Resources
October 5, 2013In case you hadn’t heard yet – for 10 years now October has been declared the National Cyber Security Awareness Month (NCSAM) by the National Cyber Security Alliance. An initiative designed to promote awareness of security issues, and educate people on how to mitigate or combat these issues.In the spirit of NCSAM – we’ve put together a few tips and general advice for you to chew on. Hopefully at least some of you will take some steps today to improve your security habits.

1. Understand that security is a shared responsibility.

It often goes unsaid – and there are two ways to really think about this. The main concept that you need to keep in mind however, is that your security system is only as strong as your weakest link.

No matter how good your security policies are, this becomes meaningless if you (or someone else) is allowed to be lax about their security protections e.g. using weak / no passwords, not using encryption for sensitive data, not taking proper precautions to secure your work station etc.

There are two common types of thinking regarding security responsibility.

  • You are the weak link, and think this is ok “because that’s a job for the IT / security people”. The reality is that you are putting others at risk through you poor security behavior, and this thinking is almost always the cause of over-arching and overly-strict security policy changes from top management.
  • You are a strong link, surrounded by weak links that you know about. Meaning you’ve done your part, so anything else that happens is “someone else’s fault” – except when you put your company at risk because you didn’t bother to educate or report the issue.

The above points may sound harsh, and they certainly are more cumbersome than simply avoiding the issue. You can also imagine the frustration of coming across this exact same type of thinking time and time again when there is yet another security issue to fix.

2. Check your computer for malware – right now!

When was the last time you ran a malware scan? Most people focus on using antivirus (which is great) – but new malware also crops up all the time, and your automated filters don’t always catch them.

If you don’t have a malware scanner installed right now, you can easily get one for free using your favorite search engine. THIS ALSO GOES FOR YOUR MOBILE DEVICE – tablets and smartphones are just as vulnerable to malware as desktops, and often even more so because many people don’t think about it.

3. Go ahead and change your passwords right now.

If you’ve been using the same password for over a year – it doesn’t hurt to change them, and does a lot for improving your security. Just keep a few things in mind:

  • Use a different password for each service you use – this way if one gets cracked, your other services won’t be affected. If you have difficulty remembering multiple passwords, you should get yourself a “password manager app”.
  • Use a complex password that you can remember (yes that does sound like a contradiction in terms) – here is a basic password guide from Microsoft, which also has a tool to test your password strength.

4. Stop using WEP for your wireless security. Change it to WPA or WPA2.

WEP is broken. 100% done. It would take me less than a minute (with my eyes closed) to hack into your wireless network if you’re only using WEP security.

Seriously it is that bad – and it only takes 2 minutes to change this option on your router. Do it – now!

Here is a video from Sophos that also dispels some common myths about wireless security. Both home and business users would do well to check it out – especially if you use “network name hiding” and / or MAC address filtering.

 

Be aware and stay safe!

Help – my web service has been hacked! What do I do?

September 28, 2013So you’re going about your day as normal, and then you notice something awry. This can happen on your website, web service, or user accounts (including email, social media, and so on).No matter what the case, here are some bad signs that your web service has been hacked:

  • You cannot access your website or user account.
  • Your website / webpages are defaced.
  • Your website redirects to another “unsavory” site, such as a porn or pharmaceuticals pusher.
  • Your contacts list notifies you that they have received strange messages from you.
  • Google or Bing notifies you that your site / user account / web service has been compromised.
  • Accounts, records, or other information is missing or corrupted.
  • Your website / web service “behaves strangely” (this is very difficult to describe until you actually encounter this behavior, then it is usually obvious).
  • You notice strange traffic on your network or user account (usually a big spike in traffic that cannot be explained).

There are a number of reasons that your web security could have been breached:

  • A weak password was compromised
  • Malware was used to capture login credentials
  • A security vulnerability was found in your computer systems
  • Another account / web service was compromised on a shared server / computer resource

Note: a data forensics expert can tell you with remarkable accuracy what was happened, how it happened, with a good chance of identifying the person (or location) causing the breach. This service can be a little out of reach for some people and companies however.

No matter what the case – there are some things you can do to minimize the damage, restore normal operation, and (ideally) close whatever vulnerability that caused the breach in the first place.

 

Step 1: Stay Calm

Security breaches happen to the best of us at times for any number of reasons. You could easily be the victim of bad luck or circumstance, or some other security flaw or weakness beyond your control.

The point is – there is no point getting flustered. A security breach is not the end of the world, you can recover, and that will happen faster if you keep your head straight.

 

Step 2: Get Your Website / Web Service Offline Immediately

Depending on the nature of the breach, and what systems are affected. You need to shut down your website or web service before the problem can spread, or otherwise cause more damage (especially to your business reputation).

