Information Security Tips from Westfield Insurance: Home Computer

Follow @WestfieldIns

Search

About

Westfield Links

Westfield Blogs

InfoSec Favorites

CMU Anti-Phishing Game
Learn to identify fraudulent URLs
OnGuard Online
Many security tips and educational materials collected and shared by the FTC
Anti-Phishing Blog
Lots of examples of phishing and other scams
SEO by the Sea
Search Engine Optimization
Fraudwar
Schneier on Security
eDiscoTECH
Reviews of legal cases and decisions in the new field of Electronic Discovery
IT Business Edge

35 posts categorized "Home Computer"

Great Browser Add-ons for Better Privacy and Security

Have you ever dabbled in Firefox, Chrome or Opera web browsers? These are all popular alternatives to Internet Explorer (IE).

Firefox (FF) burst onto the scene a few years ago as a vibrant successor to the aging Netscape communicator. What made Firefox unique is that, unlike the largely monolithic structure of IE, Firefox is built in layers like an onion. There is a small kernel of basic browser functionality and then some default outer layers that give it the familiar FF look and feel. But because of this onion-like structure, and because it is open-source software, users that had the technical skills could modify just about anything else about it! By far the most popular way to modify it was to add visual themes to change the shape and location of buttons and the overall color scheme. The next most popular modification was so-called add-ons. Add-ons change the fundamental way the browser works and, for our purposes, how security and privacy aspects function.

On behalf of their end users, security-oriented developers knew that browsers are one of the primary conduits for malware to get onto and take over systems and their contents. But with FF’s architecture they realized they could enhance browser security by leveraging the fact that add-ons “have dibs on seeing” incoming web site content as it comes into the browser kernel! Thus, add-ons could give the user back control over their privacy and security. As always – these add-ons do cost a little more in terms of user attention to their configuration and alerts. But such is the price of increased control. By and large the suggested add-ons below do an exemplary job of letting users tune them so security and privacy is improved without being overous.

So, here are some of my favorite FF add-ons that will raise your awareness of all things security and privacy on the web:

LastPass – truly superior, genuinely secure, browser password vault

If you allow your browser to save your web site account names and passwords then you should switch from the built-in function to using LastPass. LastPass uses genuinely strong encryption methods to encrypt your personal information. Furthermore, all the encryption is based on your master pass phrase, which only you know, and all of your information is encrypted before leaving your local system – not on the LastPass web server! This means that even LastPass employees have no access to your information (nor would anyone that successfully hacked them). However, because your personal info is stored “in the cloud” all of your personal information is available across different browsers (FF, Chrome, IE) and across different systems (work, home, mobile).

Adblock Plus – eliminates ads in your browser, period, end-of-story

Without screwing up the appearance web pages, AdBlock Plus simply eliminates 99% of ads from your browsing experience. It is highly controllable via a little pull down menu so if you go to, say a not for profit web site that you know is ad-supported, you can tell it to not block ads on that site. This is security-related only insofar as that ads are a conduit for spyware entering your browser. In addition to turning on your browser’s pop-up blocker this will go a long way towards improving security and lessening annoying unsolicited ads. As a side effect, it will also speed up web page loading times.

Collusion – graphically exposes tracking and selling information about your browsing habits

Collusion shows you what companies are collecting information from your browser about where you go on the Net. The graph is color coded to distinguish between the web site you went to for content (e.g., www.nytimes.com) versus partner sites which collect information about where you have been on the web (e.g. doubleclick.com). It literally connects the dots so you can understand how the NYTimes is connected to CNN through both having cut deals with some third party tracker like Google’s DoubleClick subsidiary. It’s purely informational, but when combined with No-Script below, it gives you control over who can learn what about your browsing.

Certificate Patrol – detects changes to secure browsing certificates (websites you access via HTTPS)
For those not familiar with HTTPS certificates, they are the heart and soul of how your browser decides it is safe for you to trust that the web site you are buying a new golf club from really is Callaway’s web site. Certificate Patrol is a mostly passive/informational. It tells you about the certificates your browser has seen and what has changed about them since the last time your browser was at that site. So, while it is just nerdy to find it is interesting to discover that Google uses several certificate authorities for different Google products (Google+, Gmail, Google Apps, etc.), it is concretely security enhancing that it will tell you if a site’s certificates are either revoked (by the signing certificate authority), expired or forged before you input your credit card information!

NoScript – makes visible and/or stops unseen chatter between the browser & 3rd parties

Of these add-ons, NoScript is the most in-your-face. However, in exchange for a little bit of extra interaction with web pages you gain a ton of awareness and/or control about what third party web sites your browser is “secretly” interacting with on virtually every web page you visit! That’s right – virtually all commercial web sites have links or bits of JavaScript embedded in them which, if allowed to execute, send information about you, and the page you just landed on, off to third parties. NoScript takes the attitude that the user should remain in control of their browser communicates, therefore, by default, it stops script execution. As with the other extensions mentioned it provides a drop-down menu that lets you control which site’s scripts to allow. This is a little annoying at first since it interrupts the seamless loading of a lot of web sites. However, it has options that allow you to tune it’s default behavior to be significantly less intrusive. In any case, the information about all the different linkages to third party tracking sites, etc. is a real eye-opener! If you install it with the aforementioned Collusion extension you will start to see patterns of firms that track you as you browse the Net! Another nifty feature, if you have no idea which of these “third parties” (the ones in the NoScript drop down menu) to trust, you can shift-click on their names to research, from a variety of trusted sources, what each one has a reputation for doing with tracked information such as shopping your email address around or selling information about which ads you click on.

You can get these add-ons to FF by using the Tools >> Add-ons menu item, and searching for each by name. Then follow the installation procedure for each. To remove an add-on on FF, just go to Tools >> Options >> General tab >> Manage Add-ons button.

What are your favorite security and privacy related plug-ins for FF or other browsers?

Credit to Steve Gibson of Gibson Research for pointing out some of these add-ons by name in his excellent Security Now! podcast (part of the This Week in Tech network of podcasts): http://grc.com.

John Brady is Information Security Architect Engineer at Westfield Insurance.

