Tuesday, November 30, 2010

Simple Security Suggestions

I've created a list of simple suggestions for Windows users. It is not in any particular order other than how my mind works! I hope it will be useful. These are some of the most common things that I see that people fail to do.

1) Install all Windows updates & set up Windows updates to install automatically. Upgrade to Windows 7 if you can.
2) Install a good anti-virus - Microsoft Security Essentials is free.
3) Be sure a firewall is turned on and configured - will talk about how to configure another time - use the default to start.
4) Put a password on your account - I see many people with no passwords.
5) Consider creating two accounts - one as the Administrator and one for the user. Then only use the Administrator account when you need to install new programs or updates. Use the "user" account for surfing the web, doing banking, etc.
6) If you are a more advanced user, consider using another browser than IE such as Mozilla's Firefox or Google Chrome.
7) More advanced users may also like such plugins as NoScript or Adblock to help control accidentally clicking on malicious sites.
8) If you must use Adobe Reader, be sure you are using the most recent version and that it updates automatically.
9) Other options are available to read PDF files, such as Foxit. Consider changing to another PDF reader as a lot of attacks are directed specifically at Adobe. If you decide to do that, uninstall Adobe. You don't want to just leave it sitting around on your computer!
10) Consider using OpenDNS - go to www.opendns.com to find out how easy it is.
11) Consider banking on a computer that is not used for other kinds of internet browsing, if you have two computers. Also use a limited (non-administrator) account.
12) Don't use a cell phone for banking! I wouldn't put any credit card information over a cell phone.
13) Put a router between your modem (cable, DSL, etc) and your computer - it doesn't have to be a wireless router, but that may be the more economical choice. Most wireless routers will allow you to turn the wireless on or off. If you want to use the wireless, secure it! If you don't need it, turn it off!

Thirteen is a good number! This is not a bad start for any Windows user. If you are unable to do it yourself, ask a friend. Two heads working together are always better than one!!

Thursday, September 24, 2009

iPhone Security

Perhaps it’s because we think of Apple as the security-minded OS – the Mac that is – so we trust the iPhone. I am dumbfounded over and over as I study just how insecure information is over the iPhone. Is that Apple’s fault or the problem of securing information over the wireless cell phone network? Things that travel over the air need to be smaller – so am I assuming if I say that Apple has “built it” without worrying about security so that people will buy it, use it, and love it – then they can worry about its security. I wanted one as well and now that I have one, I can see why people love it – it is so nice to have “things” available via the Internet over this small device. In a recent DAR meeting, we wanted to read a certain article in the recent DAR magazine, but no one remembered to bring their magazine. I was able to pull it up on the iPhone and read it to the group. It saved us a lot of headaches by being able to do that. So the convenience and access to information is tremendous. Plus it is small and easy to carry around, as opposed to a laptop. Had I brought my laptop, I could have connected to the Internet by tethering my laptop to the iPhone. So now, the iPhone has the ability to act like an air card and connect to the Internet via the AT&T 3G network. If SSL is broken on the iPhone and I am not really getting a secure connection on the iPhone, what happens when I tether my laptop to it and try to create an SSL connection over the 3G network? Is that broken also? Is it possible to tunnel through that 3G network with an encrypted channel and have a secure connection? I still have many questions about how this all works!!

Sunday, June 7, 2009

Shortened URLs

TinyURL and Bit.ly are commonly used application interfaces that replace a long URL with a shortened URL. This shortened URL can then be used in various kinds of mobile computing, and where smaller content is needed, such as Twitter. This smaller URL is subject to abuse because the user can’t see the actual URL. The shortened URL redirects the user to the original site using the longer URL stored at the “mother” site. Malware is already using the shortened URL to redirect “trusted users” to malicious sites. When a friend sends you a link to a site, you are essentially trusting that they are sending you to a safe site. Bad people are stealing Twitter logins, for example, and then sending bad links to all the people in their “friends” list. Firefox has a plug-in called longURL that will show you the long URL when you hover your mouse over the short URL. Or, you can go to the longURL site – www.longURL.org – type in the TinyURL and it will give you the full URL. LongURL supports URLs from tinyurl.com, is.gd, ping.fm, ur1.ca, bit.ly, snipurl.com, tweetburner.com, metamark.net, url.ie, x.se, 6url.com, yep.it, piurl.com, and others. It is also good to note that LongURL has a web developer plug-in as well.

