About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

30 posts categorized "Home Computer"

01 July 2010

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused.   To help, there is the security concept of using one secret (a key) to unlock keys to other services.   The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles.  That collection of keys is kept in a locked wall-mounted cabinet.  Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied.  They are stored in a browser-managed repository which is the equivalent of the “key locker” described above.  Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials.  But there is simple way to mitigate this risk.  For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords.  This master password is the equivalent of the key to the key locker in our physical world example.   This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard.  These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments.  Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

  • you create an account at the payment service using a unique string such as your email address
  • you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
  • depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it!  Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

  • go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
  •   proceed to check out and notice that there is a PayPal option, choose it
  • Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
  • you confirm your PayPal password and then tell PayPal which of your accounts to debit
  • when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
  • PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
  • PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that?  In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information.  Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time.  So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services?  Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history.  Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust


Posted by John Brady | | Comments (2)

| | | | |

02 June 2010

Parental Controls Online - 6 Questions to Ask Your Family

8S22SRE498JM

Have you ever noticed how your child's favorite TV shows are directing them to the Internet to watch extra episodes and access special content like games and other shows? My daughter is just now starting to show interest in our family laptop, finding it wherever we might be hiding it. We keep putting off establishing parental controls, but it's only a matter of time before she figures out how to make the laptop work.  As a family we will be nervous with not only the content she will be introduced to, but the wide variety of identity theftand other serious dangers that lurk within. Struggling with allowing her to learn while keeping her safe is a big challenge, one every parent is going to encounter.

This led me on a path of research, searching the web for keywords like "family safe internet software" and "parental controls for the internet."  I saw quite a few sites selling software solutions like NetNanny, BSecure, and free tools like K9webprotection. There were others which carried with them some recommendations like FocusontheFamily and ConsumerSearch, which suggest pre-reviewed products to use.

Looking at all of the options, I can understand how it would be difficult to choose the best product for your family. Here are a few questions to help identify your family’s need for a tool like this:

1) Who in your family needs protecting? Yourself? Children? Adults who are wary of the Internet? Guests?
2) What devices do you need to protect? Smart phones? Laptops/Desktops? Wii?
3) What applications does your family use? Internet browsers? Instant messaging? Social networking sites like Facebook or Myspace?
4) What operating systems and versions do you have? Mac? Windows? Linux?
5) What are you willing to spend to keep your family safe from these dangers?
6) What kind of monitoring do you want to have access to? Web surfing logs? Online game play? Instant messaging usage?

Let me know your thoughts on this topic! Please chime in and let us know what you do to keep your family safe.

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Posted by Jake Harris | | Comments (4)

| | | | |

06 April 2010

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them.  I focused mostly on “apps” within these social networking communities.   These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

  • Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball).  Do you trust the requestor?  Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you  can install it now and then proceed with your original task.  Do you know the software provider?

  • Review your privacy settings periodically, there are many recommendations  in this regard in the mainstream media (see table at bottom).
  • When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy!  There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!
  • Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it.  If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk.  To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time.  When creating such accounts do be sure they are not endowed with any administrative powers.  Delete all the files they leave behind and perform a virus/spyware scan.  Don’t think of it as being distrustful, think of it as good hygiene.
  • Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials,  tax returns, medical bills/records, …).   This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have  experienced ID theft, you may decide I am not being adamant enough!  Of course, you have to find a happy medium for your circumstances.  Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy

Privacy Recommendation

facebook

High level: NY Times

Very detailed: AllFacebook

MySpace

For better privacy control, switch from profile 1.0 to profile 2.0. 

MySpace recommendation

LinkedIn

Walk-through: Network World

LinkedIn recommendation

twitter

Creating a non-public  twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

Posted by John Brady | | Comments (1)

| | | | |

08 February 2010

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost  Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves.  There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect.  Really take the time to think about it.  Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers.  These are easy ones, but how about your customer contact lists?  new product ideas?  customer order histories?  etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control?  In addition to data loss, think about data integrity.  When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers?   How important are the decisions you make from your data.  The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located.  In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone.  Ask yourself these questions:

  • Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
  • Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
  • Where do you store and how do you protect your system backups?
  • Could someone gain access to a system backup and restore the information to their computer?
  • Can you reduce the number of locations that your critical information or copies of it are stored?
  • Are you relying on third parties to protect your information when it is in their systems?  Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information.  You should align your controls across systems based on the value of the information you are trying to protect.  You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored.  Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently.  Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Posted by Bill Murray | | Comments (0)

| | | | |

26 January 2010

4 steps to protect your data in an online transaction

Hello readers of the Westfield Insurance Information Security Tips blog!  I am new to Westfield, joining the InfoSec team in the capacity of Information Security Architect.  Previously, I was an information security consultant working predominantly in banking and pharmaceuticals.