John Brady on 21 July 2011 | Permalink

Unsecured Wi-Fi Hotspots

If you are one of the many Americans who use an unsecured Wi-Fi network at home, then this blog is for you. You know who you are. At this very moment you are shifting uncomfortably in your seat thinking … how bad is it really?

And for all those readers who are disdainfully thinking that only a three-legged alien from Mars would be crazy enough to use an unsecured Wi-Fi network at home, let me ask you this … how many of us have been enticed to frequent certain establishments because they advertise ‘free Wi-Fi’? You know how it is. You’ve just dropped your child off at piano lessons, and with 45 minutes to kill you decide to visit your favorite café to curl up with a cup of java and use the ‘free Wi-Fi’ to update your Facebook page. All the while thinking you're safe as long as you don’t do any online banking on this Wi-Fi network.

Unfortunately, any semblance of "safe surfing" from any type unsecured Wi-Fi network is about to be debunked.

In a June 22, 2011 article published by SecurityWeek.com, titled “How Logging On From Starbucks Can Compromise Your Corporate Security”, author Ram Mohan describes three methods that hackers use to maliciously gather data from web enabled devices. While Ram focuses on the potential theft of corporate data, you can easily apply his message to understand all the ways in which your personal data may also be vulnerable to attacks when using an unsecured Wi-Fi network.

Safe Surfing Tips

In response, we’ve provided a few quick "safe surfing" tips:

First and foremost, whenever possible, use only SECURE Wi-Fi networks. Always feel free to ask the establishment or hotspot owner if their Wi-Fi network is secure. If your device shows several Wi-Fi network names, ask the proprietor which one belongs to their establishment. Never use an unsecured Wi-Fi network when you don’t know who the owner is – this is a very common way for hackers to pick-up victims’ traffic!
If your device is configured to auto-connect to Wi-Fi, consider enabling the notification feature in your Wi-Fi network settings. Once this is done, your device will prompt you prior to connecting to an unsecured/open Wi-Fi hotspot. This will keep you in control of which of the available networks your device is connecting to. You may also prohibit your device from automatically connecting to Wi-Fi hotspots. See your device’s user manual under Wi-Fi settings for instructions. Many user manuals may be found online.
Whenever possible use the secure/encrypted version of whatever site you are surfing. When you see ‘https’ in the web address, the ‘s’ actually signifies ‘secure’. For sites where you already have accounts such as Gmail or Facebook, you can find out how to connect to the secure/encrypted version typically by reviewing the website’s privacy or security settings once you are logged in. These settings are usually found via a link on the front page of the site. Sometimes you have to poke around a bit. Not all sites have this option. Don’t forget to save your new settings!
Whenever banking, ALWAYS verify that the web address begins with https and make sure your browser does not warn you that there is anything unusual about the certificate in use! If you see a warning or the login page is not https, call your bank immediately.
Always explicitly ‘log out’ or ‘sign out’ from your favorite websites and wait for the page confirming that you are logged out to load. Simply clicking the “X” to close your Facebook page is not enough especially when using a public system as in a library or Internet café. (Internet cafés are very popular abroad).
Be wary of downloads! Do not blindly download files or software from the Internet, as they may infect your computer with a variety of malware. When in doubt, contact the website from which you want to download – and ask whether or not the download is secure.
If something seems too good to be true – it probably is. Be wary of all pop ups; and especially wary of ones that say “you’ve just won a grand prize” or “click here to retrieve your free gift”. Pop ups, like downloads, can carry malware to your computer! Make sure your browser has a pop-up blocker – and USE IT!

What questions do you have about unsecured Wi-Fi networks? Post your questions in the comments and we'll post an answer!

- Heather Smee

Westfield Insurance on 06 July 2011 | Permalink | Comments (2)

Cyber Monday: How to Manage Online Store Passwords

Have you ever been sitting in front of your computer, getting ready to purchase a gift for someone and just as you click on the checkout button you see the dreaded "Create a new account" option staring back at you? To me this means yet another password and user ID that I'll need to somehow remember but keep secure at the same time. To make matters worse, I need to figure out some way to allow my wife access to the account as well, without leaving the password lying around for any and all to pick up and use.

My idea: Create a password list!

Here's my example:

Create a simple word or text document on your computer, choose a name for the document that would normally not be interesting to someone who was searching for a password like, FinalEssayOntheMigrationofBirds.doc or VehicleRepairTips.txt.

Next, fill it in so it looks something like this!

OnlineStore1 User3251 Y78
SuperBank 2729303 8n!
OnlineStore2 HappyMe123 Ii4

Your first row is the purpose or website for the account, if you feel really daring you can even create a link from this name to the website where you use it. The second row is your user account or ID for that website. And the last is a set of numbers, letters, or symbols you would either append to the end of your "known" password or place in front of your "known" password.

A "known" password is a simple word that is easy to remember for you and anyone you share the list with, for example November or Snowstorm might be common shared passwords. You'll never write or type this one anywhere; it should only be known by the people who share it.

For example, let's take the information I entered above, OnlineStore1 User3251 Y78. If I was going to login to OnlineStore1, and I used the account User3251, my password would be NovemberY78.

Hope this helps keep some passwords secure this shopping season!

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 29 November 2010 | Permalink | Comments (6)

Securing Mobile: When a Phone is as Powerful as a Laptop

There seems to be a disconnect between want and need with respect to smartphones and information protection. Securing mobile is a “downer” along at least two main axes of mobile phone interaction: convenience and cost.

If your phone is as powerful as your laptop; meaning the operating system, the peripherals and the applications on your phone are as – or are more - sophisticated than those of your laptop then shouldn’t the security measures that protect the contents be similar? The real question here is, if you’re using your phone to process the same information as your laptop, then we have to ask – how can one justify not securing it to the same degree as your laptop?

My opinion is that the only logical answer is yes. For an increasing number of functions, phones are replacing laptops. I believe that there are ways to secure mobile phones to the same standard as laptops while minimizing the inevitable inconveniences and extra cost. The solutions require thoughtful re-evaluation and sensible compromise. Rather than slapping the old products from the laptop onto the smartphone, we should look at it as a qualitatively different platform.

Drawbacks to Treating a Smartphone like a “Small Laptop”

Here’s an example of when it may be typical to treat a smartphone as a “small laptop”.

