security

Is staying safe online possible?

Eric Vanderburg

I was asked a question on Twitter today. The question was, ÔÇ£Is staying safe online possible?ÔÇØ This is a great question because I increasingly see a sense of apathy in users due to the frequent threats to online safety that are reported. They ask questions such as ÔÇ£If big companies canÔÇÖt protect themselves, what chance do I have?ÔÇØ or ÔÇ£If identify theft is inevitable, what is the point of protecting oneself?ÔÇØ LetÔÇÖs look at the question in an Aristotelian manner. We first must establish what staying safe is. LetÔÇÖs start with this definition:

Being safe online is having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself to harm*

Having the knowledge, ability and opportunity to utilize the Internet and Internet-based resources without subjecting oneself or others to harm*

 *harm is being described as the following:

  • Unauthorized disclosure of personal or sensitive information
  • Identify theft
  • Misuse of computing resources due to unauthorized access or presence of malicious code
  • Persuasion or coercion to perform actions due to misrepresentation or incorrect facts presented in phishing emails

With this definition in hand, I can now consider whether this is possible. First, this definition means that no harm, as described above, would come to the individual despite the frequency of use as long as they utilized sufficient knowledge, ability and opportunity. I believe this is false. Even those equipped with sufficient knowledge, ability and opportunity will eventually come to some harm in utilizing the Internet and Internet-based resources. So, what if I revise my definition to this?

Being safe online is having the knowledge, ability and opportunity to minimize the harm* and frequency of harm caused due to the use of the Internet and Internet-based resources.

This definition allows for someone to be safe online but still have harm occasionally occur. However, in such occurrences, the damage done would be minimized. For example, if personal information was disclosed, the individual would be able to recognize that disclosure quickly and work with persons and companies to restrict the value the ability of malicious user to employ the information disclosed and to reduce the amount of damage incurred through use. More specifically, if a person entered a username and password in a fake web site, they would realize their mistake and change their password on the legitimate site before an attacker would have the ability to utilize their credentials. They would also utilize different credentials for other sites so the information gained would have no value if employed for other Internet services.

Using this definition, I believe I could say that it is possible to stay safe online. However, possibility is not probability. Those that would be safe under this definition must have the knowledge, ability and opportunity. If the majority of people utilizing the Internet do not have this then the majority of users are not safe. Our logical step, therefore, is to educate users to give them the knowledge and ability and to make the technology and environment that will provide them with the opportunity something that is available to the majority of users.

For more information:

The Human Side of IT Security

Organizational Security Culture

Securing the Network against Inevitable Human Slipups

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and donÔÇÖt necessarily represent DellÔÇÖs positions or strategies.

Twas the Night before the Breach

Eric Vanderburg

Twas the night before the breach, when all through the place
Not an alarm was ringing, nor even a trace
That data was being pilfered, with the greatest of care
In hopes that its access would none make aware
 
The employees were off early, out for the day
Some to go shopping and others to play
Leaving the office empty, ÔÇÿcept for one man
Filling a thumb drive as fast as he can
 
The passwords he had, some from Susan, others Paul
One under the keyboard, another on the wall
So he gleefully posed as his oblivious colleagues
Obtaining the data while humming a melody
 
Till leaving the office, no clue he neglect
To remove with him lest someone start to suspect
Ill intentions from such an employee as he
Whose reputation was spotless as spotless could be
 
The holiday proceeded much as expected
Families gathered, read stories and collected
The gifts they desired but hardly touched after
Great feasts were consumed, songs sung with laughter
 
But one of them partook in much more than cheer
Anonymously he sold them, stolen secrets most dear
Highest bidder to win, take all you can handle
Spreadsheets, memos, personal and financial
 
Returning to work, the breach first went undetected
Till profits sagged much lower than projected
Our secrets were stolen, they cried in shock
Our competitors have knowledge of things they ought not

Four keys to successful BYOD | Eric Vanderburg | Network World

Eric Vanderburg

The bring your own device (BYOD) movement formally advocates use of personal equipment for work and obligates IT to ensure jobs can be performed with an acceptable level of security, but how can risks be addressed given the range of devices used and the fact that you lack control of the end point? Companies looking to embrace BYOD — 44% of firms surveyed by Citrix say they have a BYOD policy in place and 94% plan to implement BYOD by 2013 — need to address four key areas:

1) standardization of service, not device,

2) common delivery methods,

3) intelligent access controls and

4) data containment

Read the full article here:

Security awareness for mobile apps

Eric Vanderburg

Smartphones are replacing traditional phones. These handheld devices offer users more than just the ability to make calls; smartphones such as the iPhone, Google Android, or Blackberry let owners browse the Internet, check email, and run applications. In many ways, the modern smartphone is a merger of the computer and the phone into one small pocket sized device delivering information to you anytime, anywhere. But what else is your smartphone up to? With all its similarities to the PC, smartphones also share one of the PCs less desired attributesmalware.

