
We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people.
Our collective blog is a space for our insights, observations and interests...
(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)
Friday, August 22, 2014
Security: Hard to Get Right!
Heartbleed: the bug that keeps on giving
Reports suggest that the Heartbleed vulnerability was involved in a breach of over 4 million records from a health provider in the US — we won't see many of these, as identifying the culprit as Heartbleed is really difficult in most cases. That instances like this are still cropping up reminds us of the need to ensure we're patched, and not just in the obvious places like a web server. This time it seems to have been SSL VPN at the heart of the issue, so to speak.
Passwords: why are we still so rubbish at this?
Apparently 51% of people share a password. This is properly daft. Really, crazier than a box of weasels. Even if you trust the other person, there's no telling what accidents might occur, or where they may re-use that password themselves. I always get gyp from my wife that I won't tell her my passwords, but I won't — and believe me, I do pretty much everything else she tells me!
EU "right to be forgotten" rule still here, still a waste of time?!
Internet numpties are still asking Google to remove them from searches in their droves. Happily the BBC is kind enough to reveal who they are by linking us to the relevant articles. When will people realise that once you publish something on the Internet, it is there forever? Unless it's that really useful document you bookmarked last week, which now 404s and was never in the Internet Archive. Yes, that one.
Thursday, January 2, 2014
5 New Year's Resolutions to Keep You Safe on the Internet
Happy New Year etc.! OK, now the pleasantries are out of the way, we can get on with the usual clichéd list of New Year's Resolutions. You can see I'm going well already with my drive to avoid cynicism in blog posts. These resolutions are aimed more at your personal IT needs than your work life, but you might find a spot of cross-applicability in any case.
- Housekeeping! - Yes, it is a bit early for a spring clean, but since you've a while to go before you have to break out the washing-up gloves and the hoover, you've got time for a bit of a clear-out in online accounts. Each login you have, even if it doesn't protect anything "interesting" or "valuable", is a potential route in for a "cross-site privilege escalation" - an attacker could, for example, use this to find your postal address or mobile number, which you gave on sign-up, and use these to gain entry to a more "interesting" site, which may have your credit card details. Take a look back at the marketing emails you received in December (they're all at it over the holidays, so this is a great time for it) and close down anything you don't use.
- Pesky Passwords - by following the first resolution, you've protected yourself some more against having your password stolen in a site breach - there have been enough of these in 2013 to sink a battleship. Ideally, you're going to want a different password for each site or service, and there are 2 ways to help reduce your password re-use: First, federate login (e.g. through Google and Facebook), which is very much putting all your eggs in one basket - so you had better watch that basket by following my other resolutions. The second method is to use a password service, such as LastPass. There's no reason not to have a little from column A, and a little from column B, of course. While you're at it, you might check to see if any of the passwords you've been naughtily re-using have been leaked to the world here: https://haveibeenpwned.com/
- Backup: Half the Story - and I'm assuming you are halfway there, right? You should back up as much as possible as often as possible. I prefer "everything, all the time" for my files (I personally use Backblaze, good value for money!). Other backup services/strategies exist. YMMV. The other side of the backup story is restore. Having your files sent to the great hard disk in the sky is all well and good, but you need to be sure you can get them back. At the very least, pick a few files and try to restore them. You might find a problem you never knew you had!
- No Pain, No Gain - 2 Factor Authentication. Yes, I mean you. Pay attention at the back. I know you've been putting this off because you think it will be a pain in the backside. Yes, it will, but once you're used to it, it's minor, and the protection afforded against keyloggers and brute force attacks is not to be understated. This isn't a panacea, but it's one more useful protection against the legion of wrongdoers. Many sites & services now support this, a not-particularly-exhaustive list on a post over here.
- Finally, One Good Turn... - I'm quite sure you are already 100% on top of all of these suggestions, so I am going to leave you with resolution 5 - go help someone less fortunate (in the info-security sense) than yourself. Parents, siblings, other halves, whoever. I know, it's a pain, you're probably the person they'll come to when it all goes pear-shaped in any case, and you do enough family tech support as it is, blah blah. Nut up, and go do a good turn. It's the new year, and you'll feel better for it. Not only that, but some of these resolutions will help reduce the calls you get in 2014 from panicking friends and family, and their security is, in many ways, allied to your own. Much like a compromise on a "less important" account that can be priv-esc'd, a security-compromised friend is a threat to your own online safety. On the subject of good turns - if you're after more resolutiony goodness, check out Graham Cluley's list here.
Tuesday, February 7, 2012
Safer Internet Day: Passwords and Protection
Today is Safer Internet Day - an event organised by Insafe to help people, particularly young people, become and stay safe in today's interconnected society.