 

You may be asking, "What is Information Security (IS) Architecture?"  In its broadest sense, architecture in the IT industry involves marrying an enterprise's business objectives to its current and future technology capabilities.  A good architecture does this by leveraging what is already present, or when needed, carefully introducing new types of technology.  When properly architected, the IT environment adapts smoothly to constantly changing business demands.  Information Security Architecture tries to achieve these same outcomes but within the specialized domain of information security.

 

What tips does an architect have regarding day to day information security?  Well, let’s take a security architecture concept and apply it to your situation.  For example, consider the idea of ensuring the confidentiality of sensitive information.  This idea is broadly applicable everyday on the web.  From an architectural perspective it is helpful to think about the two states of confidential information, namely, at rest (e.g., stored in a file) and in transit (e.g., whizzing across the Internet from server to laptop).

 

Take a scenario where you keep your credit card and expiration date in a file on your PC (you can remember your CVV, that three digit code on the back of your credit card, because it's so short).  Doing this makes it so much easier for you go shopping on the web because you can just cut and paste your information quickly, conveniently and without worrying about typing errors, etc.  So you surf to your favorite shopping site, find the widget you want to buy, follow the checkout process, open the credit card file, cut and paste your credit card information, submit it, and in a few days your stuff arrives.

 

Let's talk about your information's confidentiality during the 4 steps in an online transaction:

 

1)   In your computer file: First, if you saved your credit card information on your computer, it is sitting in a file.  Here it definitely should have been encrypted in such a way that only you could decrypt and read it, for example, using a password protected file encryption such as the free GNU Privacy Guard.

2)   On the merchant's order form: Next, you cut and pasted it to the online merchant’s checkout page.  Did you make sure the browser was indicating that the communications were protected by verifying that there were no browser warnings about unrecognized or expired digital certificates?  These certificates are used to help you make sure that you’re really at the web site of the merchant you think you are.  Some browsers use a color coding scheme in the URL field and green is usually the color indicating the site’s authenticity has been successfully verified. 

3)   In transit on the web: When you submit your credit card information, the data will suddenly be in transit across the Internet!  Prior to submitting anything, make sure it is protected in transit by confirming the URL of the page where you entered your personal data begins with the string https://... Instead of the normal http://... .  That extra ‘s’ in https is for security and it means the data stream between your browser and the merchant’s web server is encrypted.

4)   On the site receiving your info: And finally, after you press Submit, if you get any browser warning about information being sent unsecured, your browser is warning you that, although the page you were on was secure, the place you’re submitting the credit card info. to may not be.  When you recieve such warnings while transacting confidential information you should cancel out of the transaction and perform your purchase via a different medium (e.g., over the phone).

 

So, from an InfoSec architecture perspective, assuring that the encryption infrastructure is guarding your information at rest and in transit is all part of your personal information security architecture.

Posted by John Brady | | Comments (0) | TrackBack (0)

| | | | |

30 November 2009

Secure shopping reminders for Cyber-Monday

It's Cyber-Monday, the biggest on-line shopping day of the year, and that means it's time for Cyber-Monday scams. And there are a lot of them this year. Online shopping can be safe but you have to be careful where and how you shop. It's not really that much different from safe shopping at a physical store or over the phone. Be suspicious.

  • When shopping online, type the merchant's URL in by hand instead of following any "convenient" link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant's website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs
  • Read the site's privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don't trust the company to protect your personal information, shop somewhere else.
  • Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
  • Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
  • Check your statement carefully for charges you don't recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
  • Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here's one that isn't.

There are allegations online that a Facebook-based promotion being run by the Australian mall company which shares our name is a scam. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you'd give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall's promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

Posted by Mike Rossander | | Comments (3) | TrackBack (0)

| | | | |

04 November 2009

Information Security Concerns in a Pandemic

For a while now, we have been working on the development of a pandemic plan for our company.  Information Technology supports this plan in many ways.  Through the use of technology we can increase the number of employees who can “work at home” and use Virtual Private Networking (VPN) software to remotely connect into our systems to perform their work.  Getting employees out of the office but still having them be productive is a form of “Social Distancing” that can reduce the risk of exposure to disease.

