About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

29 posts categorized "Definitions"

01 July 2010

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused.   To help, there is the security concept of using one secret (a key) to unlock keys to other services.   The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles.  That collection of keys is kept in a locked wall-mounted cabinet.  Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied.  They are stored in a browser-managed repository which is the equivalent of the “key locker” described above.  Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials.  But there is simple way to mitigate this risk.  For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords.  This master password is the equivalent of the key to the key locker in our physical world example.   This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard.  These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments.  Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

  • you create an account at the payment service using a unique string such as your email address
  • you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
  • depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it!  Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

  • go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
  •   proceed to check out and notice that there is a PayPal option, choose it
  • Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
  • you confirm your PayPal password and then tell PayPal which of your accounts to debit
  • when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
  • PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
  • PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that?  In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information.  Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time.  So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services?  Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history.  Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust


Posted by John Brady | | Comments (2)

| | | | |

15 June 2010

The Payment Card Industry Data Security Standard (PCI DSS)

There are a number of regulations and standards that have been established to protect the privacy of individuals and to prevent fraud.  One of these standards is called the Payment Card Industry Data Security Standard.  Here is an overview of how it was established and what it is:

Comprised of Visa, MasterCard, American Express, Discover, JCB, and Diners Club, the Payment Card Industry (PCI) developed the Data Security Standard (DSS), initially based on Visa’s Cardholder Information Security Program (CISP), to help prevent payment card fraud and identity theft.  It encourages and enhances cardholder data security and privacy by facilitating a broad adoption of a consistent, global data security standard.

The principle goal of the data security standard is to protect cardholder data at all times, whether processed, stored, or in transit.  The PCI DSS has been universally adopted by all major payment card brands and is governed by the PCI Security Standards Council (PCI SSC). 

Unlike laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Leahy Personal Data Privacy Security Act of 2009, and Massachusetts 201 CMR 17, all of which are enforced by federal or state governments, the PCI DSS is NOT a legal or regulatory directive but, rather, a contractual obligation.  The standard is enforced through a mandatory ‘contract chain’, whereby information security and privacy requirements are passed from payment card companies, to merchant banks and card processors, and eventually merchants, via contract language.  As a result, compliance to the PCI DSS transcends both industry and geography and necessitates heavy involvement, if not oversight, from an organization’s legal team.

The PCI DSS consists of 6 main control objectives, is comprised of 12 primary requirements and contains approximately 210 individual controls.  The control objectives address:

  • Building and Maintaining Secure Networks
  • Protecting Cardholder Data
  • Maintaining a Vulnerability Management Program
  • Implementing Strong Access Control Measures
  • Regularly Monitoring and Testing Networks
  • Maintaining an Information Security Policy

Failing to effectively manage and protect information while it is processed, stored, and transmitted, can be unlawful and negatively affect business reputation, customer base, employee morale, and revenue. 

Both customers and employees expect their personal information to be protected by the organizations with which they do business.  They are no longer willing to overlook an organization’s failure to keep their personal information secure and private.  Therefore, it is imperative organizations be aware of and educated on all Information Security and Privacy requirements with which they must be compliant; this includes not only applicable laws and regulations but contractual obligations as well. 

Bill Murray leads the Information Security and Disaster Recovery team at Westfield Insurance. Sharing Knowledge. Building Trust

Posted by Bill Murray | | Comments (0)

| | | | |

05 March 2010

The Overly Eager Bird Catches a Worm

The social network phenomenon has shown many benefits.  These sites, such as facebook (FB), have great potential for people seeking friends to hang out with online.  Businesses too are finding it desirable to create a company presence on FB, myspace, twitter, etc.  Given their explosive growth, however, these sites have also attracted an unsavory element looking to exploit such new fertile ground.

Do you recall, back in the early 2000s, when email phishing was a relatively new phenomenon?  Eventually people became savvy about not following links that arrived in email messages from businesses with which they had no established relationship.  You see, in order to compromise your system, eventually the bad guys have to get you to act on their behalf ... so at some point, they have to present you with some “stuff to click on” ... thereby tricking you into giving your operating system (Windows, MacOS, linux, etc.) the go-ahead to install their evil code.

In a similar vein – have you noticed that when you go to play a game on a social site, say FB, you are presented with a dialog-box saying something like "This application requires access to your FB profile.  Do you wish to grant access?”  This is the FB security layer warning you that this application is trying to access your FB profile.  This is like a stranger asking to look through your wallet and record whatever they feel like while they’re in there browsing.  Alarm bells should be sounding in your head!  Let’s see ... a game that’s all sorts of fun to play and has really nice graphics, and which must have taken some people a lot of time to develop, all apparently, “for free”!  Too good to be true?  Gee whiz -- that's a little like those emails I occasionally get from "banks" promising to consolidate all my debt into a "Zero down, 0% APR loan” ... too good to be true indeed.

So, while most FB applications/games are not bogus fronts for bad guys that want access to your personal information, it is also true that some of those ostensible applications are in fact phony.  So be very careful before deciding to unleash these apps on your private information.