Many companies now use URL filtering perimeter systems, such as WebSense, to prevent employees from accidentally going to infected websites. When an employee uses their laptop outside the company network, you may tell them they must “VPN into” the network before using the web. (This way, once the VPN tunnel is established, their browsing goes through the URL filter.)

It is possible to treat the smartphone like a laptop in this scenario, because there are VPN clients that work as well as the laptop version. Employees could be told to “VPN into” the corporate network before web surfing on their smartphone.

However, there are drawbacks: a) VPN clients take a fair amount of computational horsepower to run, and b) from a network architecture and management standpoint, why tunnel all that traffic from every mobile browser into the corporate core in order to turn around and go back out to the Internet?

Rather than treating the smartphone like a laptop, the solution may be to change how your URL filter works. So perhaps, instead of bringing the traffic to the filter, bring the filter to the traffic! Put the URL filter on the Internet, and everyone’s computer (smartphone or laptop) can get to it from everywhere. Companies such as WebSense and zScaler advocates and vendors of such solutions.

Speaking of changing the place where the processing happens – how about using another ancient solution? How about moving where the applications run and so, where the information is processed? I am speaking here of just using the phone as a window into the corporate computing environment. This is déjà vu all over again, the fat client/thin client debate of the 1990s – the Unix X Window system and Citrix ICA. The fact is that this class of “collapsed data center” solution, which once suffered complaints about bandwidth and server capacity issues has become increasingly viable not increasingly outdated. Since the days of the mainframe terminal sessions, the thin client paradigm was always attractive from cost, administrative and data security perspectives. Now the protocols for computing in the data center core and transmitting just the display have become more efficient and bandwidth has come down in price. Similarly, multi-core servers with dozens of gigabytes of RAM are the rule not the exception. This makes it very attractive indeed to just load the thin client app onto the smartphone and have it connect securely to the core to process corporate information which is also on the core. If the organization wants people to be able to drag and drop files or query results from the core within apps that run on the endpoint – then the endpoint needs heavy securing as described above. But if the thin client is set up so that information cannot be transferred from the core to the endpoint then one has a lot less to worry about in terms of “information leakage.” The “drag and drop” tradeoff being that the information the employee wants to transmit to their smartphone is not directly usable by other apps on their smartphone that make them more productive (e.g., transferring an address to the smartphones contact management system or its GPS app).

So where does this leave us? I think, for now, the choice is between:

a. Smartphones with powerful processors and awe-inspiring local apps and local corporate data loaded down with classical malware protections like encrypted file systems, anti-virus, URL filtering, anti-spam, personal firewalling (local or in the cloud)

b. Collapsed data center where the employees log into a virtual desktop running on a big server and all the employee ever has on their smartphone is a thin interface to corporate data on a far-away desktop

The convenience trade-off is clear – I would much prefer to be able to download a spreadsheet to the app on my phone and then hop on a plane and “play with the numbers” versus having to be on the network and constrained by my company's standard spreadsheet program.

Cost wise, the price of buying and administering standalone smartphones with high performance client software on them is much higher risk and less cost-effective than standing up a big server with desktop OS licenses, a few licenses for each app and issuing a thin client for each employee’s corporate or privately owned smartphone, laptop or desktop.

Is there is a happy medium? What do you think?

Next time we’ll discuss modifications to these paradigms that may remove some of the downsides to both, namely, data centers in the cloud and always connected mobile networking.

----------------------------

Some links to others thinking about the same topics:

http://www.isaca.org/About-ISACA/Press-room/News-Releases/2010/Pages/Mobile-Devices-May-Pose-Greatest-Threat-to-Confidential-Information-New-ISACA-White-Paper.aspx

http://isc.sans.edu/diary.html?storyid=9787

----------------------------

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 18 November 2010 | Permalink | Comments (0)

A Key to Decreasing ID Theft Exposure

No one wants to have their identifying particulars stolen and abused. To help, there is the security concept of using one secret (a key) to unlock keys to other services. The concept is simple, here is a real world analogy – in a car dealership, the service area has a bunch of keys to inventory and customer vehicles. That collection of keys is kept in a locked wall-mounted cabinet. Upper management are the only people with the keys to the “key locker.”

On your personal computer, there’s another commonly used example, in most browsers you can set your security preferences so that the username and password fields at different web sites are automatically supplied. They are stored in a browser-managed repository which is the equivalent of the “key locker” described above. Using this auto-fill feature alone is a net decrease in your security because, once turned on, anyone that can walk up to your computer, start up the browser and instantly be logged into your various web site accounts without having to know any credentials. But there is simple way to mitigate this risk. For example, in say FireFox, IE 8 or Opera you can also set a “Master Password” that is used to keep people other than yourself from getting at those passwords. This master password is the equivalent of the key to the key locker in our physical world example. This gives you the best of both worlds because now you only have to remember a single password which, in turn, allows you to set the underlying stored passwords to very hard to guess, long, complicated nonsense strings because you are planning to never have to remember/type them!

Another example of this security concept is in the world of payment card (credit, debit, etc.) clearing house services like PayPal, Google Checkout, PaySafeCard. These are services that you give various credentials to and they provide clearing house service to merchant sites that have signed up to use their services for payments. Here’s how it works:

First you sign up for the payment service of your choice, let’s say PayPal:

you create an account at the payment service using a unique string such as your email address
you fill out the payment service’s profile by providing contact information and credit card, debit card or checking account information
depending on the service, you may need to verify that a tiny transaction against the card or account in question goes through

That’s it! Now, you can use any online vendor that supports that payment service (look for, say, the PayPal logo, although it may not be displayed until you go to checkout):

go to a merchant site such as Walmart and put some stuff in your virtual shopping cart
proceed to check out and notice that there is a PayPal option, choose it
Walmart’s website sends you to PayPal, giving PayPal the bill you need to OK payment of (vendor and dollar amount)
you confirm your PayPal password and then tell PayPal which of your accounts to debit
when you hit “confirm payment”, PayPal debits your card/account on behalf of Walmart and then transfers the funds (not the payment information!) from your account to Walmart
PayPal also sends you email confirmation and tells you what merchant name to expect to see on your credit card statement
PayPal sends your browser back to the merchant site where your payment is confirmed in the form of a receipt (and usually another email) and information about order shipment

So, behind the scenes, the payment service deposits the payment (minus their transaction fee) into the merchant’s account without ever sharing your payment information with anyone!