Friday, May 1, 2009

The OSI & TCP/IP Models

The OSI (Open System Interconnect) model is a product of the International Standards Organization (ISO). It consists of seven layers that define how information is transferred across networks. The layers, from lowest to highest, are the physical layer, datalink layer, network layer, transport layer, session layer, presentation layer, and application layer. Knowledge of this model is required for most any networking test out there, and is often used during job interviews to see how well one understands networks. One way to remember these layers is with a mnemonic. If you google the OSI layer, you will find a long list of mnemonics that are meant to help! Here are a few:

"People Design Networks To Send Packets Accurately"
"People Don't Need This Stuff Presented Anyway"
"People Don't Need To Study Protocol Analysis"
"Phil Donahue Never Televises Sick People Anymore"
"Philys Did Networking Till She Passed Away"
"Please Do Not Take Sales-People's Advice"
"Please Do Not Tell Secret Passwords Anytime"
"Please Do Not Throw Salami Pizza Away"
"Please Do Not Throw Sausage Pizza Away"
"Please Do Not Touch Steve's Pet Alligator"
"Please Don't Network These Stupid People Again"
"Programmers Dare Not Throw Salty Pretzels Away"
"Programmers Do Not Throw Sausage Pizza Away"

If you want to go the other way, these are from top to bottom!

"A Pathetic Silly Trick Never Does Please"
"A PC Sees The Network During PowerUp"
"A Perfect System That Never Did look Perfect"
"Active Penguins Seek the Nearest Deep Pool"
"All Parents Should Teach New Dads Parenting"
"All Penguins Stand Too Near Deep Pools"
"All People Seem To Need Data Processing"
"All People Seem to Need Dominos Pizza"
"All people should teach networking daily please"
"All People Studying This Need Drastic Psychotherapy"
"All Pizza Seems To Need Double Pepperoni"
"All Pre-School Toys Need Durable Parts"
"All Pretty Serious Teenagers Never Do Physics"
"American Presidents Should Try New Dating Practices"
"And Please Send Them New Delhi Pie"
"Angus Prefers Sausages To Nibbling Dried Pork"
"Apply Proper Sense To Network Data Path"
"APS Transports Network Data Physically"
"Australian Post Sucks They Never Deliver Parcels"

Personally, I have more trouble remembering the mnemonics!! At least the layers make sense to me!! Perhaps that comes with understanding how the layers are meant to function together.

The TCP/IP model is probably a more useful model, and is often shown beside the OSI model to compare its layers. This model was first defined by DARPA in a pre-Internet description of the ARPANET. The TCP/IP model has only 4 layers: the Network or link layer (which consists of the physical & datalink layers of the OSI), the IP layer (which compares to the OSI network layer), the TCP layer which compares to the transport layer of the OSI, and the Application layer which spans the session, presentation and application layers of the OSI.

Since the protocols of the IP suite are the primary protocols used on the Internet, learning and using the TCP/IP model is critical to understanding the Internet architecture.

For additional information, there are great descriptions of these models on Wikipedia. Also see RFC-1122 and RFC-1123 for a discussion of the Internet layer protocols and architectures.

Sunday, April 19, 2009

Firefox and NoScript

Firefox is my browser of choice, at least for home use. It is not something that our IS division chooses to support in our work environment. I started using it because it was the more secure choice for browsing. It has had its security issues like everything else, but the Mozilla people are quick to fix them and it is still less likely to be the point of attack. In addition, they have these things called Add-ons. The idea of the Add-on is to customize your browser experience so that it works the way you like it. Some of these Add-ons are quite powerful. My favorite is “NoScript”. It allows you to choose the scripts that you want to run. It is also an eye opener to see how many scripts are running on these sites, and which ones don’t need to run for the sites to work. I generally allow only the site I go to, if I need it, and none of the “analytics” that are used to track our browsing behavior. Those are not needed for the functionality of the web page. It is still amazing to me how many scripts are being used and how they are becoming critical to our browser experience. By blocking these scripts, we are less likely to click on a random site and become infected with some random malware! It allows us to pick and choose which sites we trust to run these scripts. This is a pretty powerful tool!!