In another example of social networking abuse, there was recently a worm blazing its way through FB accounts called KoobFace ("facebook" spelled sideways, sort of).  KoobFace arrives as a FB message from a FB friend in your FB inbox.  When you open it, you are told to check out a YouTube video.  When you click on the link to the video you are sent to a fake YouTube site.  When you try to start the video playback, you are told that your system is missing an important piece of video playback software called a codec (engineering speak for coder-decoder).  It asks if you want to install the missing codec.

Let’s step back here.  At the request of a site that looks like YouTube, you are about to install and run some piece of software!  Are those internal alarms bells clanging loud and clear yet?  They should be.  The supposed missing codec is really a worm.  If you OK installation -- your system is infected.  The worm begins executing immediately, making a few "adjustments" to your Windows Registry to make sure it gets restarted whenever you reboot.  It then proceeds to wander about in your browser cookie cache finding out which social networking sites you belong to.  For each site, it authenticates and then sends messages, in your name, to all your friends!  Of course, those messages are just more infect-o-grams like the one you fell for.  And so the worm turns...

The lesson here is: think twice before accepting requests to "access" your social networking profile(s) from applications, games and gifts.  Moreover, think three times about saying yes when some web site that you have followed a link to recommends you OK installation of software you supposedly need!  If you believe you really might be running an old version of a plug-in, anti-virus program, etc., you should still always refuse the unsolicited pop-up style request.  Instead, you should explicitly type in the URL for the software maker and check if there you are missing codecs or updates to the software.  If there are updates then update your software and retry playing the video. 

If your software is already up-to-date, or if you get the pop-up again after updating, then assume the pop-up is malicious and just skip playing it!  It cannot be worth the inherent risk.  You might even go the extra step to inform the sender of your suspicions.  For example, in this particular case, the “sender” would be surprised you even got an email from them!  You’ll recall, in our scenario, it was the worm that sent it.  This is often how people find out their system is infected so you are doing them a big service.

To read further, here is a link to a technical explanation of how the koobface worm works.

Posted by John Brady | | Comments (0)

| | | | |

08 February 2010

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost  Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves.  There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect.  Really take the time to think about it.  Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers.  These are easy ones, but how about your customer contact lists?  new product ideas?  customer order histories?  etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control?  In addition to data loss, think about data integrity.  When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers?   How important are the decisions you make from your data.  The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located.  In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone.  Ask yourself these questions:

  • Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
  • Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
  • Where do you store and how do you protect your system backups?
  • Could someone gain access to a system backup and restore the information to their computer?
  • Can you reduce the number of locations that your critical information or copies of it are stored?
  • Are you relying on third parties to protect your information when it is in their systems?  Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information.  You should align your controls across systems based on the value of the information you are trying to protect.  You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored.  Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently.  Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Posted by Bill Murray | | Comments (0)

| | | | |

26 January 2010

4 steps to protect your data in an online transaction

Hello readers of the Westfield Insurance Information Security Tips blog!  I am new to Westfield, joining the InfoSec team in the capacity of Information Security Architect.  Previously, I was an information security consultant working predominantly in banking and pharmaceuticals.

 

You may be asking, "What is Information Security (IS) Architecture?"  In its broadest sense, architecture in the IT industry involves marrying an enterprise's business objectives to its current and future technology capabilities.  A good architecture does this by leveraging what is already present, or when needed, carefully introducing new types of technology.  When properly architected, the IT environment adapts smoothly to constantly changing business demands.  Information Security Architecture tries to achieve these same outcomes but within the specialized domain of information security.

 

What tips does an architect have regarding day to day information security?  Well, let’s take a security architecture concept and apply it to your situation.  For example, consider the idea of ensuring the confidentiality of sensitive information.  This idea is broadly applicable everyday on the web.  From an architectural perspective it is helpful to think about the two states of confidential information, namely, at rest (e.g., stored in a file) and in transit (e.g., whizzing across the Internet from server to laptop).

 

Take a scenario where you keep your credit card and expiration date in a file on your PC (you can remember your CVV, that three digit code on the back of your credit card, because it's so short).  Doing this makes it so much easier for you go shopping on the web because you can just cut and paste your information quickly, conveniently and without worrying about typing errors, etc.  So you surf to your favorite shopping site, find the widget you want to buy, follow the checkout process, open the credit card file, cut and paste your credit card information, submit it, and in a few days your stuff arrives.

 

Let's talk about your information's confidentiality during the 4 steps in an online transaction:

 

1)   In your computer file: First, if you saved your credit card information on your computer, it is sitting in a file.  Here it definitely should have been encrypted in such a way that only you could decrypt and read it, for example, using a password protected file encryption such as the free GNU Privacy Guard.

2)   On the merchant's order form: Next, you cut and pasted it to the online merchant’s checkout page.  Did you make sure the browser was indicating that the communications were protected by verifying that there were no browser warnings about unrecognized or expired digital certificates?  These certificates are used to help you make sure that you’re really at the web site of the merchant you think you are.  Some browsers use a color coding scheme in the URL field and green is usually the color indicating the site’s authenticity has been successfully verified. 

3)   In transit on the web: When you submit your credit card information, the data will suddenly be in transit across the Internet!  Prior to submitting anything, make sure it is protected in transit by confirming the URL of the page where you entered your personal data begins with the string https://... Instead of the normal http://... .  That extra ‘s’ in https is for security and it means the data stream between your browser and the merchant’s web server is encrypted.

