Archive for the “Security” Category

OpenDNS is an easy way to help protect you and your family on the Internet. Before you get turned off by something technical, let me assure you that you can make this simple change no matter what your technical expertise, and it will cost you nothing. If you have just one computer connected to the Internet at home, this change is simple. If you have more than one, then you will want to make this configuration change on your router, but it will still be easy. The OpenDNS team has done a great job documenting how to make such a change, so I am not going to duplicate that effort here. You should go to this page to learn how to make the change, but before you do please continue reading to learn why it will help you.

Please note that this information applies to business users as well. The small business without the budget for an IT department could benefit greatly from making these simple changes.


Recently we went through a project to determine the best encryption software to use in our business. The products evaluated were McAfee Safeboot, SafeNet, and GuardianEdge. Each of these three products has its respective strengths and weaknesses in an enterprise environment, but there is one problem that all three of them share: they are enterprise solutions. You wouldn’t want to use or pay for one of them for home or small business use.

The best solution that I have found for the home and small business is Truecrypt. There is plenty of documentation on that site to explain how to set it up and run it. I want to describe the reasons for running it at home. Obviously an enterprise has company confidential data including trade secrets, pricing, margins, employee data, etc. that has to be protected. Hopefully they aren’t putting these things on a laptop in the first place since there is very little reason that anyone would have to have a local copy of much of this while off site, but it does happen.

Your home laptop probably doesn’t put an enterprise at risk if it is lost; however, it can put you at risk. The majority of stolen laptops are taken just for their resale value. They get stuck on eBay or sold to a pawn shop or some guy down the street. There is less thought to the value of the data on it than the value of the hardware itself. When that is not the case, your data is completely vulnerable. If you have logged into banking websites, the tracks are probably still available. If you recently logged into your webmail then your computer may still have a cached session available for the thief. If you run an email client you likely have it set to remember your email account passwords. With that little bit of information a thief could reset your password for your bank and log in, just as one small example.

Encryption solves this problem by making it more difficult to break into your data than any value that could possibly be received from having done so. In other words, no commonly used encryption is completely foolproof, but all provide barriers to your data that would require significant computing effort to break through.

There are two types of encryption most commonly used by consumers. First is the encryption built into their computer. For Windows users that would be Microsoft’s file and folder encryption, which is activated simply by right-clicking on the file or folder, clicking Properties, then Advanced, and then checking the box that says to encrypt. Note that you have to have a password specified for your account, and I’m just speaking about modern versions of Windows. There are two inherent dangers with this type of encryption. First, it is all tied to your Windows password. In other words, if someone gets your password, they have your encrypted files. Second, it is easy to forget to encrypt important files such as the paging file, temporary files, etc.

The solution is full disk encryption, which encrypts everything on your hard drive, including temporary and swap files, and makes it all inaccessible without a bootloader password. The password you generate should be significantly difficult. I use a combination of phrases and random characters and numbers. With recent versions of the software, Truecrypt is capable of allowing suspend to disk with your bootloader password required to boot back into the system.

Having this protection on your laptop gives you peace of mind when there are times that you must leave your laptop in a less secure place. There are some concerns about your encryption key being in memory if the system is in a sleep state, and it is true that someone could compromise your laptop in that state IF they were prepared to do so. In Vista it is easy to set a timer on the sleep so that after a certain amount of time the system will wake up and go into hibernation. There is also a possibility that within a few minutes of the system being off that the data would still remain in RAM to be retrieved by someone who really knows what they are doing. In other words, there is little reason to be concerned about these vulnerabilities. If you worry then just hibernate or power off your system and wait two minutes before leaving it alone.

I would also like to say that I’ve had it installed on my laptop for a long time and have never noticed a performance problem.


Wired has a description (warning: language) up about how the guy hacked into Palin’s email account at Yahoo. I am not sure that hack is the right word since this was more of an exercise in social engineering and search engines. What bothers me most about this article is how it describes the “hacker.” Some poor kid in his dorm room at college has enough foresight to get behind a proxy (even if it is just one). Not only that, but his own description of his activities demonstrates forethought.

The hacker said that he read all of the e-mails in the Palin account and found “nothing incriminating, nothing that would derail her campaign as I had hoped. All I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family.”

His story is of someone who was more worried that he would get caught than worried that he was doing something wrong. This is someone who is morally stunted and needs crash remedial training before he ends up in jail for a crime that may actually hurt someone. He will probably end up with some jail time for this, or at least some community service, because the only thing he really did was to violate someone’s privacy. I am assuming that he didn’t make copies of the data or post that data on the Internet and that someone else subsequently did that. His second stupid move was posting the password on a forum, which instead of making him seem more anonymous is just going to increase the charges against him and the interest of the authorities in catching him.

He tried to derail her campaign. That should be wrong no matter what your political viewpoint is.

Here to ask why has a post about this with some good tips. I have a few more:

  • Use a different password for every website. Here’s how I do it: I use Roboform to generate and save passwords. Most passwords are 12 characters or more and randomly generated. There are relatively few passwords that I need while away from my computer, so it isn’t a problem. For those I use something with a slightly lower number of random characters and numbers, but it is still complex.
  • Change your birth date and other personal information slightly when registering on sites. Most sites that ask for your birthday just want to know that you are over 13 or 18 or whatnot. This means you will have to remember your fake birthday just in case you need to reset your password. Here’s a tip: Use the birthday of someone you know.
  • Randomize security questions and answers. I back up my passwords in many different places, all encrypted, so I’m not going to lose them. When a website allows me to randomize questions and answers I use my random character generator within Roboform to generate the answers and then save them in a notecard. The name of your first pet can be a4lzioE0lPJY, and the name of your high school was 58PiZgotJD1A.
  • Watch your account for strange activity. Google has a newish feature that shows where login activity has occurred or is occurring and allows you to sign out sessions if you accidentally left your GMail account active on another computer, for example. I use Fastmail, which has had the logging feature for a long time. Most banks and places where privacy is important will also display your last logged in time and IP. If they don’t, ask them to start.
  • Change your password if you have the slightest doubt that something is going wrong. With Roboform this is easy, and I can sync up my USB Roboform2Go and backups quickly enough.
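
The tips above can be checked mechanically. The following is an added example, not code from the original post or from Roboform: it generates 12-character random values like the sample answers above and audits a vault for reused passwords and guessable passwords or security answers. The vault layout, the site names and the 60-bit threshold are assumptions made for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, as in the sample answers

def random_secret(length=12):
    """Random value from a CSPRNG containing lower case, upper case and a digit."""
    while True:
        s = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if any(c.islower() for c in s) and any(c.isupper() for c in s) \
                and any(c.isdigit() for c in s):
            return s

def entropy_bits(secret):
    """Crude upper bound: length * log2(size of the character classes in use)."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    pool = sum(size for test, size in classes if any(test(c) for c in secret))
    if any(not c.isalnum() for c in secret):
        pool += 32  # rough count of printable symbols
    return len(secret) * math.log2(pool) if pool else 0.0

def audit(vault, min_bits=60):
    """Return sorted (site, field, problem) findings for reuse and weak values."""
    findings, seen = [], defaultdict(list)
    for site, rec in vault.items():
        seen[rec["password"]].append(site)
        for field, value in [("password", rec["password"]), *rec["answers"].items()]:
            if entropy_bits(value) < min_bits:
                findings.append((site, field, "guessable"))
    for sites in seen.values():
        if len(sites) > 1:  # same password stored for more than one site
            findings += [(s, "password", "reused") for s in sites]
    return sorted(findings)

# Constructed sample vault: site names and values are made up for illustration.
SAMPLE_VAULT = {
    "bank.example": {"password": "Summer2008", "answers": {"first pet": "rex"}},
    "mail.example": {"password": "Summer2008",
                     "answers": {"high school": random_secret()}},
    "shop.example": {"password": random_secret(),
                     "answers": {"first pet": random_secret()}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULT):
        print(finding)
```

The entropy figure is only an upper bound: a value such as a real pet name or a word plus a year is far easier to guess than its length suggests, which is the reason for generating the answers randomly.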

I saw a very strange article today where someone tried to argue that SaaS (Software as a Service) changes the CIA (Confidentiality, Integrity, Availability) paradigm (Triad). I was confused and read on only to find that there was no argument within the text to back up that statement. In fact, Availability was used as an argument against itself. I started to write a comment, but then it got too long and I realized that I was probably just going to offend the guy because of something he wrote out too quickly without reading it over. I’m sure I’ve already written something like that myself, or if I haven’t yet I will.

First, here is an explanation of the CIA Triad in a nutshell. These are the core principles of information security:

Confidentiality refers to preventing disclosure of information to unauthorized systems or people. Integrity refers to the data remaining in the system the same way it was put in – that it can’t be modified without authorization. Availability means that the data is available when needed and that security controls and systems that house the data are functioning correctly.

I’ve heard many people argue against the need for the Availability piece as it doesn’t sound as interesting as the rest of it. Of course the data needs to be available, but what does that have to do with security? Joe Technician keeps the systems available. The problem is, if the system is not available, then it is not valuable, and if it is not valuable, then it is not worth using. Availability also refers to security controls being in place at all times. Suppose the security controls for a system suddenly become unavailable: say a log file fills up and no mechanism for rotation or offloading that file is in place. Subsequent actions taken on the system may compromise Integrity, and in fact simply because the logging facility was not available we may have an Integrity or Confidentiality issue.

I understand what the article was trying to say about increasing exposure to Integrity and Confidentiality issues by going to a service based environment, because you will be offloading sensitive information to a 3rd party; however, SaaS increases Availability issues as well. Instead of running Word on your desktop, which works whether or not you are connected to your LAN, the Internet, or anything else, now you are relying on Google (for example) to provide your word processor over the Internet. Your 3rd party still has to get you the service. In providing SaaS, both the provider and the buyer need to consider Availability just as much as Confidentiality and Integrity.

I’ll give you a simple example. I can run your company’s ERP system for you. I’ll design the system so well that after you put data into it no one will be able to get it out. I’ll make it so safe that no one can make unauthorized changes. Actually, we will take your ERP system, unplug it, and stick it in a double locked vault where I know one combination and you know the other. That satisfies Confidentiality and Integrity completely, but ignores Availability.

Some businesses or systems within a business naturally emphasize parts of CIA over others. For example, there is a company that sells a USB key that has an internal self-destruction mechanism if an authentication is failed too many times. There are cases where availability of that data should suffer. If I am bringing a copy of proprietary company confidential information from one place to another, this might be the best means to transport it. If someone steals the USB key or I lose it in transport, I want to be assured that the data will not be available to whoever found it or be able to be modified by someone sneaking into my hotel room in the middle of the night. In this case I am willing to sacrifice some availability, for example if I forget my own passkey, for the sake of Confidentiality. This in no way negates the CIA triad or changes its paradigm. The USB key still must be available to me in order to be useful. I need to be able to put data on it, and it needs to be possible for me to bring it from one place to another. Once there, I need to be able to authenticate to it and decrypt the data that is there. In other words, the data must be available else I’d never buy such a device. The manufacturer still has other availability challenges such as how to decrypt and unlock the device on an alternative operating system (making it more available), or how to alert the user if someone was trying to guess the password since the last time it was successfully accessed (protection system availability).

In fact, each piece of the triad is intrinsically linked to each other piece in a delicate balancing act. As I said, it is easy to have a completely Confidential system if there is no Availability (try a pipe to /dev/null). When an end user asks for a network share behind the firewall to be available to a customer in another company, then we suddenly have much more need for security in the forms of Confidentiality and Integrity, but it was Availability that triggered the request. If we forget that Availability triggered the request, then we might as well not worry about the additional Confidentiality and Integrity needed to satisfy that unneeded Availability.

CIA is intrinsically linked and each piece must be considered in developing any system, including SaaS. There is no paradigm change. I know the author of the article knew this, because he argued points against his own thesis. It got me thinking about stuff though, and that’s always a good thing. I didn’t write this to offend or pick on anyone. If there is something I’ve overlooked or misread about the original article I’ll be glad to have it pointed out to me, because I just don’t understand it the way it was written.


Noscript is one of my essential browser tools. It intercepts Java, Flash, and other scripts and executable content in a Firefox browser and keeps them from executing until the user specifically whitelists the site. It can be an inconvenience to someone who doesn’t understand the dangers that exist on the Internet; however, it doesn’t save us from every danger out there.

It seems someone at ZD Net noticed it recently. It’s nice to know that Noscript protects from specific Zero Day attacks too.

If you use Firefox (and you should) then you should use Noscript to complete your safety net.

It is rare when the XSS detection triggers, but even for someone that browses as carefully as I do, it can. In fact there are some times when I am browsing through things that aren’t necessarily all on the up-and-up. I had a PC that I needed to hack into a couple weeks ago and my traditional tool is ophcrack over at SourceForge. They recently updated the tool and it no longer performs as it did – very disappointing. I downloaded a previous version and let it crack away on the target computer, however it couldn’t reveal any of the passwords. I did some searching for an alternative tool, and as you can guess that led me to some shady websites. With Noscript I didn’t worry at all.

The one thing that Noscript doesn’t save us from is a trusted site that we’ve whitelisted that was subsequently cracked. If the defacement includes posting compromised code, then it will execute just as if it were trusted.