A component of any pandemic plan needs to be communication on what can and can’t be done from an Information Security perspective, even in a pandemic situation.  For example, we only allow company configured machines to connect to our network, even over a VPN connection.  However, not all of our employees have laptops so many, therefore, cannot work at home.   It must be reinforced that information security policy is still policy even in a pandemic, and employees who do not have company laptops must not use email to send documents or data to themselves to work on using their home (or any non-company owned) computer.  This is the same for taking work home on portable USB drives or other media.  Even if you have the best intentions and only want to help your company, you are putting your company at risk of your data being intercepted, copied or lost resulting in a privacy breach.

Why be so paranoid?  Our employees are only trying to be more efficient and effective in a time where 20%-30% of the company might be out sick.  It can't be that bad, right?  Wrong.  A big reason why is “endpoint protection”.  Your company’s endpoints (workstations and laptops) have known, approved and licensed software on them, they have anti-virus software running on them, they are regularly patched for security vulnerabilities and they are free of peer-to-peer sharing software.  Some of your employees' home machines MAY be up to your company’s standards, but what if even one is not?  When your employee is done with their work, are you sure that no backup or temporary files will linger behind?  How many of your employees have children that use the home computer to share music or files?  How about viruses or malware infecting your corporate network once this work is brought back into your production environment?  What if the employee actually loses the USB drive?  Not to mention the risk of a shared or compromised gmail or yahoo mail account.

All of these scenarios can cause data leakage or data loss that can lead to a privacy breach.  According to the most recent Ponemon study that reports on the costs and causes of privacy breaches, “Over 88% of all cases this year involved incidents resulting from negligence.” This leaves only 12% as a result of malicious activity.  This 88% is composed of employees who think that they are doing the right thing, are trying to help and believe that nothing bad can happen.

So, please reinforce to your employees and peers that it is not safe to trust public networks, infrastructure or non-company owned equipment to store or work on company confidential materials.   Even in a pandemic situation were your workforce may be diminished and people are looking for innovative ways to “keep the lights on”, information security policy is still in effect and information security risks, and their consequences, outweigh lost productivity.

Posted by Bill Murray | | Comments (0) | TrackBack (0)

| | | | |

20 April 2009

A/S/L/P - Bridging the Internet Generation Gap

April 23, 2009 is national “Take Our Daughters and Sons to Work” day.  This day was founded in 1993 as a way to introduce children and young adults to career opportunities as well as demonstrate how skills learned at school will be applied later in life.

As much as our daughters and sons can learn about our careers; there is much that they can teach us about the Internet and Internet safety.  I propose as an extension to “Take Our Daughters and Sons to Work” day, that parents spend an extra hour or two at home with their children to learn about their world. 

If you have never watched your child, niece or nephew navigate a computer and the Internet; you will be shocked the first time you sit down with them.   Ironically, they may be able to identify ways to optimize and/or automate your daily activities.  Thank goodness for child labor laws; otherwise, your next boss would probably be twelve!  Our children are light years ahead of us when it comes to finding information on the Internet.  Unfortunately, many still lack the practical experience to determine when they encounter a dangerous or unhealthy situation.

Remember how excited you were when you received that letter from half way around the globe as your pen pal reached out to you?  Today’s children communicate daily with friends and relatives around the world.  Through social networking sites such as Facebook and My Space, long lost friends or new ones are only a few keyboard and mouse clicks away.  Twitter, Jaiku and Pownce are a few other places where kids are sharing information about their daily lives.  Using cell phones, these posts can happen anytime, anywhere giving the world up-to-the-minute updates. Celebrities like Erika Badu have gone as far as blogging their childbirth experience.

While this information is harmless when shared among friends and family; it may have serious consequences when obtained by the wrong person.  Cyberbullying and cyberstalking are examples of overt Internet crimes.  Online predators are manipulating our children to engage in dangerous and sometimes deadly situations.  Despite the popularity of news programs like NBC Dateline’s, “To Catch a Predator;” there continues to be increases in online predation.