Why bother with that? In the case of Walmart.com, there is probably little reason for concern but in the case of a small company, say Tom’s LiveBait-by-Mail, you might be a bit leery of giving away your credit card information. Also, if you signed up multiple credit/debit cards and one or more bank accounts then you can choose which to charge the payment against at checkout time. So, as long as the payment service is super-secure, it’s a net win because the fewer places that get their hands on your card info the better.

Is there a downside to using these services? Well, I suppose these particular processors are in a position to know a lot about your cross vendor buying habits and history. Plus, of course, they are an inviting target for hackers because they store so much account information (although they are extremely aware of and well staffed to store and police said information).

So – keep this “key to the keys” idea in mind when you need to minimize complexity and exposure.

John Brady is Information Security Architect Engineer at Westfield Insurance. Sharing Knowledge. Building Trust

John Brady on 01 July 2010 | Permalink | Comments (2)

Parental Controls Online - 6 Questions to Ask Your Family

8S22SRE498JM

Have you ever noticed how your child's favorite TV shows are directing them to the Internet to watch extra episodes and access special content like games and other shows? My daughter is just now starting to show interest in our family laptop, finding it wherever we might be hiding it. We keep putting off establishing parental controls, but it's only a matter of time before she figures out how to make the laptop work. As a family we will be nervous with not only the content she will be introduced to, but the wide variety of identity theftand other serious dangers that lurk within. Struggling with allowing her to learn while keeping her safe is a big challenge, one every parent is going to encounter.

This led me on a path of research, searching the web for keywords like "family safe internet software" and "parental controls for the internet." I saw quite a few sites selling software solutions like NetNanny, BSecure, and free tools like K9webprotection. There were others which carried with them some recommendations like FocusontheFamily and ConsumerSearch, which suggest pre-reviewed products to use.

Looking at all of the options, I can understand how it would be difficult to choose the best product for your family. Here are a few questions to help identify your family’s need for a tool like this:

1) Who in your family needs protecting? Yourself? Children? Adults who are wary of the Internet? Guests?
2) What devices do you need to protect? Smart phones? Laptops/Desktops? Wii?
3) What applications does your family use? Internet browsers? Instant messaging? Social networking sites like Facebook or Myspace?
4) What operating systems and versions do you have? Mac? Windows? Linux?
5) What are you willing to spend to keep your family safe from these dangers?
6) What kind of monitoring do you want to have access to? Web surfing logs? Online game play? Instant messaging usage?

Let me know your thoughts on this topic! Please chime in and let us know what you do to keep your family safe.

Jacob Harris is a Vulnerability and Forensics analyst at Westfield Insurance. Sharing Knowledge. Building Trust.

Jake Harris on 02 June 2010 | Permalink | Comments (4)

At the Nexus of Social Networking and Business

In a recent blog post I suggested that, while social networking (e.g., facebook, myspace, twitter, orkut, LinkedIn, etc.) is here to stay, one needs to be somewhat circumspect in using them. I focused mostly on “apps” within these social networking communities. These apps often want access to your personal information or want you to install or run some program at their behest.

As a follow-up, I’d like to discuss some general ways in which you can improve the likelihood that you will not get your personal or business systems hacked while still being able to enjoy the fruits of these dynamic, fast-growing communities.

Think before you click on anything asking:

- for access to your personal information (on various sites, they may be called “applications”, games, “e-cards”, “gifts” like a virtual cup-of-coffee, virtual bouquet of flowers, a snowball). Do you trust the requestor? Do you even know their privacy policy?

- you to install some “missing piece of software” (e.g., a dll, driver, codec) and perhaps offering to forward you to the site where you can install it now and then proceed with your original task. Do you know the software provider?

Review your privacy settings periodically, there are many recommendations in this regard in the mainstream media (see table at bottom).

When the social network provider notifies you that their privacy policy has been changed – READ the new privacy policy! There have been cases where the provider has retroactively instituted new default access rules rendering previously private parts of user profiles open to the public!

Don’t lend the use of your computer (laptop, desktop) to anyone that might be reckless with it. If the borrower surfs to an infected web site and your account on the PC becomes infected then they have unwittingly put your personal information at risk. To mitigate the danger – always create a separate account for other users (either one account per person for regular users, or) a shared guest account for people that just want to use a browser for short time. When creating such accounts do be sure they are not endowed with any administrative powers. Delete all the files they leave behind and perform a virus/spyware scan. Don’t think of it as being distrustful, think of it as good hygiene.

Taken to its logical extreme, you might seriously consider having a completely separate system for when you are working on your high privacy stuff (employee personal info., online banking, personal/business financials, tax returns, medical bills/records, …). This will almost guarantee that your private information stays that way. **

Although it may sound like I need to lighten up, if you read some of the horror stories about people that have experienced ID theft, you may decide I am not being adamant enough! Of course, you have to find a happy medium for your circumstances. Hopefully, the list above will help you make more informed decisions before you click.

--------------------------

Site Policy	Privacy Recommendation
facebook	High level: NY Times Very detailed: AllFacebook
MySpace	For better privacy control, switch from profile 1.0 to profile 2.0. MySpace recommendation
LinkedIn	Walk-through: Network World LinkedIn recommendation
twitter	Creating a non-public twitter account

** If you are computer savvy enough to know about virtual machines (VM) – you can get much of the same degree of isolation using a separateVM, instead of a separate piece of physical hardware.

John Brady on 06 April 2010 | Permalink | Comments (1)

Your information security "chain" breaks at its weakest link

I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost Here are some current examples of this happening:

http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved

http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/

This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves. There are some very simple common sense things that can be done to protect information that you care about.