4)   On the site receiving your info: And finally, after you press Submit, if you get any browser warning about information being sent unsecured, your browser is warning you that, although the page you were on was secure, the place you’re submitting the credit card info. to may not be.  When you recieve such warnings while transacting confidential information you should cancel out of the transaction and perform your purchase via a different medium (e.g., over the phone).

 

So, from an InfoSec architecture perspective, assuring that the encryption infrastructure is guarding your information at rest and in transit is all part of your personal information security architecture.

Posted by John Brady | | Comments (0) | TrackBack (0)

| | | | |

12 January 2009

Web certificates - defined

This tip is part of Westfield's occasional series on general security definitions. To look up other topics, follow the Definitions at left.

You just got a popup on your computer that "there is an error with XYZ's certificate" and asking whether you'd like to accept the certificate forever, accept it only for one visit, or choose not to accept it. (See the example below) What exactly is a web site certificate and should you accept it or not?

Certificate

Certificates are small bits of code used by organizations to show that they are who they say they are online. Certificates are generally purchased from third parties called 'certificate authorities – trusted companies who give the on-line equivalent of a Good Housekeeping seal of approval on the connection. Note: Certificate authorities do not evaluate the company, the website or their products. A certificate does not mean that the site is free of viruses or other malicious content. Certificate authorities merely verify that the web address actually belongs to the organization buying the certificate. When you type a URL or follow a link to a secure web site, your browser will check the certificate to make sure that the web site address matches the address on the certificate and that the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority.

If the organization wants to set up a secure website (that is, one that uses https instead of just http and has the yellow padlock in the bottom right of the window), they will need a site or host-certificate to set up the encryption. By making sure that the website encrypts your information and has a valid certificate, you can reduce your online risks.

The problem is that almost anyone can create the piece of code that looks like a certificate. Many legitimate companies want to set up secure connections but don't want to pay extra to the certificate authority for verification so they self-generate a certificate. Hackers can generate certificates, too, and use them to more closely mimic the legitimate secure site.

If the certificate is not from a trusted authority that your browser recognizes (there are about 100 trusted authorities loaded into your browser by default) or has some error or inconsistency, you have to decide whether or not to trust the web address and allow the connection.

To verify a certificate, look for the certificate feature in the browser's menus. In Internet Explorer, you can find it under File/Properties when you are on the secured site. When you click on the certificate button, it should show:

  • who issued the certificate - Make sure that the issuer is a legitimate, trusted certificate authority.
  • who the certificate is issued to – This should match the owner of the web site.
  • expiration date - Most certificates are issued for one or two years. Be cautious of certificates that are valid for longer than two years or that have expired.

If you want to see all of the certificates currently on your machine, try Tools/Internet Options/Content and look for the certificate button.

If you have the time and need, you can verify every aspect of the certificate by contacting the company or the certificate authority. For most sites, you don't need to bother. But if it's a connection that you're using for highly confidential information (like your banking website) or if you have a reason to be suspicious of the site (perhaps a phishing site), take the time to verify the certificate. You'll only have to do it once – your computer will remember your decision thereafter.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

22 September 2008

Rootkits - defined

Every once in a while, security geeks talk about "rootkits" in tones of fear or loathing. Here's what we're talking about and why we worry about them (and why you should, too).

A rootkit is a particular type of malicious software. It is different from an ordinary virus in that it is specifically designed to seize control of your computer at the highest possible level. (In the old unix terms, this was called 'root' access - the equivalent level of authority in Windows is 'administrator'.) Once the hacker has a rootkit on your computer, he/she has full access to everything on the computer. More than that, the hacker can usurp control of the computer and make it run other malicious programs (perhaps as part of a botnet) or can use it as a jumping-off point to attack other data on your network. The hacker can do anything on the computer that you can do – and many things that most of us can't.

Rootkits are also different in that they generally limit themselves to seizing and holding control of one system - a virus, on the other hand, is will try to spread itself to other computers. Rootkits are also often kits, that is, combinations of multiple malicious programs that work together. Ordinary viruses are usually single programs. That said, an ordinary virus can be sent out to infect your computer and can, as its first act, load a rootkit onto your computer. Using a virus as a component of a rootkit is a fairly common attack now. According to some researchers, as many as one in five PCs are infected with a rootkit.

Rootkits frequently masquerade themselves as other files and/or deliberately hide files from programs that are used by legitimate administrators to hunt for viruses. This makes them particularly difficult to clean out once your computer has become infected.

Not all rootkits are created by hackers. In 2005, Sony BMG included rootkit software on some music CDs in an attempt to prevent music piracy. Unfortunately, the rootkit exposed every one of their customers' computers to exploitation by anyone who knew to look for the backdoor the rootkit created.

