October 6th, 2011
While it seems that PC’s and Mac’s seem to require patches and updates very regularly, don’t become complacent. Updates are provided free and automatically for a reason. A recent study of Windows Malware infections showed that most exploits target patched security vulnerabilities and (somewhat surprisingly if you believe everything on the internet) most of these are not actually Microsoft’s doing. The most likely entry points for malware into your system (in descending order) are flaws in Java, Adobe Reader, Adobe Flash Player and MS Internet Explorer. Only one of those is Windows only…
Java installs an automatic update notification when it is installed, run these updates!
Adobe runs automatic update checks as well for Reader and Flash, install these updates! One word of caution though for businesses with a caching proxy server, beware of the Adobe Updater fundamental coding flaw that Adobe won’t acknowledge. Adobe Updater is very impatient, if it does not start receiving its update within 15 seconds, it will request it again. If you have a caching proxy server (running Anti Virus checks on downloaded files for example), make sure the Adobe update sites are either blocked (install updates manually for the business) or exempt from scanning or it can burn your internet bandwidth very quickly (until you stop it). All Adobe needs to do is check for a proxy server in the internet settings and if there is one, extend the timeout. They haven’t yet.
Finally, dont use Internet Explorer unless you have to. Microsoft Cloud Service web interfaces such as Sharepoint work best with Internet Explorer and some systems management tools with web interfaces require it due to custom Active-X controls (Blackberry Server Express for example). A better alternative is to use Mozilla Firefox or Google Chrome and for even more protection in Firefox, install the “NoScript” plugin.
Finally, make sure you patch Windows and Mac’s all the time. It is pretty rare these days that patches break things but it does still happen from time to time. In a business environment, make sure you test updates properly before deployment. Home users should do a web search on the updates to see if people are reporting problems.
UPDATE: February 5th 2012.
I should have mentioned to make sure you keep your website back-end up to date if you use a content management system (or even just a database). There are many vulnerabilities in every CMS, they are usually patched quickly but if you dont apply the patches, you will become the victim of an automated hack. A client recently had their website hacked, fortunately it was a relatively benign, albeit alarming hack. The vulnerability was traced to a very old version of WordPress that was not even being used that was installed in a subfolder on the website and had been forgotten about. The hack installed a small shell onto the web server which give full control of the whole site, not just the old WordPress blog. Their main blog was up to date. Plugins are also likely points of entry into your web site, keep them up to date as well.
January 6th, 2010
If you have personal or sensitive business information, especially on a portable device such as a laptop, USB stick or portable hard drive, you should consider encrypting this data. If you lose any of these devices, any un-encrypted data on them can quickly and easily fall into the wrong hands. One solution is a free and relatively easy to use encryption utility called TrueCrypt which can encrypt to some of the most secure levels of encryption available.
You have a couple of encryption options from complete system encrytion (fully secured laptop), an entire physical drive or the more simple and user friendly encrypted virtual hard drive which is simply a file on your device that appears as a hard drive when you put in your password. You decide what data will be stored in the encrypted file. It is not as secure as a fully encrypted system but is a far better option than nothing at all and will take an enormous amount of effort to decrypt without the right password. I generally have an encrypted volume on any portable device and any personal or important information sits in that. I also keep the TrueCrypt installer on an unencrypted part of the drive so I can install it if required (I also use a portable version that does not need to be installed)
Windows Vista and Windows 7 high end versions (Ultimate) have BitLocker encryption built in if you want to encrypt your laptop. While this is built in, you have to have bought the expensive OS’s and the encrypted data is not as flexible. With a TrueCrypt “Volume”, it can be mounted on pretty much any operating system (Including Linux and Mac) and can be put on a USB stick or portable hard drive which makes it portable. It cannot be read unless the right password is used.
With encryption though, the end user is the most likely weak point.
TrueCrypt can be downloaded from http://www.truecrypt.org/
December 5th, 2009
I am generally concerned with the use of very simple passwords that I come across regularly.
I recently ran a password cracking tool over all passwords in one workplace to get a feel for how secure their passwords were. The results were not ideal considering there were less than 70 staff.
- 19 passwords were found within 1 second;
- 40 within 30 seconds;
- 52 within 60 seconds;
- 55 within 3 minutes.
Passwords discovered (apart from the ones which were the users own name) included:
- abc123
- surfer
- thursday
- fuel01
- bulldogs
- password
- pink01
- gold65
- mushroom
And the list goes on. If you recognise any of these passwords as similar to your own, you should recognise why there is a need to make passwords a bit more secure. Sometimes the people with the extremely simple passwords have remote VPN access directly into the work network which is a massive security issue and puts the entire network at risk.
There are great security differences between a non-secure password (eg apple12) and a (more) secure password (ApP!e1@).
You need to make up a password you can remember. Use a pass-phrase to help, use a combination of upper and lower case, numbers and special characters. Use substitute characters, eg use 1 instead of i. If you normally have two numbers at the end of you password, randomly substitute the number’s special character, eg instead of 24, use @4 or 2$. I dont want to make this so hard you end up writing down your password and sticking it on your screen so you get it right as this kind of defeats the purpose.
An example of a strong complex password is M2dn@saR3x which could be remembered with the pass-phrase – “my two dogs names are spot and rex” or “M(y) 2 d(ogs) n(ames) @(re) s(pot) a(nd) R3x
Your password protects your IT, the longer and more complex the better. Security paranoid people recommend 20 characters or more but in reality, make sure they are a minimum of 8 characters long and as varied as possible and change them regularly (a few times per year or more often).
