Many of them are also amusing.

Take this one for instance:

So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

Or this one:

Schneier’s Maxim #1 (Don’t Wet Your Pants Maxim): The more excited people are about a given security technology, the less they understand (1) that technology and (2) their own security problems.
Comment: From security guru Bruce Schneier.

How about this?

Byrne’s Law: In any electrical circuit, appliances and wiring will burn out to protect the fuses.

In all, there are more than 60 maxims listed. You can download a PDF of “Security Maxims” if you want to see more. I highly recommend you read them. You may learn something new. Like I did.

Now, I’m out of here. Have to go fire off an email to Steve and Leo…

Comments? Let me know what you think.

Sep 30 2009   8:22PM GMT

Microsoft Security Essentials Goes Live



Posted by: Ken Harthun
Security, Anti-virus, Microsoft, microsoft security essentials, Anti-malware, Security management

Microsoft Security Essentials is now out of beta and ready for download.

The Microsoft Security Essentials team has this to say:

Microsoft Security Essentials (formerly codenamed “Morro”) is the newest security product from Microsoft that helps protect consumers against viruses, spyware and other malicious software. The program, using the same technology as the Forefront product family, is designed to protect and take the guess work out of you wondering if you are protected or not.

If you’re green, you’re good.

Red or yellow means there is something that needs to be done to keep your PC secure. A single click and the PC is back to the green protected state.

Microsoft Security Essentials is also designed to address cost and other barriers that have prevented many of our customers from running up-to-date security protection on their PCs. Because there are no subscription fees, there is no registration required to collect billing or other personal information.

It also runs quietly in the background scheduling scans when the PC is most likely idle and interrupting the user only when there is an action required to keep their PC secure. It employs practices like active memory swapping and CPU throttling to limit the impact on your PC performance, even on older or less powerful PCs.

Sounds good to me. I’m going to recommend it to some of my less-than-savvy clients and see how it works for them. I’ll even try it myself, though I’m not a good candidate for such a thing, being the security Geek that I am. Still, it can’t hurt. The one thing that’s unclear: Is this going to come standard with every new PC, or does everyone have to make the effort to download and install it?

Stay tuned.


Sep 20 2009   9:54PM GMT

Google Safe Browsing Diagnostic Page



Posted by: Ken Harthun
Browsers, Firefox, Security, Malware, Phishing, Security management, Security tools

Thanks to Google, there’s a tool you can use to check any site and see if Google lists it as hosting any suspicious files or acting as a malware intermediary. Yes, I know there’s a Firefox extension and that the Google Toolbar for Firefox incorporates the tool, but what if you’re out in the field on a machine that doesn’t have the tool installed and you want to check a site? Simple. Use this URL:

“http://google.com/safebrowsing/diagnostic?site=[URL of site you want to check]” (Leave off the http://).

For example, this URL produced the report shown in the screen shot:

http://google.com/safebrowsing/diagnostic?site=itknowledgeexchange.techtarget.com

Try it out for yourself on your favorite sites. You might be surprised at what you find out.

(Thanks to Steve Gibson and Leo Laporte of Security Now! for presenting a reader comment that brought this to my attention.)

What do you think? Leave a comment!


Sep 9 2009   8:09PM GMT

President Obama’s Back-to-School Speech: My Advice



Posted by: Ken Harthun
Security, Security management, Opinion, President Obama, IT careers

Yesterday, Michael Morisy, ITKnowledgeExchange’s community editor, posted “President Obama’s back-to-school speech tells students to pursue technology. What’s your advice?” It contained a transcript of The President’s speech. Ignoring the controversy and the politics, one has to agree that he made some good points; in fact, I found the whole speech inspiring.

One thing President Obama said relative to the pursuit of technology careers stood out: “Students who sat where you sit 20 years ago founded Google, Twitter and Facebook and changed the way we communicate with each other.” Yes, and before that another generation of students invented the Internet and founded the biggest software company in the world. What he left unsaid is that these technological advances have not been without problems; indeed, they have created entirely new problems that have spawned a separate IT industry: Information Security.

My advice to students who pursue technological careers—particularly IT related—is to realize that the development of new technology also carries with it the responsibility of ensuring that technology is safe to use. The lack of such responsibility in the past, whether through shortsightedness or outright neglect, has given us an Internet that is a haven for a new breed of criminal, that exposes our children to predators, hate propaganda and smut all at the click of a button and often unwittingly. And I haven’t even mentioned the threat to our national security.

President Obama said, “…you become good at things through hard work.” There’s a lot of hard work ahead before we get to the point where anyone can buy a computer, plug it in and use it safely without having to be an information security specialist.

We’ll know we’re there when the PC is as safe to use as a TV.


Aug 31 2009   2:05AM GMT

14 Golden Rules of Computer Security



Posted by: Ken Harthun
Security, Security management, Security tools, Opinion, Secure Computing, Security maxim

In celebration of (almost) being close to releasing my first eBook to the general public, I’m releasing the list of the 14 Golden Rules of Computer Security in hopes that any last minute errors will be spotted by my peers here at IT Knowledge Exchange. Here’s the list:

#1: The best security measures are completely useless if you invite attackers into your PCs or networks.
#2: A first, important step in securing your PC is to install and configure a NAT router.
#3: Always change the default username and password of any configurable device you put on your home network.
#4: Use an un-guessable, or difficult-to-guess password always.
#5: A vital part of PC security is keeping up with software patches for ALL of the software on your system, not just the operating system. Where it is available, use the software’s automatic updates feature.
#6: Always disable any message preview or auto-open features in your e-mail client. View messages as text-only until you know they are safe.
#7: If you store sensitive information on a PC or laptop, even if it’s only personal information, encrypt the folders or drives where the information is stored and use an un-guessable passphrase as the encryption key.
#8: Physical security is almost as important as data security. Make it as difficult as possible through any physical means for a thief to steal your hardware. Rules of thumb: Lock it up and lock it down; out of sight, out of mind.
#9: When surfing the web, testing unknown programs, or engaging in other activities with the potential to harm your computer, use a sandbox or virtual machine to protect your base system from harm.
#10: When using external removable media for backups, either encrypt the backup files or make sure the media is taken offline after the backup has been completed.
#11: Never enter sensitive information into any web page unless you have verified that the information is being sent over a secure connection signified by https:// in the address bar and a lock icon in the browser’s status bar.
#12: Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.
#13: When it comes to securing a WiFi network, the only way is WPA.
#14: If your email address will be visible to the public, obfuscate it.

In the book, each one of these rules is explained in detail with links to tools and other information.

I value your comments, so if I’ve left anything out, or you have issues with what I’ve posted here, let me know. I want this to be the best first edition it can be.


Aug 28 2009   2:39AM GMT

Twitter Security: TwitBlock Blocks the Spammers



Posted by: Ken Harthun
Fraud, Security management, Phishing, Security, Social Engineering, Scam, Secure Computing, Twitter

Besides being a security Geek, I’m also an Internet marketer (no, not the bad kind—the good kind—I actually try to help people with what I sell). Twitter, at first blush, appears to be a great way to get your message out; it probably is, if done right, but it’s also easily abused. Yes, Twitter gets spam, too. The spammers are relatively easy to spot; you see them sending out multiple marketing messages in rapid succession, often using different profiles for the same message.

Here’s the rub: Because Twitter only allows 140 characters per tweet, the URLs are always shortened, therefore it’s difficult to identify their target. My policy is to never click on a link in a tweet from someone I don’t know, especially when I see them sending multiple tweets trying to get me to take action of some sort. That’s a dead giveaway that the person or persons controlling the profile are spammers or scammers.

Enter TwitBlock, a junk filter and bulk blocking tool for Twitter users. Here’s what they say:

You may think you have a loyal following of people who find you interesting, or amusing, but they’re probably not all real people. Among your followers will be a wide spectrum of fully automated, or computer aided Twitter accounts. They will range from reputable companies looking to profile and market to you, to fake profiles directing you to adult websites. At the very worst you will find the spammers and phishing gangs - the same junk you get in your email inbox, designed to sell you fake pharmaceuticals, or trick you into parting with your passwords or credit card numbers.

An easy way to spot the spammers on your own is to look for duplicate profile images. I have my own handsome mug posted on my Twitter profile and I’m sure no one else is using it. Spammers tend to use pics of attractive women, often “R” rated, or generic photos. TwitBlock maintains a list of the top 20 duplicate profile pics (Warning: some are inappropriate for young viewers!).

The application is still in alpha, but consider testing it. Just give it some thought before you block “Annette552” who may just be your next door neighbor in disguise, but who is more likely to be a spammer out to get your credit card info. You be the judge.
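The two spam signals this post relies on, several accounts sharing one profile image and the same message pushed out from different profiles in rapid succession, can be checked over your own follower data. The following is an added Python example, not TwitBlock’s code and not from the original post; the follower records, image bytes, timestamps and short URL are constructed sample data, and the five-minute window and “two or more profiles” thresholds are assumptions you would tune for your own account:

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (handle, raw profile image bytes). Real images would be
# the downloaded image files; identical bytes hash to the same digest either way.
FOLLOWERS = [
    ("kenh", b"photo-of-ken"),
    ("annette552", b"stock-photo-1"),
    ("annette553", b"stock-photo-1"),
    ("annette554", b"stock-photo-1"),
    ("realbob", b"bob-on-a-bike"),
]

# Constructed sample tweets: (handle, timestamp, text). The short URL is a placeholder.
TWEETS = [
    ("annette552", "2009-08-27 10:00:00", "Earn $$$ from home! http://short.example/abc"),
    ("annette553", "2009-08-27 10:00:20", "Earn $$$ from home! http://short.example/abc"),
    ("annette554", "2009-08-27 10:00:45", "Earn $$$ from home! http://short.example/abc"),
    ("realbob", "2009-08-27 11:15:00", "Great ride this morning."),
    ("kenh", "2009-08-27 12:00:00", "New post: 14 Golden Rules of Computer Security"),
]


def duplicate_image_accounts(followers, min_shared=2):
    """Group followers by the SHA-256 of their profile image; return only the
    groups where at least min_shared accounts share one image (the TwitBlock signal)."""
    by_hash = defaultdict(list)
    for handle, image in followers:
        by_hash[hashlib.sha256(image).hexdigest()].append(handle)
    return {digest: sorted(handles)
            for digest, handles in by_hash.items() if len(handles) >= min_shared}


def repeated_message_accounts(tweets, window=timedelta(minutes=5), min_profiles=2):
    """Return the set of handles that posted an identical message from at least
    min_profiles different profiles inside any `window`-long span (the rapid-fire signal)."""
    by_text = defaultdict(list)
    for handle, stamp, text in tweets:
        by_text[text].append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), handle))
    flagged = set()
    for posts in by_text.values():
        posts.sort()
        for start, _ in posts:
            # Profiles that posted this exact text within `window` of `start`.
            profiles = {h for t, h in posts if start <= t <= start + window}
            if len(profiles) >= min_profiles:
                flagged |= profiles
    return flagged


def suspect_accounts(followers, tweets):
    """Union of both signals: a sorted list of handles worth a closer look before blocking."""
    from_images = {h for handles in duplicate_image_accounts(followers).values() for h in handles}
    return sorted(from_images | repeated_message_accounts(tweets))


if __name__ == "__main__":
    for handle in suspect_accounts(FOLLOWERS, TWEETS):
        print("suspect:", handle)
```

Either signal alone produces false positives (a legitimate company may use one logo across several accounts, and two friends can retweet the same text), which is why the result is a review list rather than an automatic block list, in line with the post’s advice to give it some thought before blocking.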


Aug 24 2009   2:18AM GMT

I Use LastPass



Posted by: Ken Harthun
Browsers, Firefox, Internet Explorer, Security, Password, Security management, password manager

OMG! I just opened that box that Pandora gave me. I have often said that I don’t like password managers because I don’t consider them secure. That goes double for the password managers built into the browsers. I don’t like anything to reside directly on my system, so that leaves a remote location. These days, “remote location” equates to “The Cloud.”

That’s why I use LastPass and have been using it for more than a year now. All of my passwords are stored online, encrypted, and I only have to remember one master password to unlock the vault. I don’t have to carry anything with me on a thumb drive or install any programs on someone else’s computer in order to access my stuff when I’m not using my own PC.

Don’t take my word for it, check out this list of features. And then decide for yourself.

Oh, by the way, you can generate very secure passwords with LastPass and you don’t have to worry about remembering them, because LastPass will do it for you. Firefox and IE add-ons make things even easier. When you come to a new site you need to set up an account with, LastPass offers to generate a password for you. Then, when you log in, LastPass offers to save all information for the site. If you do that and then come back to the site later, LastPass will give you the option to either auto-fill the information or perform an auto login.

Highly recommended if you don’t want to do your own password management. You can still use all of the methods I’ve proposed for generating secure passwords, but you’ll never have to worry about remembering them. Use my methods to generate the most secure password you can for your LastPass master password and encode it so you can write it down securely, but use LastPass for all your password management needs.


Aug 24 2009   1:40AM GMT

Un-guessable Passwords—How to Make Them



Posted by: Ken Harthun
Security, Password, Security management, Opinion, Secure Computing

The sheer number of passwords most of us have is a big problem. Even if we have hints written down, how do we know which one created the password for which login? It would appear as though we’re back to writing them down or using a password manager. Don’t worry, though. Here’s how to create secure passwords that you can safely write down; yes, write them down, give them to all your friends–even your enemies–and still be safe. Post them on your monitor at work. Leave them lying around on the bus or train. A simple trick based on cryptographic techniques will conceal your actual password in a form that almost anyone will mistake for the password itself.

Let’s say you found a piece of paper that had this written on it:

Work BDAbe%x#
Home 1941phx!n
email fon!%m

What would you think it was? Bet you’d think you’d found someone’s password list, eh? That’s exactly the deception we want: What those strings of characters really mean is known only to you. So, what DO they mean? Let’s take the first example; in my Ask the Geek blog, my article How to Write Down Your Password and Not Worry About Someone Stealing Them, I explain:

[It's] a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We’ll use Abe Lincoln’s birthday in numeric form–02/12/1809–for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.) [Note: even if someone guesses that it's Abe's birthday, they still have a long way to go to figure out how it was used - Ken]

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn’t matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That’s your cipher pattern, the "something only you know," with an added level of complexity: it’s something only you know (the plaintext) and only you know what it means (the encoding pattern).

Pretty slick, eh? This should give you a clue as to what the second one is: 1941ph means (to me) 12/07/1941, the date of the attack on Pearl Harbor that led us into WWII. Based on the pattern, the actual password is 1@0&1(4!. Can you figure out what the last one might mean? (You won’t guess the actual password unless you know what I know about the first part, but you can figure out what the code hint is.) Post your comments and we’ll see how you do.

I don’t recommend you use these examples, for obvious reasons; you’ll want to come up with your own ways of doing things and your own hints using things that mean something only to you.
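The date-plus-pattern encoding described in this post, written out as an added Python example; it is not code from the original post. It assumes a US keyboard layout for the shifted forms of the digits (1 → !, 2 → @, … , 0 → )) and, as the post does, reads the alternation off the first character of the pattern key: a shifted first character means “shift the first digit, then alternate”, a lower-case one means “leave the first digit, then alternate”.

```python
# Shifted form of each digit on a US keyboard layout (assumption: US layout).
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))
SHIFTED_SYMBOLS = set(SHIFTED_DIGITS.values())


def date_to_digits(date_text):
    """Drop the separators from a date such as 02/12/1809 to get the plaintext 02121809."""
    digits = "".join(ch for ch in date_text if ch.isdigit())
    if len(digits) != 8:
        raise ValueError("expected an MM/DD/YYYY date, got %r" % date_text)
    return digits


def is_shifted(ch):
    """True if typing ch needs the Shift key on a US layout (upper-case letter or digit symbol)."""
    return ch.isupper() or ch in SHIFTED_SYMBOLS


def shift_char(ch):
    """Return the shifted keyboard form of ch: a digit becomes its symbol, a letter its capital."""
    return SHIFTED_DIGITS.get(ch, ch.upper())


def encode(plaintext, pattern_key):
    """Apply the alternating shift/lower-case pattern abstracted by pattern_key to plaintext.

    Only the first character of the key matters: it decides whether position 0 is shifted.
    The remaining characters of the key are a reminder to the owner that the pattern alternates.
    """
    if not pattern_key:
        raise ValueError("pattern key must contain at least one character")
    first_shifted = is_shifted(pattern_key[0])
    out = []
    for index, ch in enumerate(plaintext):
        shifted = first_shifted if index % 2 == 0 else not first_shifted
        out.append(shift_char(ch) if shifted else ch)
    return "".join(out)


def password_from_hint(date_text, pattern_key):
    """Convenience wrapper: date string plus pattern key in, actual password out."""
    return encode(date_to_digits(date_text), pattern_key)


if __name__ == "__main__":
    # The post's two examples: Abe Lincoln's birthday with "%x#", Pearl Harbor with "x!n".
    print(password_from_hint("02/12/1809", "%x#"))  # shift-first pattern
    print(password_from_hint("12/07/1941", "x!n"))  # lower-case-first pattern
```

The second call reproduces the post’s stated result `1@0&1(4!`; the first gives `)2!2!8)9`, the Lincoln date with the first digit shifted. As the post notes, the output has exactly as many characters as the date has digits, eight here, so the strength of the result rests entirely on the hint and pattern staying meaningless to anyone else.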


Aug 12 2009   12:39AM GMT

Patch Tuesday – 19 Windows Security Flaws Fixed



Posted by: Ken Harthun
Vulnerabilities, Security, Critical update, Exploits, Patch management, Security management, Patch Tuesday

It’s that day of the month again and this time Microsoft has patched 19 security holes, 15 of which have a “critical” rating. The good news is that none of the vulnerabilities affect Windows 7. As usual, a bunch of the flaws stem from ActiveX controls, probably the worst thing Microsoft’s developers ever came up with (with the possible exception of Microsoft Bob).

At least one of the vulnerabilities, MS09-037 - Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908), is currently being actively exploited on the Internet; exploit code for MS09-043 - Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638) has been posted publicly.

Get those patches installed ASAP!


Aug 8 2009   1:15PM GMT

Tsk, Tsk! Weak Passwords Allow Congressional Web Site Defacements



Posted by: Ken Harthun
Cyber-vandal, Hacking, Security, Vulnerabilities, Exploits, Password, Security management, SQL Injection

This is simply idiocy—or gross negligence—of the highest degree. In the last week, more than a dozen US Representatives’ websites were defaced by hackers who posted digital graffiti on the home pages. The graffiti read, “H4ck3d by 3n_byt3 @ Indonesia H4ck3rs” (see screen shot). There was no other damage to the sites.

[Screen shot: edwardshack]

The method used to break in? Password guessing. The hackers compromised the site administration passwords at Web design and hosting firm GovTrends of Alexandria, VA, which provides Web hosting for about 100 House sites. Not all were affected.

According to GovTrends founder Ab Emam, passwords assigned to member offices were never changed. Now, it’s typical for a Web hosting company to assign default admin passwords, but those passwords should be strong. In this case, they weren’t. “Most of these passwords could be guessed, they were obvious,” Emam said. “That’s been changed, and each of these sites is now required to have strong passwords.”

Really? Should have been required all along. There’s simply no excuse for this. I have written numerous articles over the years about how to generate strong, un-guessable passwords and I’m not the only one: a Google search brings up 61,800 results for that term. Will they ever learn?

(In all fairness, I have to report that there is some question as to whether password guessing was actually the cause of the breach. This article by Brian Krebs has been updated to suggest that SQL injection may have been the method.)

No matter; there’s no excuse for that, either.