To defend against rootkits:

  • Practice safe surfing - don't go to virus-infected websites. Music-sharing, video, software, porn, hacker and other 'gray' websites are frequently loaded with virus-infected downloads. While there are some legitimate freeware sites, "there ain't no such thing as a free lunch". If they're not making money through sales or advertising, they're probably getting something else out of the deal – don't let that something be your computer.
  • Keep your antivirus program on and up-to-date. But recognize that this is probably incomplete. Rootkits are specifically designed to defeat the major antivirus programs.
  • Keep all the applications on your computer fully patched.
  • Keep your firewall turned on and locked down as far as you can go. This won't necessarily stop you from picking up that first infection but it might prevent the virus from sending out the command to download the rest of the kit.
  • Turn off your computer when you're not using it. First, restarting the computer each day triggers a number of cleanup activities. More importantly, the computer isn't exposed to exploit while it's turned off.
  • If you are infected, take your computer to an IT specialist. Rootkits are especially difficult to clean out and will often reinstall themselves if part is missed. The usual practice is to wipe and rebuild the machine – they're that hard to get rid of.
based in part upon content from Wikipedia

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

18 August 2008

Filesharing - defined

All the kids are doing it. And depending on which news reports you read, it's either the inevitable wave of the future or another sign of the collapse of our society - or both. But what is filesharing really?

Filesharing is the term for software designed to make it easier for you to share stuff through your computer with other people. (I use the technical term "stuff" here because you can share literally any electronic file through these tools but the most common shared files are documents, music files and videos – and viruses. More on that in a minute.) The most common form of filesharing is "peer-to-peer" (P2P) sharing, a way to share files directly from your computer to someone else's computer without needing to store it on a server somewhere. If I want to download a file that you've offered up for sharing, I reach through the internet and grab it directly off your computer.

This kind of filesharing requires special software such as Limewire, BitTorrent or Kazaa. These applications create an index of the files that you've offered for sharing and publish the index to the Internet so others can find your files. They also let you access the index and download the files you want. Filesharing is an easy way to publish documents widely and can get you access to all kinds of free content. Music is especially easy to find.

The problem with filesharing is that it exposes you and your computer to all sorts of risks that are not disclosed by the filesharing network or those "friends" who are pressuring your kids.

  • When you use P2P, it is essentially impossible to verify that the file is trustworthy. Hackers hide spyware, viruses, worms and trojan horses and other malicious code into the files. When you download the file, you infect your own computer.
  • P2P also opens up your computer to outsiders. The applications claim to only expose certain directories but 1) you don't know if the application is locking the folders down properly and 2) it's too easy to misfile a confidential document in a shared folder. Any little mistake opens up your confidential information to the world.
  • Most P2P applications require you to open up certain ports on your firewall so it can send or receive the files. Hackers exploit those open ports to attack your computer directly anytime it is connected to the internet.
  • And, of course, the big risk that got so much press when Napster was being sued into bankruptcy is the phenomenally high proportion of copyrighted material being illegally offered for "sharing". If you download pirated content, even unknowingly, you could face fines or other legal action. The Recording Industry Association of America (RIAA) is especially aggressive about finding and suing individual users who have illegally copied content on their computers.

If you run a network, either at a business or at home, I strongly recommend that you block filesharing sites. Remember, you go to jail or pay the fine whether they downloaded the illegal software with your knowledge or not. If you have kids, turn on your computer's parental controls and block those sites. Teach your kids to buy their music legitimately.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

04 August 2008

Domain registration "alerts"

Westfield has recently started receiving "alerts" about internet domain registrations from a company in Asia. This company claims to have received an application for internet domains that are close to Westfield's main domain, westfieldinsurance.com, but carry different suffixes such as westfieldinsurance.net.cn, westfieldinsurance.hk or westfieldinsurance.asia. The email claims that the company "discovered" that the brand keyword matched our company's name and trademark and asks someone to contact them "before we finish the registration" for the other company.

On the Internet, the domain naming system treats every combination of domains as a unique destination. Owning example.com gives you no special rights to example.org. And while you may be able to make a case for trademark infringement, the domain naming system has a strong bias in favor of "first-come, first-served." If a domain name is important to your brand, you need to act to protect it.

If you're not already monitoring internet domain registrations that are similar to your trademark and business, you really should start. There are several good monitoring services out there, some that will send daily alerts for free. Remember, however, that you can't commandeer every possible variation of your domain – there are just too many possibilities. Get the domains that you think are most important and monitor the rest.

The message from the Asian company, however, is a scam. We have traced two different types of these messages so far. In the first case, it was a straightforward con for a credit card number. In the second case, it was an actual domain registrar using questionable tactics to generate business. In both cases, we investigated the company - a Google search on some keywords from the email will often return examples of others who have run into the same con - and decided not to respond to their phishing attempt.

If someone registers a domain name similar to yours, look at the domain registration. (There are several excellent lookup tools on the web. I tend to use whois.domaintools.com). If the other person registering the domain appears to be a legitimate business that just happens to have a similar name to yours, don't worry too much about it. We regularly bump into the the Westfield Group that owns Westfield Shoppingtown Malls (an Australian firm). We also know about domains registered to a car repair shop on a Westfield Road in Indiana. There's no connection and no evidence of fraud – and they got to the domain first. As long as they keep the domain out of the phishers' hands, I can live with that. I also don't worry too much about the domain resellers who buy the domain name then "park" it with some generic ads. (Here is an example.) As long as there's no evidence of misuse and no obvious confusion with my brand, I'm willing to let most of those sit.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

21 July 2008

Metadata - defined

Metadata is getting a lot of press lately, especially among companies that are wrestling with the new electronic discovery standards issued by the US Supreme Court. But what is it really?

