12.31.2006

New Year Resolutions: Anti-virus, Firewall and Anti-Spyware

Happy New Year!

With the New Year upon us and everyone in the throes of new resolutions, I propose three information security resolutions:

  • Set up anti-virus software
  • Set up a firewall
  • Set up anti-spyware software
All of these are fairly simple and well worth your effort. In the next few articles, we will discuss the hows and whys of these three resolutions. See you soon!

Chalmer

12.26.2006

Using e-mail safely


I recently posted to the news site Slashdot about some changes that have occurred in the Department of Defense and how they handle email.

According to Federal Computer Week, the Department of Defense (DoD) has taken the step of blocking HTML-based email. They are also banning the use of Outlook Web Access email clients. The DoD is making this move because HTML messages can easily be infected with spyware and executable lines of code that enable hackers to access DoD networks.

Instead of HTML formatting, DoD is going with plain text.

See my Slashdot article for the extended summary and see the original Federal Computer Week article for all the details.

Having said that, the security implications for you, the Average Joe, fall into two categories:
  • images
  • programs
When we use Hypertext Markup Language (HTML) based email, our email client will show the words in the message AND will try to follow all of the "instructions" in the HTML portion of the email. These instructions can include things such as:
  • programming code (scripts): some HTML can contain scripts that can access your computer, damage your computer and/or open channels for the bad guy to achieve even more sophisticated access to your machine.
  • image requests: these basically phone home to the sender's server to fetch a copy of an image. These image requests often tell the sender that you opened or previewed the message. This confirms to spammers that your email address is active and may result in you receiving more spam.
Thus the risks of using HTML-based email are real. There are some things that you can do to minimize your risks:
  • Avoid HTML-based email altogether (the Typical User likes to see the pretty colors and pictures and likes to have bold and italics, so this option will generally be avoided)
  • Given the above, you can use modern email software that can be set to not run programming code or scripts and/or can strip out HTML tags entirely.
  • Use email software that does not show images (i.e. does not phone home) unless you give it permission.
My favorite email client that meets the above criteria is Thunderbird. You can download it here. There are other options out there, but I am most familiar with Thunderbird.
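As an added illustration (not code from this post, and not Thunderbird's own code), here is a small Python filter that does what the two settings above amount to: it drops script blocks and refuses remote (http/https) image requests, reporting the URLs it blocked, while leaving formatting and embedded cid: images alone. The message it parses is constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: a tracking pixel, an embedded (cid:) logo, a script.
SAMPLE_HTML = """<html><body>
<p>Hello <b>friend</b>, see our <i>great</i> offer!</p>
<script>document.location='http://bad.example/steal';</script>
<img src="http://track.example/pixel.gif?id=abc123" width="1" height="1">
<img src="cid:logo@local" alt="logo">
</body></html>"""

class MailFilter(HTMLParser):
    """Rebuild the body without scripts or remote images; record what was blocked."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.remote_images = []  # URLs the client would have fetched on display
        self.in_script = False
        self.output = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        if tag == "img":
            src = dict(attrs).get("src", "")
            # http(s) sources are remote fetches; cid: references are attachments.
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)
                return  # drop the tag so the client never phones home
        self.output.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <img ... /> style tags have no end tag

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.output.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies never reach the output
            self.output.append(data)

def sanitize(html):
    """Return (sanitized_html, blocked_remote_image_urls)."""
    f = MailFilter()
    f.feed(html)
    f.close()
    return "".join(f.output), f.remote_images
```

Running `sanitize(SAMPLE_HTML)` keeps the bold and italic text and the cid: logo, removes the script, and reports the single tracking-pixel URL that would have told the sender you opened the message.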

Chalmer.

12.23.2006

Malware: What can happen to you!!!

Panda Software issued their annual list of the 10 most interesting attacks or malware. The bad guys are out to get you in so many different ways, including:

  • track whether you view pornography
  • collect your personal information
  • turn on your microphone and/or webcam so you can be watched
  • change icons, hide file extensions, delete or remove access to tools and options
  • trick you into thinking you are being protected.
Take home message: Make sure you keep your anti-virus software updated.

If you need anti-virus software, one option that is free and fairly user-friendly is AVG's Anti-Virus, which can be downloaded here.

Chalmer

12.21.2006

Stop clicking on attachments

The BBC has an article on three vulnerabilities in Microsoft Word. The exact vulnerabilities are not important to the average computer user...so I won't go into any detail, but the take home message...the thing InfoSec professionals continue to try to pound into the hearts and minds of the average Joe is this:

  • Stop clicking on attachments that you weren't expecting to get.
  • Be cautious about clicking on attachments from your friends.

Beyond that...always make sure your anti-virus, anti-spam, anti-spyware and firewall software is up to date.

For the record, the vulnerabilities affect Microsoft Word 2000, Word 2002, Office 2003, Word Viewer 2003, Word 2004 for Mac, Word v. X for Mac, and Works 2004, 2005, and 2006.

For those in the audience that want more info, you can look here:

BBC article: Triple threat targets Word users

Microsoft Security Advisory: Vulnerability in Microsoft Word Could Allow Remote Code Execution

Microsoft Security Response Center Blog: Update on Current Word Vulnerability Reports

Merry Christmas!

Chalmer

12.18.2006

Computer Hijacking

An article in USA Today discusses the issue of computer hijacking...where a bad guy gains access to your computer and then encrypts your files and documents. The bad guy then leaves you a message with details on how to get the key to decrypt your files. These types of attacks are not yet widespread, but if they prove to be successful money-makers, they may become more frequent.

Apparently the bad guys are not asking for much money, which means most small businesses won't bother to report the crime and most jurisdictions won't bother to investigate.

For the details, take a look at the article.

This story is related to the e-mail hijacking story (Cyber hijackers and your email, below).

To protect yourself...use quality anti-virus, firewall and anti-spyware software. I intend to write an article about these, as soon as I get the chance, so keep checking back.

Chalmer

12.16.2006

Cyber hijackers and your email


The bad guys are gaining access to web-based email accounts (Yahoo-mail, Gmail, Hotmail) and hiding the contents, like your contacts and messages. When you log on, all you find is a message from the Hijacker demanding that you pay if you want to have your information restored.

This attack can occur when the bad guys capture your user ID and password from a computer that is infected with a keystroke logger. A keystroke logger is software OR hardware that records all of the keystrokes made on the computer.

Cyber cafes, libraries, and other locations with "public" computers are often targeted by the bad guys, because they know that a wide variety of unsuspecting people will type in their most important information (i.e. user IDs and passwords).

There is no way for the average person to thoroughly check a public computer for the presence of software-based keystroke loggers. If you don't know what you are looking for, even hardware keystroke loggers can be difficult to find. The moral of this story: be very cautious if you choose to use public computers. The risks are greater than you think.

News Article on Cyber Hijacking

Chalmer

12.15.2006

Passwords, Part 2

In Passwords, Part 1, I warned you: use unique passwords and change them often...but let's face it...no one does. Modern Internet life means that you would quickly collect more complex passwords, like the one below, than you can possibly remember.

One way to fix this problem, without significantly increasing your risk, is to group similar accounts and tailor your passwords accordingly. Below are examples of how you can group your passwords for easier control AND still apply the guidelines found in Passwords, Part 1 (PPI).
  • Work: this password ensures you can put food on the table...take good care of it and use all of the guidelines in PPI, as well as any guidelines provided by your employer.
  • Finance/Banking/Home Computer: these passwords protect your finances and your personal information (i.e. home computer, online banks, online financial accounts, online shopping, etc). These passwords must follow the guidelines in PPI, including unique passwords and regular updates. Identity theft is easier than you think...don't make it any easier by giving the bad guys one "key" to all of your accounts.
  • High use/Low financial risk: for accounts that you use regularly, but have low financial risk, many people will accept the risk of having only one password for all the accounts in the group. In addition, many people change these passwords less frequently (i.e. every six instead of every three months). Warning: don't be lazy...this password should bear NO resemblance to the passwords used for your high risk accounts.
  • Low use/No financial risk: if you don't intend to come back to a site and there is no financial risk it is generally reasonable to use the same password over and over. Again...be creative and use a password that bears NO resemblance to your high risk passwords. For these types of accounts, I may never go back to change this password.
For an example of how this might work in the real world, see my post Passwords, Part 3. Most people have only a handful of truly high risk accounts, so the above method greatly limits the number of passwords you need to remember, while simultaneously limiting your risk. A word of caution...it does not eliminate all risk...it just reduces it.

Chalmer

InfraGard

This Thursday, I was accepted as a member of the Executive Board of the East Tennessee Chapter of InfraGard. InfraGard is a program run by the FBI that shares information and analysis amongst a wide range of partners, including:

  • businesses
  • academic institutions
  • state and local law enforcement agencies
  • and other participants
At its most basic level, InfraGard is a partnership between the FBI and the private sector to share information and intelligence to prevent hostile acts against the United States.

You can read more about InfraGard here: http://www.infragard.net/

You can read about the East Tennessee Chapter here: http://www.infragard-etn.org/

The members of InfraGard are a wonderful group of patriotic citizens...check their website, find your local chapter and feel free to stop by the next meeting...we would love to see you there.

As a side note: I delivered a presentation on Denial of Service Attacks to the Tennessee Chapter in February of 2006. My presentation can be found here: http://www.infragard-etn.org/images/Presentations/Distributed%20Denial-of-Services%20Attacks.pdf

Chalmer

12.03.2006

Passwords, Part 1

Trust me...I don't like them either: passwords (a.k.a. PINs, passphrases). Passwords are synonymous with the computing experience, but few people appreciate the heavy lifting that these words and numbers perform. Due to poor security, passwords are often the only line of defense between you and the enemy, so make sure your passwords are good, strong passwords.

A strong password has the following characteristics:

  • Length: the longer your password, generally the better. Eight characters* or more is generally considered the minimum.

  • Variety: use the weird characters on your keyboard (e.g. $5?:!}+*3). The only real reason keyboard makers put those characters on there is so that we can have better passwords. You paid for the extra keys, go ahead and use them!

  • Early Death: euthanize your passwords regularly. If the bad guy gets a password, you can give him a rude awakening when the password stops working. 30 to 90 days is a good maximum lifespan* for a healthy password.

  • Secrecy: Stop taping your password to your monitor. Stop giving your password to your friends. Passwords like their privacy too.

  • Seldom Used: Don't make your poor password slave away all the time. Pick different passwords for each application and each website. This goes hand-in-hand with the secrecy issue. Why give your bank password to the staff at Blockbuster Online?

* since this is being written in Dec 2006, the guidelines on length and lifespan may change as computers get faster.

In a future post, I will help you figure out how to remember all of these long, complicated, obnoxious passwords.

Chalmer

11.24.2006

Security in the real world

One key focus of this blog will be security in the real world: how to implement security in a realistic and effective manner. One of the major problems with security today is the inappropriate knee-jerk reaction to security vulnerabilities. We find that security responses often:

  • respond to the wrong threat
  • respond in a way that is ineffective
  • respond in a way that feels good, without providing a valid return on your security investment

We intend to address how to overcome the knee-jerk reaction and engineer security that actually works.

Chalmer

Real Post

The process of creating this blog has been far easier than anticipated. Since this is working so well, we will begin posting information of importance.

This blog will be devoted to information security and security engineering and will present commentary on:

  • the state of the art in information security
  • how to engineer security
  • how to improve the state of security for the common good
I hope that you enjoy this blog and I trust that the information here will improve your security.

Regards,


Chalmer

11.11.2006

Passwords, Part 3 - Examples

For more info about passwords and the basis of the following example, see Passwords, Part 1 and Passwords, Part 2.

William Tell, web-surfer extraordinaire, has 20 accounts that he uses.

Work account: William might use the following password, which he changes every 30 to 60 days: m@rNc$act0

Financial/Banking/Home Computer Accounts: William likely has the following web accounts with these passwords, which he changes every 30 to 90 days:

  • Bank: Mortgage - t*1rFlt>
  • Bank: Checking - eCs$h@oF
  • Bank: Credit Card - r2aiNa&o
  • Home Computer - iAt+d{mp
  • Amazon - bPa2fFa=
High Use/Low financial risk: William may use the same password or a very similar password for all of these types of websites and may only change it twice a year.
  • New York Times website - t^pl*iUh
  • Slashdot forums website - t^pl*1Uh
  • Firefox forums website - t^pl*iUh
  • InfoSec website - t^pl*1Uh
Low use/No financial risk: In this case William would likely use the exact same very simple password over and over and would likely never come back to change it.
  • One time only website - cl2938vl
  • I was really bored and not sure why I signed onto this website - cl2938vl
  • I needed a piece of info, but don't plan on going back website - cl2938vl
  • etc - cl2938vl
Hoping this helps you avoid password pain.
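To show how the guidelines from Passwords, Parts 1 and 2 can be checked against a tiered list like William's, here is an added example (my own code, not part of the original posts). It applies the Part 1 minimum length and character variety, a per-tier maximum lifespan, and the Part 2 warning that lower-tier passwords must bear NO resemblance to the high-risk ones. The per-tier limits and the "last changed" dates are my assumptions for the demo; the passwords are William Tell's from above, plus one deliberately bad entry.

```python
from datetime import date
from difflib import SequenceMatcher
import string

# tier: (minimum character classes, maximum age in days; None = never rotated).
POLICY = {"work": (3, 60), "finance": (3, 90), "high_use": (3, 180), "low_use": (2, None)}
HIGH_RISK = ("work", "finance")
MIN_LENGTH = 8

def char_classes(pw):
    """Count the distinct classes used: lowercase, uppercase, digits, symbols."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)

def resembles(a, b, threshold=0.5):
    """True when the two passwords share more than half their characters in order."""
    return SequenceMatcher(None, a, b).ratio() > threshold

def audit(entries, today):
    """entries: (account, tier, password, last_changed) tuples. Returns a list of findings."""
    findings = []
    high = [(acct, pw) for acct, tier, pw, _ in entries if tier in HIGH_RISK]
    for acct, tier, pw, changed in entries:
        min_classes, max_age = POLICY[tier]
        if len(pw) < MIN_LENGTH:
            findings.append(f"{acct}: shorter than {MIN_LENGTH} characters")
        if char_classes(pw) < min_classes:
            findings.append(f"{acct}: uses fewer than {min_classes} character classes")
        if max_age is not None and (today - changed).days > max_age:
            findings.append(f"{acct}: password older than {max_age} days")
        if tier not in HIGH_RISK:  # Part 2: lower tiers must not resemble high-risk passwords
            for h_acct, h_pw in high:
                if resembles(pw, h_pw):
                    findings.append(f"{acct}: resembles the high-risk password for {h_acct}")
    return findings

# Constructed sample: William Tell's passwords from Part 3; the dates are made up.
WILLIAM = [
    ("Work", "work", "m@rNc$act0", date(2006, 11, 20)),
    ("Bank: Mortgage", "finance", "t*1rFlt>", date(2006, 10, 15)),
    ("Bank: Checking", "finance", "eCs$h@oF", date(2006, 6, 1)),  # not rotated in time
    ("New York Times", "high_use", "t^pl*iUh", date(2006, 8, 1)),
    ("Slashdot forums", "high_use", "t^pl*1Uh", date(2006, 8, 1)),
    ("One time only website", "low_use", "cl2938vl", date(2005, 1, 1)),
    ("Lazy reuse", "low_use", "t*1rFlt", date(2006, 12, 1)),  # bank password minus one char
]

def audit_william(today=date(2006, 12, 31)):
    return audit(WILLIAM, today)
```

Calling `audit_william()` flags only the stale checking-account password and the constructed "Lazy reuse" entry, which is both too short and a near copy of the mortgage password; William's own tiers pass as he set them up.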

Chalmer

Contact Me

oKAMi Information Security can be contacted at:

chalmer.lowe at gmail.com
865.405.4289

I look forward to hearing from you.
