As always, we can learn from example . . .

A little over a month ago I used my 4GB USB flash drive to move a small executable file from one computer to another. After using it I dropped it back into my computer bag like I always do….

Or, so I thought.

…………………………

Life was good and I had no need for the USB drive. But then I really needed it for moving another file between computers that were not networked.

I rummaged through my computer bag. No luck.

I cleaned the extraneous stuff off my desk. Still could not find the drive.

I even removed all the change in the cup holders in my pickup. No joy.

Finally, it was found deep in the bottom of my computer bag, where it was supposed to be.

………………………….

As The Professor used to say in college, “It’s intuitively obvious” that USB drives can be easily lost.

What should we do? Here a couple of ideas…

• Never store confidential information on a USB drive.
• If you must put confidential information on a USB drive, then encrypt the USB drive, or the files on the USB drive. This is pretty easy. You can use a drive from IronKey, or you can use a generic drive with TrueCrypt.

So, be careful out there. Don’t lose your personal information by putting it on an unencrypted USB drive.

- Dan

That was the statement that a friend said to me this past week. Of course a statement like that implied that he had a completely open wireless network at his place of business.

Open wireless is not all that uncommon. I’m using one right now as I’m writing this.

There are many businesses that may have a legitimate reason to have open wireless…

• coffee shops
• libraries
• hotels
• schools (maybe)

But most have no business need for open wireless. If there is not a need, then it should be encrypted.

So, what are some good reasons for encrypting the wireless network?

1. It helps to keep unauthorized users off your business network. You really don’t want to make it easy for someone to “accidentally” have access to your business information.
2. If credit card information traverses your network, then PCI-DSS may require it.
3. There are always people with less than honorable intentions looking for open networks. They may want access to your business information, or they may simply want to use your network to mount an attack on someone else.

Encrypting your wireless is very easy and is done from the administrative interface on your access point. Be sure to choose WPA2 if that is an option. Give it a complex password. Don’t share the password with people not needing it.

These suggestions also are relevant to your home network.

Finally, many of the more publicized breaches have been launched because the victim company has used weak or no encryption.

- Dan

Most folks will not understand (or even care about) the details of the recently reported DNS rebind vulnerability. But this problem affects many of the low-end cable and DSL routers that are used in homes and small businesses.

Even more alarming is that a tool to exploit this vulnerability is to be released at Black Hat 2010 in just a few days.

What can you do to protect yourself from this exploit?

1. Change the administrative passwords on your routers. All of your routers come with a well-known default administrative password. You should connect to the router and make sure that you are not using the default. You should also use a complex password.
2. Disallow remote administration of the device. Many routers allow administrative access from the Internet. This should be allowed only in rare and well-defined situations. Although this is not directly related to the DNS rebind problems, you should still verify this setting.
3. Upgrade the firmware to the latest version available from the manufacturer. Most manufacturers put out updates to the firmware that is running on their routers. If you are not running the latest version of the firmware for the router, go get it from the manufacturer’s website and do the upgrade. This will protect you from other attacks.
4. If you are using wireless, be sure to use WPA2 to protect your wireless connections. I hope you are not using WEP. Using WPA2 is much better. (A technical explanation is beyond the scope of this post.)

These steps will minimize the attack surface on your devices.

Good luck!

- Dan

I received a call this week from a friend who works in a small office. She had been out for a few days, and when she returned it became obvious that someone had been rummaging through the stuff on her desk.

Then, she started telling me that when she turned her computer on there was evidence that someone had been using her computer, as well.

Needless to say, she was pretty upset and wanted to know how she could tell who the offender was. She was hoping that there were some “tracks” somewhere that would tell here everything about who had been using her computer.

She wanted to confront the others in the office about accessing her computer and desk items while she was out.

Now, let’s look at some details from a common-sense perspective…

• The computer was configured so that it didn’t require a password to get into Windows. My recommendation was that she make the computer require a password to enter Windows. I suggested to her that the added security far outweighed any perceived inconvenience here.
• It also turns out that the computer in question is a notebook. She had just been turning the computer off at night and leaving it on her desk. Further inquiry led to the discovery that she had a locked file cabinet where she kept the important company information. My recommendation was to make it so the computer could not be accessed while she was not there. I suggested that she lock the notebook computer in the cabinet when she left the office for the day.
• Further questioning helped me to realize that the business has purchased this notebook computer a year ago, but there was no need for portability. So, why did they purchase a notebook? I couldn’t get a firm answer. My recommendation is that a notebook only be purchased if there is a need for portability, as portability makes theft of the computer easier.
• Regarding who and why someone accessed the computer without permission, there could be a variety of reasons. I suggested to her that she calmly discuss with her office-mates that it appeared someone had been looking for something while she was out. I also suggested that it is important she do this professionally, and to encourage them to call her is something is needed while she is out. These are people that she has to work with, and it is important that relationships not be antagonistic.