I have broken this down into three basic steps:

Step 1: Understand what you need to protect

The first (and most important) thing that you need to do is identify what information is critical to your company and what information you legally need to protect. Really take the time to think about it. Most state privacy breach laws state that you need to protect peoples names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers. These are easy ones, but how about your customer contact lists? new product ideas? customer order histories? etc… What information do you really need to ensure that you don’t lose and doesn’t get out of your control? In addition to data loss, think about data integrity. When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers? How important are the decisions you make from your data. The controls you place around preserving the integrity of data need to match its importance.

Step 2: Inventory where it is stored

The next thing to do is to identify where all of this information is located. In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone. Ask yourself these questions:

Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
Where do you store and how do you protect your system backups?
Could someone gain access to a system backup and restore the information to their computer?
Can you reduce the number of locations that your critical information or copies of it are stored?
Are you relying on third parties to protect your information when it is in their systems? Do they have the appropriate security controls in their environment?

Step 3: Align security controls with business risk

Finally, assess the security controls that you are using to protect your information. You should align your controls across systems based on the value of the information you are trying to protect. You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored. Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.

Know what information you want to protect and protect all locations that this information is stored consistently. Your information chain will break at its weakest link.

The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations that this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.

Bill Murray on 08 February 2010 | Permalink | Comments (0)

4 steps to protect your data in an online transaction

Hello readers of the Westfield Insurance Information Security Tips blog! I am new to Westfield, joining the InfoSec team in the capacity of Information Security Architect. Previously, I was an information security consultant working predominantly in banking and pharmaceuticals.

You may be asking, "What is Information Security (IS) Architecture?" In its broadest sense, architecture in the IT industry involves marrying an enterprise's business objectives to its current and future technology capabilities. A good architecture does this by leveraging what is already present, or when needed, carefully introducing new types of technology. When properly architected, the IT environment adapts smoothly to constantly changing business demands. Information Security Architecture tries to achieve these same outcomes but within the specialized domain of information security.

What tips does an architect have regarding day to day information security? Well, let’s take a security architecture concept and apply it to your situation. For example, consider the idea of ensuring the confidentiality of sensitive information. This idea is broadly applicable everyday on the web. From an architectural perspective it is helpful to think about the two states of confidential information, namely, at rest (e.g., stored in a file) and in transit (e.g., whizzing across the Internet from server to laptop).

Take a scenario where you keep your credit card and expiration date in a file on your PC (you can remember your CVV, that three digit code on the back of your credit card, because it's so short). Doing this makes it so much easier for you go shopping on the web because you can just cut and paste your information quickly, conveniently and without worrying about typing errors, etc. So you surf to your favorite shopping site, find the widget you want to buy, follow the checkout process, open the credit card file, cut and paste your credit card information, submit it, and in a few days your stuff arrives.

Let's talk about your information's confidentiality during the 4 steps in an online transaction:

1) In your computer file: First, if you saved your credit card information on your computer, it is sitting in a file. Here it definitely should have been encrypted in such a way that only you could decrypt and read it, for example, using a password protected file encryption such as the free GNU Privacy Guard.

2) On the merchant's order form: Next, you cut and pasted it to the online merchant’s checkout page. Did you make sure the browser was indicating that the communications were protected by verifying that there were no browser warnings about unrecognized or expired digital certificates? These certificates are used to help you make sure that you’re really at the web site of the merchant you think you are. Some browsers use a color coding scheme in the URL field and green is usually the color indicating the site’s authenticity has been successfully verified.

3) In transit on the web: When you submit your credit card information, the data will suddenly be in transit across the Internet! Prior to submitting anything, make sure it is protected in transit by confirming the URL of the page where you entered your personal data begins with the string https://... Instead of the normal http://... . That extra ‘s’ in https is for security and it means the data stream between your browser and the merchant’s web server is encrypted.

4) On the site receiving your info: And finally, after you press Submit, if you get any browser warning about information being sent unsecured, your browser is warning you that, although the page you were on was secure, the place you’re submitting the credit card info. to may not be. When you recieve such warnings while transacting confidential information you should cancel out of the transaction and perform your purchase via a different medium (e.g., over the phone).

So, from an InfoSec architecture perspective, assuring that the encryption infrastructure is guarding your information at rest and in transit is all part of your personal information security architecture.

John Brady on 26 January 2010 | Permalink | Comments (0) | TrackBack (0)

Secure shopping reminders for Cyber-Monday

It's Cyber-Monday, the biggest on-line shopping day of the year, and that means it's time for Cyber-Monday scams. And there are a lot of them this year. Online shopping can be safe but you have to be careful where and how you shop. It's not really that much different from safe shopping at a physical store or over the phone. Be suspicious.

When shopping online, type the merchant's URL in by hand instead of following any "convenient" link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant's website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs
Read the site's privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don't trust the company to protect your personal information, shop somewhere else.
Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
Check your statement carefully for charges you don't recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here's one that isn't.

There are allegations online that a Facebook-based promotion being run by the Australian mall company which shares our name is a scam. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you'd give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall's promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

Mike Rossander on 30 November 2009 | Permalink | Comments (2) | TrackBack (0)

Information Security Concerns in a Pandemic

For a while now, we have been working on the development of a pandemic plan for our company. Information Technology supports this plan in many ways. Through the use of technology we can increase the number of employees who can “work at home” and use Virtual Private Networking (VPN) software to remotely connect into our systems to perform their work. Getting employees out of the office but still having them be productive is a form of “Social Distancing” that can reduce the risk of exposure to disease.

A component of any pandemic plan needs to be communication on what can and can’t be done from an Information Security perspective, even in a pandemic situation. For example, we only allow company configured machines to connect to our network, even over a VPN connection. However, not all of our employees have laptops so many, therefore, cannot work at home. It must be reinforced that information security policy is still policy even in a pandemic, and employees who do not have company laptops must not use email to send documents or data to themselves to work on using their home (or any non-company owned) computer. This is the same for taking work home on portable USB drives or other media. Even if you have the best intentions and only want to help your company, you are putting your company at risk of your data being intercepted, copied or lost resulting in a privacy breach.