All three vendors, Google, Apple, and RIM maintain a directory of applications, or apps, allowing developers to publish applications to a directory for downloading. Some of those applications contained malicious code allowing phones to be converted into ÔÇ£zombiesÔÇØ for launching attacks or giving attackers access to data on smartphones such as contacts, emails, attachments, browsing history, or passwords. Some applications made calls to 900 numbers or premium texting services that you could be billed for. Both Google and Apple have identified and removed malicious apps from their directory and Google has implemented measures to remotely remove malicious apps from usersÔÇÖ phones. However, even this fact is disturbing because it demonstrates that Google has backdoor access to the Android phone. This system that today is used to remove malware, could one day be used to deploy it.

So you may be asking what you can do to protect yourself from smartphone malware. Here are some recommendations. First, download apps from trusted sites. The best controlled sites are those operated by Google, Apple, and RIM. These apps are reviewed prior to being added to their directory. It should be noted that Apple and RIM have a more stringent review process for apps published to their directory so Google Android users may have a little more difficulty finding malware free applications when using the directory. Directories are still not completely safe so users will need to exercise caution when downloading apps.

Second, you should be aware of the correct name of an application. If someone tells you to get the Facebook app, make sure you get the official application rather than Facebook Notifier or Facebook Express or some other variation. Next, make sure the spelling of the application is correct. Malicious apps masquerade as legitimate apps with a similar name. If you misspell Facebook as Facebok, an application may be available with that name but it is probably that the application in the form of malware.

Third, do not hack your phone or operating system. Many users are tempted to hack their phone by applying unauthorized firmware versions or making software modifications so that their phones will perform actions not intended by the manufacturer. Such modifications can disable vital security features of the device allowing malware to infect the machine or applications to perform unwanted actions on your phone.

Lastly, consider using anti-malware applications on your phone if you run lots of apps. iPhone users may have difficulty locating an anti-malware app for the iPhone because the iPhone OS does not allow applications to run in the background. Apple claims anti-malware applications are not needed in their operating system because of this and because all applications run in a sandbox where they are prohibited from interacting with other apps or with the system directly. However, similar techniques have been used with standard computer operating systems and such techniques have been circumvented.

To sum it up and answer the question posed at the beginning, ÔÇ£does one bad app spoil the bunch?ÔÇØ, use your smartphone with caution. Download only the apps you need and download them from a trusted source. If you utilize many applications, consider anti-malware software for your phone and do not hack your smartphone because doing so may disable security features of the phone. The threat of malicious apps on smartphones is real but you can go a long way in protecting yourself by following these guidelines.

For more information

Google purges tainted apps from Android phones

5 ways to protect your Android phone from malware

Antivirus for Smartphones?

Great Firewall of China

Eric Vanderburg
Computer experts from the University of Cambridge were able to breach the ÔÇ£Great Firewall of ChinaÔÇØ and also have found a way to use the firewall to launch DoS (Denial of Service) attacks. .
The firewall was tested by sending data packets containing the word "Falun" to it. This word is a reference to the Falun Gong religious group, which is banned in China. By using forged packets, they were able to circumvent the firewallÔÇÖs filters.
Furthermore, the Chinese firewall can also be used to launch denial-of-service attacks. The system can essentially be turned around on the Chinese government. Sites could be blocked that the Chinese government wants people to see and others could be let in.

Inaudable Ringtones – The security of sound

Eric Vanderburg
I came across an interesting article the other day.┬á It was on a new set of cell phone ringtones that only kids can hear.┬á Apparently, when you grow older you ears change and you cannot hear sounds in a specific frequency range.┬á They encoded an mp3 sound in this range and the kids are using it and others as ringtones for the cell phones so that they can hear when they go off in class but the teacher does not.┬á The technology was created as a teenager repellant and now the teens are using it against us.┬á Isn’t that funny?┬á I played the mp3 for my class and some co-workers and the only person who could hear it was Ann, the front receptionist.┬á Lisa tried it at home and her daughter, Liz, could hear it as well.

WiFi Rabbit

Eric Vanderburg
I was made aware of this little creature on the CWNP forums.  It is a small wireless rabbit that can receive messages, music, tell you the weather and time and other things.  Interesting.  Here is the website.  http://www.nabaztag.com/vl/FR/index.jsp#

CWSP

Eric Vanderburg
I am really cutting this close.  The CWSP test changes on January 1 and I just scheduled the test for December 21.  I am going out of town from the 24th to the 1st so this is really my only chance.  I must study very hard and pass it the first time.  I am feeling pretty good about the material right now but I have not taken any practice tests yet.  I am going to try that tonight. 

I am working on the midterm exam for the OS class today.  I am giving a review tomorrow and the test is Monday.  I also need to lecture on Windows XP and  Windows 2000. 

A co-worker wants a low end PC for internet use so I am fixing up a computer for him.  It needs to have a DVD drive in it and run Windows XP.  Those are the only requirements.  I am charging $100 for the machine and throwing in a 15" CRT if needed for free.  I can get them at Goodwill for less than $10 each.  That is how I am keeping my lab stocked at school.  Some are better than others and sometimes they break but it is ok.