Search

About

Enter your email address:

Delivered by FeedBurner

Categories

Westfield Links

Westfield Blogs

InfoSec Favorites

« June 2010 | Main | August 2010 »

July 2010

Social Media Concerns Continue

I use social media everyday.  My family and friends use social media every day.  Many of my colleagues use social media everyday.  The point is nearly everyone uses some type of social media, to one degree or another, on a daily basis.  That does not mean, however, it is without risk. 

Unfortunately for Facebook, they are once again garnering the lion's share of attention surrounding information security and privacy concerns around social media.  

According to Yahoo! News, "Security concerns over Facebook have been raised yet again after a security consultant collected the names and profile URLs for 171 million Facebook accounts from publicly available information. The consultant, Ron Bowes, then uploaded the data as a torrent file allowing anyone with a computer connection to download the data."

As always, be mindful of your security and privacy settings regardless of which social media you use.

Robert Salandre on 30 July 2010 | | Comments (0)

| | | | | |

The Problem with Honest People

The problem with honest people is that they don’t think too seriously about how the things that they do or information that they share could be misused or be used against them.

It’s not the nature of good people to think like bad people.  I can hear people saying: “No one cares about my information.  I don’t have anything that people would want to steal.  Bad things happen to other people, not me.  I am just one person in a million; there are better targets out there.  etc…”   It’s not until something actually happens to them, or someone that they know, that they realize the truth.

Please! Please! Please! All you honest and good people living in modern world, think a little bit more about it!  What could a malicious person do with your information if they wanted to?  Even the simple messages you post on Facebook or Twitter.  Malicious people do exist.  I see it regularly in my career as an Information Security professional.  Only in hindsight does the light bulb go off for the victim.  Also, the victim might not be the person who’s information is misueed, many times one person’s information is misused to victimize another who trusts them.  Social networking sites are a ripe field for this kind of information to be harvested.

Here are some tips I ran across that talk about basic security precautions on social networking sites.  These are just some common sense things that can help reduce the probability and impact of information misuse: http://www.bankinnovation.net/profiles/blogs/10-ways-to-prevent-social-1

Even if you don’t think that YOUR information will be stolen or misused, don’t give anyone the opportunity to prove you wrong.  Keep being honest but be "Information Misuse" aware!

Bill Murray leads the IT Risk Security and Compliance team at Westfield Insurance.   Sharing Knowledge. Building Trust

Bill Murray on 23 July 2010 | | Comments (0)

| | | | | |

Phone and Voicemail Security Reminders

With all the recent buzz and excitement around the iPhone 4, Droid 'Incredible', Droid 'X', and similar, there are a number of articles and blogs related to information security and privacy concerns associated with those devices.   ITBusinessEdge.com has an informative 2-part series on aspects of phone security, for example.  But, what people often overlook as a potentional information security and privacy risk is the digital work phone sitting on their desk.

We use our work phone every day.  For some, it is joined to their ear as much as their mobile phone is joined to their hip.  For others, it is simply a paper weight.  Nevertheless, the digital desk phone of today is a fairly sophisticated computing device and should be viewed as a potential access point to your company network and information.  It is for this reason, we should always assume phone and voicemail systems are 'open systems' subject to the risk of unauthorized access.  As a result, many of the mitigating control concepts we apply to laptops, smartphones, and other devices, should also be applied to your digital work phone.

Below are just some of the practices we should keep in mind to help ensure the security and privacy of information when using phone and voicemail systems.


Hardware and Software

  • Do not rely on the phone's default security settings
  • Never alter or disable the phone's authorized software or security settings
  • Ensure the phone's security settings are in compliance with company policies and standards
  • Never alter or disable the phone's authorized security settings
  • Lock down physical ports on the phone if they are not part of your company's standard configuration or usage parameters
  • Never alter or disable the phone's authorized software
  • Never install unauthorized software on the phone

Policy and Awareness

  • Always follow your company's 'Acceptable Use' Policy
  • Do not share your vociemail password
  • Always confirm the individual you are speaking with is authorized to discuss the information
  • Always protect your conversations when in public and in the office
  • Do not leave voicemails containing information that must be kept secure and private
  • Never intentionally alter time stamp, routing details, or other information used to track calls
  • Keep in mind, most organizations have a 'no assumption of privacy' policy

Robert Salandre manages Information Security Policy and Awareness at Westfield Insurance.   Sharing Knowledge. Building Trust

Robert Salandre on 16 July 2010 | | Comments (0)

| | | | | |

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused.   To help, there is the security concept of using one secret (a key) to unlock keys to other services.   The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles.  That collection of keys is kept in a locked wall-mounted cabinet.  Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied.  They are stored in a browser-managed repository which is the equivalent of the “key locker” described above.  Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials.  But there is simple way to mitigate this risk.  For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords.  This master password is the equivalent of the key to the key locker in our physical world example.   This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard.  These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments.  Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

  • you create an account at the payment service using a unique string such as your email address
  • you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
  • depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it!  Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

  • go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
  •   proceed to check out and notice that there is a PayPal option, choose it
  • Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
  • you confirm your PayPal password and then tell PayPal which of your accounts to debit
  • when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
  • PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
  • PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that?  In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information.  Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time.  So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services?  Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history.  Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust


John Brady on 01 July 2010 | | Comments (2)

| | | | | |