This can be especially important because Google and Bing can mark your website as compromised, which makes it more difficult to get back to normal operation even if the threat has been removed. It can take days or weeks for search engines to mark your site as safe once they detect malware.

You will know when this happens because when you try to access the site, and you get warning message saying something like “Reported Attack Site!” or “randomsite.com contains malware”.

 

Step 3: Call for Support

This could mean your IT department or system administrator (sysadmin), the support team for your service provider, or a 3rd party professional to take care of the issue for you. You should always have the relevant phone numbers and contact information readily available for these situations.

Yes it is absolutely possible for you to fix the problem yourself (if you have the time and skills). Though most people will simply not have the experience to do this properly, and even fewer IT experts will have the IT security experience to fix what could (potentially) be a rather complicated mess.

Getting experienced people working on this problem will (generally) go faster and smoother than attempting to fix these issues yourself. If you are depending on service provider support, you may consider hiring an outside security expert to do damage control, and close any vulnerabilities exposed by this breach.

BUT – if calling for professional help is really not a feasible option for you, later we will be publishing a separate guide that outlines some steps you can take to cleanup your system so (hopefully) you can get your small business site running again. You can also try your luck scouring Google / Bing for guides on what to do, just try to be as specific as possible when you run your searches.

 

Step 4: Inform the Right People

Aside from contacting the people who can fix the issue – you may also need to inform your colleagues, customers, or other contacts to let them know what is happening.

People in general are more forgiving if they are informed about what is going on, rather than finding out the hard way that they cannot access your website or web service. Some industries are even legally obliged to contact people potentially affected by the security breach.

 

Step 5: Smarten Up About Information and Computer Security

Once a breach has occurred, it behooves you to find out how it happened – and then take steps to prevent security breaches from happening again. IT security is a complicated practice at the best of times, but the majority of security threats can typically be avoided through good security behavior and common sense.

There are many websites out there discussing good security practices, and we’ve also published articles about these topics numerous times. To paraphrase Francis Bacon – knowledge is the most powerful security tool you can possess.

There is no such thing as a “safer” web browser

September 20, 2013Some people take their web browser choice seriously. Other people working in a corporate environment will often bemoan their lack of choice in web browsing.Of course your personal preferences can come down to any number of factors – but if you’re making your choice based on the idea that one browser is “safer” than the others – then we have some interesting news to report to you from NSS Labs.

NSS Labs is a research company that regularly compares the security capabilities of all the major web browsers. According to their latest research – it seems that no one browser is better than others in all areas of privacy and security.

Let’s take a look at some of the findings – starting with the phishing URL catch rate:

  1. Firefox 19 – 96%
  2. Safari 5 – 95%
  3. Chrome 25 – 92%
  4. Opera 12 – 89%
  5. Internet Explorer 10 – 83%

While Firefox and Safari are at the top of this list, and some of you are likely unsurpised to see Internet Explorer at the bottom of this list (even though 83% catch rate is still pretty good) – this does not tell you the whole story.

Let’s take a look at the same browsers, and see how well they block socially engineered malware (using built-in default settings):

  1. Internet Explorer 10 – 99.96%
  2. Chrome 25 / 26 – 83.16%
  3. Safari 5 – 10.15%
  4. Firefox 19 – 9.92%
  5. Opera 12 – 1.87%

While these numbers may appear shocking at first glance – you should take a deeper look into how these figures are calculated, how malware blocking affects usability, and how “successful malware blocking” is defined by NSS (pdf link). Ultimately however, Internet Explorer and Chrome are still far and away better than other browsers in this regard.

These discrepancies are mostly thanks to the built-in CAMP (Content Agnostic Malware Protection) technologies now offered by Google (CAMP) and Microsoft (SmartScreen Filter). You should also keep in mind that most computers should have other layers of protection to deal with malware – such as firewalls, antivirus software, and other OS protections.

Internet Explorer is also a clear winner when it comes to default privacy protections – for example while all major browsers offer a “do not track” option, only IE enables this setting by default (which has caused some industry controversy mind you). At the moment however, this feature will generally lack teeth until new proposed legislation forces advertisers to be honest about following this setting.

Since Google and Mozilla (which is subsidized by Google) are so dependent on advertising revenue, it is likely that both Chrome and Firefox will continue to lag Internet Explorer and Safari in this matter.

Safari is considered second best by NSS for default user privacy configuration, though does offer some better protections compared to Internet Explorer. For example Safari actively blocks all third-party cookies, while IE offers only partial blocking by default.