This leads us all the way back to what started this blog; Take Our Daughters and Sons to Work Day.  This is a great opportunity to reach out to your children and learn what they have encountered on the Internet.  Find out what sites they visit regularly.  If they have a Facebook or My Space account, it might not hurt to set up one of your own to monitor their online activities.  Ensure they are not posting private information such as their address and/or phone numbers online.  Be aware when they are blogging their whereabouts.

Finally, a kilobit of prevention is worth a gigabyte of cure.  If you don’t have an Internet filter installed on your home computer(s)…get one.  There are many free ones available.  You can download a couple of them here and here.  Get involved with your children’s social networks. Besides ensuring they are not disclosing sensitive information, you may find yourself catching up with old friends and making new ones.  Keep the computers in an open location as opposed to the children’s rooms.  There is no reason to wait until somebody comes up with “Take Your Parents to the Internet” day, to start protecting our children today.

ICYC (In case you're curious), if you don't understand what the title of this post means; it wouldn't hurt to know the lingo your children use to communicate over IM (instant messenger) and txt (text messaging).  You can find a list of text lingo here.  What you find there may surprise you.  Especially when you find yourself the AITR.

Posted by John Doan | | Comments (0) | TrackBack (0)

| | | | |

31 March 2009

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines.  The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken.  The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money.  This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats. 

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

  • Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008.  New patches are being released all the time.  I guarantee viruses and worms will be written to exploit them.

  • Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer.  We hear this all the time.  Are you doing it?

  • Don't download and run pirated software or software that does illegal things.  This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

  • Be suspicious of everything.  And even more so if someone or something is trying to help you or give you something for free.  Nothing is free.  Come on, you know that don’t you?

 The bottom line is simple. Protect the information on your computer the same as you would protect your physical property.  Lock your doors and windows.  Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars.  Change your locks if you think that someone has been inside your house.  Don't accept (or seek out) stolen property.  If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible. 

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions.  Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Posted by Bill Murray | | Comments (1) | TrackBack (0)

| | | | |

16 February 2009

Anti-Virus Software?

    Just the other day, I ran into another person who told me they don't run anti-virus software on their home computer. I looked at them in disbelief and asked why they would expose their computer/personal information to the potential danger? The response I got was, "I've never had a virus on my computer before". As I explained to this person that they have every right to not run anti-virus software, I cautioned them and asked that they looked at the risks they were taking.

     I started to ask what things were on the computer such as financial information, etc. Next, I asked if they used their machine for online banking. I started to see a look of concern on their face. I stated that getting a virus is as easy as clicking on a link in your web browser. I said I would hate to see a virus drop a keystroke logger on their computer and get their online banking credentials. Some legitimate sites could have been hacked and not know it yet.

     I know because it has happened to me. I was surfing on my children's computer and clicked on a link. Immediately, a second browser opened and my anti-virus software popped up an alert. Fortunately, I was running AV software that contained it and their computer had zero information on it. I got to spend my Sunday afternoon rebuilding their computer.

     Symantec states that “10-15 new viruses are discovered every day.” A Network World article written in May 2008 says “The total number of viruses will reach 1 million by year-end, according to security experts.” With this information alone, it makes a great argument to make sure to run anti-virus software. Anyway, a lot of Internet Service Provider’s (ISP) are giving it away for free because they don't want the potential problems inside their own networks. I guess the way I look at it is, I would rather spend a little time and maybe some money to reduce my risks of identity/financial theft than spend potentially thousands to straighten out my credit.

Good luck in whatever you choose to do.


Jeff Gibson

Vulnerability Management, Compliance & Forensics Analyst

Westfield Group

Posted by Jeff Gibson | | Comments (1) | TrackBack (0)

| | | | |

09 February 2009

Experiences of a carpenter

Hi everyone, I'm Jake Harris one of the new team members who will be carrying on Westfield Insurance's Information Security Blog.  I thought I'd take a second and share with you a recent issue which I've seen quite often.

I recently had the chance to work on a friend’s computer. (Actually it was a fair trade; I'll fix your computer if you can watch my daughter for a few extra minutes)  The first thing I noticed was a little black box connected directly to their computer.  I asked "Don't you have a router?”  The response was "sure do, it's down in the garage with the other wood working tools".  I laughed as I've heard that one more than once in my travels.  But from a more serious point of view a router is a very handy piece of technology, not to mention component of securing a home network.

