Keeping your computer systems well-defended against the latest attacks is a daunting task, but fortunately, one of the most important defenses is really quite easy to maintain. Microsoft has provided some powerful tools that can keep your Windows systems patched with very little ongoing effort.

If the idea of configuring Windows Group Policy makes you break out in a sweat, be afraid no longer. We’ll go step-by-step through the process so that even a relative neophyte can get good results.

Disabling the Windows AutoRun Feature

by Karl Fox on October 22, 2009

We often help organizations test how well their staff knows their security policy by performing social engineering tests.  In one, we drop hacked USB drives around the premises that notify our home server when inserted into a Windows computer.  Such tests are a lot of fun when they’re just tests, but when a real hacker leaves such a tasty tidbit in your parking lot, you can bet it’s going to do a lot more mischief than phone home when an employee plugs it into one of your computers.

AutoRun and the companion feature AutoPlay are components of the Microsoft Windows operating system that dictate what actions the system takes when a drive is mounted. The main purpose of AutoRun is to provide helpful actions and capabilities when removable media or network shares are mounted. When such a device is mounted, the autorun.inf file from the media is parsed. This file specifies which commands the system should run. Many companies use this functionality to automatically start up their installers when a CD-ROM is inserted, but attackers can also use it to run data extraction sessions or automatic installations of malware.

Creating Good Passwords

by Karl Fox on August 4, 2009

The keys to good password hygiene are:

  • Making them hard to guess,
  • Never writing them down,
  • Limiting the scope of passwords, and
  • Limiting the ability of an attacker to make repeated guesses.

Password Complexity

A recent study on password memorability and security uncovered two surprising results:

Thin Clients are Invulnerable. Aren’t They?

by Karl Fox on April 27, 2009

I am greatly pleased when we at Lithik meet a client who uses thin clients. It not only means that IT management is forward-looking, it also often means they understand the substantial security benefit that can be gained by removing hard-disk-based Windows systems from their network. Converting an organization with a hundred Windows XP desktops accessing three Windows servers to thin client technology means a reduction from 103 Windows installations to 3. That means 30 times fewer machines to patch, 30 times fewer machines to monitor for antivirus updates and Windows events, and 30 times fewer machines on which to install service packs and other application updates. This is a seriously good thing.

Thin client sales pitches frequently include claims saying they can’t be hacked. They don’t have hard drives, so how could they? Besides, you can always push the reset button and—voilà—the software is booted from a clean copy, erasing any filth that may have found its way into memory.

Traveling Safely With a Laptop

by Karl Fox on April 9, 2009

Carrying a laptop has always meant a bit of risk. If you’re like me, you watch your bag like a hawk when you’re in a restaurant or in an airport. Laptops have always had great resale value on the black market, but with HIPAA, PCI, GLB and Sarbanes-Oxley violations costing organizations millions of dollars to recover from a single information theft incident, the danger is at an all-time high.

It doesn’t have to be that way.

There are some tried-and-true, basic steps you can take to dramatically reduce the cost to your organization of data loss due to laptop theft or malicious penetration when using your computer in a public place. Implement them all and you can come close to eliminating the possibility of a data breach. The following steps are organized by the threat they mitigate.

Are You Safe? How Do You Know?

by Karl Fox on November 8, 2006

When I was very young, I had a recurring nightmare about a giant. It was huge, terrifying and very, very real. In the last moment of the dream I would look out the window and see him right in front of our house, then I’d wake up shaking and in a cold sweat.

Whenever I asked my father, he assured me that we were safe, as any good father would. My dad was a doctor, a Lieutenant in the Korean War, surviving a shrapnel hit in the back from a mortar round. He is also very smart and shrewd, having made more money from investing than he ever did as a doctor. So when he told me I was safe, I believed him. Kids need to hear that they are safe. It was not until I was an adult with children of my own, though, that I understood that when he said I was safe, he was able to back it up.

All I know is just what I read in the papers, and that’s an alibi for my ignorance. 
           — Will Rogers

There it is. Front page. Headline. Someone else has now achieved his or her 15 minutes of fame that will unfortunately become a career-defining moment. And not in a good way. Who has not read about the latest case of identity theft in the papers and wondered what really happened? Every article starts the same way: a bold headline that grabs the reader’s attention, the exaggerated surprise by those charged with safeguarding the identities that were stolen, the claims that security was and continues to be a high priority, and the all-important expression of dismay and disbelief at how such an incident could possibly have occurred. Of course, investigations are being conducted, and it will take some time before the full extent of the damage is known, not to mention the cause.

This organization is now in a serious public relations quagmire. Their hired PR guns weigh in next, firing phrases like “compromised information” in place of the more condemning “stolen customer identities”. Updates will be issued, still with no real information as to how the breach actually occurred or who was really responsible, since after all, that is confidential information that could disrupt the ongoing investigation. And you’ll never see a follow-up that doesn’t contain the assurance that “every effort is always made to protect customer (or alumni or patient) information.”

A Day in the Life of a Hacker

Although the weather was rainy and bleak in Sofia, Bulgaria, Yevgeny had a spring in his step as he quietly slipped up the stairs to an almost empty room above the Onda coffee shop with its valuable wireless Internet connection. He would have to wait to get his morning “Americano” coffee until he checked on the state of his “import/export” business. Sure enough, his e-mail contained an anonymous order for up to 250,000 “dolls” and an additional order for as many “cribs” as he could obtain.

Yevgeny had spent the last several days improving his software to assure a targeted, automated, consistent flow of inventory that would have a much lower percentage of “damage” as he euphemistically called it. He had developed quite a reputation for delivering reliable goods to buyers who had customers waiting to fully exploit what he sold. Yevgeny always chuckled at the use of dolls and cribs as descriptions of compromised user accounts and servers. It made him feel like the 007 that he had seen in American movies. It certainly didn’t hurt with his friends who viewed him as a very worldly, successful man. Why, this month he was on pace to make $600, three times the income of the average Bulgarian. With his new scripts, he would not only double his income, but he would begin to initiate his plan to advertise for some “entrepreneurial software engineers” to enlarge his one-man shop. Within a year his dream of a 1600 square foot, palatial luxury apartment in the Lozenets district would be realized, making him neighbors with American diplomats and foreign business executives. It would be a nice change from his 350 square foot apartment.

Online Attacks are in the News

You’ve read the articles—my favorite is the one about the business owner who was logged on to his corporate online brokerage account when he noticed the balance suddenly change. While he watched, somebody systematically wired all his company’s funds to a number of offshore banks. The brokerage washed their hands of the whole affair, pointing to their standard disclaimer signed by each client, which states that keeping passwords secure is the customer’s responsibility.

Well, they’re right—it is certainly the customer’s responsibility to practice good password hygiene. But just as the owner of an unfenced swimming pool is responsible for injuries sustained by youthful trespassers under “attractive nuisance” laws, surely the brokerage firm bears some responsibility for failing to design adequate security into their systems.