Overall these are still more victories of intent rather than effect, because it is still far too easy for companies to ignore these privacy settings. Again we will have to see what happens to the pending legislation, though clearly both Microsoft and Apple have taken bold action to prove how seriously they take user privacy.

We will just have to wait and see how it all pans out.

Securing Your Email – or Why You Should Stop Using Free Email Services for Business

September 15, 2013Email is tragically insecure. There is simply no way around it – and if you’re using free email services such as Google Gmail, Yahoo Mail, or Microsoft’s Windows Live Hotmail – you are leaving yourself far more exposed than you might realize.The problem with email security is that the system is inherently designed to facilitate quick communication between anyone with a valid email address. Regardless of where the sender and recipient are located, or which email service provider is being used.

All emails must be stored *somewhere* until they are retrieved and read. Most email providers (including Google, Microsoft, and Yahoo) will also happily archive all your emails essentially forever (remember when that was a huge selling point?).

Why is this a problem? Well in a perfect world it isn’t, and if no one ever cares to read your emails – then it never will be. What if on the other hand you are negotiating a business transaction, or otherwise need to share something sensitive with another person. What if you have been doing this for many years now – then what?

Every single email you have ever sent through your Google, Microsoft, or Yahoo email account is still sitting on their servers, usually stored in plain text, and under the domain of whatever privacy laws exist in that particular country. This means any sufficiently mature email account is a gold-mine for anyone interested in finding out everything they can about you.

Take a look through your archived emails if you want to see what one broken password can reveal about you – or take a look at what happened to Sarah Palin when her personal Yahoo email was hacked.

The email security problem is then compounded when you consider that anything you can do to better secure your email – is inherently going to make your email less useful (or at least less convenient). Unless you really are dealing with a lot of sensitive information (such as business negotiations) or have some need to maintain a high level of privacy (such as being a public figure) – then the benefits may simply not be worth the hassle or expense.

This is certainly a matter of personal choice though, and in either case – people should know what happens when they use email communications – and that there are choices to better secure your email if you want.

 

Recommendations:

1) Stop using free private email services for business

For all the reasons mentioned above – there simply is no good reason to do so, and you should keep your personal and business life separate anyway. Business / enterprise solutions for email are much more secure, and even though they will cost you a little bit extra – at least you can deduct them from taxes as a business expense.

2) If feasible – employ encryption, or use a paid encrypted email service

Setting up email encryption for free is certainly possible, but a hassle to setup for the average user – and it gets difficult to convince all your contacts to use your encryption methods. What good is encrypting your emails if the recipient doesn’t want to bother using the decryption key?

Paid services are available which make the encryption process much easier, though there will always be some extra hassle involved. Some popular options for such services (which we strongly urge you to research before using) include: HushMail (US-based), CounterMail (from Sweden), and NeoMailBox (from Switzerland).

Businesses with larger IT budgets will be more spoilt for choice in terms of secure email solutions.

3) Backup your email archive and store it elsewhere

Deleting your public email archive regularly will help make sure that even if someone manages to break into your account, there will be little information for them to exploit. Many backup solutions (both free and paid) are readily available and offer a quick boost to your privacy security.

4) Use a proportional and appropriate response

As we said before – while email is inherently insecure – anything you do to add layers of security will increase the hassle of using email. Paid options are (often much) less cumbersome, but still an extra hassle. You ultimately need to take a close look at what information you really need to communicate via any given channel, and communicate those using an appropriate level of security (and thus extra hassle).

5) Understand that there is no perfect solution (yet)

Believe it or not – there is a relevant XKCD that describes the major flaw with relying entirely on encryption to keep your emails secure. Ultimately if someone is really determined to access your emails, there is a way to do so with enough persistence and advanced knowledge.

Hopefully one day we will have a better solution than SMTP for email communication protocols. Until that day however, you should be mindful of what you communicate via email, and take steps to minimize your exposure as is desirable and feasible for your needs.

We’ve put together a massive list of infosec / compsec resources for your reading pleasure.

September 11, 2013SCWOA has launched a new free reference site – called Deploy6 – for people serious about their security, or would just like to know more about security issues in general.There’s lots of links and publications to peruse, especially if you’re curious about some of the US government legislation that affects how security (should be) handled by organizations in possession of your private data.

 

Our list of resources on Deploy6 includes:

  • Downloadable security reports
  • Security technology buying guides
  • A variety of interesting podcasts
  • Video libraries
  • Whitepaper libraries
  • Infosec / compsec Security Magazines
  • Security templates, policies, and frameworks
  • Privacy / security awareness organizations
  • Best practices and guidelines
  • US Government initiatives
  • Vulnerability and incident databases
  • Information Sharing and Analysis Centers (or ISACS)