I'll take a few moments to explain (no not in great detail, unless you ask me for them) what a router is, why it really makes sense to get one, and how simple they really are to use.

What is a "Router"?

Well a router is a rather complex device if you start talking about all the cool things they could do in a corporate network, rather from a home network point of view a router is a device which acts as a protective gate between your home network and your internet connection. 

Think of it like this if:

·         A computer with a password is a locked building

·         Antivirus software on a computer is a security guard patrolling that building

·         Your home network is like a parking lot connecting all of the buildings

Then a router would be a protective fence surrounding your parking lot with a gated entrance.  The gated entrance is only going to let something in if it is welcome or allowed to come in.

The technology used to make this happen is called NAT (Network Address Translation), basically what that means is the router is the actual computer that gets a "public" address or “dirty” address, and then the router provides each home computer a "private" address.  The router is usually very secure from an internet point of view, so you don’t have to worry about it getting damaged.

Why should I get a router?  I don't have a parking lot, or security guards?

No, most people probably don't have parking lots or security guards, and I wonder to myself why, well point blank they can't afford it.  But a router is cheap, usually less than $50, and if you can afford that type of security for your home network maybe you should get it, not to mention you can connect multiple computers at one time to the internet and use wireless.

You just said they are complex, are you sure they are simple?

In short companies which make home routers have done a great job of making them simple to install in a home network.  In many cases all you have to do is:

·         Open the package

·         Plug power into the router

·         Plug your internet connection into the Internet port on your router

·         Plug your computers into the private ports on your router

·         Reboot your internet connection device (simply remove the power, wait 5 seconds, and plug it in)

And you’re ready to surf once again.

A few thoughts on keeping your router safe:

·         Change the administrator password

·         Update the firmware every few months or as available

·         Backup your router’s configuration

All of these tasks should be documented on a CD or paper that comes with your router.

Will a router fix all your worries, well a short answer is no.  Anti-virus, Anti-spyware, updating your software (patching) and safe web surfing practices are just as important, however a router is still an important component of keeping your home computer secure.

Well I hope my thoughts reached someone out there and made them a little more secure.  Looking forward to hearing about other’s thoughts and experiences, even if you want to tell me about that great new router you just bought or a vote for a next topic.

Thanks for reading,

Jake

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

24 November 2008

Secure shopping (encore tip)

This Tip was first run in Dec 2006 when forecasters were predicting the biggest online holiday shopping season ever. Amazingly, that forecast is still true - the volume of online shopping continues to rise (though perhaps not quite as dramatically as in previous years). This "encore tip" is a reminder to shop safely during the holiday season.

Last year was the busiest online shopping year in history – and this year looks like it will be even busier. Shopping online is a convenience that we are quickly learning to take for granted. At the same time, identity theft is a steadily more serious threat. There are some risks you should consider, especially when making purchases over the Internet.

  • When shopping online, type the merchant's URL in by hand instead of following any "convenient" link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
  • Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant's website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs.
  • Read the site's privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don't trust the company to protect your personal information, shop somewhere else.
  • Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
  • Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
  • Check your statement carefully for charges you don't recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
  • Consider keeping a separate credit card with a low credit limit just for internet purchases.

Remember that these rules apply when you are paying by telephone, too. You should always call the merchant (or utility, charity, etc). Never give someone your financial information if they called you. No matter who they say they are, you don't really know who's on the other end of that line.

Shopping online can be as safe as shopping in a physical store or through a catalog as long as you shop responsibly.

Posted by Mike Rossander | | Comments (1) | TrackBack (0)

| | | | |

17 November 2008

OnGuard Online

As the holidays get closer, many of us will turn to online shopping. Done right, online shopping is about as safe as catalog shopping - and much more convenient. If you don't take basic precautions, though, you could lose your shirt. Take the time to learn about the kinds of scams and cons that are used online.

The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams. If you haven't already been out to visit www.onguardonline.gov, I strongly recommend the site. It has some excellent overview material on security at the personal and small business level. The site also has a set of games covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam. Test your knowledge of internet security and safe shopping. It's well worth the time to visit the site.

The site's material comes from a number of public and private sources but is all released for public use. If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word. (Instructions are here.)

Addendum:
This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I've run across. I'll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

18 August 2008

Filesharing - defined

All the kids are doing it. And depending on which news reports you read, it's either the inevitable wave of the future or another sign of the collapse of our society - or both. But what is filesharing really?

