Tuesday, November 27, 2012

This just can't be real

Wow, this whole South Carolina Department of Revenue fiasco is just amazing. With all the breaches and attacks that make the news, it's mind boggling there are still major organizations that simply cannot secure their data.

Reports estimate that 3.8 million people who filed taxes in SC may be affected by this breach. In addition, PII related to 1.9 million dependents as well as business info for almost 700K businesses was leaked. All combined, they estimate 3.3 million bank accounts and 5,000 credit cards may be compromised. That's a pretty substantial chunk of people impacted by this mess.

So how did this happen? According to the SC governor, it's as simple as the IRS not telling them they had to encrypt SSNs. Hmmm, it's generally cool to bash the IRS, but in this case, I have to say bottom line is that SC dropped the ball big time. It's SC state tax information that was collected by the state of SC and stored for the use of SC Department of Revenue. Sounds to me like SC all the way.

The incident report by Mandiant is a pretty interesting read. Some highlights, or better yet low-lights:

  • Attackers got entry when one or more employees clicked on a bogus link in a phishing email, which caused their machines to become infected
  • It is estimated the attackers had access for 2 months
  • 44 machines were compromised
  • At least 33 different tools were brought in and used by the attackers over those 2 months
  • Attackers installed at least one backdoor
  • Almost 75GB of data was exfiltrated - 15 files that compressed to a little more than 8GB
  • Estimated cost to SC thus far, $14 million
  • Director of SC Department of Revenue will resign in Dec

So, after 2 months and 75GB of data sucked from their network, SC only knew something was going on when contacted by law enforcement. That is a huge fail. Not only did they not provide adequate protection to PII, they apparently did no monitoring of their networks. They had no idea anyone was in their network shipping out huge gobs of data. That is simply irresponsible. It's a textbook attack scenario. Could it have been prevented? Who knows for sure. I'd like to think so. Better network awareness and monitoring could have detected anomalies much earlier and led to immediate action. Maybe better training and desktop tools could have prevented the initial infection as well? Probably a lot of things should and could have been done differently. Now the big question is whether other businesses and organizations will use these kinds of events as a wake-up call and do some checking on their own to see if something like this could happen to them. I have hoped that for quite some time, but the huge breaches still keep coming.
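One concrete form of the "network awareness" the post is asking for, as an added example that is not part of the original post: a per-host egress baseline that would have flagged a workstation suddenly pushing gigabytes out of the network. The host names, dates and byte counts below are constructed; real input would be daily totals from flow records, proxy or firewall logs.

```python
from collections import defaultdict
from statistics import median

GB = 1_000_000_000

# Constructed per-host daily egress totals: (day, internal host, bytes sent to external addresses).
DAILY_EGRESS = [
    # a workstation with a stable, modest baseline ...
    ("2012-08-01", "ws-017", 180_000_000),
    ("2012-08-02", "ws-017", 210_000_000),
    ("2012-08-03", "ws-017", 160_000_000),
    ("2012-08-04", "ws-017", 240_000_000),
    ("2012-08-05", "ws-017", 190_000_000),
    # ... that one day ships out an ~8 GB archive
    ("2012-08-06", "ws-017", 8_500_000_000),
    # a backup server that legitimately pushes about 2 GB every day
    ("2012-08-01", "bkp-01", 2_100_000_000),
    ("2012-08-02", "bkp-01", 1_900_000_000),
    ("2012-08-03", "bkp-01", 2_000_000_000),
    ("2012-08-04", "bkp-01", 2_200_000_000),
    ("2012-08-05", "bkp-01", 2_000_000_000),
    ("2012-08-06", "bkp-01", 2_300_000_000),
]


def find_egress_anomalies(records, min_history=3, ratio=5.0, floor=1 * GB):
    """Return (day, host, bytes, baseline) for days where a host's egress jumps far above its own history.

    baseline = median of that host's earlier (unflagged) days; at least `min_history` of them are needed.
    A day is flagged when bytes > ratio * baseline AND bytes > floor.  The per-host median keeps
    legitimately busy hosts (backup servers) quiet; the absolute floor keeps tiny spikes on
    near-idle hosts from alerting.
    """
    by_host = defaultdict(list)
    for day, host, nbytes in sorted(records):  # ISO dates sort chronologically as strings
        by_host[host].append((day, nbytes))

    alerts = []
    for host, days in by_host.items():
        history = []
        for day, nbytes in days:
            if len(history) >= min_history:
                baseline = median(history)
                if nbytes > ratio * baseline and nbytes > floor:
                    alerts.append((day, host, nbytes, baseline))
                    continue  # do not let an exfil day inflate the host's own baseline
            history.append(nbytes)
    return alerts


if __name__ == "__main__":
    for day, host, nbytes, baseline in find_egress_anomalies(DAILY_EGRESS):
        print(f"{day} {host}: {nbytes / GB:.1f} GB out, baseline {baseline / 1e6:.0f} MB/day")
```

Run daily against real flow summaries, this catches the bulk-transfer pattern in the Mandiant highlights while staying silent on hosts whose high volume is their normal.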

Tuesday, August 21, 2012

Time to get serious

Wow, how does the summer get busier than the school year? Time to get back into the swing of things.  What started as taking two weeks off for vacation quickly turned into almost two months off here. Tons of interesting stuff going on lately.  BlackHat and DEFCON had all kinds of cool news.  Wish I could have gone out there this year.  Anyhow, here are a few of the latest notable items:
  • Here's one to get you thinking.  An article from Reuters entitled Insight: Experts hope to shield cars from computer viruses. Apparently a few research groups have published papers on possible vulnerabilities with vehicle computer systems.  I guess that shouldn't be too surprising.  After all, some form of a computer probably controls most of a car.  You would hope the more critical systems are isolated, but who knows.  Anyone else picturing the scene from iRobot where Will Smith is "experiencing a car accident"?
  • An update on the hotel door lock hacking. Seems the manufacturer came up with several solutions.  First and easiest is to put a cap on the data port.  Ok, it's a start, but far from foolproof.  The second is to replace the circuit board in each lock.  However, as of right now, it appears the lock maker is looking for the hotels and businesses who use these locks to foot the corrective costs.  Not inexpensive to say the least.  How many will?
  • Oh, this is really cool.  So you have probably heard about the iPhone SMS bug, right? The short of it is that it is possible to spoof SMS messages to look like they are from your bank or something equally important.  Basically, a potential for many different social engineering attacks.  Well, Apple recently came out with a fix - use iMessage instead of SMS.  So instead of tackling the problem, they just advise you to avoid it.  Super.
  • By now everyone has seen plenty on the Mat Honan hack.  I'd like to say it's hard to believe something like that could happen, but there are more and more stories every day about pwning help desks.  There was a good follow-up article by Kim Zetter on How not to become Mat Honan.  Basic security 101.

Tuesday, June 19, 2012

Facebook privacy settings

There have been a lot of changes recently to the privacy settings available in Facebook.  I've been asked by a few of my friends what settings should they look at/fix?  Well, here's a quick explanation of the current Facebook privacy settings.

Default privacy setting: This is the audience for which each post will automatically be made available.  This setting can be changed in each individual post as well.
  • "Public".  With this setting, all of your posts will automatically be available to all Facebook users.  Probably not a good idea.
  • "Friends".  Only friends will automatically see your posts.  There may be instances, however, where friends of friends or others that are tagged in photos may also see those posts.
  • "Custom".  This allows you to more tightly control who automatically sees your posts.  You can create lists of people to see your posts, maybe a subset of your friends, or simply set the default to "Only Me".  If you use the "Only Me" setting, you are the only one ever going to see any of your posts unless you change the settings on each one once you make the post.  There are a few other handy settings in there that allow you to set up lists of specific people to hide your posts from and also a checkbox to hide the posts from friends of people you tagged.
How you connect: There are 3 settings in here that control how you connect with others.

  • Who can look you up using the email address or phone number you provided?  It appears the default setting here is "Everyone".  It would be a good idea to change this to "Friends".  This would actually be a good place for another selection choice that would narrow the audience down even more or completely opt out of allowing anyone to search on phone number or email address.  Until then, it may be a better idea not to even supply a phone number or external email address in the first place.
  • Who can send you friend requests?  Really not many choices here - "Everyone" or "Friends of Friends". Take your pick on whether you want friend requests or not.
  • Who can send you Facebook messages?   Spam and messages with malicious content are all over the place.  While Facebook tries to do the best they can to eliminate those messages, a lot still get through.  This is a setting that you should definitely change from the default of "Everyone" to "Friends".
Timeline and Tagging:  These settings allow you to control your timeline posts and people tagging you.
  • Who can post on your timeline?  You can change this to "No One" if you don't want anyone to post anything to your timeline.  Maybe?  See the next option.
  • Who can see what others post on your timeline?  This one allows you to customize from "Everyone" down to specific lists of individuals.  Not sure how this one actually works if you select "No One" for who can post to your timeline.  Not allowing others to post to your timeline would mean there is nothing for anyone else to see.  Regardless, at least change this to "Friends".
  • Review posts friends tag you in before they appear on your timeline?  By turning this on, you have to approve all posts that have you tagged before they are published.
  • Who can see posts you've been tagged in on your timeline?  This one also lets you choose from "Everyone" down to specific lists of individuals.  At a minimum, change this to "Friends".
  • Review tags friends add to your own posts on Facebook?  Turning this on allows you to block tags that others may add to your posts.  This is a good idea to prevent a lot of people you don't really know from gaining access to your posts.  Basically, once somebody is tagged in a post, they have access to it and in most cases friends of that person also gain access.
  • Who sees tag suggestions when photos that look like you are uploaded?  If you haven't noticed, Facebook may suggest tags when you post photos that contain recognizable images of other Facebook users. The default seems to be "Friends", but it's a good idea to change this to "No One".  This helps control photos that can potentially get linked to you.
Ads, Apps and Websites: Settings to see what types of data each installed app supposedly needs.
  • Apps you use.  This displays the apps you currently have installed on Facebook. It's a good idea to check through this list and see if any of the apps are no longer in use.  If that is the case, remove them.  There is an "Edit Settings" button that will allow you to "edit" the settings for each of the apps, but don't get too excited.  Most of the apps simply have this huge list of data they require (really?) and no means to control any of that data except by removing the app itself.
  • How people bring your info into apps they use.  This is a good one to look through.  The default used to be (maybe it still is) that all your info is automatically available to apps your friends may be running.  This is your personal info like your birthday, photos, hometown, etc.  Honestly, I can't think of a good reason to have any of the boxes checked here.
  • Instant personalization.   This allows you to see and share personal Facebook data when going to sites like Yelp, Bing and Zynga.  Since it's not always clear how any external site will use your data, it's a good idea to uncheck the box here.
  • Public search.  This controls whether internet search engines like Google will display your timeline if somebody happens to search on your name.  Removing the check from the box means that your timeline should not appear in internet searches.
  • Ads.  There are two basic settings involved here.  The first is to possibly show your information in third party ads in the future.  While Facebook claims to not provide this info at the current time, it's curious this choice is even available.  Select "No One".  The second setting involves Facebook ads.  Select "No One" here as well.
Limit the audience for past posts:  This will allow you to change the audience for past posts you have previously made from "Friends of friends" or "Everyone" to "Friends".  It's a good way to go back and tighten up who can see your older posts instead of going to each post and changing the audience setting.

Blocked People and Apps:  This allows you to set up ignore lists for invites, apps and other interaction from Facebook users.

There are also a few other settings scattered around that you should look at:
  • Under Account settings, go to Security.   The first setting listed, "Secure Browsing", should be enabled.  This allows for the use of https by default.  What this does is provide some level of encryption between the browser and the server so the data passed back and forth is not in the clear or easily readable.
  • Control what others see on your timeline/profile.
    • If you really need people to wish you a happy birthday, just list the month and day, not the year.  Your complete birthday is widely used as a means of verification and should never be posted for all to see.
    • If you feel the need to post an email address, use either a Facebook email address or a "throw-away" address that you don't really use anywhere else.
    • Don't post your full address or phone numbers.  It is just safer to not post this stuff where you may not have complete control over who sees it.
    • Please, please, please don't post any information on Facebook or any other public web site that provides clues as to what you might use for passwords or challenge questions.  Don't make it easy for somebody to guess your passwords.
This is by no means an exhaustive list.  Settings and capabilities change from time to time, so be aware of what kind of data you are posting and who may have access to that data.

Wednesday, June 6, 2012

Leaked passwords

Very rarely do you have control over how your password is stored on any web site or external server.  There is always the possibility passwords can be retrieved and then subsequently cracked.  Hopefully most sites take extreme care and perform some sort of encryption, but there are probably still cases where passwords are stored in the clear.  No trick to cracking those.

The latest LinkedIn password leak (see also here or here) sounds like the passwords were retrieved in a simple, unsalted SHA-1 hash format.  While that makes it a little harder to crack, it is far from impossible.  If that is the case, you can run a "known" word through the SHA-1 algorithm and then see if the resulting hashed string matches anything on the leaked list.  While that could take a long time one-by-one, it is simple enough to automate against any dictionary or list of common passwords.  And as has been publicized in numerous reports, most passwords are a) relatively simple to guess and b) reused for multiple accounts.  You almost have to treat each password as single use, changing it often, making it complex enough to avoid casual cracking yet easy enough to use.  Sounds pretty simple, right?
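To make the "unsalted" point concrete, here is an added example (mine, not from the post or from LinkedIn): the dictionary check described above against unsalted SHA-1, next to the salted, slow storage scheme that defeats it. The wordlist and leaked hashes are constructed; the PBKDF2 parameters are my choice.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed stand-in for a list of common passwords.
COMMON_WORDS = ["123456", "password", "linkedin", "qwerty", "letmein", "password1"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password, the format the leaked LinkedIn list reportedly used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes: Iterable[str], wordlist: Iterable[str] = COMMON_WORDS) -> Dict[str, str]:
    """Map each leaked hash that matches a wordlist entry back to that entry.

    With no salt, every user who picked the same word has the same hash, so one
    table built with one SHA-1 per word is checked against the whole leak at once.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# --- what a site should store instead: per-user salt plus a deliberately slow hash ---

PBKDF2_ITERATIONS = 200_000  # work factor (my choice here); raise it as hardware gets faster


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex' for storage; a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed "leak": two common passwords and one that is not in the wordlist.
    leaked = [sha1_hex("password1"), sha1_hex("linkedin"), sha1_hex("correct horse battery staple")]
    print("recovered from unsalted SHA-1:", crack_unsalted(leaked))
    # The same password stored twice yields two different records: no shared table is possible.
    print(store_password("password1"))
    print(store_password("password1"))
```

A per-user salt means a precomputed table has to be rebuilt for every account, and the iteration count makes each guess cost roughly 200,000 hashes instead of one.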

Monday, June 4, 2012

First Monday in June

Some interesting items from the last week:

Bogus hotel confirmation messages: Email based scam that confirms reservations to a hotel that you did not make.  With more people making summer vacation plans, it is a good time for this scam.  Generally the message looks like almost any confirmation message you would get when booking a hotel, except these tease you with only a hint of the booking information.  To get the "real" information, you need to open the attachment.  The problem is the attachment has embedded malware that infects your machine.  Just resist the urge to click links and read attachments in email.  See more info at Naked Security blog.

New videos they don't want you to see: With all the gruesome headlines over the past few weeks, scammers are taking full advantage and using the lure of "previously unseen footage" to get their marks to click links.  Lots of social networking messages floating around out there.  Resist the temptation to follow any of these links.  I'm beginning to sense a theme here.  Security News Daily article.

Citadel and Reveton ransomware: Apparently this new Citadel malware will direct you to a site that downloads the Reveton ransomware.  Once it is in place, you are told you are in trouble with the U.S. Dept of Justice and you need to pay a $100 fine or the computer stays locked and you will be prosecuted.  Even if you pay the "fine", Citadel stays resident and can be used for bank fraud and other scams.  IC3 published this announcement. More info at ThreatPost.

Roaming around VMware vSphere 5: Researchers have shown it is possible to bust out of an image running on VMware's vSphere 5 and get up into some of the host server information.  With this information and some knowledge of the server layout, it seems possible to gain access to the physical drives on the host server and possibly even parse data out of the other images running on the server.  They note this was all done on an ESXi5 server with all current patches.  More detailed info at the ERNW blog.

More schools tracking kids: A Texas school district has decided to start a pilot program to issue student ID cards with RFID chips.  The claim is the district is missing out on thousands of dollars in funding because of incorrect attendance figures.  The student IDs will allow administrators to track the location of students within the school buildings when taking attendance.  I guess the old fashioned way of taking roll just doesn't cut it nowadays?  So I'm sure attendance will go up using this method, since all you need to do is give your ID card to a friend to carry around.  Article from the San Antonio Express-News has more info.

Flame: I guess I should say something about Flame.  Everyone else has.  Really not sure what to say, because it seems everything possible has been said about it, over and over and over.  Right now it's too hard to figure out what is fact and what is FUD.

Sunday, May 27, 2012

Head scratchers - May 2012

Some things that make you say ... HUH?
  • Hey, guess what mommy and daddy do - A standardized state test for third graders in New Jersey had a question asking them to write down a secret.  Wow, who would even think that is an appropriate question?
  • Just fill out the form - Apparently the form used by Best Buy to request Geek Squad service asks for the customer to supply a password.  However, because of the placement on the form, it seems they are asking for the customer's email account password.
  • Smile, you're on TV - This shows password security at its finest.

Thursday, May 24, 2012

Monday, a few days late

I'm not sure what happened, but it's Thursday already.  Here's a look at some of the more interesting articles from the last few weeks:
  • There's a nasty attack out there hitting some German bank web sites that send customers transaction authorization numbers (TAN) via SMS.  Seems a man-in-the-browser (MitB) attack using the Tatanga trojan creates a bogus web form into which the customer then unknowingly enters their valid transaction authorization number (TAN).  From that point, the customer sees a display showing the expected balance and a successful transaction.  Problem is, the trojan sends in an "authorized transaction" that transfers most of the money in the account elsewhere.
  • There was an article or two about hospitals notifying medical personnel they should not associate with patients or discuss medical issues on-line.  I would think this is something that wouldn't have to be explained, but with the explosion of social networking sites, it happens quite a bit.
  • DHS released a report on medical device (in)security.  Lots of concerns ranging from taking over implanted medical devices, to gaining network access, to mobile device use.
  • If you haven't done so already, check your computers out to see if they have the DNS Changer malware.  According to those keeping track, there are possibly more than 300K computers world-wide still trying to resolve domain names to the bogus DNS servers.  The DNS Changer Working Group has all the information on how to check your computer and what to do if infected. Another way to check now could be simply going to Google. According to their security blog, Google will now display a banner message if it appears your computer is infected.

Monday, May 14, 2012

Another Monday

Here's a few interesting items from last week:
  • Yet another story about somebody going on Facebook and creating a bogus profile to lurk around.  This time it was a high school principal.  Really?  She apparently took it upon herself to pose as a student and friend as many others from the school as she could.  Not sure what the real motivation was, but it's a violation of Facebook user policy as well as just plain creepy.  Adults pretending to be students?  That usually ends up with the adult having to register their whereabouts.  Maybe she thought it was better than remoting into the laptop cams like a school around Philadelphia did a few years back.  Seems that school administrators are having a hard time understanding where their authority over students ends.
  • The FBI is worried about getting left in the dark.  With more communication moving to the internet from land-line phones, the FBI is concerned they lack the means to monitor the bad guys.  So the FBI wants social networking, VoIP, messaging and various other businesses to build in back doors specifically for their use. I wonder how they propose to open these holes so that only "authorized" sources can use them?
  • Here's another ridiculous story on a set of breaches that may have exposed as many as 350,000 social security numbers and other personal and financial information for people associated with UNC-Charlotte.  The thing that makes this one stand out is some of the data may have been exposed for over 10 years! The school sent out a release to explain things.  Of course the reason this happened was "system misconfiguration".  The part I like even better is the quote "The University has no reason to believe that any information from either of these incidents was inappropriately accessed or that information was used for identity theft or other crime".  That's awesome!  So after letting data dangle on the internet for over 10 years, you can be absolutely certain none of it was accessed and used inappropriately.  Talk about rose colored goggles.

Saturday, May 12, 2012

Were hotel networks ever safe?

Recently, the FBI put out this warning to travelers about using hotel internet connections.  Basically the warning says that people have found malicious code on their laptops after hooking up to hotel provided internet connections.  Apparently the people encountered popups when setting up their initial connections telling them some program on their computer needed an update.  So once the user agreed to allow the update, they got nailed with the malware.  The warning is kind of vague on details.  No mention of what the users were told to update.  No mention of what specific malware was involved.  No mention of where or how often this occurred.  But it does say to be careful when performing updates when traveling.

Monday, May 7, 2012

It's Monday

Some interesting topics from the last few days ...
  • According to this Computerworld article, if history holds true almost half of all Mac users will stop getting security updates and patches very soon.  Apple is in the habit of dropping support for an OS that is 2 versions older than the new release.  So with the impending release of OSX 10.8 (Mountain Lion), support for OSX 10.6 (Snow Leopard) will cease.  You would think with the extra attention Mac users have been getting recently they would possibly rethink this and continue security updates for such a large chunk of their user base.
  • TrendMicro says that while some malware infested apps have been removed from the Android app store (Google Play), others are still being found.  Unfortunately this is something that probably will not get better for quite some time.  The rush to everything mobile has greatly outpaced security.
  • I don't usually pay much attention to anything from Consumer Reports, but this report talks about 13 million Facebook users not properly using or even understanding their privacy settings.  While that 13 million is a really small percentage of the total users, it's still a ridiculously high number.  Doesn't help much when the default settings on a new account blast out everything to everyone.  Would be interesting to see how different that number would be if the default account configuration was more strict.

Friday, May 4, 2012

Social network privacy?

It really doesn't matter what kind of privacy controls are implemented on Facebook or any of the other social network sites.  People just post too much personal information to begin with.  Even if they think they are limiting their posts to a small set of "friends", once that info is out there, they have very little control over where it ends up.  Sure, most people will not intentionally leak private information and most sites will try to keep data private (yeah, good one).  That doesn't always happen though.  People just really need to think about what they are about to post. Maybe one little piece of info isn't so terrible, but combine it with other previously posted bits of info and pretty soon you have way too much out there.

Thursday, May 3, 2012

Mobile News Items

Some interesting topics related to mobile devices from the last few weeks:
  • Proof-of-concept work on using the motion sensors on Android phones to figure out what might be happening on the touchscreen. The article mentions similar work done last year on iPhones.
  • Starting to find web pages out there that can infect mobile devices.  Lookout Security wrote about it in their blog.  You could almost figure this was about due.  With the explosion of BYOD to work there should be all kinds of fun coming down the road.
  • Might want to check the cool new lock-screen app you just got for your iPhone.  Apparently at least one developer decided to create an app that is just a few wallpapers that look like screen locks.  Even after stating the app really doesn't lock anything and categorizing it as "entertainment", people still bought it to lock their phones.  Now they are surprised it doesn't work and are trying to get their money back.  I'd like to say that surprises me, but sadly it doesn't.

Tuesday, May 1, 2012

Why is Conficker still around?

Seeing this article and this article and this article about Conficker is really kind of discouraging.  How could something that should have gone through its life cycle a few years ago still be infecting the amount of machines that it is today?  According to Microsoft, infections seem to be steadily increasing ... almost 3 years later.  Yeah, it might be hard to get off of a corporate network, but you would think over time things would eventually get patched and cleaned up enough to slow this thing down.  That's apparently not the case. If it is really as simple as patching systems and using better password policies, why is this thing still running amok?  Part of the problem is that Conficker shuts down Windows updates and a lot of the anti-malware tools.  Then all kinds of other malware can jump right in and set up shop, as this article shows.  Nothing good at all can come from malware working together.  Whether it was intended or not, not cool at all.  Time to get back to basics and take control of our networks.  Find the problems, clean up and close up the holes.  Yeah, wish it was really that simple.

Sunday, April 22, 2012

Password Rules Explained

So you pull up a really cool web site, or what you think will be a cool web site, only to realize you can’t get to anything without creating an account.  Ok, you really want to get into the site because it’s where all the cool kids are, so you start creating an account.  After trying a bunch of different usernames, you finally find one that isn’t taken.  Almost there, you think.  It’s easy sailing now.  You enter a really simple password and this popup appears with a ridiculously complex list of reasons why your choice is too weak to use as a password.  Reasons like a password must be X characters long, with so many lowercase, so many uppercase, so many special characters, so many numbers and no words from any dictionary from any language.  What?? But you really want to get into that site, so you keep trying all kinds of crazy combinations until you find one that works.  By that time, you probably can’t even remember why you wanted into the site so bad in the first place.

Thursday, April 19, 2012

Teen hacker hits 259 sites

Saw this article about a 15-year-old in Austria who was busted for hacking 259 company web sites.  I figured they would say he was working on this for, you know, maybe the last year or two.  Nope, not even close.  The sites were all compromised in a 3-month period at the start of this year!  Some sites were just defaced, other sites had information taken and published.  All kinds of different sites, from all over the world.  Asked why he did it, the response was boredom and a need to prove himself.  How did he do it?  Simple tools and scripts available on the internet.

Here's the big question - why is it still so easy in 2012 to find so many vulnerabilities?  Is there just too much pressure to get an internet presence out there without even thinking about any security?  Probably.  Other times it's just because somebody didn't configure something properly.  It shouldn't be that hard to stop for a minute and think things through.  Do it right the first time.  Then keep up with what's going on within the systems.  With all the high profile hacks and millions and millions of lost dollars, the low hanging fruit should be disappearing.  Somehow it just keeps popping up.  Guess it just means plenty of new opportunities and plenty of work for many years to come.  That's good.  I have too much time before even seriously considering retirement.

Tuesday, April 17, 2012

Interesting articles from 4/17 (give or take a few days)

Here are some interesting articles I found over the last few days:

Tuesday, April 10, 2012

Hacking medical devices

Recent articles in Wired's ThreatLevel and Toronto's The Globe and Mail discuss concerns over security of personal medical devices. Researchers have shown in the past that insulin pumps, pacemakers and defibrillators could be hacked through their wireless connections.  Wait, huh?  So somebody could be sitting there and their pacemaker could change rhythm or their insulin pump could change the dosage or the defibrillator could fire without warning?  That's uncool.  Really uncool.  Yeah, it is.  But don't these kinds of devices have to undergo all kinds of intense testing and certification before they are marketed?  You bet.  Unfortunately it sounds like there wasn't much security built into these devices in the first place.  Probably a lot of different reasons why - cost, power consumption, and more than likely the thought that nobody would even think to mess with something like this.  It would be nice to think nobody would ever mess with these devices, but as we see more and more each day, that simply isn't true.  People will hack anything.  Hopefully a solution can be found before this becomes a widespread problem.

Friday, April 6, 2012

Week in review

For the first week in April, 2012 ...

  • Researchers estimate as many as 600,000 Macs have been infected with the Flashback trojan.  Apple released a Java patch this week to plug up the vulnerability used in this attack.  Several different articles on the topic here, here and here.
  • A vulnerability in Facebook mobile apps may allow attackers to grab your Facebook identity on iOS and Android devices.  A researcher in the UK has found the Facebook mobile app apparently doesn't encrypt or otherwise protect your login credentials (username and password).  In fact, he found quite a bit of information just using the basic file browser tools.  More information can be found here and here.
  • A story in Wired's Threat Level on Friday talks about a push by the European Union to criminalize "hacking tools".  Sounds like you could get busted for possessing the tools as well as for using them.  This could create serious problems for researchers and pen testers who use these types of tools to show flaws and help people better secure their devices and networks.  Creating laws like this tends to punish the law abiding way more than the criminals.  Hopefully it's not the start of a trend.

Tuesday, April 3, 2012

Quick news and notes

Just a few quick items from the last few days:
  • Researchers suggest Xbox consoles may be storing credit card info on the hard drive.
  • New Facebook login scam asks users to verify their identity by supplying credit card info.  Please don't ever supply credit info in order to verify anything.
  • Interesting article on the possibility of Samsung HDTVs watching you as you watch them.

Another reason not to check-in your location

For those who haven't been keeping up with the latest news, there's an app out there called "Girls Around Me" that allows you to do exactly what you think it does: find people who might be right around you. Say you're out at a bar one night and curious about who may be there with you. Well, this is the app for you. Not only will it find people around you, it may also give you access to photos of those people. No, it's not hacking their phones or doing some neat Jedi mind trick. The app is simply going out to social networking sites like Facebook and FourSquare and pulling information about people who have checked in close to where you are. While FourSquare has recently cut the app off from that type of information and the developer has removed it from the App Store, there will undoubtedly be others following in its footsteps. So for those of you who like the idea of checking in everywhere you go, don't be surprised if a total stranger comes up to you somewhere and seems to know just a little too much about you. There's a good chance it's because they have an app just like this.

Sunday, April 1, 2012

Social Network Safety

The amount of personal information easily available on the internet is staggering. It's kind of funny, in an odd way, though. Doctors, lawyers, schools and employers get attacked all the time for "leaking" personal information, but an average person will willingly divulge much more potentially damaging personal information on any number of social networking sites. Just look through sites like Facebook, Twitter, LinkedIn and Pinterest. You will see people posting incredibly sensitive and personal information, and sometimes it's even about themselves.

Don’t get me wrong, social networking is not always a bad thing.  There just needs to be some thought and even restraint before posting information.  Once data is out there on the internet, it’s out there.  There is no magic eraser that will get rid of the post.  No do-over button that gives you a second chance.  Sure, some sites allow you to fiddle with your posted data, but some, maybe even most, will hold onto data even after you click the delete button.  A good rule to follow before you post is what is referred to as the “grandmother’s rule”.  It’s pretty simple.  If you would not go up to your grandmother and tell her what you are about to post, it’s probably something you shouldn’t post in the first place.  Granted, this might not always work for everyone, especially those with grandmothers who are a little on the wild side.  If that’s the case for you, maybe instead of talking to grandmother, think if it is something you would stand in front of a group of strangers and announce.

Tuesday, March 27, 2012

Email safety

2011 saw big-time hacks on huge companies that one would think were fairly secure. Unfortunately, some of these attacks could have been prevented or slowed down by exercising a little more caution with email. The RSA breach started with somebody receiving an email and simply opening an attachment. How could something so simple cause such a problem? It's really quite easy.

Over the last few years companies have spent the majority of their security budgets on perimeter and endpoint defenses like firewalls, intrusion detection/prevention and anti-virus tools. That kind of takes the fun out of it for most attackers, since it makes them actually work to get in. So what do the bad guys do? Get into a different line of work? Ah, probably not. They look for an easier way in. And that easier way usually ends up being to get someone who already has access to let them in.

Wireless Home network security

A lot of people have wireless access points set up in their home networks. Wi-Fi makes it so easy to connect all kinds of devices to the internet: PCs, printers, storage devices, tablets, laptops, even phones. No need for busting holes in walls and running yards and yards of Cat5 cable. Just turn the device on and you're connected. Sure, a lot of the tablets and phones have their own internet connections, but for those with limited data plans, Wi-Fi connections at home give almost unlimited connection time. But how many people take the time to make sure their Wi-Fi connections are secure?

Mobile phone security

This is an interesting situation I recently read about. It seems law enforcement was stumped when they tried to access a phone that used a pattern lock rather than the normal password lock. Reading a little more, it turns out that it might not be the complexity of the pattern, but more that the pattern lock had a better method for dealing with brute-force attempts. After so many failed attempts, the phone remains locked until supplied with the user's Google login and password. Now this may only be the case for the specific combination of phone and pattern lock app, but it shows that it is possible to effectively lock up a device. The bigger question is, why aren't more apps and security features written with this kind of brute-force resistance in mind?
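To make the brute-force resistance described above concrete, here is an added Python example (not code from the original post or from any phone vendor) of a pattern lock that throttles failed attempts with an exponential delay and, after a fixed number of failures, refuses the pattern entirely until a second credential is supplied. The attempt limits, delay values, the "1-2-3-6-9" pattern format and the recovery password are all assumptions chosen for illustration. The clock is injected so the behaviour can be exercised without actually waiting.

```python
import hashlib
import hmac
import os
import time

# Policy knobs: assumed values for this example, not taken from any real phone.
MAX_PATTERN_FAILURES = 5      # failures before only the recovery credential works
BASE_DELAY_SECONDS = 30       # wait after the first failure; doubles on each one
MAX_DELAY_SECONDS = 3600      # cap so the recovery path never becomes unusable
PBKDF2_ROUNDS = 50_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Stretch the pattern/password so the stored value is not the raw secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def backoff_seconds(failures: int) -> int:
    """Exponential delay: 30s, 60s, 120s, ... capped at MAX_DELAY_SECONDS."""
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


class ManualClock:
    """Test clock: time only moves when .now is set (stands in for time.monotonic)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class DeviceLock:
    """Pattern lock with throttling plus a hard lock that needs a second credential.

    Patterns are strings such as "1-2-3-6-9" (cell indices of a 3x3 grid; assumed
    format). `clock` defaults to time.monotonic and is injectable for tests.
    """

    def __init__(self, pattern: str, recovery_password: str, clock=time.monotonic):
        self._clock = clock
        self._pattern_salt = os.urandom(16)
        self._pattern_hash = hash_secret(pattern, self._pattern_salt)
        self._recovery_salt = os.urandom(16)
        self._recovery_hash = hash_secret(recovery_password, self._recovery_salt)
        self.pattern_failures = 0
        self.recovery_failures = 0
        self.not_before = 0.0      # no attempt of either kind is evaluated before this
        self.hard_locked = False

    def _matches(self, candidate: str, salt: bytes, expected: bytes) -> bool:
        # Constant-time compare so the check does not leak how many bytes matched.
        return hmac.compare_digest(hash_secret(candidate, salt), expected)

    def _throttle_message(self):
        now = self._clock()
        if now < self.not_before:
            return f"throttled: retry in {int(self.not_before - now)}s"
        return None

    def unlock(self, pattern: str) -> str:
        if self.hard_locked:
            return "locked: recovery credential required"
        msg = self._throttle_message()
        if msg:
            return msg          # even the correct pattern is not evaluated while throttled
        if self._matches(pattern, self._pattern_salt, self._pattern_hash):
            self.pattern_failures = 0
            return "unlocked"
        self.pattern_failures += 1
        if self.pattern_failures >= MAX_PATTERN_FAILURES:
            self.hard_locked = True
            return "locked: recovery credential required"
        delay = backoff_seconds(self.pattern_failures)
        self.not_before = self._clock() + delay
        return f"denied: retry in {delay}s"

    def recover(self, recovery_password: str, new_pattern: str) -> str:
        """Second-credential path. It is throttled too, because it is also guessable."""
        msg = self._throttle_message()
        if msg:
            return msg
        if not self._matches(recovery_password, self._recovery_salt, self._recovery_hash):
            self.recovery_failures += 1
            delay = backoff_seconds(self.recovery_failures)
            self.not_before = self._clock() + delay
            return f"denied: retry in {delay}s"
        # Correct recovery credential: set the new pattern and clear all lock state.
        self._pattern_salt = os.urandom(16)
        self._pattern_hash = hash_secret(new_pattern, self._pattern_salt)
        self.pattern_failures = 0
        self.recovery_failures = 0
        self.hard_locked = False
        self.not_before = 0.0
        return "unlocked"


if __name__ == "__main__":
    clock = ManualClock()
    lock = DeviceLock("1-2-3-6-9", "recovery-pass", clock)
    for guess in ["1-4-7", "1-2-3", "3-6-9", "2-5-8", "7-8-9"]:
        print(clock.now, lock.unlock(guess))
        clock.now += 1000     # wait out the delay between guesses
    print(lock.recover("recovery-pass", "3-5-7"), lock.unlock("3-5-7"))
```

The two design points worth noticing: the throttle refuses to evaluate the guess at all while the delay is running (so a correct pattern typed during the wait is still rejected, and an attacker cannot use the delay itself as an oracle), and the recovery path gets the same backoff rather than being an unthrottled side door. With the assumed values, five wrong patterns cost a minimum of 30 + 60 + 120 + 240 seconds before the device stops accepting patterns altogether, which is what turns a 389,112-pattern search space into something that is not worth brute-forcing.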