Computers everywhere

Branden Williams at the Security Convergence Blog has this outstanding article about places your personal data can reside that you rarely consider.

Folks, don’t forget, that every one of these devices that you plug into the wall or has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled down version of the same technology.

You know that VOIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with outdated or known vulnerable software, there is data on that thing. How long it lives, or what it stores depends on the device.

BE SURE to destroy all of the data on the device before handing it over. For appliances or self contained units such as TiVos or PS3s.

Computers are everywhere. Like lint. Most of us don’t really stop to consider that our old TiVo Series2 has several orders of magnitude more computing power that NASA had available for the Apollo 11 moon landing. And since TiVo is not only a subscription service itself, but can interface with a number of other subscription services like NetFlix, there is definitely personally identifiable information (PII) stored on board as well.

So think long and hard before trading in or repurposing (outside your control) your DVR or game console, since most don’t really provide a simple way to wipe the storage without destroying the unit. It’s probably better to take Branden’s advice:

using the super destructo method of a big magnet or a commercial shredder certainly becomes a more reasonable solution.

And more fun too.

Security ideas for your mom revisited

Information security for  everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers” definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference. In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPNP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet. In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall eliminates most of the need for anti-virus software (more heresy I know). But l like the idea of cutting off the malware at the pass as is were.
2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft Bitlocker, which is available with Vista Ultimate. For most average users, it’s probably not worth the $300 upgrade to Vista Ultimate, but for business users that are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to Bitlocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups) which is far less valuable than your data and personal information.
3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often.
4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like facebook or MySpace you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email to address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality is crucial then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure email environment. For everyday it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand tend to favor Mozilla (Firefox) or Webkit (Safari and Chrome) browsers. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply tuns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Trust me, this will save your bacon.
7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t pay games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing a some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hotty you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note – blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.

Sarah Palin and the great Yahoo! angst

I’ve really been trying to stay out of this one. I really have. Mostly because everyone, and I do mean everyone, has this story covered. While mainstream media, in stories like this, were concentrating on where to place blame, whether nasty sites like wikileaks are legal (while dutifully linking the prurient details) and whether Ms. Palin was a victim or villian (how about just clueless), the Security Bloggers Network, yea the entire blogoshere, has been alight with posts about what we can learn from this incident and how to make sure this doesn’t happen to you. Kindred spirit Alan Shimel even weighs in with words of advice and consolation for Ms. Palin.

So what’s the most important takeaway from this ugly, yet amusing, incident? That Yahoo!’s email security policies suck? I’m guessing that Alan would answer that with a resounding “yes!“ (albeit more emphatically and certainly more colorfully). Or is it that all web-based email services’ security sucks? Or maybe that there is a vast left-wing conspiracy to discredit our lovely GOP VP wannabee? (Oh! – I like that one).

Not to minimize or criticize the excellent analysis and advice proffered by fellow security bloggers, I think the most important takeaway was this:

Security is about managing risk. First you identify the assets that are exposed, then determine the threats that those assets will be exposed to, and finally determine how best to to manage that risk. This was yet another, albeit high profile, case of poorly managed risk.

Does Yahoo!’s mail security, particularly their password reset mechanism, introduce threats? Of course. Same with Google Mail or Hotmail. Can these threats be mitigated? Of course. Is it safe for me to use webmail? Ah, now we get to the question, however obliquely, that we should have asked first. So lets start at the beginning shall we?

1. What is the benefit received from a web-based email/calendar/contacts system?
2. What are the information assets that would be exposed?
3. What are the threats to those assets?
4. How can those threats be mitigated?
5. Given the value of the exposed assets, can the threats be mitigated sufficiently such that the risk can be accepted?
6. Do the benefits outweigh the cost in money and risk?

So if I’m me (which I was last time I checked) I would get a great deal of benefit from an online system like Yahoo! (disclaimer: I don’t actually use Yahoo!, I use something else), since I like to be connected everywhere and I make a point of keeping my work and personal stuff well separated.

In my case, the information assets that are exposed by my webmail are intentionally minimal. No important numbers or addresses and minimal Personally Identifiable Information.

The major threat to my assets is exposure due to data breach, with the most likely vector being a compromised password.

I’ve already written a blog entry about password security and I also use some of the stuff outlined here.

The value of my exposed information assets is pathetically low – my family weekend plans or my personal address list are, sadly, valuable only to me. So any common sense mitigation I can put in place will definitely make the effort required to compromise my data a very poor investment indeed.

Therefore, the convenience of having my todo list available on my iPhone far outweighs the risk of that data being exposed.

But then I’m not the Governor of Alaska and a vice presidential candidate. Ms. Palin should have gotten to #2 and started hearing all kinds of alarms going off. Barring that (hey, she only recently became a celebrity – er… high profile person) the answer to #5 is “no!” (actually “HELL, NO!“). Particularly since the data identified in #2 was not hers to risk – some of it belonged to the people of the sovereign state of Alaska. I can safely say that were I to expose my employer’s data via a personal online account, no matter what precautions I took and regardless if it were actually compromised, I would be fired. Immediately. Walked right out the door. And rightly so.

I’m pretty sure I wouldn’t get promoted to Vice President.

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

• Use Common Sense
• Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this  can be handled by any personal computer (and most cell phones) running any OS with either built in or free add on software.

Email risks fall into 2 categories, cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically if you intend to visit adult (porn) or warez (pirated software) sites your risk is increased exponentially. Whereas reputable sites like legitimate shopping sites or wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well Duh! search engines raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.