Instant interconnectivity can be daunting to the uninitiated. Within a few minutes, you can have Facebook and Myspace tied into Last.fm, Twitter, Flickr, Blogspot, StumbleUpon, Reddit and literally hundreds of other third-party games, apps and sites, all of which come together to help us connect to more people, more quickly, more of the time … every connection you make increases the number of people that can see information about you – information that could be used to target you. If you have up-to-date anti-virus software and a firewall it will help protect you against many software-based threats, keyloggers, botnets and the like, but it can’t protect you from the malicious and hurtful people you meet on and off-line. Passwords are the key to your on-line life. One of the easiest ways to break into your computer system is to guess your password. Especially if that password is on a post-it note, stuck to the screen. With the word 'password' next to it in block capitals.
Is your Facebook password the same as your computer login? It's easier to remember that way, isn't it? So now, because of that post-it, someone knows your personal email address, date of birth, where you went to school, where you work, where you live, who all your friends are, every club you've been to in the past 6 months (and on what dates), what car you drive, when you bought it and exactly what your next-door neighbour's cat had for breakfast. In isolation, none of this information would be particularly useful in the hands of someone with nefarious intentions, but put it all together and it wouldn't be too difficult for them to impersonate you on-line. I hope your banking password is different...
Aside from the material risks, there is also the danger of someone manipulating your social life. Abusive messages to friends, offensive posts about others and publicised subscriptions to ‘entertainment’ sites you wouldn't normally touch with a barge pole can all produce a pretty uncomfortable social backlash. This applies to all age groups, but the most quoted problem area is teenagers and cyberbullying.
Cyberbullying is real, hurtful and dangerous. The faceless nature of the attacker can make it even more disturbing than a bloody nose in the playground or superglued books. How do you fight something intangible? The first step is to know what tools you have at your disposal. Every social website (Twitter, Last.fm, Facebook, Myspace et al.) has a ‘block person’ function to stop people contacting you – and for serious incidents a ‘report this person’ process. Most have a setting to make this the default behaviour, so that only those you select can get in touch. If you don't want to communicate with someone on-line, you don't have to - the tools are there and very easy to use.
I know several teachers that have had students who have experienced cyberbullying/cyberstalking incidents that have spilled over into the school environment. By this point, the victim had been terrorised for several weeks or even months beforehand. A trying time for everyone – especially the victims, but the trauma and fallout could have been averted with a few clicks had they only known how to protect themselves on-line.
Internet safety is not just about protecting your computer - it’s about knowing how and why to protect yourself. You wouldn’t walk down a dark alley on your own late at night, even if there was a sign at the entrance saying ‘Play for free now!’ Yet the same sign on the internet, flashing red and yellow, is often treated as a risk-free invitation. A little trepidation is all that’s needed. A slight shift in your mentality from ‘why not?’ to ‘why should I?’. Why should I give someone I don’t know the means to contact me any time they please? Why should I let them see everything I’ve done and everywhere I’ve been? Why should I keep talking to someone if they’re making me feel uncomfortable?
Just as the internet has become an everyday thing, internet safety should be something that’s considered every day.
Saturday, April 16, 2011
Infosec this week. Best post about security?
So, anyway, what with the week it is - maybe I thought I'd stick up a post about security... these crazy ideas, eh? Bit of an old topic though - risk. Specifically people mis-assessing it - including some folks who should know better.
First up - there's been a lovely message doing the rounds on Facebook. This message exhorts users to sidle on up to the URL bar, and bob an "s" on their "http". Harmless advice, nay even reasonable advice - but you're really not at a great deal of risk, given that login is always encrypted, so the worst you're really looking at is a session hijack on untrusted media. So folks will bandy about useful but largely irrelevant advice - you never see a "viral" encouraging good password sense, or not leaving yourself logged in on a public PC... and this is probably because the HTTPS advice is easy to execute - hey look, I can see there's no "s", but I can put one there and feel safe. Nice. Security, it's like a switch, you can turn it on and go back to sleep. Hmm, I didn't intend this post to be about Infosec, but I'm getting a faint echo of some of the marketing guff I heard there last year...
Secondly, and these boys and girls belong firmly in the "should know better" camp... I recently upgraded my phone (finally went smartphone, the Luddite is dead). The network, Everything Everywhere (always block... Guardian3 users know the score...) allow me to set a lovely long password. It has numbers and everything. Now, don't ask why, but I ended up calling these guys a few times over the last week... and always giving the same two characters in my password. My secure-sense (yeah right) finally surfaced, and I questioned my "customer services advisor" and yeah, sorry coincidence hunters, they always ask for the first two characters. There are probably a few statistics you can use to tilt the balance in your favour (not least overhearing any call!) - my first guess, going vowel-consonant only, bought me 3%; I bet you, dear reader, can whip that with a bit of grep and /usr/share/dict/words! On the other hand, these guys won't post my new trombone to anything but my home address. Which I told them. After giving my "2 character 10 character" password. I wonder if this new "home address only" policy is fixing the symptom, not the cause?
Lastly I'd like to put in a good word for CEOP, who got a bit of gyp in the press for not making their child abuse reporting form HTTPS... what's more important, being able to report such sites, or mitigating the minuscule risk of an interested party snooping?