The conclusion is that this situation could have been averted with just a few simple actions.

Let’s all use common sense when approaching physical security.

- Dan

“Backups are the disaster recover plan!”, he emphatically said.

And so began the conversation…

Of course, backups are a part of the disaster recovery, but not the complete plan.

Just last night I found out about a local business whose server crashed. They had been dutifully performing backups. The backup subsystem reported that backups had been created. But…

It turns out that the backups are unreadable and now they are scrambling to determine the next steps to keep their business running.

Tip: Periodically check your backups to make sure that (1) they are readable, and (2) that they contain the information you hope they do.

Put this into your list of things to review on a monthly basis. As some point you will be glad that you did.

- Dan

Twitter hacked by old technique — again by AP: Yahoo! Tech

This article came out yesterday. The short description is that a compromised personal email account led to a compromise at Twitter.

Although the article is written with the focus on Twitter, this can just as easily happen to you and your organization.

Tip: Keep work email and data separate from personal email and data.

We need to constantly remind folks that there needs to be separation between work and personal email and storage. The selling point is that it protects both the employee and the company in the event the other is compromised.

Once again, the weakest link is The Human.

- Dan

I can remember many, many years ago when my Dad disposed of old tax documents. He just threw them in the trash.

The only redeeming factor was that we lived in the country and burned all of our paper trash.

But, have you ever known anyone to just toss a confidential document in the trash? What is considered “confidential“?

Here are some examples of what you should consider confidential…

• Anything with your Social Security number on it
• Anything with a credit card number on it
• Anything that is a credit application
• Anything with user accounts and passwords
• Anything with bank account numbers

Tip: Purchase a cross-cut shredder and shred confidential documents.

This will help to protect you from identity theft, or someone using your credit to make purchases.

Make you life easier. Shred those documents!

- Dan

Sorry to bring this up, but your computer is not perfect. Neither were the programmers who wrote the programs. Neither were the dude’s who designed the hardware. And of course the user is not perfect!

Patches and Updates are used to correct programming errors and fix vulnerabilities in the software.

It is difficult to keep up with the vulnerabilities that are found for Windows, OS X and all the programs that are running on them.

So, today’s tip is to use the automated facilities of Windows and OS X to automatically update the operating system and applications.

To enable this in Windows, go to the Control Panel and look for Automated Updates.

For OS X, go to the System Preferences application and open Software Update.

Both Windows and OS X allow for the computer to download the updates on a set schedule. When you are notified of updates, you should let them install.

Is your cell phone like mine?

I have names and addresses of family, friends, co-workers and peers stored in mine. I also have my calendar on it. A Facebook app can be accessed and more information found. My ToDo list is stored on it. Other apps, such as OliveTree Bible Reader, Notes, Twitter all are on there too.

Amazing things can be learned about me from the information and applications that are on my cell phone.

Regardless of your role in life – staff or management, plumber or professor, pastor or teacher – your cell phone contains information about you and your life.

If the phone is lost or stolen, all that information is then available for whomever finds it. So, what’s a guy to do?

1. If your phone has remote wipe capabilities, make sure that you know how to use it. Windows Mobile, BlackBerry and iPhone all have the capability of remote wipes. If your phone is lost or stolen, use remote wipe to reset your phone.
2. If your phone has the ability to lock, use it. Often this takes the form of a passcode that must be entered before the main screen is displayed. The iPhone and Windows Mobile phones have this ability built-in.
3. Take special care when traveling. I’ve been in airports and seen cell phones left behind by hurried travelers. Several years ago, we had an employees leave his smartphone in a taxi. He had been in a hurry to make a meeting and wasn’t paying attention.

What things can be learned or inferred about you and your organization just from the information on your cell phone? Protect it!

- Dan

It’s convenient to just turn on your computer, go get a cup of coffee and have the desktop waiting for you when you come back. Right?

But do you realize that you are putting your sensitive data at risk when you do that?

What if you lose your computer? One barrier to the Bad Guys accessing your files is removed. I can think of countless scenarios similar to this.

If you are running Mac OS X, here are the steps to turn off automatic login…

1. Open System Preferences and then open the Security pane.



2. Put a check mark beside “Require password to wake this computer from sleep or screen saver”, and also put a check mark beside “Disable automatic login” for all accounts on this computer.

What about Windows XP or Vista? First off, you need Local Administrator rights to make this change. Second, if you are joined to a Domain, then by default your auto-login is turned off and this is managed by the Domain Administrator.

Here are the steps to turn off automatic login in a Windows XP and Vista environment…

1. Go to Start… Run… and then type control userpasswords2 in the Run… box and hit enter.



2. Put a check mark in the box beside Users must enter a user name and password to use this computer. Click Apply, then OK.

That’s all there is to it! Pretty simple, and greatly increases the security of your files in the event you lose your computer, or someone without permission turns your computer on.

- Dan