Technically, metadata is data about other data. If the customer's address is data, the number of entries in your address book is metadata. If the body of a Word document is data, the date you last opened the file is metadata. If the values in an Excel spreadsheet are data, the formulas in each cell are metadata.

From a legal point of view, metadata is everything about the document that's not immediately visible when the document is printed. It includes all the MS Office "properties" like file size, author and character count. It also includes any hidden features such as the old versions that are still buried in the document when you leave the Track Changes option on. It includes formulae in spreadsheets and formatting commands like the print area.

For most normal uses, the metadata about a document is just background. We take it for granted and almost always ignore it. But if your metadata reveals facts that you wanted to keep private, it can be embarrassing and expensive. In one case, a major pharmaceutical company deleted some study data from a report – and got caught when the New England Journal of Medicine looked in the Tracked Changes to show the deleted comments. In another case, a confidential White House policy paper about Iraq was outed when a quick command revealed the report's author. In yet another case, officials covered up classified information with black bars, not realizing that readers could easily uncover the text by copying it from under the black and pasting it elsewhere.

When you get into a legal situation, metadata becomes even more important. Metadata is used to show "who knew it and when they knew it" – to provide the context around the document in question. Metadata can either clear you or convict you. Because of its importance, metadata must be preserved and unaltered when you are collecting documents that will be used in court. This is hard because routine Windows operations will change the metadata just by opening the file. Make sure that you have the tools you need to keep metadata intact before you get into the lawsuit.

And, of course, be very careful before you post a document publicly. Make sure you clean out the metadata that you don't want public.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

14 July 2008

What your footprints say about you

Most people surf the web and chat online thinking that they are hidden behind the anonymity of the computer screen. Few people realize that they are leaving footprints all over the web anytime they go online. Here are some of the things that are automatically sent to the website's computer whenever you visit the site:

  • Your IP address - Every computer on the internet is assigned a specific, unique IP (internet protocol) address. That IP address can't be easily traced to a name directly except by your internet service provider but it can be correlated with your other online activity. So if you disclose your name in a blog or when writing a book review, someone might be able to trace that back and match it to your other internet habits. You can look up your current IP address at showmyip.com.
  • Your computer's software load - Many websites want to know what web browser you are using (including which version). Legitimate sites use this information to adjust for differences between the way browsers display the webpage. A page that looks fine on Internet Explorer may not display properly through Mozilla's Firefox so the website developer adds code to tweak the display based on your browser. Unfortunately, the information sent to the website does not end with the browser. They may also be able to read your operating system and other details.
  • Your page visit history - The website can often track which pages you visited, how long you stayed on a given page and where you were just before you came to the website. (This is often helpful for companies who want to know if you came to the site from a search engine and if their advertising dollars are being well-spent.)

    • If a web site uses cookies, they can collect even more information. The information they can collect about your browsing habits is limited only by their own privacy policy.

    On the other hand, If the site you're visiting is malicious, all bets are off. Your privacy is completely dependent on the strength of your antivirus/antispyware programs and how up-to-date you keep your patches. Hackers at these sorts of sites can use all sorts of techniques to either steal information or trick you into revealing more than you intended. They will try to steal passwords (knowing that many people reuse the same password and that, by compromising this password, they have a very good guess at your online bank or work password), load viruses and may even attempt to alter the security settings on your computer so that they can access and use your computer for other malicious activity.

    You can reduce the amount of information revealed about yourself by only visiting legitimate sites, checking privacy policies and paying careful attention to the personal information you provide. Don't post your address, password, or credit card information unless you trust the site. Look for indications that the site uses SSL to encrypt your information. Limit what cookies you allow and be careful which web sites you visit; if it seems suspicious, leave the site.

    And, of course, always keep your antivirus software up-to-date and your computer fully patched.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

16 June 2008

Use bcc: for large email distributions

Have you ever replied to an email message only to realize too late that you just sent your reply to the entire department? Or worse, to the entire company? Reply to All should be used only when you are sure that every recipient on the list really wants and needs to read your reply.

Unfortunately, accidentally hitting Reply to All is an easy mistake to make.

If you are the sender of the original message, you can make life easier and safer for your readers if you use the bcc: field instead of the To: field in the email header. Bcc: stands for "blind carbon copy. Every user will receive the message but the recipient will see only his or her own name in the bcc: field. If a user accidentally hits the Reply to All button, the reply message will only be sent to the original sender.

As a matter of ettiquette, you should disclose the distribution list to your readers in the body of the message. This avoids any appearance of attempting to hide the distribution. A common convention is to use small italicized text in the first line with the text "sent bcc: to MidwestDivision".

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

02 June 2008

Scareware - defined

Have you ever seen a "free" offer to scan your computer for security vulnerabilities? The most common one that I get is a pop-up ad that reads "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." It looks like a great idea. You're offering to test my machine for free so I know what, if anything, needs fixing. Doctors, mechanics, even the lawn guy offers that kind of free screening as a legitimate way to build a relationship with new customers.

Unfortunately, most if not all of these computer scanning offers are scams. They are rogue programs that will always report something that needs to be fixed or cleaned whether the flaw is real or not. They are designed to scare you into believing that there is something terribly wrong with your computer that only their software can fix.