Why be so paranoid? Our employees are only trying to be more efficient and effective in a time where 20%-30% of the company might be out sick. It can't be that bad, right? Wrong. A big reason why is “endpoint protection”. Your company’s endpoints (workstations and laptops) have known, approved and licensed software on them, they have anti-virus software running on them, they are regularly patched for security vulnerabilities and they are free of peer-to-peer sharing software. Some of your employees' home machines MAY be up to your company’s standards, but what if even one is not? When your employee is done with their work, are you sure that no backup or temporary files will linger behind? How many of your employees have children that use the home computer to share music or files? How about viruses or malware infecting your corporate network once this work is brought back into your production environment? What if the employee actually loses the USB drive? Not to mention the risk of a shared or compromised gmail or yahoo mail account.

All of these scenarios can cause data leakage or data loss that can lead to a privacy breach. According to the most recent Ponemon study that reports on the costs and causes of privacy breaches, “Over 88% of all cases this year involved incidents resulting from negligence.” This leaves only 12% as a result of malicious activity. This 88% is composed of employees who think that they are doing the right thing, are trying to help and believe that nothing bad can happen.

So, please reinforce to your employees and peers that it is not safe to trust public networks, infrastructure or non-company owned equipment to store or work on company confidential materials. Even in a pandemic situation were your workforce may be diminished and people are looking for innovative ways to “keep the lights on”, information security policy is still in effect and information security risks, and their consequences, outweigh lost productivity.

Bill Murray on 04 November 2009 | Permalink | Comments (0) | TrackBack (0)

A/S/L/P - Bridging the Internet Generation Gap

April 23, 2009 is national “Take Our Daughters and Sons to Work” day. This day was founded in 1993 as a way to introduce children and young adults to career opportunities as well as demonstrate how skills learned at school will be applied later in life.

As much as our daughters and sons can learn about our careers; there is much that they can teach us about the Internet and Internet safety. I propose as an extension to “Take Our Daughters and Sons to Work” day, that parents spend an extra hour or two at home with their children to learn about their world.

If you have never watched your child, niece or nephew navigate a computer and the Internet; you will be shocked the first time you sit down with them. Ironically, they may be able to identify ways to optimize and/or automate your daily activities. Thank goodness for child labor laws; otherwise, your next boss would probably be twelve! Our children are light years ahead of us when it comes to finding information on the Internet. Unfortunately, many still lack the practical experience to determine when they encounter a dangerous or unhealthy situation.

Remember how excited you were when you received that letter from half way around the globe as your pen pal reached out to you? Today’s children communicate daily with friends and relatives around the world. Through social networking sites such as Facebook and My Space, long lost friends or new ones are only a few keyboard and mouse clicks away. Twitter, Jaiku and Pownce are a few other places where kids are sharing information about their daily lives. Using cell phones, these posts can happen anytime, anywhere giving the world up-to-the-minute updates. Celebrities like Erika Badu have gone as far as blogging their childbirth experience.

While this information is harmless when shared among friends and family; it may have serious consequences when obtained by the wrong person. Cyberbullying and cyberstalking are examples of overt Internet crimes. Online predators are manipulating our children to engage in dangerous and sometimes deadly situations. Despite the popularity of news programs like NBC Dateline’s, “To Catch a Predator;” there continues to be increases in online predation.

This leads us all the way back to what started this blog; Take Our Daughters and Sons to Work Day. This is a great opportunity to reach out to your children and learn what they have encountered on the Internet. Find out what sites they visit regularly. If they have a Facebook or My Space account, it might not hurt to set up one of your own to monitor their online activities. Ensure they are not posting private information such as their address and/or phone numbers online. Be aware when they are blogging their whereabouts.

Finally, a kilobit of prevention is worth a gigabyte of cure. If you don’t have an Internet filter installed on your home computer(s)…get one. There are many free ones available. You can download a couple of them here and here. Get involved with your children’s social networks. Besides ensuring they are not disclosing sensitive information, you may find yourself catching up with old friends and making new ones. Keep the computers in an open location as opposed to the children’s rooms. There is no reason to wait until somebody comes up with “Take Your Parents to the Internet” day, to start protecting our children today.

ICYC (In case you're curious), if you don't understand what the title of this post means; it wouldn't hurt to know the lingo your children use to communicate over IM (instant messenger) and txt (text messaging). You can find a list of text lingo here. What you find there may surprise you. Especially when you find yourself the AITR.

John Doan on 20 April 2009 | Permalink | Comments (0) | TrackBack (0)

Lock your doors, here comes the Conficker worm!

You can hardly look at any news source anymore without being bombarded by articles about security incidents, privacy breaches, worms, viruses, zombies, botnet's or a host of other Information Security related headlines. The media really eats this Information Security stuff up.

This week’s news continues this trend.

Get ready for the “Conficker.c” worm that has already infected 5 to 10 million computers worldwide and is waiting for April 1, 2009 to awaken. The experts predict that the payload, which is what the worm will do when it is activated, will somehow involve people being separated from their money. This assumption is based on the knowledge that many of this worms predecessors have been targeted at convincing their helpless victims to purchase what they think is "anti-virus software" to protect their computers from the very worm that they are already infected with.

It really is all about money these days. Microsoft has even jumped in and offered a $250k reward for information leading to the capture and arrest of the worm writer.

Over the last few months the news has been filled with companies getting "hacked" and loosing their customer privacy related information (SSN & Account numbers, etc...). There have also been several companies that have just simply lost information through carelessness and bad security practices.

And over the next few months I am sure that we will continue to hear about more about companies losing information, more virus and worm scares that threaten society and more about victims who have lost money due to identity theft, phishing attacks or more worms.

I have been in the Information Security profession for a long time and while Information Security threats are ever changing, fast paced and have grown to ever increasing scales, there are some simple and basic things that companies and people can do to significantly reduce their exposure to these threats.

Not surprisingly, they are really just common sense, don't change much over time and you already know how to do them.

Patch your systems and do it all the time. The Conficker.c worm exploits a vulnerability that a patch was released to mitigate in October 2008. New patches are being released all the time. I guarantee viruses and worms will be written to exploit them.

Have basic protections in place like a personal firewall that blocks nonstandard traffic and antivirus software that is regularly updated and is configured to regularly scan your computer. We hear this all the time. Are you doing it?

Don't download and run pirated software or software that does illegal things. This includes peer-to-peer file sharing as well as pirated versions of your favorite tax software.