Filesharing is the term for software designed to make it easier for you to share stuff through your computer with other people. (I use the technical term "stuff" here because you can share literally any electronic file through these tools but the most common shared files are documents, music files and videos – and viruses. More on that in a minute.) The most common form of filesharing is "peer-to-peer" (P2P) sharing, a way to share files directly from your computer to someone else's computer without needing to store it on a server somewhere. If I want to download a file that you've offered up for sharing, I reach through the internet and grab it directly off your computer.

This kind of filesharing requires special software such as Limewire, BitTorrent or Kazaa. These applications create an index of the files that you've offered for sharing and publish the index to the Internet so others can find your files. They also let you access the index and download the files you want. Filesharing is an easy way to publish documents widely and can get you access to all kinds of free content. Music is especially easy to find.

The problem with filesharing is that it exposes you and your computer to all sorts of risks that are not disclosed by the filesharing network or those "friends" who are pressuring your kids.

  • When you use P2P, it is essentially impossible to verify that the file is trustworthy. Hackers hide spyware, viruses, worms and trojan horses and other malicious code into the files. When you download the file, you infect your own computer.
  • P2P also opens up your computer to outsiders. The applications claim to only expose certain directories but 1) you don't know if the application is locking the folders down properly and 2) it's too easy to misfile a confidential document in a shared folder. Any little mistake opens up your confidential information to the world.
  • Most P2P applications require you to open up certain ports on your firewall so it can send or receive the files. Hackers exploit those open ports to attack your computer directly anytime it is connected to the internet.
  • And, of course, the big risk that got so much press when Napster was being sued into bankruptcy is the phenomenally high proportion of copyrighted material being illegally offered for "sharing". If you download pirated content, even unknowingly, you could face fines or other legal action. The Recording Industry Association of America (RIAA) is especially aggressive about finding and suing individual users who have illegally copied content on their computers.

If you run a network, either at a business or at home, I strongly recommend that you block filesharing sites. Remember, you go to jail or pay the fine whether they downloaded the illegal software with your knowledge or not. If you have kids, turn on your computer's parental controls and block those sites. Teach your kids to buy their music legitimately.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

28 July 2008

AntiVirusXP2008 warning

Last month, we wrote about scareware and hackers using fake update notices. In the past few days, we've seen a sudden increase in one of these attacks coming from one of the former Soviet republics. This group is exploiting a "DNS hole" to hijack visitors who are attempting to visit legitimate websites (such as a hotel in a common vacation destination like Hilton Head). The hacker redirects the victim to the hacker's virus-infected website, then automatically loads a virus onto your computer. From what we've seen so far, this virus first disables your existing anti-virus program, then slows down your machine and finally starts to present you with a false warning that your computer is badly virus infected and needs to run AntiVirusXP2008 to clean it up (for only $50 which they want you to send to them in Russia). The warning message lists hundreds of "infected" files on your machine. Many of those files are, in fact, on your machine but are legitimate files needed by the operating system.

At Westfield, we normally have to clean up about one infected computer a month. It's jumped to 6 in the past week. Worse, this virus has proven particularly difficult to clean out. Our IT department has found it necessary to completely reimage the machine in order to fix the problem.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you're going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer's defenses every day but many of those updates can't take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

02 June 2008

Scareware - defined

Have you ever seen a "free" offer to scan your computer for security vulnerabilities? The most common one that I get is a pop-up ad that reads "Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click 'Yes' below." It looks like a great idea. You're offering to test my machine for free so I know what, if anything, needs fixing. Doctors, mechanics, even the lawn guy offers that kind of free screening as a legitimate way to build a relationship with new customers.

Unfortunately, most if not all of these computer scanning offers are scams. They are rogue programs that will always report something that needs to be fixed or cleaned whether the flaw is real or not. They are designed to scare you into believing that there is something terribly wrong with your computer that only their software can fix.

Examples that attack Windows computers include SpySheriff, WinFixer, IEDefender and Cleanator. Interestingly, Mac users ran into this problem for the first time in January with a product called MacSweeper. MacSweeper is so "thorough" that it even finds flaws when it's run against a PC – flaws that can only exist on a Mac.

Most of these are simple attempts to con you out of money or credit card numbers. Some are more malicious and will load spyware onto the computer or even disable your existing antivirus programs.