Examples that attack Windows computers include SpySheriff, WinFixer, IEDefender and Cleanator. Interestingly, Mac users ran into this problem for the first time in January with a product called MacSweeper. MacSweeper is so "thorough" that it even finds flaws when it's run against a PC – flaws that can only exist on a Mac.

Most of these are simple attempts to con you out of money or credit card numbers. Some are more malicious and will load spyware onto the computer or even disable your existing antivirus programs.

Never run software from unknown sources. If you do suspect that your computer may be vulnerable, use your own anti-virus and anti-spyware software. Don't trust that "free" offer.

Note: The word "scareware" also includes more harmless pranks such as the program that pops up and says "Erase everything on hard drive?" with two buttons labeled "OK" and "OK". (Nothing is actually deleted in this prank.) Just ignore those pranks.

A few more popup examples:
Infosec_scarewareerrorsafe_2
Infosec_scarewaresystemdoctor_2

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

12 May 2008

Credit freeze - defined

Most states have passed "credit freeze" laws, allowing individual consumers to lock their credit reports and, in theory, reducing their vulnerability to identity theft. While the credit freeze is in place, the credit reporting agency may not give out your credit report unless you explicitly grant permission and confirm your identity using a PIN or password. This makes it harder for the identity thief to open an new account or to get new credit in your name.

Even if your state does not have a credit freeze law, the three major credit reporting agencies now offer freezes voluntarily. To institute a credit freeze, you generally need to send a written request to each of the three major credit reporting agencies. The specific instructions vary from state to state. You can find links to each state's instructions at ConsumersUnion.org. The states allow the credit reporting agency to impose a fee to initiate the freeze (usually $5-10 per credit reporting agency but often free to confirmed victims of identity theft) .

If you do freeze your credit report, you will have to lift the freeze whenever you want credit. Under almost all the state laws, you'll have to pay again each time you want the freeze lifted. This can make opening a new account or even changing your existing service more difficult and expensive. When you apply for the freeze, you will be given the instructions and PIN needed to lift the freeze. In some cases, you'll have to lift the freeze yourself – in others, you might be able to authorize the merchant to do it for you. Either way, it will take some extra time. It will also make you ineligible for "instant credit" unless you lift the freeze before going to the store.

The credit freeze laws have implications for businesses that use credit reports for purposes other than lending (such as evaluating underwriting risk). Unless the state law has explicitly carved out that usage as allowed (and many but not all states did for underwriting), the business should expect extra paperwork and several extra steps in the process to get permission to view the consumer's credit report. The law varies from state to state. Check with your corporate counsel for details.

As a consumer, you should also know that a credit freeze will not necessarily keep you safe from identity theft. While most reputable creditors will check your report before issuing credit, some don't. Identity thieves can still exploit those situations, knowing that you will have to pay the consequences. A credit freeze also will not protect you from exploitation of existing accounts.

If you are at increased risk of identity theft and already have a house, car, phone service and the credit cards you need and you see no near-term need to refinance any of them, a credit freeze might be appropriate for you. If you have few risk factors or will need to legitimately seek credit for yourself soon, a credit freeze could be more trouble than it's worth. Personally, I do not have a credit freeze on my account. I take normal precautions to make my identity hard to steal in the first place (I have a shredder and use it, I don't leave financial documents like credit card bills on the kitchen counter, I don't keep my SSN in my wallet, I use strong passwords, etc) and I check my credit report regularly. To me, the incremental protection of a credit freeze is not now worth the extra hassle and expense.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | | |

14 April 2008

Web browser security settings

Your web browser is your primary connection to the Internet, either by reading web pages directly or through applications that use your browser to function. How you set the security makes a great deal of difference for your computer's safety.

Those security settings will also affect the functionality of some web sites. Web page writers try to improve your experience by enabling different features. Sometimes they're nice but they leave your computer more vulnerable to attack. In fact, a common hacker trick is to set up an "innocent" website with attractive content but which will not work correctly unless you reduce your security settings, exposing you to the hacker's malicious content on other links. The safest policy is to disable those optional features until you decide that it's necessary and that the website is trustworthy. (In most cases, you can enable the feature temporarily.)

Note: Your IT department should control the settings for your work computer. Make sure that they have the security controls locked down so users can not accidentally expose their computer to unacceptable risks. If you use Internet Explorer, you can find the security settings by clicking Tools/Internet Options/Security. (Firefox and other browsers generally use similar paths.) If the security is properly locked down, you should be able to see but not change the settings.

Internet Explorer uses the concept of "zones" and lets you set the security level differently depending on where you are browsing. For most of us, the most important zone is "internet". This is the general zone for all public websites and is the default used when the browser doesn't have different instructions. This should be set as high as possible but never below "medium".

The "local intranet" zone is usually used for internal content. Since your own company developed the pages, it's usually safer to use a slightly lower level of security as long as there is a business reason to do so. "Trusted sites" are those that you have decided are well-designed and use good security practices. Our work computers have certain trusted business partners pre-loaded in this zone. I have none in my personal computer at home.

