As I contemplate purchasing a netbook (the HP Mini 2140 looks awesome), I came across a Computerworld.com article titled “Laptop Losers Hall of Shame” (http://www.computerworld.com.au/article/222142/laptop_losers_hall_shame) detailing the enormous security breaches that ensued when notebook computers belonging to employees of corporations, government agencies, and colleges were lost or stolen. The hall of shame is both hilarious and frightening.
Smartphones are becoming the new laptops. ABI Research expects annual worldwide smartphone shipments to exceed 334 million units by 2010, up from just over 42 million units in 2005. With that many devices carrying sensitive company data, it’s not hard to imagine what keeps security analysts up at night.
Mobile phones have evolved to the point where they match the functionality of older notebook computers. I know that I can do pretty much every daily task I need to from my smartphone, including RDPing or SSHing into servers. Like me, you probably use your smartphone to hold critical information such as notes, emails, and business contacts. If notebooks became such a huge security risk because they are portable, smartphones are far worse: brimming with sensitive and poorly protected information, they go with us everywhere. For most of us, losing a mobile phone isn’t a possibility, it’s an inevitability. I have lost two phones: one was stolen in Vegas and the other was sucked into the ether somewhere.
Beyond being more portable and ubiquitous than notebooks, smartphones are also harder to control and manage because they are purchased by individual users and do double duty for work and personal use. Notebooks can be issued and centrally managed by the enterprise, but the enterprise cannot do the same for every employee’s personal mobile phone.
How can IT security professionals build a sound infrastructure that compensates for remote workers who are likely to be the unwitting bearers of major security threats?
As always, start with policy: cover the use of mobile devices that carry company data in your security policy and set clear expectations for employees to follow. At a minimum, spell out which company data may live on a phone, require a passcode on the device, and tell employees whom to notify, and how quickly, when a phone goes missing; a lost phone is only as damaging as the data that is still readable on it.
I know this is basic stuff, but apparently we still need education on choosing a good password. It amazes me that if I ever wanted to log on to a client’s workstation, I could usually do so by entering their last name, their spouse’s name, their pet’s name, or just “password1.” If those fail, I could simply read the yellow sticky note attached to their computer or lying in their desk drawer.

Want to have something like this at your company? We will send you a free set of “Don’t write your Password on this” Post-It notes. Simply contact us and we will ship them out!
Forget worrying about genius hackers with brilliant techniques for breaking into your system. Why would an attacker need to break in when they can simply log on, without even risking detection? No matter how strong the rest of your security is, it can always be trumped by a poorly chosen password that falls to a brute-force attack or a little social engineering. So let’s go over the rules again.
Your password should not be:
What your password could be:
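Putting those rules into code, here is an added example (not from the original post) of a password-acceptance check that enforces the points above: it rejects passwords from a blocklist of common choices such as “password1”, rejects anything built from the user’s own personal information (last name, spouse, pet, birth year) even with leet substitutions or a digit tacked on the end, and estimates the brute-force work against an attacker who knows only which character classes were used. The blocklist is a constructed stand-in for a real breach-corpus list, and the 12-character minimum and 60-bit floor are assumed policy thresholds, not values from the post.

```python
import math
import re
import string

# Constructed stand-in for a real breach-corpus blocklist; the post's own
# "usual suspects" are in here, a deployment would load millions of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
}

# Undo the leet substitutions people use to sneak a blocked word past a filter.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digit/punctuation run people append to
    satisfy complexity rules, then undo leet: 'P@ssw0rd1!' -> 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search if they only know which
    character classes appear. Space and non-ASCII are ignored (conservative)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on brute-force work, log2(charset ** length). A dictionary
    word scores well here and still falls instantly, which is why the
    blocklist and personal-info checks below come first."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if pw and size else 0.0


def check_password(pw: str, personal_info=(), min_len=12, min_bits=60) -> list:
    """Return the reasons a candidate password is rejected; [] means accepted.
    min_len and min_bits are assumed policy thresholds, not from the post."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    for item in personal_info:          # last name, spouse, pet, birth year ...
        n = normalize(item) or item.lower()   # an all-digit item (a year) survives as-is
        if n and (n in core or n in pw.lower()):
            reasons.append(f"derived from personal information ({item!r})")
    bits = brute_force_bits(pw)
    if bits < min_bits:
        reasons.append(f"estimated brute-force work {bits:.0f} bits, below {min_bits}")
    return reasons


if __name__ == "__main__":
    profile = ["Smith", "Jane", "Fluffy"]       # constructed user attributes
    for candidate in ["password1", "Smith2024!", "Fluffy!", "Trombone!Quartz9-Meadow"]:
        verdict = check_password(candidate, profile) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The order of the checks matters: the entropy estimate is an upper bound that says nothing about dictionary or social-engineering attacks, so a password is only allowed to reach it after the blocklist and personal-information checks have passed.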
This is an issue I often encounter with companies that want us to make sure they meet compliance standards like HIPAA or PCI DSS. They either think security and compliance are the same thing, or focus only on compliance and not on security. While compliance definitely improves the security of an enterprise, it has the side effect of creating a false sense of security. Being compliant is simply not the same as being secure.
Compliance is a snapshot of good, not great, security practices. Unlike compliance, security isn’t a goal; it is an ongoing process. There is no perfectly secure place in the world, only constant effort to make things as secure as possible.
Have we learned nothing from the recent breaches at Heartland Payment Systems, Inc. and RBS WorldPay? Both organizations had passed their PCI audits and scans, yet attackers were able to capture well over a hundred million card transaction records in one of the biggest breaches in history. Were these organizations compliant? Yes. Were they secure? Apparently not.
Often the attitude towards security is to blame. Enough money is provided to meet each compliance requirement, but sometimes not a cent more goes to the security budget. If a security expenditure is not required for compliance, it becomes a low, or even nonexistent, priority.
Security isn’t about collecting checkmarks on a compliance audit while ignoring practical security concerns along the way. Here is a great quote from Bill Seiglein on the difference between being compliant and being secure: “There might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one.”
The right attitude is to focus on actual security first and compliance second. Are sensitive data and systems protected? Is each of the enterprise’s unique risks identified and properly managed? If so, great. Now ask what must additionally be done to satisfy the compliance requirements. More often than not, you’ll find you have already done it.
Time Magazine should have known better than to let a website poll determine the most influential person of 2009. Online polls are susceptible to a range of automated attacks, or simply to a swarm of pranksters with too much time on their hands.
In this case, the poll padding came from the massive imageboard 4chan.org. Notorious for generating internet memes and fueling internet subculture, the largely unmoderated site has been the origin of internet attacks before.
The voting link for Time’s poll was a plain URL that 4chan users redistributed through legitimate sites and content spam. This is cross-site request forgery: when an unwitting, trusting visitor followed the link, their browser submitted a vote on the attackers’ behalf. Because the poll never checked that the submitted rating was within the legal range, the same trick could also be used to vote competing entries down.
Time fought back by adding a salted, hashed key meant to ensure that votes were submitted from its own poll form. But the secret needed to compute that key was embedded in the poll’s client-side Flash application; 4chan extracted it and bypassed the protection.
The poll also had anti-automation protection: a user from the same IP address had to wait 13 seconds between votes. The limit evidently applied per entry rather than per address, because 4chan’s auto-voting bots cast a vote for their candidate every 13 seconds and spent the intervening seconds voting down competing entries.
All this sent “moot” rocketing to the top of the poll. Not content with first place, the 4chan hackers kept manipulating the rankings, reordering them so that the first letter of each name spelled out the acrostic “Marblecake Also the Game.”
If you did not already know, “moot” is supposedly the handle of 4chan’s mysterious creator, although, given the site’s intentional disorganization, it is impossible to verify anything about the user.
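To make the three weaknesses concrete, here is an added example, written for this page and not Time’s code or 4chan’s scripts, of a vote handler that has them (a shared key that ships in the client, no range check on the rating, a rate limit that is only per address and entry) next to a hardened handler that keeps its secret on the server, issues single-use tokens bound to the session and entry, range-checks the rating, and rate-limits every vote from an address regardless of entry. The 1 to 100 rating range, the token format, the session identifiers and the addresses are assumptions; the 13-second interval is the one the post describes.

```python
import hashlib
import hmac
import secrets

RATING_MIN, RATING_MAX = 1, 100     # assumed legal range for one vote
MIN_VOTE_INTERVAL = 13.0            # seconds between votes from one address, per the post

# Constructed stand-in for the "authentication key" that shipped inside the
# poll's Flash client. Anyone who decompiles the client has it, so it proves
# nothing about where a vote came from.
CLIENT_EMBEDDED_KEY = "constructed-key-found-in-swf"


class VulnerablePoll:
    """Mirrors the three weaknesses described above."""

    def __init__(self):
        self.scores = {}
        self.last_vote = {}   # (ip, entry) -> time: limit is per entry, not per address

    def cast_vote(self, entry, rating, key, ip, now):
        if key != CLIENT_EMBEDDED_KEY:                 # a secret the attacker already holds
            return "rejected: bad key"
        last = self.last_vote.get((ip, entry))
        if last is not None and now - last < MIN_VOTE_INTERVAL:
            return "rejected: rate limited"
        self.last_vote[(ip, entry)] = now
        self.scores[entry] = self.scores.get(entry, 0) + rating   # no range check at all
        return "accepted"


class HardenedPoll:
    """Secret stays on the server, tokens are per session and single use,
    the rating is range-checked, and the rate limit covers every entry."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret    # never sent to the client
        self.scores = {}
        self.used_nonces = set()
        self.last_vote = {}             # ip -> time of last accepted vote, any entry

    def _tag(self, session_id, entry, nonce):
        msg = f"{session_id}|{entry}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id, entry):
        """Embedded in the vote form served to this session. A cross-site page
        cannot read it, and a client cannot mint one without the secret."""
        nonce = secrets.token_hex(8)
        return f"{nonce}.{self._tag(session_id, entry, nonce)}"

    def cast_vote(self, entry, rating, token, session_id, ip, now):
        if not isinstance(rating, int) or not RATING_MIN <= rating <= RATING_MAX:
            return "rejected: rating out of range"
        try:
            nonce, tag = token.split(".", 1)
        except (AttributeError, ValueError):
            return "rejected: malformed token"
        expected = self._tag(session_id, entry, nonce)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: token not issued for this session and entry"
        if nonce in self.used_nonces:
            return "rejected: token already used"
        last = self.last_vote.get(ip)
        if last is not None and now - last < MIN_VOTE_INTERVAL:
            return "rejected: rate limited"
        self.used_nonces.add(nonce)
        self.last_vote[ip] = now
        self.scores[entry] = self.scores.get(entry, 0) + rating
        return "accepted"


if __name__ == "__main__":
    bot_ip = "198.51.100.7"                                               # constructed address
    v = VulnerablePoll()
    print(v.cast_vote("moot", 100, CLIENT_EMBEDDED_KEY, bot_ip, 0.0))     # accepted
    print(v.cast_vote("rival", -5000, CLIENT_EMBEDDED_KEY, bot_ip, 1.0))  # accepted: no range check
    h = HardenedPoll(b"constructed-server-secret")
    tok = h.issue_token("sess-A", "moot")
    print(h.cast_vote("moot", 100, tok, "sess-A", bot_ip, 0.0))           # accepted
    print(h.cast_vote("moot", 100, tok, "sess-A", bot_ip, 20.0))          # rejected: token already used
    tok2 = h.issue_token("sess-A", "rival")
    print(h.cast_vote("rival", -5000, tok2, "sess-A", bot_ip, 20.0))      # rejected: rating out of range
```

The token check is the real CSRF defence here: the HMAC is computed with a key that never leaves the server, so extracting the client, as 4chan did with the Flash application, yields nothing that can be replayed, and a page on another origin cannot read the token out of the victim’s form. Note that the per-address rate limit is the weakest of the four controls; it slows a single bot but does nothing against a crowd of volunteers, which is why it comes last and is not relied on alone.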