Never run software from unknown sources. If you do suspect that your computer may be vulnerable, use your own anti-virus and anti-spyware software. Don't trust that "free" offer.

Note: The word "scareware" also includes more harmless pranks such as the program that pops up and says "Erase everything on hard drive?" with two buttons labeled "OK" and "OK". (Nothing is actually deleted in this prank.) Just ignore those pranks.

A few more popup examples:
Infosec_scarewareerrorsafe_2
Infosec_scarewaresystemdoctor_2

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

14 April 2008

Web browser security settings

Your web browser is your primary connection to the Internet, either by reading web pages directly or through applications that use your browser to function. How you set the security makes a great deal of difference for your computer's safety.

Those security settings will also affect the functionality of some web sites. Web page writers try to improve your experience by enabling different features. Sometimes they're nice but they leave your computer more vulnerable to attack. In fact, a common hacker trick is to set up an "innocent" website with attractive content but which will not work correctly unless you reduce your security settings, exposing you to the hacker's malicious content on other links. The safest policy is to disable those optional features until you decide that it's necessary and that the website is trustworthy. (In most cases, you can enable the feature temporarily.)

Note: Your IT department should control the settings for your work computer. Make sure that they have the security controls locked down so users can not accidentally expose their computer to unacceptable risks. If you use Internet Explorer, you can find the security settings by clicking Tools/Internet Options/Security. (Firefox and other browsers generally use similar paths.) If the security is properly locked down, you should be able to see but not change the settings.

Internet Explorer uses the concept of "zones" and lets you set the security level differently depending on where you are browsing. For most of us, the most important zone is "internet". This is the general zone for all public websites and is the default used when the browser doesn't have different instructions. This should be set as high as possible but never below "medium".

The "local intranet" zone is usually used for internal content. Since your own company developed the pages, it's usually safer to use a slightly lower level of security as long as there is a business reason to do so. "Trusted sites" are those that you have decided are well-designed and use good security practices. Our work computers have certain trusted business partners pre-loaded in this zone. I have none in my personal computer at home.

"Restricted sites" are those that you think might not be safe and that deserve the highest level of caution. Frankly, if you're that suspicious, you're probably not surfing there anyway. But it can be helpful to mark those sites because it will provide an extra layer of protection if your computer is calling those domains for "hidden" content like ads and pop-ups.

Your browser also has some security settings related to JavaScript, ActiveX controls and Plug-ins. You should only allow them if you are at a trusted site. See the tip on Active Content for suggestions on those controls.

You should disable cookies except for sites that you trust that require them. Add those manually to the browser's "allowed" list. Definitely block pop-ups but remember that it will break some websites. You can always allow the pop-ups on a case-by-case basis.

In general, always set your security for the highest level possible. Then lower the security only when a page fails to work properly and only as far as you need to or for as long as you need to. Once you've set the controls properly, it's not that much work to maintain. But it is a vital part of the protection of your computer and your confidential information.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

17 March 2008

Protect your computer from Spyware

Spyware is Internet jargon for advertising-supported software. This type of software often automatically installs itself on your computer without your knowledge in order to collect your personal information and provide it to a website or advertiser. Spyware is hidden in the background and keeps track of your web browsing, what information you enter into forms and even the configuration of your hardware and software. The company receiving this information may use it directly or, more likely, will sell this information about you. Based on this information, you may begin to see incessant pop-up ads, giving the false impression that the Web page being viewed is responsible for the constant annoyances.

Spyware usually is usually hidden in or behind an application that you want to use (such as a music player). When you install the software, the spyware application also installs itself.

In addition to the annoyances of increased spam and advertising, the spyware application ties up valuable computing power and can eventually make it run slower. It can create conflicts with other software on your machine causing programs to lock up or causing your machine to crash. It can even be abused by hackers to steal your password or to take control of your computer.

If you load software from the Internet, read the license agreement carefully. Some companies actually disclose that they will install an application on to your computer and may allow you the option to "opt-out". For example, RealJukebox has the ability to track how you used the program including the number of recorded songs on the computer, the format that songs are recorded in, the user's musical preferences, the quality level of the recordings, and the type of portable player connected to the computer.

You can use specialized software to find and disable spyware applications and to protect your computer. Two of the better-known free-ware applications are SpyBot Search and Destroy and Ad-Aware. Whatever anti-spyware solution you pick, be sure to keep it updated and run it regularly.