Be suspicious of everything. And even more so if someone or something is trying to help you or give you something for free. Nothing is free. Come on, you know that don’t you?

The bottom line is simple. Protect the information on your computer the same as you would protect your physical property. Lock your doors and windows. Don't let strangers in your house even when one comes to the door and wants to give you $100 dollars. Change your locks if you think that someone has been inside your house. Don't accept (or seek out) stolen property. If you receive a recall notice for your car because of failing brakes, make a point to get them fixed as soon as possible.

Security is security. Use the same logic with computers and information that you use to determine what you should and should not do with your valued physical possessions. Applying this logic will avoid the majority of the Information Security problems that you hear about in the news.

Bill Murray on 31 March 2009 | Permalink | Comments (1) | TrackBack (0)

Anti-Virus Software?

Just the other day, I ran into another person who told me they don't run anti-virus software on their home computer. I looked at them in disbelief and asked why they would expose their computer/personal information to the potential danger? The response I got was, "I've never had a virus on my computer before". As I explained to this person that they have every right to not run anti-virus software, I cautioned them and asked that they looked at the risks they were taking.

I started to ask what things were on the computer such as financial information, etc. Next, I asked if they used their machine for online banking. I started to see a look of concern on their face. I stated that getting a virus is as easy as clicking on a link in your web browser. I said I would hate to see a virus drop a keystroke logger on their computer and get their online banking credentials. Some legitimate sites could have been hacked and not know it yet.

I know because it has happened to me. I was surfing on my children's computer and clicked on a link. Immediately, a second browser opened and my anti-virus software popped up an alert. Fortunately, I was running AV software that contained it and their computer had zero information on it. I got to spend my Sunday afternoon rebuilding their computer.

Symantec states that “10-15 new viruses are discovered every day.” A Network World article written in May 2008 says “The total number of viruses will reach 1 million by year-end, according to security experts.” With this information alone, it makes a great argument to make sure to run anti-virus software. Anyway, a lot of Internet Service Provider’s (ISP) are giving it away for free because they don't want the potential problems inside their own networks. I guess the way I look at it is, I would rather spend a little time and maybe some money to reduce my risks of identity/financial theft than spend potentially thousands to straighten out my credit.

Good luck in whatever you choose to do.

Jeff Gibson

Vulnerability Management, Compliance & Forensics Analyst

Westfield Group

Jeff Gibson on 16 February 2009 | Permalink | Comments (1) | TrackBack (0)

Experiences of a carpenter

Hi everyone, I'm Jake Harris one of the new team members who will be carrying on Westfield Insurance's Information Security Blog. I thought I'd take a second and share with you a recent issue which I've seen quite often.

I recently had the chance to work on a friend’s computer. (Actually it was a fair trade; I'll fix your computer if you can watch my daughter for a few extra minutes) The first thing I noticed was a little black box connected directly to their computer. I asked "Don't you have a router?” The response was "sure do, it's down in the garage with the other wood working tools". I laughed as I've heard that one more than once in my travels. But from a more serious point of view a router is a very handy piece of technology, not to mention component of securing a home network.

I'll take a few moments to explain (no not in great detail, unless you ask me for them) what a router is, why it really makes sense to get one, and how simple they really are to use.

What is a "Router"?

Well a router is a rather complex device if you start talking about all the cool things they could do in a corporate network, rather from a home network point of view a router is a device which acts as a protective gate between your home network and your internet connection.

Think of it like this if:

· A computer with a password is a locked building

· Antivirus software on a computer is a security guard patrolling that building

· Your home network is like a parking lot connecting all of the buildings

Then a router would be a protective fence surrounding your parking lot with a gated entrance. The gated entrance is only going to let something in if it is welcome or allowed to come in.

The technology used to make this happen is called NAT (Network Address Translation), basically what that means is the router is the actual computer that gets a "public" address or “dirty” address, and then the router provides each home computer a "private" address. The router is usually very secure from an internet point of view, so you don’t have to worry about it getting damaged.

Why should I get a router? I don't have a parking lot, or security guards?

No, most people probably don't have parking lots or security guards, and I wonder to myself why, well point blank they can't afford it. But a router is cheap, usually less than $50, and if you can afford that type of security for your home network maybe you should get it, not to mention you can connect multiple computers at one time to the internet and use wireless.

You just said they are complex, are you sure they are simple?

In short companies which make home routers have done a great job of making them simple to install in a home network. In many cases all you have to do is:

· Open the package

· Plug power into the router

· Plug your internet connection into the Internet port on your router

· Plug your computers into the private ports on your router

· Reboot your internet connection device (simply remove the power, wait 5 seconds, and plug it in)

And you’re ready to surf once again.

A few thoughts on keeping your router safe:

· Change the administrator password

· Update the firmware every few months or as available

· Backup your router’s configuration

All of these tasks should be documented on a CD or paper that comes with your router.

Will a router fix all your worries, well a short answer is no. Anti-virus, Anti-spyware, updating your software (patching) and safe web surfing practices are just as important, however a router is still an important component of keeping your home computer secure.

Well I hope my thoughts reached someone out there and made them a little more secure. Looking forward to hearing about other’s thoughts and experiences, even if you want to tell me about that great new router you just bought or a vote for a next topic.

Thanks for reading,

Jake

Jake Harris on 09 February 2009 | Permalink | Comments (0) | TrackBack (0)

Secure shopping (encore tip)

This Tip was first run in Dec 2006 when forecasters were predicting the biggest online holiday shopping season ever. Amazingly, that forecast is still true - the volume of online shopping continues to rise (though perhaps not quite as dramatically as in previous years). This "encore tip" is a reminder to shop safely during the holiday season.

Last year was the busiest online shopping year in history – and this year looks like it will be even busier. Shopping online is a convenience that we are quickly learning to take for granted. At the same time, identity theft is a steadily more serious threat. There are some risks you should consider, especially when making purchases over the Internet.

When shopping online, type the merchant's URL in by hand instead of following any "convenient" link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant's website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs.
Read the site's privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don't trust the company to protect your personal information, shop somewhere else.
Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
Check your statement carefully for charges you don't recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
Consider keeping a separate credit card with a low credit limit just for internet purchases.