Friday, April 10, 2009

My Mac Friends

To my Mac friends: I love Macs. I want one! They say Mac folks are a “class of their own”. They say they don’t think they need to worry about security and “antivirus”. Well – I’m a Mac lover and I agree they have built a great system. But please don’t miss the threats that are being aimed at the Macs! Think about it. Mac lovers are willing to spend a little more on a good system. In the short term, they were not targets. But now – as the world is getting more sophisticated, as are the bad guys, Macs and Mac users are targets.

Yeah for Macs. I love them! I want one! I used to work for an organization that was all Macs! That is, until Windows ’95 came along and offered some of the things that the Mac folks already knew and had been enjoying for a number of years! But – Windows ’95 came in at a better price! It took probably fifteen years for the Microsoft folks to get up to speed with the Macs – and I don’t think they’re there yet – but they definitely have the market share. Finally the Microsoft folks are getting their operating systems, and software, to a more secure level. The Mac folks have still been sitting back there for the last 15 years wondering when they (Microsoft) would catch up!

I love the fact that the Mac went to an underlying system that is Unix based! More of us will be able to understand and want the Mac for just that reason! Their systems are tough both physically and electronically! But – they are being targeted – not a lot, but enough to make the Mac users hesitate. First – their file system is set so that “everyone” has read permissions for any newly created files. Friends – stand up and take notice. You do need to be sure your systems are secure. You do need to purchase and install an antivirus program. You do need to use the firewall. OS X comes with a built-in firewall, but you may want to change the configuration. For help with hardening your Mac platform, check out SANS Mac OS X Security Checklist at http://www.sans.org/score/macosxchecklist.php.

Network administrators may also need to help your Mac users. Macs can’t just be “left alone” … if they are on your network, you need to understand how they work, and what they are capable of. Those Macs are mighty powerful systems – and you want them on “your” side, not the bad guys’ side! The SANS Checklist also includes information about the Mac as a server. It is a “must read” for Network Administrators!

Sophos just had a great article about the latest threat to the Macs. They even have a video showing how easily they can be exploited. Please check it out at http://www.sophos.com/pressoffice/news/articles/2009/03/mac-malware.html. It is worth the time and money to put an antivirus on your Macs!! There are several options, also outlined in the SANS Checklist, including some enterprise options.

Mac users – go forth and enjoy – safely!!

Friday, April 3, 2009

What's Up With DNS?

DNS (Domain Name Service) is that wonderful service that translates domain names to IP addresses, like sans.org to 66.35.45.201 or yahoo.com to 68.180.206.184. DNS is inherently a very troubled, insecure service. It uses UDP port 53. UDP is one protocol in the TCP/IP protocol suite that is used for transport. UDP is sometimes referred to as "Spray and Pray" because it just sends packets out and hopes they get to their destination. UDP is called an "unreliable protocol" as there is no guarantee of delivery or response for that matter.

So what's all the hubbub about DNS being such a problem? First - it may take a little time to get your answer back. You type in your browser "www.yahoo.com" and you wait for a connection. Behind the scenes, a UDP request goes out to your "name server" who will attempt to translate the words to an IP address and send your browser request to that address. If your "name server" doesn't know the answer, they send the request up the chain to another "name server", until someone along the line knows how to translate the name to its IP address. This week two of the big name servers, Neustar and Register.com, were both hit with DDoS (Distributed Denial of Service) attacks. Several big companies were affected, including Amazon and Petco. They reported a huge increase in name service requests, to the point that they were unable to service all of the requests. The result ... you probably would not be able to connect to Amazon.com.

This is just one of the many problems with the current DNS standard. To learn more about how DNS is set up, see RFC 1035 for the Implementation and Specification document. "RFC" stands for "Request for Comment" but the RFCs are the definitive documents on how things work in the Internet protocol world!