Be sure to read all "End User License Agreements" very carefully and make sure you understand what is actually going to be installed on your home computer.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

11 February 2008

Firewalls

A firewall looks for and attempts to stop forbidden communications between two computers. Firewalls work by examining each piece of traffic entering or leaving the network and blocking those which do not meet specified criteria. If the communication is an allowed type (for example, Windows passing your user name and password to the company network during login), the message is allowed through. If the communication is unrecognized (for example, a virus attempting to impersonate Lotus Notes but really sending your password out to a hacker), the traffic can be stopped.

There are two kinds of firewalls: "personal" or software firewalls and "network" or hardware firewalls.

  • Software firewalls are relatively easy to install and provide good protection. They filter traffic entering or leaving a single computer. Software firewall programs (such as ZoneAlarm, Norton or Comodo) can be downloaded from the Internet and may be available in a free version for home users. (Note: If your home computer's operating system is Windows XP or Vista, it has a built-in software firewall but Windows has not traditionally performed well in bench comparisons. Most security experts recommend replacing or at least supplementing the Windows firewall.) For more on personal firewalls and how they work, see the first page of this article.
  • Hardware firewalls require you to buy and connect a separate piece of equipment, but they provide stronger protection. They plug in between your internet connection (such as the cable-modem or DSL line) and the computer. Hardware firewalls are often built into routers, allowing multiple computers to share a single, protected connection to the internet. Hardware firewalls often also have the ability to perform network address translation (NAT) which hides the specific IP address of your computer and makes it much harder for a hacker to launch an attack against you. Hardware firewalls are available at many electronics retail stores, usually starting at $50-$75.

CERT (the Computer Emergency Readiness Team) strongly recommends the use of hardware firewalls, especially if you have a broadband or "always on" connection. See "Before You Connect a New Computer to the Internet" for more information.

Some firewalls will display a pop-up box asking if you want to allow the message. If you see one of these pop-ups, never allow the traffic unless you are sure that you know exactly what it is doing. Remember, the firewall won't do any good if you give permission for the virus to send out your password.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

21 January 2008

Patches - defined

Security geeks often talk about keeping your computer "patched". Here's what we mean and why it's so important.

In a perfect world, all the code on your computer would do exactly what it's supposed to do and nothing more. In the real world, new code was added on top of existing code to fix a problem or to add some new feature until, over time, the code became too complicated to test for every possible scenario. Hackers found ways to exploit the holes in the code. By sending just the right command in just the right circumstances, they could make the computer do something it shouldn't – like give the hacker permission to install software and take control of the computer.

When such a vulnerability is discovered, the developers who made the software have to figure out how to plug the hole – how to change the code just enough to stop the hacker without shutting down the new feature they added or interfering with some other application. "Patches" are the bits of code to be added to your computer to fix that hole. (Patches can also be used to add a new feature or fix something else in the program but for now we'll stick to security patches.)

At work, your IT team should be responsible for keeping your core applications up-to-date and fully patched. For your home computer, you should set your computer to automatically update the software whenever new patches are available. That's the safest way to be sure that you have the latest code protecting your computer. While most vulnerabilities are found in the operating system (those core instructions that the computer needs just to turn itself on), more and more vulnerabilities are being found in applications – Word, Adobe, QuickTime, RealPlayer, etc. No modern application is completely safe. In Windows, you can set the updates through the Control Panel. (Look for something like Automatic Updates or Windows Updater.) In other programs such as Quicken, you usually set the updates via Tools/Options or Preferences.

Of course, there's no such thing as a free lunch or perfect software. Sometimes, the patch will fix the program but will also break some function that some other program needed to run. When that happens, you must either decide to wait (and hope that the developers at one of the two companies will send out yet another patch to fix the breakage) or take the risk and reverse out the last patch. Unless the patch broke something that's absolutely mission-critical, you are almost always better off leaving it in place.

Incidentally, Microsoft has been releasing a packet of security updates on the second Tuesday of each month (so-called Patch Tuesday) for several years now. Some hackers are now exploiting that pattern and holding their latest virus until the second Wednesday so they have the most possible time before they are shut down. Even if you stay fully patched, there are no guarantees in life.

Posted by Mike Rossander | | Comments (0) | TrackBack (0)

| | | | |

Next »