Remember that these rules apply when you are paying by telephone, too. You should always call the merchant (or utility, charity, etc). Never give someone your financial information if they called you. No matter who they say they are, you don't really know who's on the other end of that line.

Shopping online can be as safe as shopping in a physical store or through a catalog as long as you shop responsibly.

Mike Rossander on 24 November 2008 | Permalink | Comments (1) | TrackBack (0)

OnGuard Online

As the holidays get closer, many of us will turn to online shopping. Done right, online shopping is about as safe as catalog shopping - and much more convenient. If you don't take basic precautions, though, you could lose your shirt. Take the time to learn about the kinds of scams and cons that are used online.

The Federal Trade Commission hosts a terrific site with lots of content on identifying and deflecting these kinds of scams. If you haven't already been out to visit www.onguardonline.gov, I strongly recommend the site. It has some excellent overview material on security at the personal and small business level. The site also has a set of games covering a variety of topics like spyware, online auctioneering, peer-to-peer, phishing and spam. Test your knowledge of internet security and safe shopping. It's well worth the time to visit the site.

The site's material comes from a number of public and private sources but is all released for public use. If you run your own personal website, you can post their games, videos and handouts to your own site and help spread the word. (Instructions are here.)

Addendum:
This tip has inspired me to create a more permanent set of links to some of the better games and awareness quizzes that I've run across. I'll try to get them posted in a permanent sidebar on the blog but in the meantime, here are a few good links.

CMU Anti-Phishing Game - Learn to identify fraudulent URLs
Mission:Laptop Security - Protect your laptop while traveling
Anti-phishing Father's Day card - Flash video on phishing
Auction Action - Test your knowledge of online auctioning
P2P Threeplay! - a quick quiz on file-sharing
Invest Quest|http://www.onguardonline.gov/games/invest-quest.aspx - a simple quiz but the 'disclaimers' are pretty funny

Mike Rossander on 17 November 2008 | Permalink | Comments (0) | TrackBack (0)

Filesharing - defined

All the kids are doing it. And depending on which news reports you read, it's either the inevitable wave of the future or another sign of the collapse of our society - or both. But what is filesharing really?

Filesharing is the term for software designed to make it easier for you to share stuff through your computer with other people. (I use the technical term "stuff" here because you can share literally any electronic file through these tools but the most common shared files are documents, music files and videos – and viruses. More on that in a minute.) The most common form of filesharing is "peer-to-peer" (P2P) sharing, a way to share files directly from your computer to someone else's computer without needing to store it on a server somewhere. If I want to download a file that you've offered up for sharing, I reach through the internet and grab it directly off your computer.

This kind of filesharing requires special software such as Limewire, BitTorrent or Kazaa. These applications create an index of the files that you've offered for sharing and publish the index to the Internet so others can find your files. They also let you access the index and download the files you want. Filesharing is an easy way to publish documents widely and can get you access to all kinds of free content. Music is especially easy to find.

The problem with filesharing is that it exposes you and your computer to all sorts of risks that are not disclosed by the filesharing network or those "friends" who are pressuring your kids.

When you use P2P, it is essentially impossible to verify that the file is trustworthy. Hackers hide spyware, viruses, worms and trojan horses and other malicious code into the files. When you download the file, you infect your own computer.
P2P also opens up your computer to outsiders. The applications claim to only expose certain directories but 1) you don't know if the application is locking the folders down properly and 2) it's too easy to misfile a confidential document in a shared folder. Any little mistake opens up your confidential information to the world.
Most P2P applications require you to open up certain ports on your firewall so it can send or receive the files. Hackers exploit those open ports to attack your computer directly anytime it is connected to the internet.
And, of course, the big risk that got so much press when Napster was being sued into bankruptcy is the phenomenally high proportion of copyrighted material being illegally offered for "sharing". If you download pirated content, even unknowingly, you could face fines or other legal action. The Recording Industry Association of America (RIAA) is especially aggressive about finding and suing individual users who have illegally copied content on their computers.

If you run a network, either at a business or at home, I strongly recommend that you block filesharing sites. Remember, you go to jail or pay the fine whether they downloaded the illegal software with your knowledge or not. If you have kids, turn on your computer's parental controls and block those sites. Teach your kids to buy their music legitimately.

Based in part on US-CERT Cyber Security Tip ST05-007

Mike Rossander on 18 August 2008 | Permalink | Comments (0) | TrackBack (0)

AntiVirusXP2008 warning

Last month, we wrote about scareware and hackers using fake update notices. In the past few days, we've seen a sudden increase in one of these attacks coming from one of the former Soviet republics. This group is exploiting a "DNS hole" to hijack visitors who are attempting to visit legitimate websites (such as a hotel in a common vacation destination like Hilton Head). The hacker redirects the victim to the hacker's virus-infected website, then automatically loads a virus onto your computer. From what we've seen so far, this virus first disables your existing anti-virus program, then slows down your machine and finally starts to present you with a false warning that your computer is badly virus infected and needs to run AntiVirusXP2008 to clean it up (for only $50 which they want you to send to them in Russia). The warning message lists hundreds of "infected" files on your machine. Many of those files are, in fact, on your machine but are legitimate files needed by the operating system.

At Westfield, we normally have to clean up about one infected computer a month. It's jumped to 6 in the past week. Worse, this virus has proven particularly difficult to clean out. Our IT department has found it necessary to completely reimage the machine in order to fix the problem.

At home, fix your firewall, update your antivirus and patches and practice safe surfing. If google or yahoo (or your existing antivirus program) give you a warning that you are about to go to a sight that might contain malicious code, heed the warning. Do not override it just because you think that you're going to a "safe" site like the hotel.

At work, shut your computer off every day. (Your IT department probably pushes updates to your computer's defenses every day but many of those updates can't take effect until you restart your computer. If you leave your computer on for an extended period, you will be missing those critical updates.) And, of course, practice safe surfing.

If you get one of these pop-up warnings, never allow it to scan your computer. If you think you might have triggered one of these scams, call IT.

Mike Rossander on 28 July 2008 | Permalink | Comments (0) | TrackBack (0)

Information Security Tips from Westfield Insurance