"Restricted sites" are those that you think might not be safe and that deserve the highest level of caution. Frankly, if you're that suspicious, you're probably not surfing there anyway. But it can be helpful to mark those sites because it will provide an extra layer of protection if your computer is calling those domains for "hidden" content like ads and pop-ups.

Your browser also has some security settings related to JavaScript, ActiveX controls and Plug-ins. You should only allow them if you are at a trusted site. See the tip on Active Content for suggestions on those controls.

You should disable cookies except for sites that you trust that require them. Add those manually to the browser's "allowed" list. Definitely block pop-ups but remember that it will break some websites. You can always allow the pop-ups on a case-by-case basis.

In general, always set your security for the highest level possible. Then lower the security only when a page fails to work properly and only as far as you need to or for as long as you need to. Once you've set the controls properly, it's not that much work to maintain. But it is a vital part of the protection of your computer and your confidential information.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

17 March 2008

Protect your computer from Spyware

Spyware is Internet jargon for advertising-supported software. This type of software often automatically installs itself on your computer without your knowledge in order to collect your personal information and provide it to a website or advertiser. Spyware is hidden in the background and keeps track of your web browsing, what information you enter into forms and even the configuration of your hardware and software. The company receiving this information may use it directly or, more likely, will sell this information about you. Based on this information, you may begin to see incessant pop-up ads, giving the false impression that the Web page being viewed is responsible for the constant annoyances.

Spyware usually is usually hidden in or behind an application that you want to use (such as a music player). When you install the software, the spyware application also installs itself.

In addition to the annoyances of increased spam and advertising, the spyware application ties up valuable computing power and can eventually make it run slower. It can create conflicts with other software on your machine causing programs to lock up or causing your machine to crash. It can even be abused by hackers to steal your password or to take control of your computer.

If you load software from the Internet, read the license agreement carefully. Some companies actually disclose that they will install an application on to your computer and may allow you the option to "opt-out". For example, RealJukebox has the ability to track how you used the program including the number of recorded songs on the computer, the format that songs are recorded in, the user's musical preferences, the quality level of the recordings, and the type of portable player connected to the computer.

You can use specialized software to find and disable spyware applications and to protect your computer. Two of the better-known free-ware applications are SpyBot Search and Destroy and Ad-Aware. Whatever anti-spyware solution you pick, be sure to keep it updated and run it regularly.

Be sure to read all "End User License Agreements" very carefully and make sure you understand what is actually going to be installed on your home computer.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

11 February 2008

Firewalls

A firewall looks for and attempts to stop forbidden communications between two computers. Firewalls work by examining each piece of traffic entering or leaving the network and blocking those which do not meet specified criteria. If the communication is an allowed type (for example, Windows passing your user name and password to the company network during login), the message is allowed through. If the communication is unrecognized (for example, a virus attempting to impersonate Lotus Notes but really sending your password out to a hacker), the traffic can be stopped.

There are two kinds of firewalls: "personal" or software firewalls and "network" or hardware firewalls.

  • Software firewalls are relatively easy to install and provide good protection. They filter traffic entering or leaving a single computer. Software firewall programs (such as ZoneAlarm, Norton or Comodo) can be downloaded from the Internet and may be available in a free version for home users. (Note: If your home computer's operating system is Windows XP or Vista, it has a built-in software firewall but Windows has not traditionally performed well in bench comparisons. Most security experts recommend replacing or at least supplementing the Windows firewall.) For more on personal firewalls and how they work, see the first page of this article.
  • Hardware firewalls require you to buy and connect a separate piece of equipment, but they provide stronger protection. They plug in between your internet connection (such as the cable-modem or DSL line) and the computer. Hardware firewalls are often built into routers, allowing multiple computers to share a single, protected connection to the internet. Hardware firewalls often also have the ability to perform network address translation (NAT) which hides the specific IP address of your computer and makes it much harder for a hacker to launch an attack against you. Hardware firewalls are available at many electronics retail stores, usually starting at $50-$75.

CERT (the Computer Emergency Readiness Team) strongly recommends the use of hardware firewalls, especially if you have a broadband or "always on" connection. See "Before You Connect a New Computer to the Internet" for more information.

Some firewalls will display a pop-up box asking if you want to allow the message. If you see one of these pop-ups, never allow the traffic unless you are sure that you know exactly what it is doing. Remember, the firewall won't do any good if you give permission for the virus to send out your password.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

21 January 2008

Patches - defined

Security geeks often talk about keeping your computer "patched". Here's what we mean and why it's so important.

In a perfect world, all the code on your computer would do exactly what it's supposed to do and nothing more. In the real world, new code was added on top of existing code to fix a problem or to add some new feature until, over time, the code became too complicated to test for every possible scenario. Hackers found ways to exploit the holes in the code. By sending just the right command in just the right circumstances, they could make the computer do something it shouldn't – like give the hacker permission to install software and take control of the computer.

When such a vulnerability is discovered, the developers who made the software have to figure out how to plug the hole – how to change the code just enough to stop the hacker without shutting down the new feature they added or interfering with some other application. "Patches" are the bits of code to be added to your computer to fix that hole. (Patches can also be used to add a new feature or fix something else in the program but for now we'll stick to security patches.)

At work, your IT team should be responsible for keeping your core applications up-to-date and fully patched. For your home computer, you should set your computer to automatically update the software whenever new patches are available. That's the safest way to be sure that you have the latest code protecting your computer. While most vulnerabilities are found in the operating system (those core instructions that the computer needs just to turn itself on), more and more vulnerabilities are being found in applications – Word, Adobe, QuickTime, RealPlayer, etc. No modern application is completely safe. In Windows, you can set the updates through the Control Panel. (Look for something like Automatic Updates or Windows Updater.) In other programs such as Quicken, you usually set the updates via Tools/Options or Preferences.

Of course, there's no such thing as a free lunch or perfect software. Sometimes, the patch will fix the program but will also break some function that some other program needed to run. When that happens, you must either decide to wait (and hope that the developers at one of the two companies will send out yet another patch to fix the breakage) or take the risk and reverse out the last patch. Unless the patch broke something that's absolutely mission-critical, you are almost always better off leaving it in place.

Incidentally, Microsoft has been releasing a packet of security updates on the second Tuesday of each month (so-called Patch Tuesday) for several years now. Some hackers are now exploiting that pattern and holding their latest virus until the second Wednesday so they have the most possible time before they are shut down. Even if you stay fully patched, there are no guarantees in life.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

24 September 2007

Email spoofing

Have you ever received an error message about an email that you didn't send? Or wondered why someone from your own company's email address is sending you ads for Viagra or financial alerts for penny-stocks? Have you gotten a spam message from yourself? If so, you've just seen email spoofing in action.

Anything about an email can be edited or overwritten including the From, Return-Path, and Reply-To fields. Commands inserted into the header of the email can make the message appear to come from anyone, anywhere saying whatever the sender wants it to say. Spammers and other hackers know that their response rate is 10% higher if they can match the recipient's name – they rely on curiosity and trust to trick you into opening a malicious message. The trick is built right into the hacker tools that are used to generate mass-mailingworms and other malware.

If you think you received a spoofed message, simply delete it. Most email programs allow you to block future messages from that address but that approach is no longer effective at actually stopping spam. The problem is that blocking User1@spoofvictim.com still lets junk through from User2@spoofvictim.com, User3, etc. The odds that the spammer will pick the same victim next time are negligible. But if you ever do get a legitimate message from User1, you'll never see it. If there really is enough spam from one location to justify a black-listing, our spam-filter vendor will find it and include it in their master list. That fixes the problem not just for your email but for everyone else at the same time.

Do not send a complaint to the person that you think sent you the spam. If it was a spoof, they can't do anything about it anyway. If it was not a spoof, all you've done is confirm that you're the kind of person who opens spam messages. You'll get more spam, not less. You can, however, forward a copy to spam@uce.com, a department of the Federal Trade Commission which collects and reports on spam trends.

If you think that your address has been spoofed, delete that message too. Some virus writers are deliberately mimicking the email error messages in the hopes that you'll open the attachment "explaining the problem" and infect your computer with their program. If you don't remember sending the message, trust your memory. It's very likely a scam.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

17 September 2007

Active Content - defined

At some point, you've probably seen an error message pop up that "Active Content on this webpage has been blocked. Click here for options." Microsoft and the other browser makers give us these warning so we can try to make choices about what to trust on the web and what to avoid. Unfortunately, most average computer users don't know what "active content" is or how to decide what to trust. There are no easy answers for deciding who to trust but after reading this overview, you should have a little more idea of the risks you are taking.

Active content today comes in two basic flavors – web scripts like JavaScript or VBScript and programs such as Java or ActiveX. Both use code embedded in the webpage to help the webpage do something extra (like drop-down menus) or formatting of the page look better. While these scripts make the webpage more user-friendly, they can offer a way for hackers to get into your computer.

Web scripts are used on almost every web site now. These scripts let the web designer customize the look and feel of the site and are very easy to use. The script is written into the webpage and is executed by your browser. There are limits to what the script can do, making them mostly safe. Unfortunately, one of the ways they can be exploited is to redirect you from a legitimate web site to a look-alike malicious one that may download viruses or collect personal information.

Java and ActiveX controls are actual programs that are already on your computer or can be automatically downloaded into your browser. ActiveX can do anything on your computer that you can do. That's helpful if the web page is supposed to find and run a program for you but very dangerous if exploited by a hacker. Untrustworthy ActiveX controls can be used to load spyware, collect personal information, connect to other computers or do other damage. (If you're trying to load or update well-known software like Flash Player or Adobe Reader, it's probably okay. On the other hand, if the browser is trying to launch something like WeatherBug or MemoryMeter, SAY NO!) Java applets usually run in a more restricted environment and have less rights on your computer (and therefore can do less damage if exploited), but if that environment isn't secure, malicious Java applets may be used for attack as well.

In general, you should set your Internet Options to block ActiveX. For computers containing highly sensitive information, you should also consider disallowing Java and JavaScript. Only allow the content through if you are sure that you are at a trusted website. Recognize, however, that the added security may cause some features of the website to not function or to function improperly. Once you've verified the security of a site, you can designate it a "Trusted Site" and allow future active content from that site. And always keep your anti-virus, anti-spyware and firewalls running and your software fully patched.

based in part on CERT Cyber Security Tip ST04-012

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

Next »